July 24, 2004

Rhian's Tip on a Spyware / Trojan Issue + AppInit_DLLs Registry Key

Posted at July 24, 2004 11:06 AM in Computer Tech.

Author: Rhian D. Block
rhian@vazoom.net

Recently I came upon a machine with a really annoying spyware / trojan problem. After running multiple scans with two great programs, Ad-Aware and Spybot - Search & Destroy, most of the damage was fixed. But one issue remained: every time a program such as Internet Explorer was opened, Symantec Corporate would detect a Trojan in Windows\System32 called WDMCABG.DLL, which it could neither quarantine nor fix. See the image below:
[image: symantecerror.gif]

So after rebooting into Safe Mode I looked in that folder and, to my surprise, there was no file named wdmcabg.dll there at all. (Keep in mind that Explorer does not list files with the hidden or system attribute unless you tell it to show them, so an empty-looking folder is not proof that the file is gone.)
So I opened regedit (Start Menu > Run > regedit) and searched for that file name; it turned up in the AppInit_DLLs value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows. See the image below:
[image: registry.gif]

After some research on this entry I found out the following. AppInit_DLLs is a value under that Windows key (not a key of its own), and you have to remove it. Its data may look blank in regedit, but it really is not: the trojan writes it in a form that regedit does not display properly, which is how it stays hidden. Windows reads this value when user32.dll initializes and loads every DLL listed in it into the process, so the trojan DLL (in my case WDMCABG.DLL) ends up inside practically every application that runs, giving it complete control to do whatever it wants. You need to remove the value so that the trojan DLL cannot load and keep re-infecting your PC. (On Windows 7 and later the DWORD value LoadAppInit_DLLs under the same key must be set to 1 before anything in AppInit_DLLs is loaded at all, and Windows 8 and later ignore AppInit_DLLs entirely when Secure Boot is enabled, so this persistence trick belongs to XP-era systems like the one described here.)

The way to remove the value is not obvious. If you simply delete it in regedit, the trojan DLL, which is already loaded, puts it right back: select the value as shown in the image above, delete it, hit F5 to refresh the view, and AppInit_DLLs magically reappears. Here are the steps that actually get rid of it:
1. Rename the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows key to something else temporarily, such as Windowsold.
2. Delete the AppInit_DLLs value under the Windowsold key.
3. Hit F5 and notice that AppInit_DLLs does not come back (the DLL writes it back under the original Windows path, not under the renamed key).
4. Rename the Windowsold key back to Windows. If a new Windows key has appeared in the meantime, it is most likely the trojan writing its value back; look at what it contains, delete it, and then complete the rename.
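As an added example that is not part of the original post, the following PowerShell script does the same inspection and removal from an elevated prompt. It assumes Windows with PowerShell 3.0 or later and administrative rights; the function names, the backup file location and the Windowsold temporary key name follow the steps above but are otherwise my own choices. Its advantage over regedit is that it prints every value name and its data with control characters made visible, so an entry that regedit shows as blank still reveals what it loads. Like regedit, the PowerShell process itself has user32.dll loaded, so run it from Safe Mode as the post does.

```powershell
# Added example, not code from the original post. Assumes Windows with PowerShell 3.0+
# and an elevated (administrator) prompt, and that you have already confirmed the DLL
# listed in AppInit_DLLs is malicious. Run it from Safe Mode, as the post does.

$parentKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$keyName   = 'Windows'
$tempName  = 'Windowsold'   # temporary key name used in the post

function ConvertTo-Visible([string]$Text) {
    # Render control characters (including embedded nulls) as \uXXXX escapes so that
    # a value regedit displays as blank cannot hide from this listing.
    ($Text.ToCharArray() | ForEach-Object {
        if ([int]$_ -lt 0x20) { '\u{0:X4}' -f [int]$_ } else { [string]$_ }
    }) -join ''
}

function Show-AppInitValues([string]$SubKey = "$parentKey\$keyName") {
    # List every value under the key with its type and raw data (no environment
    # variable expansion, no trimming), so the DLL path is seen exactly as Windows sees it.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $false)
    if (-not $key) { throw "HKLM\$SubKey not found" }
    try {
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name, $null,
                     [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($data -is [byte[]]) { $data = [Text.Encoding]::Unicode.GetString($data) }
            [pscustomobject]@{
                Name = ConvertTo-Visible ([string]$name)
                Kind = $key.GetValueKind($name)
                Data = ConvertTo-Visible ([string]$data)
            }
        }
    } finally { $key.Close() }
}

function Find-HiddenDll([string]$DllName) {
    # Explorer hides files carrying the hidden or system attribute; -Force lists them too.
    Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -Force -Filter $DllName -ErrorAction SilentlyContinue |
        Select-Object FullName, Attributes, Length, LastWriteTime
}

function Remove-AppInitDlls {
    # Step 0: export the key first so the change can be reversed.
    $backup = Join-Path $env:TEMP ('AppInit-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export "HKLM\$parentKey\$keyName" $backup | Out-Null
    Write-Host "Backup written to $backup"

    # Step 1: rename the Windows key. The loaded DLL rewrites its value under the
    # original path, so a value deleted under the renamed key stays deleted.
    Rename-Item -LiteralPath "HKLM:\$parentKey\$keyName" -NewName $tempName

    # Step 2: delete every AppInit_DLLs value under the renamed key. The match strips
    # control characters from the name so a name padded with hidden characters is caught.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$parentKey\$tempName", $true)
    try {
        foreach ($name in $key.GetValueNames()) {
            if (($name -replace '[\x00-\x1F]', '') -ieq 'AppInit_DLLs') {
                $shown = ConvertTo-Visible ([string]$key.GetValue($name))
                Write-Host "Deleting '$(ConvertTo-Visible $name)' = '$shown'"
                # A name with an embedded null cannot be addressed through the Win32 API;
                # if this throws, fall back to the regedit sequence from the post.
                $key.DeleteValue($name, $true)
            }
        }
    } finally { $key.Close() }

    # Step 3: re-read the key (the script's equivalent of F5) and confirm nothing came back.
    $left = Show-AppInitValues "$parentKey\$tempName" | Where-Object { $_.Name -match 'AppInit_DLLs' }
    if ($left) { throw "AppInit_DLLs reappeared under $tempName; the DLL is still active" }

    # Step 4: rename the key back. If a new Windows key has appeared meanwhile, the DLL
    # most likely created it while writing the value back; show it before removing it.
    if (Test-Path -LiteralPath "HKLM:\$parentKey\$keyName") {
        Write-Warning "A new $keyName key exists; its values are:"
        Show-AppInitValues "$parentKey\$keyName" | Format-Table -AutoSize | Out-Host
        Remove-Item -LiteralPath "HKLM:\$parentKey\$keyName" -Recurse
    }
    Rename-Item -LiteralPath "HKLM:\$parentKey\$tempName" -NewName $keyName
}

# Usage:
#   Show-AppInitValues | Format-Table -AutoSize     # look before you touch anything
#   Find-HiddenDll 'wdmcabg.dll'
#   Remove-AppInitDlls
#   Show-AppInitValues | Format-Table -AutoSize     # verify again after a reboot
```

Run Show-AppInitValues first and keep the printed line: the Data column is the list of DLLs Windows will actually load, with any \u0000 padding shown, which is also the string to search the rest of the registry for afterwards.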

At this point it is best to do another search through the registry for any other keys or values that mention WDMCABG.dll.

Please note that the WDMCABG.dll trojan may have another name, like wind.dll or apps.dll. Use the same technique if you are in the same position.

Another great utility that is available to remove spyware and the About:Blank junk in your web browser is a program called AboutBuster.
Do a search on Google for it and run the utility in Safe Mode. I will attempt to keep the latest release available for download here; currently that is V 1.31.


Comments

t.y.


Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Backdoor.Agent.B
File: C:\WINDOWS\SYSTEM32\SQLKIK.DLL
Location: C:\WINDOWS\SYSTEM32
Computer:
User:
Action taken: Quarantine failed : Delete failed : Access denied
Date found: Sun Dec 19 07:34:14 2004


That was on my computer for so long and I could not get rid of it. Thank you very much.

Posted by dave at December 19, 2004 07:35 AM
