7.1 Rogue deinstallation

Apart from checking for "unauthorized" modifications to cyberp.ini, CP's "advanced anti-hacker security" consists of a new %windir%\system\system.drv that checks for the existence of the modules PROGIC, PROGICS and TS. These are represented by the files IC.EXE, ICFIRE.EXE and TS.DLL, all in the %windir%. The original system.drv is cleverly hidden away as %windir%\system.386.

The modules are loaded in two ways: first there is a load entry in the win.ini file, and second, there's an entry in the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run called "FltProcess", which will load %windir%\system\msinet.exe, which in turn will load the Cyber Patrol modules. After replacing the system.drv, which in the CP-version will halt loading of Windows if it doesn't find its modules, and ask you to call their support number, you can safely do away with the registry entry, the load-key in the win.ini and any of the numerous binaries. Because of the many files CP installs to your system, we suggest you use the normal uninstaller instead. Not that it does a very good job of removing its system files, but there you go.

Optionally, if you come across an installation running unregistered, you can use the backdoor password omed to uninstall, or simply to gain administrator access.

[The above text excerpted from "The Breaking Of Cyber Patrol 4" copyright Eddy L O Jansson and Matthew Skala.]

Ed. note for nonprogrammers: "%windir%" refers to your Windows directory. In other words, if your Windows directory is \Windows, %windir%\system\msinet.exe means C:\Windows\system\msinet.exe. If your Windows drive and directory differ, make the appropriate substitutions.

To remove Registry entries that load a file upon start-up, see this HOWTO.
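
An added example (not from the original page or the excerpted paper): a read-only audit that lists the autostart entries in a win.ini and in an exported REGEDIT4 file whose targets are the file names given above. The sample inputs are constructed, and which modules the load= line names is an assumption.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

# File names the excerpt attributes to Cyber Patrol 4.
CP_FILES = {"ic.exe", "icfire.exe", "ts.dll", "msinet.exe"}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"

# Constructed sample inputs; the load= contents are an assumption.
SAMPLE_WIN_INI = r"""[windows]
load=C:\WINDOWS\IC.EXE C:\WINDOWS\ICFIRE.EXE
run=
[Desktop]
Wallpaper=(None)
"""
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FltProcess"="C:\\WINDOWS\\SYSTEM\\msinet.exe"
"SystemTray"="C:\\WINDOWS\\SYSTEM\\systray.exe"
"""

def win_ini_autostart(text):
    """Yield (key, program) for load=/run= entries in the [windows] section."""
    section = ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("load", "run"):
                yield from ((key.lower(), p) for p in re.split(r"[,\s]+", value) if p)

def reg_run_values(text):
    """Yield (name, command) for string values under the HKCU Run key."""
    in_run = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
        elif in_run and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            yield m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping

def find_cp_autostarts(win_ini, reg_export):
    """Return (source, name, target) for autostarts that point at CP_FILES."""
    hits = [("win.ini", k, p) for k, p in win_ini_autostart(win_ini)
            if basename(p).lower() in CP_FILES]
    for name, cmd in reg_run_values(reg_export):
        if cmd.split() and basename(cmd.split()[0]).lower() in CP_FILES:
            hits.append(("registry", name, cmd))
    return hits
```

Calling `find_cp_autostarts(SAMPLE_WIN_INI, SAMPLE_REG)` returns the two load= programs and the FltProcess value, and leaves the unrelated SystemTray entry out.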
 
 
 
