-
Help with Windows, please no flames!
I have to use Windows with Virtual PC so I can run SQL Server 2000 for my databases class, and now the darn thing has some sort of spyware which is slowing it down. I know where the culprit is but I can't get to the folder.
It's
c:\windows\system32\elitpaa32.exe
and that is not the folder WINDOWS on C. So does anyone know where I can find this mysterious folder, because the darn thing is resistant to Spybot, and I don't know what else to do.
Thanks
PS: regedit is too slow.
-
-
Reboot into the Recovery Console and delete it, or boot a Linux live CD and delete it. (Otherwise find the real location.)
-
Maybe the spyware created that folder to try to confuse the user. No Windows user would ever, ever delete the Windows folder.
Maybe you should try a different Spybot? In Windows I use Ad-Aware.
Check that the Windows folder isn't hidden.
M3rlin
-
Something reminded me of this... you can't delete a program that is running in winders... so when you're booting, hit F8 a few times when the first loading screen shows for Windows, boot to safe mode, then run Spybot and Ad-Aware.
-
I also use Ad-Aware with good success.
You can look in Task Manager...Processes for a running process by that name and stop it, then try to find the file and delete it.
Booting a live Linux CD and removing the file that way would probably be the best.
To keep from getting more spyware, make sure to run Firefox instead of IE!
A great live CD for what you need is mutagenix, it's 128 megs and just boots the CLI for quick and dirty file work.
-
I always found time stamps to be the best way to locate spyware. If c:\windows\system32\elitpaa32.exe is really part of the spyware program, search for everything created at the time elitpaa32.exe was created. Then boot to safe mode and rename all of it, just in case it happened to be a system file that you were wrong about.
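The time-stamp search described above, as an added example that is not from the thread: it takes the suspect path named in the post, reads its creation time, and lists every file under the assumed search roots created within a window around it. It is report-only; renaming is left to the safe-mode step the post describes. `$WindowMinutes` and `$SearchRoots` are constructed defaults.

```powershell
# Added example, not from the thread. Lists files whose creation time falls
# within a window around a suspect file's creation time, so candidates can be
# reviewed before anything is renamed in safe mode. Report-only.
# $Suspect is the path named in the thread; the window and roots are assumed.
param(
    [string]$Suspect = 'C:\Windows\System32\elitpaa32.exe',
    [int]$WindowMinutes = 10,
    [string[]]$SearchRoots = @('C:\Windows', 'C:\Program Files')
)

# -Force is needed because droppers often set the hidden/system attributes.
if (-not (Test-Path -LiteralPath $Suspect)) {
    Write-Warning "Suspect file not found: $Suspect (may be hidden, or the path may be spoofed)"
    return
}

$ref  = (Get-Item -LiteralPath $Suspect -Force).CreationTime
$from = $ref.AddMinutes(-$WindowMinutes)
$to   = $ref.AddMinutes($WindowMinutes)

$hits = foreach ($root in $SearchRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -le $to }
}

# Oldest first, so the dropper itself tends to sort to the top of the list.
$hits |
    Sort-Object CreationTime |
    Select-Object CreationTime, Length, FullName |
    Format-Table -AutoSize
```

Run it from an elevated prompt so hidden system directories are readable; the creation time on NTFS survives a rename, so the list stays valid after the safe-mode step.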
-
You might want to use Killbox to remove the file: http://www.bleepingcomputer.com/files/killbox.php
I would also suggest posting a HijackThis log at a spyware forum so an expert could take a look at it. I am a moderator at CastleCops, they have plenty of knowledgeable staff.
I haven't cried like this since I paid for Godfather III --Fat Tony
Currently breaking:
Gentoo Stage 1 w/gentoo-dev-2.6.14-r2 kernel
FreeBSD 6.0
XP Pro, well thats already broken
-
It's difficult to get it, but if you somehow can get a copy of Knoppicilin, that's the way to go.
-
If you can't remove that spyware, you can take drastic measures. Download the latest pattern file and the scanner from www.trendmicro.com.
It will scan for everything; it could take some time, but it will get the job done.
I remind you it's not the anti-virus application.
It's just a small application for scanning and cleaning or removing from your computer worms, viruses, spyware, malware... everything.
Make sure you download the latest pattern file.
M3rlin
-
Originally posted by gehidore
something reminded me of this... you can't delete a program that is running in winders...
Correct, however you can rename it to ensure that it (probably) won't load the next time you boot. At least, in NT kernels you can; I've never tried this under 9x.
I did this just the other day trying to remove an unwanted IE toolbar DLL (the retarded thing kept launching popups and bringing up the IE sidebar at the stupidest times, plus you couldn't really turn it off). I got the DLL's GUID from the registry's "BrowserHelperObjects" key, and then looked up that GUID under HKCR\CLSID to find the InProcServer32 filename (AKA, the DLL's actual name).
I did a "regsvr32 /u" on the file, to hopefully remove all its ActiveX registration information, then renamed it so that I could reboot to delete it. (Something had it open, and I'm not sure what.) After a reboot, I was able to delete it.
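The registry walk the post describes (BrowserHelperObjects GUID, then HKCR\CLSID\{GUID}\InprocServer32 for the DLL path), as an added read-only example that is not from the thread. It resolves every registered BHO to its DLL and reports whether the file exists, so the DLL can be identified before any regsvr32 /u or rename. The Wow6432Node key is included for 64-bit Windows; nothing is modified.

```powershell
# Added example, not from the thread. Enumerates Browser Helper Objects and
# resolves each CLSID to the DLL that IE would load. Read-only.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

$results = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $clsid  = $sub.PSChildName            # e.g. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
        $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $srvKey) {
            # The default value of InprocServer32 is the DLL path; it may be
            # quoted or contain %SystemRoot%-style variables, so normalise it.
            $dll = (Get-ItemProperty -Path $srvKey).'(default)'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
        }
        [pscustomobject]@{
            CLSID      = $clsid
            Dll        = $dll
            FileExists = $(if ($dll) { Test-Path -LiteralPath $dll } else { $false })
            Source     = $key
        }
    }
}

# A BHO whose DLL is missing, or that lives outside Program Files/System32,
# is the first thing to look at.
$results | Format-Table -AutoSize
```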
-
Originally posted by bwkaz
Correct, however you can rename it to ensure that it (probably) won't load the next time you boot. At least, in NT kernels you can; I've never tried this under 9x.
My personal experience is the opposite, at least with my least favorite .dll in the world--vfpodbc.dll. The software I support is extremely finicky about the exact version of this particular .dll. As such, I often find myself in the position of wanting to overwrite it with a different version.
On Win9x, it's pretty easy. Even if the .dll is running, I can just kill it if necessary and replace the file. On Win2000/XP, I have to boot up in safe mode to do ANYTHING to the file. It's highly deceptive, actually--in Windows Explorer it LOOKS like the file is deleted or renamed or whatever...until I hit "refresh" and it reveals that in fact that file is still there, immutable!
Isaac Kuo, ICQ 29055726 or Yahoo mechdan
-
1. You can use msconfig from Run to see what loads at startup. If you don't know what the file loading is, try a Google search. (If you are using 2000 you will need to download Startup Control from Mike Lin (Google search).)
2. Another good program for taking it out of boot is HijackThis.
3. If it is a well written piece of spyware the file won't be there when you boot up in safe mode. There will be a .dll buried somewhere that only puts the spyware file there when booted into normal mode.
4. I have had good luck with a program called SpySubtract lately. There is a free 30 day trial.
soule
Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others. - Edward Abbey
IRC #linuxn00b
Support your Distro.
Slackware Store
Archlinux Schwag
-
Originally posted by IsaacKuo
My personal experience is the opposite, at least with my least favorite .dll in the world--vfpodbc.dll.
UGGGH, FoxPro!
I don't know, it's worked for every single file I've ever tried it with. Most of the time, I do it with DLLs and EXEs that are parts of programs that I write -- I rename them to <original filename>.old, then copy new versions of all of them down from the network, then restart the program. On the next startup, the program deletes all .old files in its directory. This is my poor-man's autoupdate feature -- all I have to do is dump a new set of files onto a network share, and all clients will autoupdate the next time they start the program.
Most of our machines at work are 2K Pro -- all the ones that do autoupdates are 2K Pro, at least.
If your wonderful DLL is in \windows\system32, then the problem might easily be Windows File Protection...
-
Trust me, I deal with tons of spyware; some of the new variants like Qoologic, VX2, and the latest, Bube.d, are not simply removed by renaming files. Some CWS variants are especially nasty too. There is even one I've seen lately that makes the RPC service dependent on itself, so if you remove it, Windows will not be able to start, because in turn RPC would not be able to start, and damn near everything in Windows is dependent on RPC, nice eh. They have watchtower processes that are hidden and reinstall the file instantly on the deletion of one of the files; there can be several of these, and they all need to be killed at once. Bube.d actually changes explorer.exe; the only AV that can remove it is Kaspersky. These adware/malware/spyware companies are really getting deceptive and especially good at making an almost impossible to remove program.