Help with Windows, please no flames!


  1. #1
    Join Date
    Jan 2004
    Posts
    299

    Help with Windows, please no flames!

    I have to use Windows with Virtual PC so I can run SQL Server 2000 for my databases class, and now the darn thing has some sort of spyware which is slowing it down. I know where the culprit is, but I can't get to the folder.

    It's

    c:\windows\system32\elitpaa32.exe

    and that is not the folder WINDOWS on C:. So does anyone know where I can find this mysterious folder, because the darn thing is resistant to Spybot, and I don't know what else to do.

    Thanks

    PS: regedit is too slow.

  2. #2
    Join Date
    Mar 2004
    Location
    Gatineau Quebec
    Posts
    823
    Format C:
    end of story.
    Linux user #367409

  3. #3
    Join Date
    Jul 2002
    Location
    near the pine trees
    Posts
    2,468
    Reboot into the Recovery Console and delete it, or boot a Linux live CD and delete it (otherwise, find the real location).
    windows get broken, penguins don't get sucked into jet engines --gehidore
    Community help posting guidelines.
    || DSL || Kanotix || FreeBSD
    || dillo || JL FAH team ||

  4. #4
    Join Date
    Sep 2001
    Location
    Portugal
    Posts
    711
    Maybe the spyware created that folder to try to confuse the user. No Windows user would ever, ever delete the Windows folder.
    Maybe you should try something other than Spybot? In Windows I use Ad-Aware.
    Check that the Windows folder isn't hidden.
    M3rlin

  5. #5
    Join Date
    Jul 2002
    Location
    near the pine trees
    Posts
    2,468
    Something reminded me of this... you can't delete a program that is running in winders... so when you're booting, hit F8 a few times when the first loading screen shows for Windows, boot to Safe Mode, then run Spybot and Ad-Aware.
    windows get broken, penguins don't get sucked into jet engines --gehidore
    Community help posting guidelines.
    || DSL || Kanotix || FreeBSD
    || dillo || JL FAH team ||

  6. #6
    Join Date
    Jan 2003
    Location
    Denver, Colorado
    Posts
    1,488
    I also use Ad-Aware with good success.
    You can look in Task Manager > Processes for a running process by that name and stop it, then try to find the file and delete it.

    Booting a live Linux CD and removing the file that way would probably be the best.

    To keep from getting more spyware, make sure to run Firefox instead of IE!

    A great live CD for what you need is mutagenix, it's 128 megs and just boots the CLI for quick and dirty file work.
    Slackware current (Dell Latitude D610)
    CentOS 5.2 (Servers)
    Registered Linux User # 375030

  7. #7
    Join Date
    Jan 2004
    Location
    Dallas, Texas
    Posts
    648
    I always found time stamps to be the best way to locate spyware. If c:\windows\system32\elitpaa32.exe is really part of the spyware program, search for everything created at the time elitpaa32.exe was created. Then boot to Safe Mode and rename all of it, just in case it happened to be a system file that you were wrong about.
    Desktop: Slackware 12, linux-2.6.23, GNOME;
    Firewall: OpenBSD
    Cube anyone?
    Deliantra: an amazing mmo, realtime nethack.
    Don't make the same mistakes I did as a new user: Read the Posting Guidelines or face being banned!
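    The timestamp hunt described in that post, written out as an added example (this is not code from the thread or from any tool mentioned in it). It takes the suspect file's NTFS creation time, lists every file in the same directory created within a window of it, shows whether each one carries an Authenticode signature, and with -Rename renames the cluster to *.bad instead of deleting it, so a wrong guess about a system file is reversible. The path, the 5-minute window and the .bad suffix are assumptions; one caveat is built in: a dropper can set its own file times (SetFileTime), so an empty cluster proves nothing.

```powershell
# Added example, not from the original thread.
# Cluster files in a directory by NTFS creation time around a suspect file, show the
# Authenticode signature status of each, and optionally rename the cluster to *.bad.
# Assumptions: -Suspect defaults to the path from the thread; 5-minute window; .bad suffix.
# Run from an elevated PowerShell prompt; add -WhatIf to preview the renames.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Suspect = 'C:\Windows\System32\elitpaa32.exe',
    [int]$WindowMinutes = 5,
    [switch]$Rename
)

$target = Get-Item -LiteralPath $Suspect -Force -ErrorAction Stop
$t0 = $target.CreationTimeUtc

# -Force includes hidden and system files, attributes droppers like to set on themselves.
# Creation time is kept separately from last-write time on NTFS, so a dropper that copies
# several files in at once leaves a tight cluster of creation times.
$cluster = Get-ChildItem -LiteralPath $target.DirectoryName -File -Force |
    Where-Object { [math]::Abs(($_.CreationTimeUtc - $t0).TotalMinutes) -le $WindowMinutes } |
    Sort-Object CreationTimeUtc

# A genuine OS binary in System32 normally carries a valid Microsoft signature; an unsigned
# EXE or DLL that appeared in the same minute as the suspect is a candidate, not a system file.
# Caveat: file times are writable by the malware itself, so absence from the cluster is not proof.
$cluster |
    Select-Object Name, Length, CreationTimeUtc, LastWriteTimeUtc,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } } |
    Format-Table -AutoSize

if ($Rename) {
    foreach ($f in $cluster) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Rename to .bad')) {
            # On NT kernels a loaded image usually cannot be deleted but can be renamed,
            # which is enough to keep it from loading at the next boot. Delete the .bad files later.
            Rename-Item -LiteralPath $f.FullName -NewName ($f.Name + '.bad')
        }
    }
}
```

    Run it first without -Rename to read the table; Windows File Protection (mentioned later in the thread) may put a renamed system file back, which is one more reason to rename rather than delete.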

  8. #8
    Join Date
    Aug 2003
    Location
    Chicago, IL
    Posts
    702
    You might want to use Killbox to remove the file: http://www.bleepingcomputer.com/files/killbox.php

    I would also suggest posting a HijackThis log at a spyware forum so an expert could take a look at it. I am a moderator at CastleCops, they have plenty of knowledgeable staff.
    I haven't cried like this since I paid for Godfather III --Fat Tony

    Currently breaking:
    Gentoo Stage 1 w/gentoo-dev-2.6.14-r2 kernel
    FreeBSD 6.0
    XP Pro, well thats already broken

  9. #9
    Join Date
    Jan 2003
    Location
    Zurich, Switzerland
    Posts
    2,658
    It's difficult to get it, but if you somehow can get a copy of Knoppicilin, that's the way to go.

    "What can be said at all can be said clearly, and what we cannot talk about we must pass over in silence."

    Tractatus Logico-Philosophicus by Ludwig Wittgenstein (1889-1951)

  10. #10
    Join Date
    Sep 2001
    Location
    Portugal
    Posts
    711
    If you can't remove that spyware, you can take drastic measures: download the latest pattern file and the scanner at www.trendmicro.com.

    It will scan for everything; it could take some time, but it will get the job done.
    I remind you it's not the anti-virus application.
    It's just a small application, just for scanning and cleaning or removing the worms, viruses, spyware, malware... everything on your computer.

    Make sure you download the latest pattern file.
    M3rlin

  11. #11
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,947
    Originally posted by gehidore
    something reminded me of this... you can't delete a program that is running in winders...
    Correct; however, you can rename it to ensure that it (probably) won't load the next time you boot. At least, in NT kernels you can; I've never tried this under 9x.

    I did this just the other day trying to remove an unwanted IE toolbar DLL (the retarded thing kept launching popups and bringing up the IE sidebar at the stupidest times, plus you couldn't really turn it off). I got the DLL's GUID from the registry's "BrowserHelperObjects" key, and then looked up that GUID under HKCR\CLSID to find the InProcServer32 filename (AKA, the DLL's actual name).

    I did a "regsvr32 /u" on the file, to hopefully remove all its ActiveX registration information, then renamed it so that I could reboot to delete it. (Something had it open, and I'm not sure what.) After a reboot, I was able to delete it.
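    The registry walk in that post (BHO key, then CLSID, then InprocServer32, then regsvr32 /u and a rename) as an added example; it is not the poster's script or any tool from the thread. It lists every registered Browser Helper Object with the DLL it loads and its signature status, and for one CLSID passed as -RemoveClsid it unregisters the DLL, deletes the BHO entry and renames the file. The parameter name, the brace form of the GUID and the .bad suffix are assumptions. One caveat the post does not raise: regsvr32 /u runs the DLL's own DllUnregisterServer, which is code you are trying to get rid of, so for a DLL you believe is hostile skip that step and remove the registry keys by hand instead.

```powershell
# Added example, not from the original thread.
# Resolve each Browser Helper Object to its DLL (BHO key -> CLSID -> InprocServer32), then for one
# chosen CLSID: unregister, remove the BHO registration, and rename the DLL so it is not loaded at
# next boot. Assumption: -RemoveClsid is given in braces, e.g. '{00000000-0000-0000-0000-000000000000}'.
# Run elevated with Internet Explorer closed; -WhatIf previews the removal.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$RemoveClsid,
    [switch]$SkipRegsvr32   # do not execute the DLL's DllUnregisterServer (safer for hostile DLLs)
)

$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Resolve-BhoDll {
    param([string]$Clsid)
    # 32-bit BHOs on 64-bit Windows register under the Wow6432Node view of HKCR, so try both.
    foreach ($p in "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32",
                   "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid\InprocServer32") {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($v -and $v.'(default)') {
            # The default value is the DLL path; it may contain %SystemRoot% style variables.
            return [Environment]::ExpandEnvironmentVariables($v.'(default)')
        }
    }
    return $null
}

function Get-Bho {
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $dll   = Resolve-BhoDll $clsid
        $sig   = if ($dll -and (Test-Path -LiteralPath $dll)) {
                     (Get-AuthenticodeSignature -FilePath $dll).Status
                 } else { 'FileMissing' }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Signature = $sig }
    }
}

Get-Bho | Format-Table -AutoSize

if ($RemoveClsid) {
    $dll = Resolve-BhoDll $RemoveClsid
    if (-not $dll) { throw "No InprocServer32 value found for $RemoveClsid" }
    if ($PSCmdlet.ShouldProcess($dll, "Remove BHO $RemoveClsid and rename DLL")) {
        if (-not $SkipRegsvr32) {
            # This executes the DLL's DllUnregisterServer inside regsvr32.exe.
            & regsvr32.exe /u /s $dll
        }
        # Removing the BHO subkey is what actually stops IE from loading it; the CLSID key
        # under HKCR can be removed the same way once the DLL is confirmed hostile.
        Remove-Item -Path (Join-Path $bhoKey $RemoveClsid) -Recurse -ErrorAction SilentlyContinue
        # A DLL mapped into a running process cannot be deleted, but on NT it can usually be
        # renamed; delete the .bad file after a reboot.
        Rename-Item -LiteralPath $dll -NewName ((Split-Path -Path $dll -Leaf) + '.bad')
    }
}
```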

  12. #12
    Join Date
    Oct 2002
    Location
    Baton Rouge, Louisiana, USA
    Posts
    799
    Originally posted by bwkaz
    Correct, however you can rename it to ensure that it (probably) won't load the next time you boot. At least, in NT kernels you can; I've never tried this under 9x.
    My personal experience is the opposite, at least with my least favorite .dll in the world--vfpodbc.dll. The software I support is extremely finicky about the exact version of this particular .dll. As such, I often find myself in the position of wanting to overwrite it with a different version.

    On Win9x, it's pretty easy. Even if the .dll is running, I can just kill it if necessary and replace the file. On Win2000/XP, I have to boot up in safe mode to do ANYTHING to the file. It's highly deceptive, actually--in Windows Explorer it LOOKS like the file is deleted or renamed or whatever...until I hit "refresh" and it reveals that in fact that file is still there, immutable!
    Isaac Kuo, ICQ 29055726 or Yahoo mechdan

  13. #13
    Join Date
    Sep 2004
    Location
    /home/
    Posts
    1,204
    1. You can use msconfig from Run to see what loads at startup. If you don't know what the file loading is, try a Google search. (If you are using 2000 you will need to download Startup Control from Mike Lin (Google search).)

    2. Another good program for taking it out of boot is HijackThis.

    3. If it is a well-written piece of spyware, the file won't be there when you boot up in Safe Mode. There will be a .dll buried somewhere that only puts the spyware file there when booted into normal mode.

    4. I have had good luck with a program called SpySubtract lately. There is a free 30-day trial.


    soule
    Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others. - Edward Abbey

    IRC #linuxn00b

    Support your Distro.
    Slackware Store
    Archlinux Schwag

  14. #14
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,947
    Originally posted by IsaacKuo
    My personal experience is the opposite, at least with my least favorite .dll in the world--vfpodbc.dll.
    UGGGH, FoxPro!

    I don't know, it's worked for every single file I've ever tried it with. Most of the time, I do it with DLLs and EXEs that are parts of programs that I write -- I rename them to <original filename>.old, then copy new versions of all of them down from the network, then restart the program. On the next startup, the program deletes all .old files in its directory. This is my poor-man's autoupdate feature -- all I have to do is dump a new set of files onto a network share, and all clients will autoupdate the next time they start the program.

    Most of our machines at work are 2K Pro -- all the ones that do autoupdates are 2K Pro, at least.

    If your wonderful DLL is in \windows\system32, then the problem might easily be Windows File Protection...

  15. #15
    Join Date
    Aug 2003
    Location
    Chicago, IL
    Posts
    702
    Trust me, I deal with tons of spyware; some of the new variants like Qoologic, VX2, and the latest, Bube.d, are not simply removed by renaming files. Some CWS variants are especially nasty too. There is even one I've seen lately that makes the RPC service dependent on itself, so if you remove it, Windows will not be able to start, because in turn RPC would not be able to start, and damn near everything in Windows is dependent on RPC. Nice, eh?

    They have watchtower processes that are hidden and reinstall the file instantly on the deletion of one of the files; there can be several of these, and they all need to be killed at once. Bube.d actually changes explorer.exe; the only AV that can remove it is Kaspersky. These adware/malware/spyware companies are really getting deceptive and especially good at making an almost impossible-to-remove program.
    I haven't cried like this since I paid for Godfather III --Fat Tony

    Currently breaking:
    Gentoo Stage 1 w/gentoo-dev-2.6.14-r2 kernel
    FreeBSD 6.0
    XP Pro, well thats already broken
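    Two checks for the points raised in posts #13 and #15, as an added example that is not code from the thread: the first dumps the autostart locations msconfig shows (the Run/RunOnce keys and the Winlogon Shell/Userinit values) so the entry that re-drops the file can be found; the second reads what the RPC service depends on, because a service that RpcSs has been made to depend on cannot simply be removed without breaking boot, so the dependency has to be edited out first. The assumption that only DcomLaunch and RpcEptMapper are legitimate RpcSs dependencies holds for Vista and later; on XP the list was empty, so the -Fix switch only strips entries that are not in that known list and leaves the rest alone.

```powershell
# Added example, not from the original thread.
# (1) List common autostart entries; (2) report services RpcSs has been made to depend on,
# and with -Fix remove the unexpected ones from DependOnService so the rogue service can be
# disabled and its file removed after a reboot. Assumption: DcomLaunch and RpcEptMapper are
# the only legitimate RpcSs dependencies. Run elevated; -WhatIf previews the registry change.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs'
$knownRpcDeps = @('DcomLaunch', 'RpcEptMapper')

function Get-AutostartEntry {
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping members; skip those.
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            [pscustomobject]@{ Location = $k; Name = $_.Name; Command = $_.Value }
        }
    }
    # Winlogon values are a favourite hiding place: the defaults are 'explorer.exe' and
    # 'C:\Windows\system32\userinit.exe,'; anything appended after them also runs at logon.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($n in 'Shell', 'Userinit') {
        [pscustomobject]@{ Location = 'Winlogon'; Name = $n; Command = $wl.$n }
    }
}

function Get-UnexpectedRpcDependency {
    $rpc = Get-ItemProperty -Path $rpcKey -ErrorAction Stop
    # DependOnService is REG_MULTI_SZ; on a clean XP box it is absent, so filter out $null.
    foreach ($dep in @($rpc.DependOnService | Where-Object { $_ })) {
        if ($knownRpcDeps -contains $dep) { continue }
        $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$dep" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Dependency = $dep; ImagePath = $svc.ImagePath; Start = $svc.Start }
    }
}

Get-AutostartEntry | Format-Table -AutoSize

$rogue = @(Get-UnexpectedRpcDependency)
if (-not $rogue) {
    'RpcSs has no unexpected dependencies.'
} else {
    $rogue | Format-Table -AutoSize
    if ($Fix -and $PSCmdlet.ShouldProcess($rpcKey, 'Strip unexpected entries from DependOnService')) {
        # Keep only the known-good entries that were already there; do not add any.
        $current = @((Get-ItemProperty -Path $rpcKey).DependOnService | Where-Object { $_ })
        $keep = [string[]]@($current | Where-Object { $knownRpcDeps -contains $_ })
        Set-ItemProperty -Path $rpcKey -Name DependOnService -Value $keep -Type MultiString
        # Then set the rogue service's Start to 4 (disabled), reboot, and remove its ImagePath file.
        foreach ($r in $rogue) {
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($r.Dependency)" -Name Start -Value 4
        }
    }
}
```

    Order matters here: edit the dependency first, disable the service second, and only delete the file after a reboot; deleting the file first is exactly what leaves RPC, and therefore Windows, unable to start.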
