WizYo Blog ! WizYo Sytes Net Tech Support
What a great place to share :) Here you will find flashes of brilliance caught for all the world to enjoy. .. Actually, these are brief articles describing how I fixed a problem. Every day, I find information online that helps me solve a mystery. So this is me giving back to the community. Thanks for stopping by.. and don't forget to tell your friends!

Hidden and in-your-face adware

Two bad-bads to watch out for:

c:\windows\system32\elitefbh32.exe
c:\windows\svchost.exe

The first one was detected with Hijack This! but the silly thing hides itself from the operating system. Very clever, but a royal pain in the caboose. I was able to see a few of its little buddy files, but not the main one. And of course, when I removed the startup shortcut, it mysteriously reappeared in a few seconds. After much anger, I booted into recovery console and discovered several screenfuls of its buddy-files as well as the main monster, elitefbh32.exe. Delete worked just fine on the one file, but informed me that recovery console delete doesn't support wildcards (WTF?!). I went ahead and removed a few elite folders from the Windows directory and rebooted.

Now it was no problem to remove the 30-something elite*.exe files under Win/Sys32 as well as its buddy folders under Windows itself. HiJack This had no problem removing the startup entry, and this time, it stayed gone.

The second creepy issue was resolved by using Process Kill to kill off the svchost process and then deleting the Svchost.exe file from the Windows directory. Be careful and be quick. After killing this process, the system will shut down in 59 seconds. I recommend either doing it from a CMD prompt (like I did) or using a batch file.

This one was hard to spot because it shows up exactly the same in Task Manager as the real version of Svchost. Did I mention SpyBot detected 384 items? It did!
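The image name is the same, so the full path is what separates the two: the genuine svchost.exe lives in the System32 directory, while the copy described above sat in c:\windows. The following is an added example, not code from the original post; it checks a process listing for that mismatch, and the CSV layout, PIDs and function name are constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample process listing: pid, image name, full image path.
# A blank path stands for a process whose image path could not be read.
SAMPLE = """pid,name,path
812,svchost.exe,C:\\WINDOWS\\system32\\svchost.exe
1044,svchost.exe,C:\\WINDOWS\\System32\\svchost.exe
1760,svchost.exe,C:\\WINDOWS\\svchost.exe
1912,SVCHOST.EXE,
2020,explorer.exe,C:\\WINDOWS\\explorer.exe
"""


def find_masquerading(listing, system_root=r"C:\WINDOWS", name="svchost.exe"):
    """Return (pid, reason, path) for each process called `name` that does
    not run from <system_root>\\system32 (hypothetical helper)."""
    expected_dir = PureWindowsPath(system_root) / "system32"
    findings = []
    for row in csv.DictReader(io.StringIO(listing)):
        # Windows image names are case-insensitive.
        if row["name"].strip().lower() != name.lower():
            continue
        pid = int(row["pid"])
        path = row["path"].strip()
        if not path:
            # No path to compare: report it for manual review rather
            # than silently treating it as clean.
            findings.append((pid, "path unavailable", ""))
        elif PureWindowsPath(path).parent != expected_dir:
            # PureWindowsPath compares case-insensitively, so
            # "System32" and "system32" are the same directory.
            findings.append((pid, "unexpected location", path))
    return findings


if __name__ == "__main__":
    for pid, reason, path in find_masquerading(SAMPLE):
        print(f"PID {pid}: {reason} {path}".rstrip())
```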

Good luck out there!

 

 

( Windows XP Pro WinXP spyware eliteezw32.exe )

Thursday, May 12, 2005

