elitepya32.exe (sic)

Discussion in 'Malware Help (A Specialist Will Reply)' started by rubbernub, May 2, 2005.

  1. rubbernub

    rubbernub Private E-2

    Background: bought laptop from shady ebay auction. WinXP sp1, preloaded with trojans and malware galore. Got rid of everything, except a pesky iexplore.exe popup (searchmiracle, revenue.net) at random intervals, even when IE was closed.

    Wasn't recognized by: Spybot S&D, Ad-aware, Microsoft anti; AVG, Norton, Trend, A^2 antivirus, Google searches to majorgeeks.

    Workaround: rebooted in Safe mode, renamed "c:\program files\internet explorer\" to "c:\program files\foo\" and booted normally. A second after explorer loaded:

    "The application, C:\windows\system32\elitepya32.exe, generated an application error. The error occurred on (snip). The exception generated was c0000005 at address 00401B79 (elitepya32)"

    And no popups since. I've seen this file on other people's unresolved hijack logs, so maybe you heard it here first.

    RE:
    http://www.thetechguide.com/forum/index.php?showtopic=16355
    http://forums.maddoktor2.com/index.php?showtopic=3969
     
  2. rubbernub

    rubbernub Private E-2

    One more thing: the file is invisible in Windows explorer, cmd.exe, taskmgr, and regedit text search. Renaming IE was the only thing that revealed its existence.
     
  3. rubbernub

    rubbernub Private E-2

    To further clarify: I'm not looking for tech support, just giving a heads up that this thing: 1) causes popups, 2) isn't recognized by spyware/virus defs, 3) crashes after you rename IE in Safe mode.
     
  4. rubbernub

    rubbernub Private E-2

    One other thing: crashing it releases about 20M of ram, and stops a trickle of upstream packets to points unknown.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have fixed at least 50 of these here on MG's. The files are far from unknown and are easily found in the registry and by using HijackThis to see them run at Startup. They are easily removed from the c:\windows\system32 folder after fixing the registry entry and then booting into safe mode and deleting them. Typically there are from 1 to 10 of these similarly named files.

    None of the logs with these files in them have gone unresolved on MGs.

    Disabling IE is not the correct approach. What are you going to do when you need IE (like to download your Windows Updates for one example)?
     
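The procedure chaslang describes (find the Run entry in the registry, fix it, then delete the file from safe mode) starts with knowing what is registered to start. The following is an added example, not code from the thread or from HijackThis: a PowerShell script that enumerates the standard Run/RunOnce keys for the machine and the current user, resolves each command line to a file path, and reports whether the file is present and whether it carries a valid Authenticode signature. The function name `Get-AutostartReport` and the helper `Resolve-RunCommandPath` are assumptions made for this example; the registry paths and cmdlets are standard.

```powershell
# Added example (not part of the original thread): list autostart Run entries
# and flag missing or unsigned target files. Function names are hypothetical.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-RunCommandPath {
    param([string]$Command)
    # Take the executable portion of a Run value: a quoted path, or the text
    # up to and including the first ".exe" for an unquoted command line.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $idx = $cmd.ToLower().IndexOf('.exe')
    if ($idx -ge 0) { return $cmd.Substring(0, $idx + 4) }
    return $cmd
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            $raw  = Resolve-RunCommandPath ([string]$p.Value)
            $path = [Environment]::ExpandEnvironmentVariables($raw)
            if (-not (Test-Path -LiteralPath $path)) {
                $status = 'FILE MISSING'
            } else {
                # Valid = signed by a trusted publisher; NotSigned/HashMismatch
                # are the entries worth a closer look.
                $status = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            [PSCustomObject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $p.Value
                Path      = $path
                Signature = $status
            }
        }
    }
}

# Usage: show everything, then just the unsigned entries living under system32.
Get-AutostartReport | Format-Table -AutoSize
Get-AutostartReport |
    Where-Object { $_.Signature -ne 'Valid' -and $_.Path -like "$env:SystemRoot\system32\*" } |
    Format-Table Name, Path, Signature -AutoSize
```

The registry value is visible even when the file itself has been hidden from Explorer, cmd.exe and Task Manager, which is why the thread's advice starts from the registry rather than from a directory listing. An unsigned entry pointing into system32 is not proof of anything on its own (older or third-party software is often unsigned), but it narrows the list to what needs checking, and removing the Run value before deleting the file from safe mode follows the order chaslang gives above.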
