Urgent help needed

Xade

Irrelevant Insight
Right, think I've been infected by some bitch after some false installer started running its own 'DDE SERVER' or something.

It can't be deleted in normal or safe mode, as apparently it's running, although it appears nowhere within the task manager etc etc.

Any way to delete and stop this thing outright? It's running from the file I double clicked (foolishly).

Help!!!!!!!!
 
Xade

Irrelevant Insight
Argh christ this thing is impossible to find. I need some damned help here please, people!!
 

Gorxon

New member
Administrator
Run -> "msconfig"

Check startup processes to see if something fishy has put itself there. Also what trotter said.
 
Xade

Irrelevant Insight
No and no - it's totally invisible. But I still can't delete the exe it originated from because it is 'in use'.

If I create a bootdisk to MS-DOS and delete it from dos will that work?
 

Gorxon

New member
Administrator
Probably, but I hope you got FAT32 then and not NTFS... or perhaps you get DOS bootdisks with NTFS support now? A Linux live CD could take care of it perhaps, but I don't think you can mount with write support using those? Really weird that it doesn't display in task manager and is not a service... never seen that before. Also, I assume you have run Spybot and Ad-aware plus virus scan? ;)

Good luck
 
Xade

Irrelevant Insight
Ran them all. Extremely bizarre indeed. Anyway, I'm on NTFS format-wise, so yeah I'm also curious as to whether the boot disk will allow NTFS DOS access.

If not... well I don't know how I'll get rid of it. I haven't got any spare disks at the moment, either...

Service called "Server" in the services.msc list that will apparently stop 'Computer Browser' if I close it. Interesting, although the description quotes file and printer sharing. Would it be too risky to stop the service?
 

Gorxon

New member
Administrator
Well, the "Server" service is a normal Windows service and is running on my computer too. I am not sure, but from the description it seems like it handles all network requests. How do you know that you are infected if you can't find it, by the way?
 
Xade

Irrelevant Insight
For the key reason that the first time I quit windows afterwards it needed to terminate an unknown DDE Server, and that now that installer cannot be deleted - it is constantly in use, which is very suspicious.

Essentially I just want the dodgy file deleted, but with NTFS formatting this could be tricky. Any ideas?
 

Nighty0

Gentoo n00b
Start in safe command line mode and delete the file manually (or rename it to "something.bak")...

You can make a boot disk with NTFS support. You can use the Windows 2k/XP/2003 CD and boot (but don't restore your system), choose the command line option (I don't remember the right steps now) and control your system via the command line (you will need your admin password)...

I don't care much about this because I have some rescue disks prepared by me with some bootable utils, and one disk with WinPE and some utils too...
 
Xade

Irrelevant Insight
I see.

Is a boot disk the only way to access the prompt alone in xp? 98 was so much easier back in the day... :(
 

Nighty0

Gentoo n00b
Xade said:
I see.

Is a boot disk the only way to access the prompt alone in xp? 98 was so much easier back in the day... :(

Press F8 in initialization and you can choose commandline + safe mode in XP

Don't agree. I have fewer problems with XP than 98...
The only thing now I have is boot CDs instead of boot disks...
 

sheik124

Emutalk Member
Or you can make a Knoppix boot disc. I always keep one handy in case the need ever arises, it's chock-full of junk you can use, and I am pretty sure they have a "Modded" compilation of Knoppix that supports writing to NTFS partitions. That is the sure-fire way I know of to eliminate the file.
 

Nighty0

Gentoo n00b
sheik124 said:
Or you can make a Knoppix boot disc. I always keep one handy in case the need ever arises, it's chock-full of junk you can use, and I am pretty sure they have a "Modded" compilation of Knoppix that supports writing to NTFS partitions. That is the sure-fire way I know of to eliminate the file.


I have a Kurumin Knoppix rescue CD...
It's a great tool... I can access the internet and download the right patches...
 

rcgamer

the old guy
If these suggestions don't work, and if you have Spybot Search and Destroy, you can use the secure shredder to delete the file. You can also try cutting and pasting the file to a floppy disk in safe mode. Oh yeah, also turn off the internet connection before you try to delete it.
 
Xade

Irrelevant Insight
Well, the big bad fuck was deleted in the safe command prompt. Unfortunately I really think that there's something still lurking... the file I opened was 32MB, although maybe that was for authenticity. (It was an installer for a backup of my PDark cartridge).

In any case, I've got all vulnerable DDE server ports shut, and I've got a firewall on... but I still don't like the idea of some stealth server sitting on my computer collecting data, even if it can't connect to the net...

Anyway, thanks for all your help in at least getting the thing deleted guys. I know I sound like a moron but, y'know...

*soooo long since I've meddled with dos prompts...*

(any excuse :p ) Bed calls. Night.
 
