-
OK, this is another question of mine that isn't about VB, but everyone here knows everything anyway. I have a password stealer on my computer; the password stealer itself is named uninstallms.exe, and it's in Windows. Whenever I try to delete this file it just comes right back. I think there is an MS-DOS program running that keeps me from editing the file and restores it when it's deleted. I have disabled the file, so the pws is no problem now, but it's still on my comp and this DOS program is still running and I have no clue which file it is. It doesn't tell me which DOS program is running when I press alt+ctrl+del. Also, I think it uses the registry to load itself when Windows starts, but I don't know where it would be in the registry. Thanks in advance for the help.
-
I have experienced something similar, although possibly not identical.
There are two things you can try.
1. Start your machine with Windows running in safe mode. This will hopefully disable whatever is causing the file to stay. Now try deleting it.
2. Start your machine in MS-DOS safe mode and try erasing it at the command line. This will require some knowledge of basic DOS commands.
Hope this helps.
SC.
-
Thanks for your time, but I tried both of those. Whatever file is running in DOS keeps replacing the file if I delete it; I don't know what the deal is. If I figure out where it would be in the registry I could stop the DOS file from running when Windows starts. Anyone know this or have any other suggestions?
-
I would think that if it's a DOS app doing it then it may be running as a TSR loaded at startup. The first thing I would look at would be your bootup files. Start Menu - Run - sysedit. Take a close look at autoexec.bat, config.sys and the "load" and "run" entries in win.ini. Next thing would be to look at the following keys in the registry under HKCU, HKLM and HKU\DEFAULT. You might not have all of them and (if it's in the registry) it's probably under number 1 or 4 since the others only execute on the next boot.
1. \SoftWare\Microsoft\Windows\CurrentVersion\Run
2. \SoftWare\Microsoft\Windows\CurrentVersion\RunOnce
3. \SoftWare\Microsoft\Windows\CurrentVersion\RunOnceEx
4. \SoftWare\Microsoft\Windows\CurrentVersion\RunServices
5. \SoftWare\Microsoft\Windows\CurrentVersion\RunServicesOnce
6. \SoftWare\Microsoft\Windows\CurrentVersion\RunServicesOnceEx (May not exist?)
As a last resort, you could write your own QB app (or get someone else to) that will delete and then open the won't-stay-deleted file for LOCKED-UNSHARED access. You may get an error popup from the offender (when it tries to access the app) that will tell you where it is.
Hope this helps!
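The startup locations named in the last reply can be reviewed in one pass. The following is an added example, not code from any poster in this thread: it assumes the registry has been exported to a REGEDIT4 text file with regedit and that win.ini is readable as text. The function names and the sample entries are made up for illustration.

```python
import re

# Key names listed in the reply above, under ...\CurrentVersion\ (case-insensitive).
RUN_KEYS = {"run", "runonce", "runonceex", "runservices",
            "runservicesonce", "runservicesonceex"}
PREFIX = "\\software\\microsoft\\windows\\currentversion\\"

def reg_autostarts(reg_text):
    """Return (key, value name, command) for autostart values (RunOnceEx subkeys too)."""
    found, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            _, sep, tail = path.lower().partition(PREFIX)
            key = path if sep and tail.split("\\")[0] in RUN_KEYS else None
        elif key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string values only; .reg files escape \ and " with a backslash
                name, cmd = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                found.append((key, name, cmd))
    return found

def winini_autostarts(ini_text):
    """Return ('win.ini', 'load' or 'run', program) from the [windows] section."""
    found, section = [], None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "windows" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() in ("load", "run"):
                found += [("win.ini", name.strip().lower(), p)
                          for p in re.split(r"[ ,]+", value.strip()) if p]
    return found

# Constructed sample input; example.exe, loader.exe and example2.exe are made-up names.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\WINDOWS\\example.exe /s"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Loader"="C:\\WINDOWS\\SYSTEM\\loader.exe"
'''
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\example2.exe\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    print(*reg_autostarts(SAMPLE_REG) + winini_autostarts(SAMPLE_INI), sep="\n")
```

Any listed command that is not recognised is a candidate for the program that keeps restoring the deleted file.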