Old 10-01-2008   #51 (permalink)
CD Freaks Rookie
 
Join Date: Nov 2004
Posts: 47
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by Synetech View Post
Of course; that’s what I meant by “not using”. Don’t you think if I know how to do a trace to figure out what system thread owns the open handle on the file, that I can disable cisvc?

Any other ideas, because I’m out.
I'm sure you can. But remember, us gurus sometimes overlook the simple and the obvious.
NeoTrin2000 is offline  
Old 10-01-2008   #52 (permalink)
CD Freaks Member
 
Synetech's Avatar
 
Join Date: Nov 2005
Location: Not LA or NYC :(
Posts: 217
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by NeoTrin2000 View Post
I'm sure you can. But remember, us gurus sometimes overlook the simple and the obvious.
I know, that’s why I still checked even though I was sure it was off (it was off).
__________________
--
Synetech
Synetech is offline  
Old 10-01-2008   #53 (permalink)
CD Freaks Rookie
 
Join Date: Mar 2004
Location: Montreal, Canada
Posts: 44
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Real rootkit behaviour:
http://www.symantec.com/security_res...030212-3857-99
Luckily Slysoft doesn't use that to block their own programs

Elbycdio does a FASTIO_QUERY_STANDARD_INFO as part of its design to check whether drive access is required? If you don't use the programs, remove the service. Also, CD/DVD Filters get left behind by many programs (e.g. Gear Software and others) so check your registry and remove them if the programs are no longer installed (e.g. for Windows XP):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

From the horse's (or Sheep's) mouth:
Quote:
Originally Posted by Olli View Post
AnyDVD *is* a real kernel mode driver, and not some hooker DLL invading someone's process space. ElbyCDIO.dll certainly isn't a "filter DLL", it is the Elaborate Bytes AG alternative to access CD/DVD peripherals.
profcolli is offline  
Old 10-01-2008   #54 (permalink)
CD Freaks Member
 
Synetech's Avatar
 
Join Date: Nov 2005
Location: Not LA or NYC :(
Posts: 217
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by profcolli View Post
Real rootkit behaviour:
http://www.symantec.com/security_res...030212-3857-99
Luckily Slysoft doesn't use that to block their own programs

Elbycdio does a FASTIO_QUERY_STANDARD_INFO as part of its design to check whether drive access is required? If you don't use the programs, remove the service. Also, CD/DVD Filters get left behind by many programs (e.g. Gear Software and others) so check your registry and remove them if the programs are no longer installed (e.g. for Windows XP):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

From the horse's (or Sheep's) mouth:
For the last time, nobody said it was a rootkit, just that it had some rootkit-like aspects (in fact it is general malware-like in that it uses up resources, puts things where they don’t belong, and impacts performance, no matter how little—even actual malware doesn’t necessarily impact performance to any significant degree, but when multiple ones add up…)

Simply deleting the ElbyCDIO service is sufficient to stop the behavior (> sc delete ElbyCDIO) although cleaning up orphaned filters is always useful.

I did theorize that the polling may be for some technical reason (why every 10 seconds?), but it was not present in older versions, so the question is why was it added recently? They usually keep pretty good changelogs, so why is this not indicated (or is it, but not in so many words)? Even if there is a technical reason for the polling, it still does not explain why it uses a temp file in \Windows. Plus, there should be a (novice-friendly) way to deactivate it when not required (for example when you want to play a game and you quit all non-essential background programs) since it restarts the service when you run any of those four apps anyway.
Synetech is offline  
Old 10-01-2008   #55 (permalink)
CD Freaks Rookie
 
Join Date: Mar 2004
Location: Montreal, Canada
Posts: 44
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

My link to the rootkit was ironic, because that copy-protection attempt used one to target Slysoft.

There is nothing novice-friendly about Windows (just look at UAC in Vista). Stopping system services (according to Microsoft, they are always "essential") is a lot different to unloading TSR's from the system tray (which is as far as a novice might get).

You really are making a mountain out of a molehill here - my posts were just to show this is hardly exceptional behaviour for any program which controls drive access as part of its primary function - polling every 10 seconds means nothing to a modern system. If you don't need that function - remove it. Or set the service to manual (not that a novice would know how to do that). As to the Temp file - why does that matter? Microsoft keeps (famously) the WGA log in the Temp file. Updating that on a regular basis also takes place after activation.

Most users have dozens of unnecessary services running on any Windows platform, all of which really do degrade system performance on a full-time basis. To paraphrase an old saying: a nanosecond is a long time in computing - 10 seconds is an eternity*

*Harold Wilson, British Prime Minister, when asked if he was worried about political fallout from a devaluation of the pound sterling in an election due the next year: a week is a long time in politics - next year is an eternity...
profcolli is offline  
Old 11-01-2008   #56 (permalink)
CD Freaks Member
 
Synetech's Avatar
 
Join Date: Nov 2005
Location: Not LA or NYC :(
Posts: 217
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by profcolli View Post
My link to the rootkit was ironic, because that copy-protection attempt used one to target Slysoft.

There is nothing novice-friendly about Windows (just look at UAC in Vista). Stopping system services (according to Microsoft, they are always "essential") is a lot different to unloading TSR's from the system tray (which is as far as a novice might get).
Actually, whenever I install VMWare I always have to manually set all of its (dozen) services to demand. Of course, that's not exactly a novice-level app.

Quote:
Originally Posted by profcolli View Post
You really are making a mountain out of a molehill here - my posts were just to show this is hardly exceptional behaviour for any program which controls drive access as part of its primary function - polling every 10 seconds means nothing to a modern system. If you don't need that function - remove it. Or set the service to manual (not that a novice would know how to do that). As to the Temp file - why does that matter? Microsoft keeps (famously) the WGA log in the Temp file. Updating that on a regular basis also takes place after activation.
Even so, it doesn't explain why it started only recently. Is it part of a new protection defeat?

Quote:
Originally Posted by profcolli View Post
Most users have dozens of unnecessary services running on any Windows platform, all of which really do degrade system performance on a full-time basis. To paraphrase an old saying: a nanosecond is a long time in computing - 10 seconds is an eternity*
Didn't Data say that in an episode of Next Gen?
Synetech is offline  
Old 11-01-2008   #57 (permalink)
CD Freaks Rookie
 
Join Date: Mar 2004
Location: Montreal, Canada
Posts: 44
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by Synetech View Post
Actually, whenever I install VMWare I always have to manually set all of its (dozen) services to demand. Of course, that's not exactly a novice-level app.
Precisely. Most users don't even know what you are talking about, let alone know how to do anything with services.

Quote:
Even so, it doesn't explain why it started only recently. Is it part of a new protection defeat?
Who knows if it started recently or was just elsewhere before? ElbyCDIO has undergone a lot of changes despite the apparent inactivity in CloneDVD2 (of which a major revision is coming according to a post from Slysoft over at their forum). All I care is that it does what I paid for it to do - so it is an essential service for me.

Quote:
Didn't Data say that in an episode of Next Gen?
"a nanosecond is a long time in computing - 10 seconds is an eternity"
LOL - never seen that. I made it up based on your concern over ElbyCDIO polling every ten seconds. I'm a first series fan, so Spock would have to be your reference (contemporary with the original quote as well.)

However, this is getting like Groundhog Day - let's not repeat this over and over.
profcolli is offline  
Old 11-01-2008   #58 (permalink)
CD Freaks Member
 
Synetech's Avatar
 
Join Date: Nov 2005
Location: Not LA or NYC :(
Posts: 217
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by profcolli View Post
Precisely. Most users don't even know what you are talking about, let alone know how to do anything with services.
Although a STOP SERVICE button is not complex; a lot of security apps (eg firewalls) have them.

Quote:
Originally Posted by profcolli View Post
ElbyCDIO has undergone a lot of changes despite the apparent inactivity in CloneDVD2 (of which a major revision is coming according to a post from Slysoft over at their forum).
You mean like CloneDVD3? I wonder if that will require a new license to upgrade.

Quote:
LOL - never seen that. I made it up based on your concern over ElbyCDIO polling every ten seconds. I'm a first series fan, so Spock would have to be your reference (contemporary with the original quote as well.)
Yup, I’m fairly sure it was in the movie First Contact where Picard asked him if he was tempted by the Borg Queen’s offer, and Data said yes for a nanosecond, but for him that is an eternity.
Synetech is offline  
Old 11-01-2008   #59 (permalink)
New on Forum
 
Join Date: Jan 2008
Posts: 3
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

As a complete outsider, and reading through this (pretty entertaining) thread; I went through the trouble of registering because I feel like Synetech's posts throughout, have been well thought-out, supported with a decent amount of evidence, and completely respectful in tone.

I think that the point he's trying to make: "Hey in case anyone cares, I have noticed that all the recent and updated version of INSERT_COMPANY_HERE's software is polling a file on my computer every ten seconds."

Remarkably, no one seemed to care, and in fact some seemed to get upset at him at the very possibility that what he said, was happening. No one has proven him wrong thus far...

If it is unnecessarily polling a file on your computers, does that not bug anyone else?
seabrawk is offline  
Old 11-01-2008   #60 (permalink)
Bob
I donated to the Tsunami fund and all I got was this lousy title
 
Bob's Avatar
 
Join Date: Sep 2004
Location: Looking for my zigzags ~ I come from the no place and i go to the no where
Posts: 16,073
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by seabrawk View Post
As a complete outsider, and reading through this (pretty entertaining) thread; I went through the trouble of registering because I feel like Synetech's posts throughout, have been well thought-out, supported with a decent amount of evidence, and completely respectful in tone.

I think that the point he's trying to make: "Hey in case anyone cares, I have noticed that all the recent and updated version of INSERT_COMPANY_HERE's software is polling a file on my computer every ten seconds."

Remarkably, no one seemed to care, and in fact some seemed to get upset at him at the very possibility that what he said, was happening. No one has proven him wrong thus far...

If it is unnecessarily polling a file on your computers, does that not bug anyone else?
Welcome to CDF's:

Well i've stayed out of this for awhile..........all i'm saying is if you don't like it, uninstall it. Get rid of it. Use something else. There are other apps to use.

And thanks for bringing it to our attention
__________________
"You've got a hole in your soul if you don't dig the Blues" .....My New *Build* is Finished.

Click HERE to join CDFreaks.com

Keith Richards ~ "If You Want The Last Laugh........Join The Rolling Stones"
Bob is online now  
Old 11-01-2008   #61 (permalink)
New on Forum
 
Join Date: Jan 2008
Posts: 3
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

That's fine...Should he have not brought it to anyone's attention (on this site) and simply uninstalled it? 'cuz he found a workaround and was trying to share his findings and possibly get some answers.
seabrawk is offline  
Old 11-01-2008   #62 (permalink)
Bob
I donated to the Tsunami fund and all I got was this lousy title
 
Bob's Avatar
 
Join Date: Sep 2004
Location: Looking for my zigzags ~ I come from the no place and i go to the no where
Posts: 16,073
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by seabrawk View Post
That's fine...Should he have not brought it to anyone's attention (on this site) and simply uninstalled it? 'cuz he found a workaround and was trying to share his findings and possibly get some answers.
Well this is a Slysoft forum but if it was me i would have posted it at http://forum.slysoft.com/ James doesn't come here much anymore like he used to.
Bob is online now  
Old 12-01-2008   #63 (permalink)
Moderator & Software Editor
 
alan1476's Avatar
 
Join Date: May 2005
Location: Watching you
Posts: 12,392
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by seabrawk View Post
That's fine...Should he have not brought it to anyone's attention (on this site) and simply uninstalled it? 'cuz he found a workaround and was trying to share his findings and possibly get some answers.
He can't get an answer to something that does not exist. CloneDVD2 has not been updated for months. There are thousands if not more users, do you think noone would have noticed this behavior before, please.
__________________
I do not provide technical support over E-mail or Private Message Please post your questions on the Forum
Sign up to CD Freaks
Register Here
FORUM RULES
Need some help ? Please use our search function first
Join us on the CDFreaks Folding@Home Team! Read more here
Get WinDWFlash HERE
My Computer specs are HERE
alan1476 is online now  
Old 12-01-2008   #64 (permalink)
CDFreaks Resident
 
ricoman's Avatar
 
Join Date: Aug 2004
Location: CT, USA
Posts: 998
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by Bob View Post
Well this is a Slysoft forum but if it was me i would have posted it at http://forum.slysoft.com/ James doesn't come here much anymore like he used to.
I did post this in the Slysoft forum with a link to this thread just to give them an opportunity to respond. The reception wasn't friendly. I was surprised that it upset so many people. I wasn't knocking Slysoft at all, I just wanted them to see what people were saying if they hadn't heard.
ricoman is offline  
Old 12-01-2008   #65 (permalink)
Moderator & Software Editor
 
alan1476's Avatar
 
Join Date: May 2005
Location: Watching you
Posts: 12,392
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by ricoman View Post
I did post this in the Slysoft forum with a link to this thread just to give them an opportunity to respond. The reception wasn't friendly. I was surprised that it upset so many people. I wasn't knocking Slysoft at all, I just wanted them to see what people were saying if they hadn't heard.
It probably was not friendly because it is only happening to 1 person, and I doubt that CloneCD has anything to do with it, the program has not been updated recently as the OP says and if you want to believe that this is really happening then do so, but if it was happening someone would have noticed it already, I use this program since it was released in 2002 and it never exhibited this behavior. So there you have 1 user with a problem.
alan1476 is online now  
Old 12-01-2008   #66 (permalink)
Bob
I donated to the Tsunami fund and all I got was this lousy title
 
Bob's Avatar
 
Join Date: Sep 2004
Location: Looking for my zigzags ~ I come from the no place and i go to the no where
Posts: 16,073
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by ricoman View Post
I did post this in the Slysoft forum with a link to this thread just to give them an opportunity to respond. The reception wasn't friendly. I was surprised that it upset so many people. I wasn't knocking Slysoft at all, I just wanted them to see what people were saying if they hadn't heard.
yeah i remember you mentioning that.

Upset? In what way?
Bob is online now  
Old 12-01-2008   #67 (permalink)
CD Freaks Senior Member
 
Join Date: Feb 2007
Posts: 290
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by Bob View Post
yeah i remember you mentioning that.

Upset? In what way?

Bob..Page 1 of this thread...here is the link:

http://forum.slysoft.com/showthread....8244#post78244
Roadhog32901 is offline  
Old 12-01-2008   #68 (permalink)
CD Freaks Member
 
Synetech's Avatar
 
Join Date: Nov 2005
Location: Not LA or NYC :(
Posts: 217
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Originally Posted by alan1476 View Post
He can't get an answer to something that does not exist. CloneDVD2 has not been updated for months. There are thousands if not more users, do you think noone [sic] would have noticed this behavior before, please.
Since you refuse to state whether you even tried the steps indicated to reproduce the problem (which clearly indicates that you are not any sort of scientist); open any Windows folder, click the Tools menu, then Folder Options, click the View tab, scroll down, then click Show hidden files…, and uncheck the two Hide… boxes. Now open the folder C:\Windows, and click on the Name column, then scroll down to see if there is a file that starts with S and has a TMP extension.

Then again, don’t bother.

Quote:
Originally Posted by alan1476 View Post
So there you have 1 user with a problem.
And in the dozens of other places where I post—usually to help others with problems but sometimes to ask the few advanced questions that I cannot solve myself—when someone (yes even ONE PERSON) has a problem, people do what they can to help that one person fix it, rather than freak out and call them a liar, a thief, an idiot, etc. The reception on this board is unlike any I have ever seen; it appears to be filled with a small group of 5000+ posts buddies who think they know everything and the rest of us can go to Hell.

I guess I should not have bothered registering here, and just remained a lurker (although that would have been pointless since any questions that others may ask that I find interesting would receive similarly fruitless receptions). Welcome indeed.

Quote:
Originally Posted by seabrawk View Post
As a complete outsider, and reading through this (pretty entertaining) thread; I went through the trouble of registering because I feel like Synetech's posts throughout, have been well thought-out, supported with a decent amount of evidence, and completely respectful in tone.

I think that the point he's trying to make: "Hey in case anyone cares, I have noticed that all the recent and updated version of INSERT_COMPANY_HERE's software is polling a file on my computer every ten seconds."

Remarkably, no one seemed to care, and in fact some seemed to get upset at him at the very possibility that what he said, was happening. No one has proven him wrong thus far...

If it is unnecessarily polling a file on your computers, does that not bug anyone else?
Indifference is a contagious poison; what’s one more this and one more that right? But thanks for the support; it’s nice to see that there are people out there who understand things not written in 1337.

The matter is closed anyway (the thread may as well be closed or deleted now since the responses have just been unproductive insults and accusations). You can stop it (more or less) by booting into safe mode, deleting the temp file then creating a dummy file or folder of the same name as the temp file, setting the service to manual/demand (> sc config ElbyCDIO start= demand), and making sure to stop it when not using a SlySoft app (> net stop ElbyCDIO). Granted it’s just a workaround, the Windows folder remains unnecessarily cluttered, and the file is polled (or at least attempted even if it can’t open/create the file) every ten seconds in an infinite loop for some reason, but it’s better than nothing.

There, I helped anyone else who runs into this behavior without calling anyone a stupid, evil idiot. Who would have thought it would be so easy to avoid that? (Oh, and for the record, I created a clean virtual machine to test it, and it did it in there too.)
Synetech is offline  
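The claim argued over in this thread, that something touches a temp file in C:\Windows every ten seconds, can be checked from a file-activity trace instead of by eye. The following is an added example, not code from any poster or from SlySoft; the CSV layout follows a Process Monitor-style export, and the rows, process names and the SAMPLE01.TMP file name are constructed.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed trace: column names follow a Process Monitor-style CSV export;
# every row, path and timestamp below is made up for illustration.
SAMPLE_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"10:00:00.120","System","4","IRP_MJ_CREATE","C:\Windows\SAMPLE01.TMP","SUCCESS"
"10:00:00.122","System","4","FASTIO_QUERY_STANDARD_INFO","C:\Windows\SAMPLE01.TMP","SUCCESS"
"10:00:03.000","explorer.exe","1480","IRP_MJ_CREATE","C:\Windows\win.ini","SUCCESS"
"10:00:04.500","explorer.exe","1480","IRP_MJ_CREATE","C:\Windows\win.ini","SUCCESS"
"10:00:10.131","System","4","FASTIO_QUERY_STANDARD_INFO","C:\Windows\SAMPLE01.TMP","SUCCESS"
"10:00:19.000","explorer.exe","1480","IRP_MJ_CREATE","C:\Windows\win.ini","SUCCESS"
"10:00:20.118","System","4","FASTIO_QUERY_STANDARD_INFO","C:\Windows\SAMPLE01.TMP","SUCCESS"
"10:00:21.200","explorer.exe","1480","IRP_MJ_CREATE","C:\Windows\win.ini","SUCCESS"
"10:00:30.125","System","4","FASTIO_QUERY_STANDARD_INFO","C:\Windows\SAMPLE01.TMP","SUCCESS"
"10:00:40.122","System","4","FASTIO_QUERY_STANDARD_INFO","C:\Windows\SAMPLE01.TMP","SUCCESS"
"10:00:47.000","explorer.exe","1480","IRP_MJ_CREATE","C:\Windows\win.ini","SUCCESS"
"10:00:48.900","explorer.exe","1480","IRP_MJ_CREATE","C:\Windows\win.ini","SUCCESS"
"10:00:50.129","System","4","FASTIO_QUERY_STANDARD_INFO","C:\Windows\SAMPLE01.TMP","SUCCESS"
'''


def load_events(text):
    """Group access times (seconds since midnight) by (process, lower-cased path)."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        t = datetime.strptime(row["Time of Day"], "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        events[(row["Process Name"], row["Path"].lower())].append(secs)
    return events


def collapse_bursts(times, window=0.5):
    """One poll usually shows up as several operations milliseconds apart
    (open, query, close); keep only the first timestamp of each burst."""
    polls = []
    for t in sorted(times):
        if not polls or t - polls[-1] > window:
            polls.append(t)
    return polls


def find_periodic(events, min_polls=5, tolerance=0.5, match_ratio=0.8):
    """Flag paths whose accesses recur at a near-constant interval.

    A path is flagged when at least `match_ratio` of the gaps between polls
    lie within `tolerance` seconds of the median gap, so one dropped or
    delayed sample in the trace does not hide a timer.
    """
    findings = []
    for (process, path), times in events.items():
        polls = collapse_bursts(times)
        if len(polls) < min_polls:
            continue
        gaps = [b - a for a, b in zip(polls, polls[1:])]
        period = statistics.median(gaps)
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if regular / len(gaps) >= match_ratio:
            findings.append({"process": process, "path": path,
                             "period_s": round(period, 2), "polls": len(polls)})
    return sorted(findings, key=lambda f: f["period_s"])


if __name__ == "__main__":
    for hit in find_periodic(load_events(SAMPLE_TRACE)):
        print(f'{hit["process"]} touches {hit["path"]} every '
              f'~{hit["period_s"]} s ({hit["polls"]} polls seen)')
```

Run against a real export, a fixed-interval hit attributed to a process or to System is the starting point for the handle and thread tracing mentioned earlier in the thread; irregular user-driven access, like the explorer.exe rows here, is not flagged.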
Old 13-01-2008   #69 (permalink)
Moderator & Software Editor
 
alan1476's Avatar
 
Join Date: May 2005
Location: Watching you
Posts: 12,392
Re: ! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Quote:
Posted by Synetech
The matter is closed anyway (the thread may as well be closed
Your wish is my command.
alan1476 is online now  