[gt93grad]

There's a DLL in my \windows\system32 directory (XP) called msephh.dll, and it contains the Backdoor-CFB virus. Very annoying. McAfee prompts me to delete or quarantine the file, but I get an Access Denied. I went to DOS to try to delete it, but I still get an access denied. I can't delete it in Explorer either. The weirdest thing: I reboot and load Safe mode. The DLL isn't there in Safe Mode!!! Someone on here mentioned Shift-Delete, but that doesn't work either. I even tried a System Restore (turning it off) option that I found at microsoft.com, but I still couldn't do it. How can I FORCE this file to be deleted?

[Sampson]

First, bring up a Dos Prompt within windows.
Then, hit CTRL-SHIFT-ESC to bring up your task manager.
Find Explorer.exe, click on it to highlight it. Then, click the End Process button. Your windows desktop may act strangely and some icons may disappear. Pay no attention to that.
Click back into the Dos window and type cd \windows\system32 or whatever directory you are looking for. Use the command dir msephh.dll to be sure that the file is there then del msephh.dll
Type exit to leave the Dos window. Click on the start button Run then type explorer.exe or you can just reboot.

[gt93grad]

Thanks, but I did EXACTLY that, and I still get "Access denied" in DOS. (I'm very computer literate by the way.) Any other ideas?

[Sampson]

I am not exactly certain you followed the instructions as printed since by disabling explorer.exe, in general, the protection is taken off of the files. In any case, there is apparently a process still holding onto this file that needs to be stopped prior to stopping explorer.exe in the task manager.
Sysinternals has two programs that will allow you to see what process is using what .dll. The graphic program is found here: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml and the "generic" version is here: http://www.sysinternals.com/ntw2k/freeware/handle.shtml
Using either of these tools should indicate what process is connected to the .dll. You can then unregister it or end it through the task manager. Then, try the trick of disabling exporer.exe and going through the Dos prompt to delete it.
A second approach would be to run regedit and do a find on this dll. If found or several instances are found, delete those values.
Reboot. This may release its being used and you can then delete it.

[PTS]

Try this..


From a command prompt type:
regsvr32 /u msephh.dll

Next, try to delete the file. If you still can't, then go into your registry and try to find any entries for this file and see what it is associated with. If you can, remove the entrie(s).
Reboot and try to delete again.

[Jerry Atrik]

yet another way

right click/properties/security
remove all security rights (including system)
reboot
delete file

if the system doesnt have access then it can't load

[gt93grad]

Hey jerry atrik (yeah, I get the name), you said click/properties/security. Where is this?

[Jerry Atrik]

find the file u want to delete and right click on it
then properties, then the security tab on top.
it shows a list of people and things with permissions
remove them all.

ps if a box pops up saying that inherited permissions rule
then hit that advanced button and uncheck the inherited permissions.

[Jerry Atrik]

thnx for the kudos
since i daily fix web hijackings around here there, is always that one file that loads even during a safemode boot

the only way i figured out how to remove it easily is to deny the system permission to load.

[sapiens74]

Originally posted by jerry atrik:

Quote:

yet another way

right click/properties/security
remove all security rights (including system)
reboot
delete file

if the system doesnt have access then it can't load

Good call ou beat me to the punch.

[sapiens74]

Alec we used to have these Windows 2000 workstations that we had to install an older MS version of Maps.

This old version would overwrite a .dll file and would error every boot.

I couldn't delete it even in safe mode and finally denied access to system. Then in safe mode could delete it

Silly MS

[adamvjackson]

@Stake security (http://www.atstake.com) has a WFPdisable tool that (temporarily) disables Windows File Protection, for when you need to replace protected files.

[gt93grad]

Jerry atrik,

When I right click on the file and choose Properties, all I have is the general tab. The file is read only, but when I turn it off and apply, I get "An error occurred while applying attributes." Then I have the IGNORE, IGNORE ALL, RETRY, CANCEL options. I'm screwed either way.

[gt93grad]

Sampson, tried sysinternals, but the msephh.dll doesn't even show up in the list! McAfee keeps warning me about it constantly though.

[gt93grad]

PTS, tried the regsvr32, but got "Load library failed, access is denied." Will it ever end?

[Jerry Atrik]

geez at this time i would cramming my sp2 cd in the drive

[Sampson]

You have become the real guinea pig for this issue. So, if we can't get it to release, the explorer trick doesn't work, here is a program that might help: http://www.softwarepatch.com/software/moveonboot.html
It is called moveonboot. It is free. It really wasn't designed for this but essentially, you run the program, issue what you want to do to a file (move, rename, delete) then when you reboot and before Windows kicks in, it intervenes and does what you asked it to do to the file.

[gt93grad]

Sampson,

Thought I had it but the DLL keeps coming back. It appears to be gone, but then I get the Antivirus popup and it's back again.

Alec,

Sorry, I want to try your option, but I don't have the installation CD.

[PTS]

Actually, in trying to help I simply did a search in google for the problem he is having. What you see is what I saw. I made no claims that this would work, but he was welcome to try it. Nothing else had worked so far, so..... Anyway! Go lecture google.

[quafboy]

rename the file. then delete it.