Compatible Support Forums
gt93grad

Desperately need to delete a file


Sampson, I was able to remove the DLL from the Windows NT registry area (as you mentioned above). But it always comes back eventually. I even renamed it, but it recreated the DLL with the same name again. I even used the Permissions area to Deny access, and I don't see the DLL listed in the registry any longer, but I can't delete the DLL from the system32 directory, and McAfee keeps alerting me about the virus still. The zonavirus link didn't help either. The program said it can't open the DLL, and McAfee said access denied.


I've actually done this before and gotten it to work, but if another process is protecting it you're probably right.

'Twas just a thought.


This may sound like a dumb question, but did you try booting in Safe Mode and deleting it?


This may or may not help. There was this bug in the Windows 2000 FTP server that allowed pub scanners to create undeletable files and folders. I eventually found a way to do it by searching Google. There is an rm.exe available on the Win2k Resource Kit, some kind of POSIX thing. It was able to delete the files. Now in your case I understand it's a security issue. Just out of curiosity (I didn't read all the posts), but are you sure that it's a process error and not an NTFS problem? Maybe the virus has changed the security so you can't delete it. Take ownership of it (as Administrator) and add all the permissions you need. It seems weird that you would not be able to delete it from Safe Mode or the Recovery Console unless there was an NTFS issue preventing deletion. Not even sure if NTFS matters in the Recovery Console.

 

 


here is my 2¢...

 

I have been studying this trojan and I have noticed:

 

The PendingFileRenames value is monitored; if this value contains the name of the DLL that is the carrier, it is overwritten with random characters. This pretty much negates any attempt by antivirus to remove the DLL.

 

Several have commented on how the file does not exist after a reboot to Safe Mode. It seems like the virus is renaming itself and loading itself into the PendingFileRenames value. Note the date/time stamp and the exact size of the file and search based on this instead of the name only.

 

Possible remedy: (not for the technically challenged...)

Close all apps.

Delete the PendingFileRenames value (reg_multi_sz) not the hive.

Power the machine off. (Yank the power cord on the newer boxes as pressing the power button will initiate a shutdown.) This should not hurt a NT/W2K/XP box.

ENABLE BOOT SECTOR WRITE PROTECTION IN THE BIOS.

Reboot to safe mode or preferably, reboot using the recovery console.

Search for the file, or any file that fits the description. (date/time or size...)

Run chkdsk /f from cmd prompt and delete any recovered files.

Check the PendingFileRenames value (reg_multi_sz) and verify any entries.

 

Let us know if this works...

 

 

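The inspection steps of the remedy above (check what is queued in the rename value, then hunt for the carrier by size and timestamp rather than by name) and the earlier suggestion to take ownership and fix the permissions can be scripted. The following is an added example, not code from anyone in this thread. It assumes the value the poster calls "PendingFileRenames" is `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` (the value Windows actually consults at boot), that it is run from an elevated PowerShell prompt, and that `takeown.exe` and `icacls.exe` are present as they are on stock Windows. The function names, the sample file name taken from a later post, and the size/date values in the usage lines are placeholders.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumption: the value the post calls "PendingFileRenames" is
# PendingFileRenameOperations under the Session Manager key.
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingFileRenameEntries {
    # The REG_MULTI_SZ holds pairs of strings: source path, then destination.
    # Paths are in NT form ("\??\C:\..."). An empty destination means "delete
    # at next boot"; a leading "!" on the destination means "overwrite if present".
    $prop = Get-ItemProperty -Path $SessionManager -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if (-not $prop) { return @() }
    $raw = @($prop.PendingFileRenameOperations)
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $dest   = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] } else { '' }
        $action = if ($dest -eq '') { 'delete' } else { 'rename' }
        [pscustomobject]@{
            Source      = $raw[$i] -replace '^\\\?\?\\', ''
            Destination = $dest    -replace '^!?\\\?\?\\', ''
            Action      = $action
        }
    }
}

function Test-PendingRenameMentions {
    # Does any queued boot-time operation reference the suspect DLL?
    param([Parameter(Mandatory)][string]$FileName)
    Get-PendingFileRenameEntries | Where-Object {
        $_.Source -like "*\$FileName" -or $_.Destination -like "*\$FileName"
    }
}

function Find-FileByFingerprint {
    # The post says to search by size and timestamp, not by name, because the
    # carrier renames itself. Size must match exactly; LastWriteTime may drift
    # a little, so allow a tolerance window. -Force includes hidden/system files.
    param(
        [Parameter(Mandatory)][long]$Size,
        [Parameter(Mandatory)][datetime]$Written,
        [int]$ToleranceMinutes = 5,
        [string]$Root = "$env:SystemRoot\System32"
    )
    Get-ChildItem -Path $Root -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Length -eq $Size -and
            [math]::Abs(($_.LastWriteTime - $Written).TotalMinutes) -le $ToleranceMinutes
        } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

function Grant-AdminFullControl {
    # Take ownership as Administrators and grant Full Control, then show the
    # resulting ACL so you can see whether a Deny entry or odd owner was the
    # reason "access denied" came back. Both tools ship with Windows.
    param([Parameter(Mandatory)][string]$Path)
    & takeown.exe /F $Path | Out-Null
    & icacls.exe $Path /grant 'Administrators:F' | Out-Null
    Get-Acl -Path $Path | Select-Object Owner, AccessToString
}

# Usage. The DLL name is the one the original poster reports; the size and
# date are placeholders, to be replaced with the values from the Properties
# dialog of the file the antivirus keeps flagging.
Test-PendingRenameMentions -FileName 'msephh.dll' | Format-Table -AutoSize
Find-FileByFingerprint -Size 57344 -Written (Get-Date '2004-06-12 14:03') | Format-Table -AutoSize
# Grant-AdminFullControl -Path "$env:SystemRoot\System32\msephh.dll"
```

Run the inspection functions first and only then the ownership step; if the file reappears after a reboot with a different name, the fingerprint search is what will find it, and the rename-operations listing will show whether the carrier has queued a fresh copy for the next boot.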

PendingFileRenames? Where can I find this? Is this in the registry? Never heard of it. I'm in XP, BTW.


I have been having a similar problem (Symantec instead of McAfee, hlpoj.dll instead of msephh.dll), for about a week now and just ran across this thread. Thanks to all who posted suggestions of things to try. I ended up booting off the install CD, running the recovery console, removing the offending file.

 

To keep it from coming back, I copied another system dll file to the name of the trojan/virus one, and used "attrib +rsh".

 

If you (original poster) can get your hands on an install CD, or use one of the other methods of removing the file, perhaps this will work for you too.

 

Good luck,

Nathan

 


Just to add a 'me too' to the above. I came across the problem during an infestation with CoolWebSearch. Once I had cleared out all of the rest of the infection a stubborn 'kbdn.dll' remained in the System32 folder, constantly triggering Norton Anti Virus (which identifies it as the Backdoor.Agent.B trojan) but undeletable, and frequently undetectable, especially in Safe Mode. Every now and again it invents a new random .dll which tries to inveigle itself into Internet Explorer and change the homepage - WinPatrol is keeping that issue at bay for now, and I can delete the spin-off .dll files, but I've been having the same issues as gt93grad in trying to get rid of the trojan itself.

 

Since I've had the problem I've found it cropping up in forums everywhere recently. I'll give the fixes you mentioned a shot when I get back home - thanks for the tips; I was beginning to despair!


I have this same problem with the file comm.dll. Renamed it once to comm.old and now can't do anything with the file. Even tried booting up into WinPE and Linux. Still didn't have access to the file. It's on an NTFS partition with XP Home. I'm at a loss, guys.


Scooby (and anyone else still being plagued) - I have discovered that TrendMicro has issued a specific fix for this problem that kills the class of trojans that has been under discussion here. I found it at:

https://beta.activeupdate.trendmicro.com/fixtool/fixagentv1.0007.zip

 

I tried it yesterday on my system and it worked like a charm. Of course it goes without saying that you need to run every piece of anti-virus software you can get your hands on afterwards to clean up the junk left behind by the trojan (I found three registry entries and a directory file that had been invisible to me beforehand - and not always where you would expect them to be, either).

 

Good luck.

 

Richard

