gt93grad (posted July 13, 2004): There's a DLL in my \windows\system32 directory (XP) called msephh.dll, and it contains the Backdoor-CFB virus. Very annoying. McAfee prompts me to delete or quarantine the file, but I get an Access Denied. I went to DOS to try to delete it, but I still get an access denied. I can't delete it in Explorer either. The weirdest thing: I reboot and load Safe Mode. The DLL isn't there in Safe Mode!!! Someone on here mentioned Shift-Delete, but that doesn't work either. I even tried a System Restore (turning it off) option that I found at microsoft.com, but I still couldn't do it. How can I FORCE this file to be deleted?
Sampson (posted July 13, 2004): First, bring up a DOS prompt within Windows. Then, hit CTRL-SHIFT-ESC to bring up your Task Manager. Find explorer.exe, click on it to highlight it. Then, click the End Process button. Your Windows desktop may act strangely and some icons may disappear. Pay no attention to that. Click back into the DOS window and type cd \windows\system32 (or whatever directory you are looking for). Use the command dir msephh.dll to be sure that the file is there, then del msephh.dll. Type exit to leave the DOS window. Click on the Start button, Run, then type explorer.exe, or you can just reboot.
gt93grad (posted July 13, 2004): Thanks, but I did EXACTLY that, and I still get "Access denied" in DOS. (I'm very computer literate, by the way.) Any other ideas?
Sampson (posted July 13, 2004): I am not exactly certain you followed the instructions as printed, since by disabling explorer.exe, in general, the protection is taken off of the files. In any case, there is apparently a process still holding onto this file that needs to be stopped prior to stopping explorer.exe in the Task Manager. Sysinternals has two programs that will allow you to see what process is using what .dll. The graphic program is found here: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml and the "generic" version is here: http://www.sysinternals.com/ntw2k/freeware/handle.shtml Using either of these tools should indicate what process is connected to the .dll. You can then unregister it or end it through the Task Manager. Then, try the trick of disabling explorer.exe and going through the DOS prompt to delete it. A second approach would be to run regedit and do a find on this dll. If found, or if several instances are found, delete those values. Reboot. This may release its being used and you can then delete it.
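The two posts above describe one procedure by hand: find which process has the DLL mapped (Process Explorer / handle), stop it, stop explorer.exe, delete from a prompt, restart the shell. The script below is an added example that does the same from a modern elevated PowerShell prompt; it is not from the thread or from Sysinternals. The DLL name and system32 path are the thread's; the list of processes it refuses to kill is my own safety list, not something the thread mentions.

```powershell
# Added example, not from the original thread: locate every process that has a
# DLL loaded, stop the non-critical ones, stop explorer.exe, delete the file,
# then bring the desktop back. Run from an elevated PowerShell prompt.
param(
    [string]$DllName = 'msephh.dll',
    [string]$DllPath = (Join-Path $env:SystemRoot "system32\$DllName")
)

# Processes that must never be killed from a script (assumed list; killing
# csrss/winlogon/smss bugchecks the machine).
$protected = 'System', 'Idle', 'smss', 'csrss', 'wininit', 'winlogon', 'services', 'lsass'

# Return every process that reports the module as loaded. Get-Process exposes
# loaded modules via .Modules; for processes we cannot open, the property
# access throws, which the try/catch turns into "not a match" instead of
# aborting the scan.
function Get-DllLoaders {
    param([string]$Name)
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try {
            $_.Modules | Where-Object { $_.ModuleName -ieq $Name }
        } catch { $false }
    }
}

$loaders = @(Get-DllLoaders -Name $DllName)
if ($loaders.Count -gt 0) {
    "Processes holding ${DllName}:"
    $loaders | Select-Object Id, ProcessName | Format-Table -AutoSize | Out-String
} else {
    # A DLL that is held but not reported here is being kept open by something this
    # user-mode view cannot see (or is re-created after deletion); see later posts.
    "No running process reports $DllName as a loaded module."
}

# Stop the loaders first (excluding the protected set), explorer.exe last, as in
# the thread's Task Manager step.
$loaders |
    Where-Object { $protected -notcontains $_.ProcessName -and $_.ProcessName -ne 'explorer' } |
    Stop-Process -Force -ErrorAction SilentlyContinue
Get-Process explorer -ErrorAction SilentlyContinue | Stop-Process -Force

if (Test-Path -LiteralPath $DllPath) {
    # Clear the read-only attribute the thread mentions, then delete.
    Set-ItemProperty -LiteralPath $DllPath -Name IsReadOnly -Value $false -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $DllPath -Force -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $DllPath) { "Delete failed: $DllPath is still present" }
    else { "Deleted $DllPath" }
}

# Restore the desktop (the thread's "Run, explorer.exe" step).
Start-Process explorer.exe
```

If the DLL is registered under AppInit_DLLs (see McAfee's description later in the thread) it is mapped into every process that links user32.dll, so Get-DllLoaders will list nearly everything and killing the loaders one by one is not a practical route; that is the case where the permission-denial or delete-on-reboot approaches below are needed.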
PTS (posted July 13, 2004): Try this. From a command prompt type: regsvr32 /u msephh.dll Next, try to delete the file. If you still can't, then go into your registry and try to find any entries for this file and see what it is associated with. If you can, remove the entry (or entries). Reboot and try to delete again.
Jerry Atrik (posted July 13, 2004): Yet another way: right click / Properties / Security, remove all security rights (including SYSTEM), reboot, delete file. If the system doesn't have access, then it can't load.
gt93grad (posted July 14, 2004): Hey jerry atrik (yeah, I get the name), you said click/properties/security. Where is this?
Jerry Atrik (posted July 14, 2004): Find the file you want to delete and right click on it, then Properties, then the Security tab on top. It shows a list of people and things with permissions; remove them all. P.S. If a box pops up saying that inherited permissions rule, then hit that Advanced button and uncheck the inherited permissions.
Jerry Atrik (posted July 14, 2004): Thanks for the kudos. Since I daily fix web hijackings around here, there is always that one file that loads even during a safe-mode boot. The only way I figured out how to remove it easily is to deny the system permission to load it.
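Jerry Atrik's approach (strip every ACE including SYSTEM, disable inheritance, reboot, then delete) depends on the Security tab, which XP hides on Home edition and whenever Simple File Sharing is on. The script below is an added example, not from the thread, that does the same thing with Get-Acl/Set-Acl from an elevated PowerShell prompt. The path is the thread's; the explicit Deny entries and the use of takeown.exe are my additions to make the step robust.

```powershell
# Added example, not from the original thread: deny every principal, SYSTEM
# included, access to the DLL so nothing can map it at the next boot, then
# remove it after the reboot. Run elevated. ACLs are checked when a file is
# opened, so a process that already has the file mapped keeps it until reboot;
# that is why the reboot in the thread is not optional.
$dll = Join-Path $env:SystemRoot 'system32\msephh.dll'

function Deny-AllAccess {
    param([string]$Path)
    # Take ownership first: the owner of a file always keeps READ_CONTROL and
    # WRITE_DAC implicitly, which is what lets us undo this after the reboot
    # even though the DACL below denies Everyone.
    & takeown.exe /F $Path | Out-Null

    $acl = Get-Acl -LiteralPath $Path
    # "Uncheck inherited permissions": stop inheriting from system32 and drop
    # the inherited ACEs instead of copying them in as explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove whatever explicit ACEs remain.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    # Belt and braces: explicit Deny for Everyone and SYSTEM on top of "no Allow".
    foreach ($who in 'Everyone', 'NT AUTHORITY\SYSTEM') {
        $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($who, 'FullControl', 'Deny')
        $acl.AddAccessRule($deny)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    Get-Acl -LiteralPath $Path | Format-List Owner, AccessToString
}

function Remove-DeniedFile {
    param([string]$Path)
    # After the reboot: as owner we can still rewrite the DACL. Grant ourselves
    # FullControl, clear the Deny entries, then delete.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $allow = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($allow)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $false -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $Path -Force
    -not (Test-Path -LiteralPath $Path)
}

# Step 1 (before reboot):
Deny-AllAccess -Path $dll
# Step 2: Restart-Computer
# Step 3 (after reboot): Remove-DeniedFile -Path $dll
```

This blocks user-mode loaders, including anything started from a Run key or AppInit_DLLs, because every open of the file now fails the access check; it does not stop a dropper from writing a fresh copy under a new name, which is the "keeps coming back" problem discussed further down.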
sapiens74 (posted July 14, 2004): Originally posted by jerry atrik: "yet another way right click/properties/security remove all security rights (including system) reboot delete file if the system doesnt have access then it can't load" Good call, you beat me to the punch.
sapiens74 (posted July 14, 2004): Alec, we used to have these Windows 2000 workstations on which we had to install an older MS version of Maps. This old version would overwrite a .dll file and would error every boot. I couldn't delete it even in Safe Mode, and finally denied access to SYSTEM. Then in Safe Mode I could delete it. Silly MS.
adamvjackson (posted July 14, 2004): @stake security (http://www.atstake.com) has a WFPdisable tool that (temporarily) disables Windows File Protection, for when you need to replace protected files.
gt93grad (posted July 16, 2004): Jerry atrik, when I right click on the file and choose Properties, all I have is the General tab. The file is read-only, but when I turn it off and apply, I get "An error occurred while applying attributes." Then I have the IGNORE, IGNORE ALL, RETRY, CANCEL options. I'm screwed either way.
gt93grad (posted July 16, 2004): Sampson, tried Sysinternals, but the msephh.dll doesn't even show up in the list! McAfee keeps warning me about it constantly, though.
gt93grad (posted July 16, 2004): PTS, tried the regsvr32, but got "Load library failed, access is denied." Will it ever end?
Jerry Atrik (posted July 16, 2004): Geez, at this point I would be cramming my SP2 CD in the drive.
Sampson (posted July 16, 2004): You have become the real guinea pig for this issue. So, if we can't get it to release and the explorer trick doesn't work, here is a program that might help: http://www.softwarepatch.com/software/moveonboot.html It is called MoveOnBoot. It is free. It really wasn't designed for this, but essentially, you run the program, issue what you want to do to a file (move, rename, delete), then when you reboot, and before Windows kicks in, it intervenes and does what you asked it to do to the file.
gt93grad (posted July 17, 2004): Sampson, thought I had it, but the DLL keeps coming back. It appears to be gone, but then I get the antivirus popup and it's back again. Alec, sorry, I want to try your option, but I don't have the installation CD.
PTS (posted July 17, 2004): Actually, in trying to help I simply did a search in Google for the problem he is having. What you see is what I saw. I made no claims that this would work, but he was welcome to try it. Nothing else had worked so far, so..... Anyway! Go lecture Google.
Sampson (posted July 17, 2004): OK. When you are able to delete it using MoveOnBoot, check to see what the creation date is. It looks to me that you are now able to actually delete this dll, but some other process is creating it when Windows eventually comes up. I saw this in trying to eliminate eAcceleration's software once. You could uninstall the software, but it embedded itself in the registry, invented a popup stopper attached to IE (a BHO) and kept creating a dll that ran in the background. This may not have been created by the eAcceleration software on your machine, but it could be using some of the same tricks. In the meantime, go to PestPatrol http://www.pestpatrol.com/ and try to scan your machine. Since McAfee is seeing something in association with this dll and alerting you, it means their definitions know of this thing. I know that some of these companies are not the most helpful, but it won't hurt to email them with your quandary about what this dll is.
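Two things from the last few posts can be done without a third-party tool, and the script below is an added example (not from the thread and not MoveOnBoot's code) that does both from an elevated PowerShell prompt. Register-DeleteOnReboot queues the file for deletion by the session manager at the next boot, before any Run key or AppInit_DLLs entry can map it, using the documented Win32 MoveFileExW flag MOVEFILE_DELAY_UNTIL_REBOOT; that MoveOnBoot itself works this way is my assumption, not something the thread says. Test-RecreatedSinceBoot is Sampson's "check the creation date" advice as code: a creation time later than the last boot means something that ran after boot rebuilt the file. The path is the thread's.

```powershell
# Added example, not from the original thread: delete-on-reboot via the Win32
# API, plus a creation-time check for "it keeps coming back". Run elevated
# (the pending-operation list lives under HKLM\SYSTEM).
$dll = Join-Path $env:SystemRoot 'system32\msephh.dll'

# P/Invoke declaration for kernel32!MoveFileExW.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

function Register-DeleteOnReboot {
    param([string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    # A null destination together with this flag means "delete at boot". The
    # request is stored in PendingFileRenameOperations and carried out by
    # smss.exe before winlogon and the Run keys get a chance to load anything.
    if (-not [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed, Win32 error $err"
    }
    # Return the queued list so it can be inspected before rebooting: entries come
    # in pairs, a \??\ source path followed by an empty string for a delete.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

function Test-RecreatedSinceBoot {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $boot    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $created = (Get-Item -LiteralPath $Path -Force).CreationTime
    # True when the file was created after this boot, i.e. a dropper still runs.
    return ($created -gt $boot)
}

Register-DeleteOnReboot -Path $dll
# Then: Restart-Computer
# After the reboot:
#   if (Test-RecreatedSinceBoot -Path $dll) { 'something that runs after boot re-created it' }
```

A file that passes Test-RecreatedSinceBoot is not the real problem; the process or autostart entry that writes it is, which is what the McAfee description below points at.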
Sampson (posted July 17, 2004): I went looking for spyware that sets off McAfee and does something like what yours is doing: creating a randomly named dll unique to your system, but essentially spyware. This is one possible solution from Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.J
Sampson (posted July 17, 2004): This is what McAfee had to say:

This detection is for a DLL component which may be installed automatically onto the victim's machine whilst visiting a website. The filename of the DLL varies, for example:

* COMPCKP.DLL
* CTLAPA.DLL
* CTLJOH.DLL
* D3DKHE.DLL
* HLPJP.DLL
* HLPEO.DLL
* KBDJEF.DLL
* LOG.DLL
* MS.DLL
* MSA.DLL
* WIN.DLL
* WINLG.DLL
* WDM.DLL

Registry modifications are made such that the DLL is loaded at system startup. The name of the Registry key added may vary, but it always starts with '**', followed by 1-4 random characters. For example:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "**xx" = RUNDLL32, %SysDir%\(DLL filename).DLL,StreamingDeviceSetup

The following Registry key modification will also be present:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"="%SysDir%\(DLL filename).DLL"

This key is modified like this in order to load the DLL into other processes as they are run on the system. Because of this, removal with the specified DATs requires either a restart, or the scanning/cleaning to be performed in Safe Mode. The DLL file is not malicious by itself but it may be used by a malicious program to export system information from the victim's machine. Analysis is still ongoing and the description will be updated once we have finished.
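The McAfee writeup gives two concrete indicators: a Run value whose name starts with ** followed by 1-4 characters and launches rundll32 with the StreamingDeviceSetup export, and an AppInit_DLLs value pointing at the DLL. The script below is an added example, not from the thread or from McAfee, that turns those into a check. Find-Persistence works on plain hashtables so it can be exercised on constructed data; Get-LivePersistence feeds it the real HKLM keys. The sample Run entries are constructed, not captured from a real machine.

```powershell
# Added example, not from the original thread: detect the two persistence
# points described in the McAfee writeup. Reading HKLM needs no elevation;
# nothing here modifies the registry.

function Find-Persistence {
    param(
        [hashtable]$RunValues,   # value name -> command line, from HKLM\...\Run
        [string]$AppInitDlls     # contents of AppInit_DLLs, empty on a default install
    )
    $findings = @()
    foreach ($name in $RunValues.Keys) {
        $cmd = [string]$RunValues[$name]
        # Indicator 1: value name "**" plus 1-4 random characters.
        $suspiciousName = $name -match '^\*\*.{1,4}$'
        # Indicator 2: rundll32 invoking the StreamingDeviceSetup export of some DLL.
        $suspiciousCmd  = $cmd -match '(?i)rundll32.*\.dll\s*,\s*StreamingDeviceSetup'
        if ($suspiciousName -or $suspiciousCmd) {
            $findings += [pscustomobject]@{
                Where  = 'Run'
                Name   = $name
                Value  = $cmd
                Reason = $(if ($suspiciousName) { 'value name starts with **' } else { 'rundll32 ...,StreamingDeviceSetup' })
            }
        }
    }
    # AppInit_DLLs is loaded into every process that links user32.dll, which is why
    # the file is "in use" everywhere and why Safe Mode looks different. It is empty
    # by default, so any entry deserves a look.
    foreach ($entry in ($AppInitDlls -split '[,\s]+' | Where-Object { $_ })) {
        $findings += [pscustomobject]@{
            Where  = 'AppInit_DLLs'
            Name   = 'AppInit_DLLs'
            Value  = $entry
            Reason = 'non-empty AppInit_DLLs'
        }
    }
    return ,$findings
}

function Get-LivePersistence {
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $run = @{}
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        # Skip the provider metadata properties Get-ItemProperty adds.
        if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
            $run[$p.Name] = $p.Value
        }
    }
    $appInit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    Find-Persistence -RunValues $run -AppInitDlls ([string]$appInit)
}

# Constructed sample mirroring the writeup (not real registry data): one benign
# XP default entry and one entry shaped like the one McAfee describes.
$sample = @{
    'ctfmon.exe' = 'C:\WINDOWS\system32\ctfmon.exe CTFMON.EXE'
    '**qz'       = 'RUNDLL32 C:\WINDOWS\system32\msephh.dll,StreamingDeviceSetup'
}
Find-Persistence -RunValues $sample -AppInitDlls 'C:\WINDOWS\system32\msephh.dll' | Format-Table -AutoSize

# Against the running machine:
# Get-LivePersistence | Format-Table -AutoSize
```

On the sample data this reports the **qz Run value and the AppInit_DLLs entry and ignores ctfmon.exe. Removing those two registry values (then rebooting, since the DLL is already mapped into running processes) is the step that stops the file being loaded, which is what makes the delete finally stick.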
Sampson (posted July 17, 2004): Apparently this fellow invented his own cure for something similar to what you found in McAfee: http://www.zonavirus.com/descargas/EliBDCFB.exe
gt93grad (posted July 17, 2004): quaf, tried that a long time ago. Access denied. Can't turn off the read-only either. Access denied. Someone did a good job with this one. Alec, yep, '93 Georgia Tech grad. Industrial Engineering. I live in Sandy Springs now, so not far from Marietta.