Can't delete file; Can't delete registry key

Bob Simon

I've got some kind of malware on my hard drive that's smarter than I
am. It sets up three .dll files in windows/system32 and the names
keep changing. Even when I start up XP in safe mode, I can't delete
them because they are already in use.

One of these files shows up in the registry in
Winlogon/Notify/Installer. I not only can't delete or change the
DllName, but I can't change the Data part either.

I've scanned with Housecall and run spybot. It looks like I've got
rid of everything except for these last three files. Can someone tell
me how to kill them?
 
David H. Lipman

Submit the files to Virus Total - http://www.virustotal.com/flash/index_en.html
Post the EXACT results back to the thread.

--
Dave




| I've got some kind of malware on my hard drive that's smarter than I
| am. It sets up three .dll files in windows/system32 and the names
| keep changing. Even when I start up XP in safe mode, I can't delete
| them because they are already in use.
|
| One of these files shows up in the registry in
| Winlogon/Notify/Installer. I not only can't delete or change the
| DllName, but I can't change the Data part either.
|
| I've scanned with Housecall and run spybot. It looks like I've got
| rid of everything except for these last three files. Can someone tell
| me how to kill them?
|
| --
| Bob Simon
| remove both "x"s from domain for private replies
 
Bert Kinney

Hi Bob,

You didn't mention if virus software was run.

Do a virus scan with up to date virus software.
If you are in need of virus software, here are a couple to choose
from, for free.
Download the software, update it, then do a complete virus scan.
AVG Anti-Virus - Free Download Page:
http://www.grisoft.com/us/us_dwnl_free.php
Free Offer: eTrust EZ Armor Security Suite from Computer Associates
http://www.my-etrust.com/microsoft/index.cfm

You should also run Ad-aware and CWShredder.

Ad-Aware SE Personal - Software - Lavasoft
http://www.lavasoftusa.com/software/adaware/

CWShredder: http://aumha.org/downloads/cwshredder.zip

And install SpywareBlaster for prevention:
http://www.wilderssecurity.net/spywareblaster.html
 
Sky King

Bob said:
I've got some kind of malware on my hard drive that's smarter than I
am. It sets up three .dll files in windows/system32 and the names
keep changing. Even when I start up XP in safe mode, I can't delete
them because they are already in use.

Have you tried running MSConfig to see what is being loaded at startup?

--

....Sky

Tom "Sky" King
=============
 
Frank Saunders, MS-MVP

Bob Simon said:
I've got some kind of malware on my hard drive that's smarter than I
am. It sets up three .dll files in windows/system32 and the names
keep changing. Even when I start up XP in safe mode, I can't delete
them because they are already in use.

One of these files shows up in the registry in
Winlogon/Notify/Installer. I not only can't delete or change the
DllName, but I can't change the Data part either.

I've scanned with Housecall and run spybot. It looks like I've got
rid of everything except for these last three files. Can someone tell
me how to kill them?

Spybot won't catch everything.
What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx

CAUTION!!!!! Before you try to remove spyware using any of these programs,
download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

See
Dealing with Unwanted Malware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Note that AdAware and SpyBot S & D will each catch some things the other
won't. Also, each needs to be updated with the program's update function
before every use, even when just downloaded. There's also a lot more to do
than just those two programs. CWShredder is also available here:
http://www.kellys-korner-xp.com/regs_edits/cwshredder.zip
**Post your HijackThis log to
http://www.spywareinfo.com/forums/
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/ or the Spyware forum at
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**
Alternative download pages for Ad-Aware, Spybot, HijackThis and CWShredder
may be found on this page:
http://aumha.org/a/parasite.htm.


See this link for information about malware:
http://arstechnica.com/articles/paedia/malware.ars

If nothing there helps, please post back to this thread.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
 
R. McCarty

A number of vendors provide on-line scans for Malware, etc.
However, be careful indiscriminately downloading/installing tools
to detect/remove Spyware - Some are themselves pests.
You can try PestPatrol to see what is on your PC, but note the
scanner still presents some "False Positive" listings.
http://www.my-etrust.com/products/pestscan/pestscan.cfm
Also try Zone Alarm's (Anonymizer) Pest scanner @
http://download.zonelabs.com/bin/promotions/spywaredetector/index_za.html
Aluria makes a good tool, no removal but a comprehensive
free scan is available with it and for the most part it nails some
items that Spybot/AdAware does not.
http://www.aluriasoftware.com/homeproducts/spyware/
By far the best is Giant Software's (Now MS) Anti-Spyware -
Microsoft will be posting a re-branded Beta form of it soon.


A good detailed scanner for download is Aluria's Spyware
 
Bob Simon

Bert,
Housecall ran clean. Isn't this considered to be a good online virus
scan?

Ad-Aware found the files I mentioned earlier are from vendor VX2,
but it could not remove them either.

Spybot found CoolWWWSearch but could not remove that either. I ran
the SmartKiller MiniRemoval tool but it reported that "v1/v2 has not
been found on your system."
 
Bob Simon

Frank,
Thank you for your comments. I posted some results a minute ago but
I'm still interested in how to delete a file that is locked or how to
change the winlogon section in regedit. I think if I could do either,
I could beat this thing.
Bob
 
David H. Lipman

What version of Adaware ?

--
Dave




| Bert,
| Housecall ran clean. Isn't this considered to be a good online virus
| scan?
|
| Ad-Aware found the files I mentioned earlier are from vendor VX2,
| but it could not remove them either.
|
| Spybot found CoolWWWSearch but could not remove that either. I ran
| the SmartKiller MiniRemoval tool but it reported that "v1/v2 has not
| been found on your system."
|
|
| On Sun, 2 Jan 2005 13:05:30 -0500, "Bert Kinney" <[email protected]>
| wrote:
|
| >Hi Bob,
| >
| >You didn't mention if virus software was run.
| >
| >Do a virus scan with up to date virus software.
| >If you are in need of virus software. Here are a couple to choose
| >from, for free.
| >Download the software, and update it then do a complete virus scan.
| >AVG Anti-Virus - Free Download Page:
| >http://www.grisoft.com/us/us_dwnl_free.php
| >Free Offer: eTrust EZ Armor Security Suite from Computer Associates
| >http://www.my-etrust.com/microsoft/index.cfm
| >
| >You should also run Ad-aware and CWShredder.
| >
| >Ad-Aware SE Personal - Software - Lavasoft
| >http://www.lavasoftusa.com/software/adaware/
| >
| >CWShredder: http://aumha.org/downloads/cwshredder.zip
| >
| >And install SpywareBlaster for prevention:
| >http://www.wilderssecurity.net/spywareblaster.html
|
|
| --
| Bob Simon
| remove both "x"s from domain for private replies
 
Frank Saunders, MS-MVP

Bob Simon said:
Frank,
Thank you for your comments. I posted some results a minute ago but
I'm still interested in how to delete a file that is locked or how to
change the winlogon section in regedit. I think if I could do either,
I could beat this thing.
Bob

delete undeletable files:
http://www.kellys-korner-xp.com/xp_abc.htm
Select D and scroll down. She has several entries to read.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
 
Bob Simon

Process explorer is a nice tool, thanks. I tried all of the ideas at
the site you suggested but still could not delete the three files in
windows\system32.

I have another idea: How do I start up windows with no services except
ntfs and a dos prompt?
 
Frank Saunders, MS-MVP

Bob Simon

Ad-Aware finds a vx2 problem but can't remove it. The VX2 addin
doesn't even find it.

CWShredder 2.12 found several variants earlier, but now runs clean.

I still can't delete the three .dll files in windows/system32 because
they are in use and locked.
Bob


Don Varnau said:
Hi,
Did you run CWShredder from http://aumha.org/downloads/cwshredder.zip ? It
will remove some CWS variants better than Spybot or Ad-aware.

Did you use the VX2 Cleaner add-on with Ad-aware?

Don
[MS MVP- IE/OE]

Bob Simon said:
Bert,
Housecall ran clean. Isn't this considered to be a good online virus
scan?

Ad-Aware found the files I mentioned earlier are from vendor VX2,
but it could not remove them either.

Spybot found CoolWWWSearch but could not remove that either. I ran
the SmartKiller MiniRemoval tool but it reported that "v1/v2 has not
been found on your system."
 
David H. Lipman

Did you run Adaware in Safe Mode and shut down as many applications as possible prior to running
a full scan using Adaware ?

--
Dave




| Ad-Aware finds a vx2 problem but can't remove it. The VX2 addin
| doesn't even find it.
|
| CWShredder 2.12 found several variants earlier, but now runs clean.
|
| I still can't delete the three .dll files in windows/system32 because
| they are in use and locked.
| Bob
|
|
| On Sun, 2 Jan 2005 19:48:48 -0600, "Don Varnau"
| <don_04[at]varnau[dot]org> wrote:
|
| >Hi,
| >Did you run CWShredder from http://aumha.org/downloads/cwshredder.zip ? It
| >will remove some CWS variants better than Spybot or Ad-aware.
| >
| >Did you use the VX2 Cleaner add-on with Ad-aware?
| >
| >Don
| >[MS MVP- IE/OE]
| >
| >> Bert,
| >> Housecall ran clean. Isn't this considered to be a good online virus
| >> scan?
| >>
| >> Ad-Aware found the the files I mentioned earlier are from vendor VX2,
| >> but it could not remove them either.
| >>
| >> Spybot found CoolWWWSearch but could not remove that either. I ran
| >> the SmartKiller MiniRemoval tool but it reported that "v1/v2 has not
| >> been found on your system."
| >>
|
|
| --
| Bob Simon
| remove both "x"s from domain for private replies
 
Bob Simon

Did you run Adaware in Safe Mode and shut down as many applications as possible prior to running
a full scan using Adaware ?

Thanks for the tip, I hadn't thought of that. Unfortunately, scanning
in Safe Mode did not work. No applications were running when I
scanned but tonight I'll try it after terminating explorer and see if
that does any good.

I also created a bootable floppy but it was not able to see the first
partition. Do you know how I can gain access to windows/system32
files without windows running?
 
David H. Lipman

You would have to create a BART PE Bootable CDROM. Something I have not yet done.

The other option is to put the hard disk in another WinXP or Win2K platform and make that a
"D:" drive, then scan the system. That should clean any files but will not correct the
Registry of the hard disk made as the "D:" drive.

--
Dave




| On Sun, 2 Jan 2005 22:39:02 -0500, "David H. Lipman"
|
| >Did run Adaware in Safe Mode and shutdown as many applications as possible prior to
running
| >a full scan using Adaware ?
|
| Thanks for the tip, I hadn't thought of that. Unfortunately, scanning
| in Safe Mode did not work. No applications were running when I
| scanned but tonight I'll try it after terminating explorer and see if
| that does any good.
|
| I also created a bootable floppy but it was not able to see the first
| partition. Do you know how I can gain access to windows/system32
| files without windows running?
|
| --
| Bob Simon
| remove both "x"s from domain for private replies
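An added example, not code from this thread or from any of the tools it names: a PowerShell audit of the Winlogon\Notify key Bob describes in his first post. Each Notify package's DllName is resolved (a bare name means the file lives in system32), the file is checked for existence and an Authenticode signature, and its SHA256 is recorded so it can be submitted to VirusTotal as Dave suggests. It also covers Dave's slaved-disk case: load the infected disk's SOFTWARE hive with `reg load` and point the function at it. The hive name `OfflineSoftware`, the `D:` drive letter and PowerShell 4 or later (for Get-FileHash) are assumptions.

```powershell
# Added example (not from the thread). Audit Winlogon Notify packages and flag
# any whose DLL is missing, unsigned, or outside %SystemRoot%\system32.
#
# Live system:   Get-WinlogonNotifyReport | Format-Table -AutoSize
# Slaved disk:   reg load HKLM\OfflineSoftware D:\WINDOWS\system32\config\software
#                Get-WinlogonNotifyReport -SystemRoot 'D:\WINDOWS' `
#                  -Key 'HKLM:\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
# (hive name and drive letter are placeholders)
function Get-WinlogonNotifyReport {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
        [string]$SystemRoot = $env:SystemRoot
    )
    $system32 = Join-Path $SystemRoot 'system32'

    foreach ($sub in Get-ChildItem -Path $Key -ErrorAction SilentlyContinue) {
        $dllName = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DllName
        if (-not $dllName) { continue }

        # Resolve %SystemRoot% against the root we were given (matters for a
        # slaved disk), expand anything else, then root bare names in system32.
        $path = $dllName -replace '(?i)%SystemRoot%', $SystemRoot
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $system32 $path }

        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $status = 'FileMissing'
        $sha256 = $null
        if ($exists) {
            $status = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        }

        # Missing, unsigned, or outside system32 all deserve a closer look.
        # The OS's own Notify DLLs on XP are catalog-signed rather than signed
        # on disk, so 'NotSigned' is a reason to look the hash up, not proof.
        $suspicious = (-not $exists) -or ($status -ne 'Valid') -or
                      ($path -notlike (Join-Path $system32 '*'))

        [pscustomobject]@{
            Package    = $sub.PSChildName
            DllName    = $dllName
            Path       = $path
            Signature  = $status
            SHA256     = $sha256
            Suspicious = $suspicious
        }
    }
}

Get-WinlogonNotifyReport | Format-Table -AutoSize
```

Winlogon Notify packages are only honoured on Windows XP and Server 2003; on later versions the key is normally absent and the report comes back empty, which is itself a useful negative result. Run the audit against the slaved hive before and after the cleanup, because, as Dave notes, scanning the disk as `D:` removes files but leaves the registry entry that points at them.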
 
Sky King

Bob said:
I also created a bootable floppy but it was not able to see the first
partition. Do you know how I can gain access to windows/system32
files without windows running?

Boot with your XP CD into the Recovery Console.

--

....Sky

Tom "Sky" King
=============
 
Alexander Grigoriev

When you run the virus scan, open the task manager and kill EXPLORER.EXE
(desktop shell). Your desktop icons will disappear. You can then start
cmd.exe and delete those files using the command line (if you know the names),
or allow your antivirus to delete them.
The files are loaded in explorer.exe process as shell extensions, this is
why you cannot easily delete them.
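The workflow Alexander describes, as an added PowerShell example that is not part of the original thread. It first confirms which processes actually have the DLL mapped, so you are not killing the shell on a guess; it refuses to proceed if anything other than explorer.exe holds the module; it hashes the file for a VirusTotal lookup; and it moves the file into a quarantine folder rather than deleting it, so the sample survives. The file name, the quarantine path and PowerShell 4 or later (for Get-FileHash) are assumptions.

```powershell
# Added example (not from the thread). Release a DLL locked as a shell
# extension: find its holders, stop explorer.exe, quarantine the file,
# restart the shell. Paths below are placeholders.

function Find-ProcessesUsingDll {
    param([Parameter(Mandatory)][string]$DllPath)
    $target = (Resolve-Path -LiteralPath $DllPath).Path
    foreach ($p in Get-Process) {
        # Protected and cross-bitness processes refuse module enumeration.
        try { $mods = $p.Modules } catch { continue }
        foreach ($m in $mods) {
            if ($m.FileName -and ($m.FileName -ieq $target)) {
                [pscustomobject]@{ Id = $p.Id; ProcessName = $p.ProcessName }
                break
            }
        }
    }
}

function Remove-LockedShellExtension {
    param(
        [Parameter(Mandatory)][string]$DllPath,
        [string]$Quarantine = (Join-Path $env:SystemDrive 'Quarantine')   # placeholder
    )
    $holders = @(Find-ProcessesUsingDll -DllPath $DllPath)
    $list = ($holders | ForEach-Object { "$($_.ProcessName) ($($_.Id))" }) -join ', '
    Write-Host "Loaded by: $list"

    # A shell extension should only be inside explorer.exe. Anything else
    # holding it means a different persistence mechanism; investigate first.
    $other = $holders | Where-Object { $_.ProcessName -ne 'explorer' }
    if ($other) { throw "Also loaded by: $($other.ProcessName -join ', ')" }

    # Keep a hash so the sample can be submitted to VirusTotal even if the
    # file gets renamed again later.
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $DllPath).Hash
    Write-Host "SHA256 $hash"

    # Stop the shell (desktop icons disappear, as Alexander says), move the
    # file out of system32 with a neutral extension, then restart the shell.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $dest = Join-Path $Quarantine ((Split-Path -Leaf $DllPath) + '.bin')
    Move-Item -LiteralPath $DllPath -Destination $dest -Force
    Start-Process explorer.exe
    Write-Host "Quarantined to $dest"
}

# Usage (placeholder name):
# Remove-LockedShellExtension -DllPath "$env:SystemRoot\system32\PLACEHOLDER.dll"
```

Run Find-ProcessesUsingDll on its own first; if the list is empty the lock is not a loaded module at all but an open handle or an ACL, and killing explorer.exe will not help. Moving rather than deleting also means a mistake against a legitimate system file is recoverable from the quarantine folder.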
 
