problem deleting a file

Guest

I have a virus-infected file on my C-drive. The file (dasm.dll) is "in use
by another program" (Explorer.exe). Thus, I cannot delete it while Windows
is running. So, I figured that if I booted using DOS, I would be able to
delete the file without Windows interfering. However, once I booted to DOS,
DOS would not recognize my C-drive ("invalid drive specification"). Someone
suggested that DOS would not recognize the C-drive because the C-drive is
formatted to NTFS while DOS is based on FAT. Do you have any idea how I can
access the C-drive through DOS? Or how I can delete this infected file?
 
Rock

> I have a virus-infected file on my C-drive. The file (dasm.dll) is "in use
> by another program" (Explorer.exe). Thus, I cannot delete it while Windows
> is running. So, I figured that if I booted using DOS, I would be able to
> delete the file without Windows interfering. However, once I booted to DOS,
> DOS would not recognize my C-drive ("invalid drive specification"). Someone
> suggested that DOS would not recognize the C-drive because the C-drive is
> formatted to NTFS while DOS is based on FAT. Do you have any idea how I can
> access the C-drive through DOS? Or how I can delete this infected file?

Use malware removal tools for cleaning the system.

Malware Removal
http://www.elephantboycomputers.com/page2.html#Removing_Malware

THE PARASITE FIGHT
Finding, Removing & Protecting Yourself From Scumware
http://aumha.org/a/parasite.htm

Richard Harper’s Guide to Cleaning Pests
http://rgharper.mvps.org/cleanit.htm

A better newsgroup for virus issues is microsoft.public.security.virus

You could create a Bart's PE bootable CD, boot from that and delete the
file.
http://www.nu2.nu/pebuilder/
 
Wesley Vogel

Kill explorer.exe and open a command prompt. You do not need MS-DOS!

To kill explorer and restart it.

Open the Task Manager...
Ctrl + Shift + Escape | Click on the Processes tab | Locate and highlight
explorer.exe | Right click explorer.exe | Click End Process | Click
Yes to the Task Manager Warning that pops up | Click File on the Toolbar |
Click New Task (Run...) | Type in: cmd | Click OK

You may have to drag the Task Manager out of the way or minimize it. Ctrl +
Shift + Escape again to maximize it.

When the command prompt opens, type:

del %windir%\system32\dasm.dll

and hit Enter.

Assuming that is the location of dasm.dll.

To restart explorer.exe...
Click New Task (Run...) | Type in: explorer | Click OK

End Process on explorer.exe will make your Desktop, Taskbar and all programs
disappear. This can be startling. Restarting explorer will bring
everything back.

Get rid of the scumware program that placed the file on your machine first.
This is probably not the only bad file. dasm.dll is possibly from a trojan.

UPDATE your antivirus software and run a full system scan.

UPDATE whatever anti-spyware applications that you have and run a full
system scan with each one.

You might want to start in Safe Mode to run your antivirus and anti-spyware
software.

Running a full system antivirus scan or anti-spyware scan in Safe Mode can
be a good idea. Some viruses and other malware like to conceal themselves
in areas Windows protects while using them. Safe mode will prevent those
applications' access and therefore unprotect the viruses or other malware
allowing for easier removal.

How to start Windows in Safe Mode Windows XP
http://www.bleepingcomputer.com/forums/index.php?showtutorial=61#winxo

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Elmo

John said:
I have a virus-infected file on my C-drive. The file (dasm.dll) is "in use
by another program" (Explorer.exe). Thus, I cannot delete it while Windows
is running. So, I figured that if I booted using DOS, I would be able to
delete the file without Windows interfering. However, once I booted to DOS,
DOS would not recognize my C-drive ("invalid drive specification"). Someone
suggested that DOS would not recognize the C-drive because the C-drive is
formatted to NTFS while DOS is based on FAT. Do you have any idea how I can
access the C-drive through DOS? Or how I can delete this infected file?

Many a/v programs can be set to run a boot scan. Since this is
performed before Windows starts, the malware hasn't taken hold yet.
Avast! has this option.

Safe Mode, Command Prompt should work for deleting the file too. It
still needs to be removed from the Registry, or wherever it's started,
too. Your a/v should be removing this for you, if it discovered the file.
 
Guest

I got around explorer.exe, as you suggested, by using task manager. However,
I found that the virus-infected file is ALSO attached to winlogon.exe, which
is a "critical process" and cannot be shut down. Any ideas on how I can get
around the winlogon process?
 
Wesley Vogel

John,

FWIW, there is also a winlogon.exe that's a trojan.

SWAG. This could be what's launching your crap.

Verify the Userinit setting in this registry key.

Open the Registry Editor...
Start | Run | Type: regedit | Click OK |
Navigate to >>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value Name: Userinit
Data Type: REG_SZ
Value Data: C:\Windows\System32\userinit.exe,

This is executed when a user logs in. A path to a program can be added
after the comma and is commonly used by malware.
Make sure that the comma is at the end.
There should not be anything after the comma at the end.
Close the Registry Editor and reboot your computer.

An example of a trojan (mshtml.exe) adding a start item after the comma.

C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mshtml.exe

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
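
The Userinit check described in the post above, as an added PowerShell example that is not part of the original thread. The helper name Test-UserinitValue is hypothetical, and the expected entry assumes userinit.exe sits in its default location under %SystemRoot%\System32.

```powershell
# Added example (not from the thread). Test-UserinitValue is a hypothetical helper name.
# Assumption: the legitimate entry is %SystemRoot%\System32\userinit.exe.
$ExpectedUserinit = Join-Path $env:SystemRoot 'System32\userinit.exe'

function Test-UserinitValue {
    param(
        [string]$Value,
        [string]$Expected = $ExpectedUserinit
    )
    # Userinit is a comma-separated list; Winlogon starts every non-empty entry at logon.
    $entries = @($Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ })
    # Anything other than the expected full path is reported, including a bare
    # "userinit.exe" or a copy in another directory (comparison is case-insensitive).
    $extra = @($entries | Where-Object { $_ -ne $Expected })
    [pscustomobject]@{
        Value        = $Value
        HasDefault   = ($entries -contains $Expected)
        ExtraEntries = $extra
        Clean        = ($entries -contains $Expected) -and ($extra.Count -eq 0)
    }
}

# Constructed samples: the clean value, and the pattern from the post
# (mshtml.exe appended after the comma).
$samples = @(
    "$ExpectedUserinit,",
    "$ExpectedUserinit,C:\WINDOWS\system32\mshtml.exe"
)
foreach ($s in $samples) { Test-UserinitValue -Value $s | Format-List }

# Live check of the key named in the post (read-only; nothing is modified).
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live   = (Get-ItemProperty -Path $key -Name Userinit).Userinit
$result = Test-UserinitValue -Value $live
$result | Format-List
if (-not $result.Clean) {
    Write-Warning "Userinit differs from the expected value. Extra entries: $($result.ExtraEntries -join '; ')"
}
```

A flagged entry is a lead to investigate, not proof of infection: the check only compares strings and does not verify that the file at the expected path is the genuine userinit.exe.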

Guest

I checked the registry - winlogon, userinit is as it should be - no problem
there.
I have determined that the virus is identified as WS\BACKDOOR.AAOL
Does that info help?
 
Wesley Vogel

W32/BACKDOOR.AAOL brings up some hits on Google, but nothing helpful.

E-mail your AV (whoever that may be) people and ask about it.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
