Deleting a file


Guest

It seems like one of the computers that I have is infected with the
Downloader virus. When I try to delete it in normal mode or safe mode it is
giving me an "access is denied" message. When I ran the process explorer
program from sysinternals..it tells me the files that I am trying to delete
"itimund.dll" is associated with the winlogon.exe process.

How do I stop this process and delete this *.dll file?

Please help.

Thanks,

TRung
 
Trung Quach said:
It seems like one of the computers that I have is infected with the
Downloader virus. When I try to delete it in normal mode or safe mode it is
giving me an "access is denied" message. When I ran the process explorer
program from sysinternals..it tells me the files that I am trying to delete
"itimund.dll" is associated with the winlogon.exe process.

How do I stop this process and delete this *.dll file?

Please help.

Thanks,

TRung

Try renaming it, and deleting it after a restart. Alternately, make sure
that the Recovery Console has access to the folder where this file is, then
boot from the CD to recovery console and delete it.

Failing that, remove the drive and host it on another system via a USB2
drive case, delete the file and do a thorough scan of that drive while it's
out.

HTH
-pk
 
Make sure that the value of userinit in the registry is:

C:\WINDOWS\system32\userinit.exe,

Click Start, Run, type: REGEDIT and click OK.

Navigate to >>>

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right-pane, if the value of Userinit is not:

C:\WINDOWS\system32\userinit.exe,

Change it so that it is exactly the same. Type the above value exactly as
given, including the comma. Or better yet, copy it and paste it into the
Value Data.

Also, change the path to userinit.exe appropriately if Windows is installed
in a different drive.

Close the Registry Editor and restart Windows.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Wesley Vogel said:
Make sure that the value of userinit in the registry is:

C:\WINDOWS\system32\userinit.exe,

Click Start, Run, type: REGEDIT and click OK.

Navigate to >>>

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right-pane, if the value of Userinit is not:

C:\WINDOWS\system32\userinit.exe,

Change it so that it is exactly the same. Type the above value exactly as
given, including the comma. Or better yet, copy it and paste it into the
Value Data.

Also, change the path to userinit.exe appropriately if Windows is installed
in a different drive.

Close the Registry Editor and restart Windows.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User


Wesley:

Thanks for the response. I am going to try that out. Before I do, do you
suggest I change the registry key and this will allow me to delete that file
after the restart?

Thanks,

Trung
 
Hi Trung,

Before you do anything, just look at the entry and post back with what it
is.

I would suspect that winlogon is what is being used to start itimund.dll
running.

C:\WINDOWS\system32\userinit.exe, A path to a program can be added after
the comma.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
I just checked and the path in the registry is exactly

C:\WINDOWS\system32\userinit.exe,

I also tried the post by Patrick, however that is not going to work because
I think the file is locked up by the winlogon.exe process.

Trung
 
Wesley:

I've tried what you mention below. However when I try to delete the
winlogon.exe process it gives me the following message.

"This is a critical system process. Task manager cannot end this process."

Any other ideas? TIA.

Trung
 
Try this.

Somewhere in the registry is a start reference to itimund.dll.

Open the Registry Editor and delete every reference to itimund that you can
find.

Or...

Post back with every reference to itimund that you can find. Search for
itimund and not itimund.dll; that way, if there is a reference to just itimund,
you can find any of those as well as any to itimund.dll.

Open the Registry Editor...
Start | Run | Type: regedit | Click OK |
Hit your F3 key | Type: itimund in the box |
Click the Find Next button | Keep hitting F3 until you see the Finished
searching through the registry message.

To copy a registry key name
1. In the registry tree (on the left), right click a registry key.
2. Select Copy Key Name.
3. Paste the name of the registry key into Notepad and then copy and paste
everything that you find referring to itimund into a message and post back.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
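
Added example, not part of the original posts: the two registry checks discussed in this thread (the Userinit value and the search for itimund) run over an exported .reg file instead of the live registry. The sample export, the `Example\Loader` key and `example.exe` are constructed for illustration; the parser also decodes `hex(2)` string values, which a plain text search of an exported file would not match.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"  # value given in the thread
# Constructed sample export; Example\Loader and example.exe are hypothetical.
# A real regedit export is UTF-16: open(path, encoding="utf-16").read()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Loader]
"DllName"=hex(2):69,00,74,00,69,00,6d,00,75,00,6e,00,64,00,2e,00,64,00,6c,00,\
  6c,00,00,00
'''

def parse_reg(text):
    """Yield (key, value name, decoded text) for every string-type value."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1) or "(Default)", m.group(2)
        if raw.startswith('"'):                  # REG_SZ, backslash-escaped
            yield key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])
        elif re.match(r"hex\([127]\):", raw):    # string types stored as UTF-16LE bytes
            data = bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
            yield key, name, data.decode("utf-16-le", "replace").rstrip("\x00")

def userinit_mismatch(entries, expected=EXPECTED_USERINIT):
    """Return the Userinit data when it differs from expected, else None."""
    for key, name, data in entries:
        if key.lower() == WINLOGON.lower() and name.lower() == "userinit":
            return None if data.lower() == expected.lower() else data
    return "<Userinit value not found>"

def find_references(entries, needle):
    """Case-insensitive search of key paths, value names and decoded data."""
    n = needle.lower()
    return [e for e in entries if any(n in part.lower() for part in e)]

if __name__ == "__main__":
    entries = list(parse_reg(SAMPLE_REG))
    print(userinit_mismatch(entries), find_references(entries, "itimund"), sep="\n")
```

The input file comes from File > Export in the Registry Editor; the script only reads it and changes nothing in the registry.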

 
Wesley:

I found all references to itimund.dll and deleted all references to it in the
registry. However, it is still not allowing me to delete it.

Any other ideas?

Trung
 
<kibbitz> Excuse my butting in here.
1) I'd want to make sure the dll in question is "truly" related to a virus.
What other tools have you used to remove the "downloader" malware?
Is it a confirmed malware?

You really need to run antivirus & anti-spyware tools in Safe mode first.
And if you need to do any downloads, use another machine that is known to be
clean.

Make very sure your system does not have malware.
See <http://www.elephantboycomputers.com/page2.html#Removing_Malware>


Sysclean would be a good first run for virus check. Just be sure to also
run other spyware / malware checks.


See The Parasite Fight Quick Fix Protocol at
http://www.aumha.org/a/quickfix.htm


2) If it is a confirmed malware, and still present,
then a) I'd use

regsvr32 /u itimund.dll    <<--- be certain the name is spelled correctly

to un-register it (even if it were non-registered). Then I'd use Windows
Explorer to get to its folder location.
Rename the file to itimund.xxx
Then do a full antivirus and security checks.

If unable to rename in normal mode, then reboot to Safe mode and do that.

Once system is known to be clean, and it is running fine, go and delete the
file.
</kibbitz>
 
I don't mind. Maybe Trung will be back to see.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Maurice and Wesley:

Thanks for your input. I will try what you suggested when I am back in the
office. I will post back my results sometime next week.

Thanks,

Trung
 
