  1. #1
    3 Star Lounger

    Deleting An Infected File

    Hi,

    I have been trying to sort out a machine which has been dragged through it some ... the gentleman in question has been frequenting some, well, very dubious sites and has done so without anti-virus or anti-spyware, and it has taken me about 9 hours to clear the thing down. However, there remains one file on the disk which I can rename (it was WIN.DLL) but cannot delete, and of course it is infected. The system is XP so I don't think it needs WIN.DLL (it certainly boots with it renamed and I can't find it on any other XP machines), and I have tried everything I know, including booting with a Linux disk (I don't think the NT filesystem driver can write/delete NTFS files) and putting the disk on my machine as a USB drive (which I genuinely thought would solve it, since I believed the file was locked by the OS), but I still can't get rid of it.

    I need to get shot of this file (I feel it would be less than professional to return a still infected machine to the customer) and right now it is looking like my only option of doing so is to do a complete rebuild.

    If anyone knows of a way I might delete this file (windows\system32\WIN.DLL) I would greatly appreciate it!

  2. #2
    Gold Lounger Rebel's Avatar

    Re: Deleting An Infected File

    Try response #4 at this site. Symantec also has some info on this.
    John

  3. #3
    Uranium Lounger viking33's Avatar

    Re: Deleting An Infected File

    There is a lot of discussion regarding the Win.dll file and the Seeker.K virus. Symantec has a description of it at SEEKER

    In short, it apparently replicates itself on reboot, so a rename doesn't do it. A search and delete in the registry of any mention of win.dll seems in order.
    A sample of the removal in one location of the registry is:
    Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the right pane, delete these values if they exist:

    "win"="regedit -s c:\windows\win.dll"
    "@"="regedit -s c:\windows\win.dll"

    Exit the Registry Editor
    BOB
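The Run entries quoted above call `regedit -s c:\windows\win.dll`, which means the "DLL" is really a registry script that regedit silently re-merges at every logon, recreating the Run values. The following is an added example, not code from the thread or from Symantec: a small parser for the same `[KEY]` / `"name"="data"` syntax that regedit merges, which lists every value under a Run/RunOnce key and flags the ones that re-merge a registry script. `SAMPLE_REG` is a constructed export modelled on the values quoted in the post; run it against a real `regedit /e` export to see what a suspect file would change.

```python
"""Parse a regedit-format (.reg) export and list Run-key persistence.

Added example (not code from the thread). SAMPLE_REG is a constructed
export modelled on the Run values quoted in the post.
"""
import re

# Autostart keys whose values run at logon (HKLM and HKCU flavours both match).
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
# "regedit -s <file>" / "regedit /s <file>": silent merge of a registry script.
SCRIPT_MERGE = re.compile(r"\bregedit(?:\.exe)?\s+[-/]s\b", re.I)
# '@=...' is the (Default) value; '"name"=...' is a named value.
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win"="regedit -s c:\\windows\\win.dll"
@="regedit -s c:\\windows\\win.dll"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''


def unescape(s):
    # Undo regedit's REG_SZ escaping: doubled backslash and escaped quote.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; '' is the (Default) value."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):  # [-KEY] deletes the key; nothing is merged under it
                key = None
                continue
            entries.setdefault(key, {})
            continue
        m = VALUE_LINE.match(line)
        if key is None or not m:
            continue  # hex(...) continuation lines and unknown syntax are skipped
        name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])  # REG_SZ; other types are kept as raw text
        entries[key][name] = data
    return entries


def find_run_persistence(entries):
    """List every Run-key value, marking those that re-merge a registry script."""
    hits = []
    for key, values in entries.items():
        if not RUN_KEY.search(key):
            continue
        for name, data in values.items():
            hits.append({
                "key": key,
                "name": name or "(Default)",
                "command": data,
                "merges_registry_script": bool(SCRIPT_MERGE.search(data)),
            })
    return hits


if __name__ == "__main__":
    for hit in find_run_persistence(parse_reg(SAMPLE_REG)):
        flag = "SUSPICIOUS" if hit["merges_registry_script"] else "ok"
        print(f'{flag:10} {hit["key"]}  {hit["name"]} = {hit["command"]}')
```

The flagged entries are exactly the ones to delete in the procedure above; the script itself only reads the export and changes nothing, so it is safe to run on the customer's disk from a clean machine.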

  4. #4
    Uranium Lounger

    Re: Deleting An Infected File

    You might want to look into downloading a copy of HijackThis and letting the folks at their forum analyze the log file it creates. This particular file seems like it may be somewhat difficult to remove using "normal" removal methods. There appear to be several possible causes or sources for this file and it has dug itself in deep. From all indications, though, it can be removed.

    Edited to add: You might also want to check out Pocket KillBox. I've no personal experience with it, but it appears to be a tool for getting rid of stubborn files like this one. Personally, I'd prefer to find the cause and clear the problem at the root. But failing that, this may be a reasonable alternative. HTH

  5. #5
    3 Star Lounger

    Thanks For The Replies ...

    ... and I will try these solutions. My suspicion is that this may not work, because pretty much all the others said they had a WIN.DLL they couldn't rename and that it was something running under Windows that locks the file; however, I can rename the file, and even taking the disk out and putting it on an alternative system via a USB HD caddy will not let me delete it. I will, however, try, and report back when I have done so (I get the system back tonight).

    Thanks again

  6. #6
    Super Moderator jscher2000's Avatar

    Re: Thanks For The Replies ...

    It may be in use by something in the Task List's processes pane that you can terminate. It is often difficult matching up processes with executables. Process Explorer from Sysinternals might help; maybe HijackThis will also spell out the details. If the DLL is not a startup program, look for other unknown or suspicious programs that might be firing it up.

    Additional Random Thought: I think I've read that Windows maintains a "backup" folder from which it restores "system" files that go missing. Maybe Windows is copying win.dll from that folder after you delete it from system32? Unless the malware inserted the DLL into a CAB file (probably too difficult) it may be just sitting in a folder somewhere waiting to die...

  7. #7
    Administrator

    Re: Thanks For The Replies ...

    For any Windows OS that supports Windows File Protection, a copy of the files to be protected will be in %windir%\system32\dllcache. I believe these must be registered with the OS. Then, if the file is corrupted or deleted, it will be restored from the cache.

    Joe

  8. #8
    3 Star Lounger

    As I Guessed ...

    ... it didn't work.

    Pocket KillBox couldn't remove the file (System Restore is off, BTW), the Norton FxAgentB tool could not find the virus, and even AVG's VCleaner couldn't touch it.

    I will post a Hijack This report shortly.

  9. #9
    Administrator

    Re: As I Guessed ...

    Try the procedure in post 381438 for deleting in-use files. It should work for a rename also. Also, get and execute Sysinternals Pendmoves, just to make sure that nothing funky is going on with reboot file naming. Get Sysinternals Autoruns. It will show virtually everywhere something can start on your system. You may be able to spot something.

    Joe
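Pendmoves reports the contents of the `PendingFileRenameOperations` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`. When a tool such as KillBox asks Windows to delete or replace an in-use file, `MoveFileEx` with `MOVEFILE_DELAY_UNTIL_REBOOT` appends a source/target pair to that REG_MULTI_SZ value, and Session Manager (smss.exe) replays the list early in the next boot before other processes start. An empty target means delete; a target prefixed with `!` means replace an existing file. Malware can use the same queue to move a dropped copy back over a file that was just removed, which is the "funky" reboot renaming worth checking. The decoder below is an added example, not Sysinternals' code or anything from the thread; `SAMPLE_PENDING` is a constructed list in the shape `winreg` returns for a REG_MULTI_SZ value, and `read_live_pending` reads the real value only when run on Windows.

```python
r"""Decode PendingFileRenameOperations, the value Sysinternals Pendmoves reads.

Added example (not code from the thread or from Sysinternals). SAMPLE_PENDING
is a constructed list in the form winreg returns for a REG_MULTI_SZ value.
"""
import ntpath
import sys

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# Pairs of (source, target); stored as NT paths (\??\C:\...). Constructed sample.
SAMPLE_PENDING = [
    r"\??\C:\WINDOWS\system32\WIN.DLL", "",                                      # queued delete
    r"\??\C:\WINDOWS\Temp\~tmp0001.dll", r"!\??\C:\WINDOWS\system32\WIN.DLL",   # a copy moved back over it
    r"\??\C:\WINDOWS\system32\spool\PRTPROCS\W32X86\1.tmp", "",                  # ordinary installer leftover
]


def _strip_nt_prefix(p):
    # "!" on a target means MOVEFILE_REPLACE_EXISTING; "\??\" is the NT path prefix.
    replace_existing = p.startswith("!")
    if replace_existing:
        p = p[1:]
    if p.startswith("\\??\\"):
        p = p[4:]
    return p, replace_existing


def decode_pending_moves(multi_sz):
    """Return one dict per queued operation; op is 'delete' or 'rename'."""
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must contain source/target pairs")
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        src, _ = _strip_nt_prefix(src)
        dst, replace = _strip_nt_prefix(dst)
        ops.append({
            "op": "delete" if dst == "" else "rename",
            "source": src,
            "target": dst or None,
            "replace_existing": replace,
        })
    return ops


def restores_watched_file(ops, watch=("win.dll",)):
    """Entries that would (re)create a watched filename at the next boot."""
    names = {w.lower() for w in watch}
    return [o for o in ops
            if o["op"] == "rename" and ntpath.basename(o["target"]).lower() in names]


def read_live_pending():
    """On Windows, read the real value (empty list when nothing is queued)."""
    if sys.platform != "win32":
        return []
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            data, kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return list(data) if kind == winreg.REG_MULTI_SZ else []


if __name__ == "__main__":
    queue = read_live_pending() or SAMPLE_PENDING
    ops = decode_pending_moves(queue)
    for op in ops:
        print(op["op"].upper(), op["source"], "->", op["target"] or "(deleted)",
              "[replace]" if op["replace_existing"] else "")
    for op in restores_watched_file(ops):
        print("WARNING: boot-time rename recreates", op["target"], "from", op["source"])
```

If the live queue shows a rename whose target is the file you are trying to remove, delete the source file and clear the pair before rebooting; otherwise the next boot undoes the cleanup.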

  10. #10
    3 Star Lounger

    Hmmm ...

    (Edited by VampyreUK on 30-Oct-04 07:22.)

    Hi Joe,

    I don't see how that will work any better than what I have already tried. Don't forget I HAVE removed the drive and powered it up on another system (as an external drive, not under its own OS's control) and I STILL can't delete the file ... surely that is the ultimate test for deleting a file (because it is not being protected by any OS)?

    I have one more test to try ... using NTFSPro. If that fails I think I will just give in and rebuild the thing.

    EDIT: Just tried that ... it didn't work, and I tested deleting a text file first!

    Thanks for everyone's help. I have decided to back up the guy's documents/mail and rebuild the system!
