infected file refuses to be removed

Thread starter: zeetboy

zeetboy

At work today I was cleaning an HP desktop running XP; it had probably
30 different trojan viruses and as much spyware as I have seen on any
computer that was still booting up and acquiring an IP. I took off the
Norton crap software and installed AVG and scanned and removed almost
all the infected files. There was one file that I could not remove,
msgge.dll located in c:\windows\system32. I even tried deleting it,
with the drive as a secondary while in safe mode and from a command
prompt. I still could not delete it, nor change its properties from
read-only, but I could change its file name. I changed the name to
remove .txt but AVG still would come up every few seconds. Then I moved
it into a created folder and I was able to move it to the desktop of
Administrator, but still could not delete the file at any point. When
I booted back up on the drive I still could not remove it from the
desktop of Admin, but AVG no longer saw it as a virus.
 
From: "zeetboy" <[email protected]>

| At work today I was cleaning an HP desktop running XP; it had probably
| 30 different trojan viruses and as much spyware as I have seen on any
| computer that was still booting up and acquiring an IP. I took off the
| Norton crap software and installed AVG and scanned and removed almost
| all the infected files. There was one file that I could not remove,
| msgge.dll located in c:\windows\system32. I even tried deleting it,
| with the drive as a secondary while in safe mode and from a command
| prompt. I still could not delete it, nor change its properties from
| read-only, but I could change its file name. I changed the name to
| remove .txt but AVG still would come up every few seconds. Then I moved
| it into a created folder and I was able to move it to the desktop of
| Administrator, but still could not delete the file at any point. When
| I booted back up on the drive I still could not remove it from the
| desktop of Admin, but AVG no longer saw it as a virus.

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example, lpt486.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Ad-aware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shutdown as many applications as possible
5) Using both the Trend Sysclean utility and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Ad-aware
7) Re-enable System Restore and re-apply any System Restore preferences
(e.g., suggested HD space to use: 400 ~ 600 MB),
8) Reboot your PC.
9) Create a new Restore point

* * Please report your results ! * *
 
Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

Dave, do you find IE and/or Windows lies about deleting those
files? Or does one need to log in as each user account in turn
and do it for all of them?
How far would one screw things up by manually deleting the
relevant folder(s) contents?
 
From: "Dave Budd" <[email protected]>

|
| Dave, do you find IE and/or Windows lies about deleting those
| files? Or does one need to log in as each user account in turn
| and do it for all of them?
| How far would one screw things up by manually deleting the
| relevant folder(s) contents?
| --
| UN-altered REPRODUCTION and DISSEMINATION of this IMPORTANT
| information is ENCOURAGED.


To clean the PC, one should logon as the Administrator or as a user with Administrative
rights. This will scan all files on the hard disk. Then, you only need to logon as
individual users and perform a scan to clean the user's Registry of alterations made by
malware.

I don't know that I can characterize IE/Windows as lying as you describe.

The idea of dumping the IE Cache is twofold. Dumping the TIF cache should delete any
infectors residing in the cache, and having an empty cache means faster scanning times.
 
To clean the PC, one should logon as the Administrator or as a user with Administrative
rights. This will scan all files on the hard disk. Then, you only need to logon as
individual users and perform a scan to clean the user's Registry of alterations made by
malware.

I don't know that I can characterize IE/Windows as lying as you describe.

The idea of dumping the IE Cache is twofold. Dumping the TIF cache should delete any
infectors residing in the cache, and having an empty cache means faster scanning times.

I typically find that, even though I've logged in as
Administrator, when I do a full scan AFTER having told IE to
clear all the Temporary Internet Files (including offline
stuff), I see the scanner looking at files in those folders.
 
From: "Dave Budd" <[email protected]>

|
| I typically find that, even though I've logged in as
| Administrator, when I do a full scan AFTER having told IE to
| clear all the Temporary Internet Files (including offline
| stuff), I see the scanner looking at files in those folders.
|
| --
| UN-altered REPRODUCTION and DISSEMINATION of this IMPORTANT
| information is ENCOURAGED.


Assuming the TIF was dumped, the indexing files, I believe, remain.
 
On infected computers I always log in as admin in safe mode and delete
all users' temp files including the content.ie folders. It turned out
that when I went to Properties > Security on the file I was able to give
rights to admin and then delete it. There was another file that
turned up in system32 that AVG called r?ndll32.exe, and when I looked
for it in system32 there were two files with different icons called
rundll32.exe, so I scanned them both and deleted the one that AVG saw
as a virus. I haven't played around with Trend Micro stuff, although I
have done a couple of online scans before. Typically I have had great
success with AVG picking up what is suspect. I also use Ad-aware,
Spybot, SpySweeper and Hijack on every system I work on. I am not
done until I know what every process running at startup is and there
is nothing suspicious in msconfig, by going through all the Run
keys in the registry as well as all the startup directories and
deleting the crap directories in c:\program files and c:\program
files\common files, after uninstalling the junk in Add/Remove Programs
of course.
What I find most annoying is when users have encrypted their profile
and I can't get into it as admin in safe mode to clean temp files,
but I have found I can do it while logged into their account from a
command prompt. It just takes more time.

Does anyone know how to unencrypt a user profile?

Thanks for the input
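The "two files called rundll32.exe with different icons" and AVG's `r?ndll32.exe` display in the post above point at a lookalike name: NTFS will not hold two entries with byte-identical names in one folder, so the second one differs by a character the eye (or the console codepage) does not show. The script below is an added example, not code from this thread or from AVG, Trend Micro or Ad-aware. It reduces each filename to a "skeleton" (NFKC normalisation, case folding, a small homoglyph and digit-for-letter table, invisible characters and trailing space/dot padding stripped) and flags any name whose skeleton matches a known system binary while its raw name does not. The list of known binaries, the homoglyph table and the `SAMPLE_SYSTEM32` directory listing are all constructed for the example; a real scan would walk `C:\WINDOWS\system32` and load the full Unicode confusables table.

```python
"""Flag filenames that impersonate Windows system binaries.

Added example; not code from this thread or from AVG/Trend Micro/Ad-aware.
Each name is reduced to a "skeleton" (NFKC, case-folded, homoglyphs and
digit-for-letter swaps mapped back to ASCII, invisible characters and
padding removed). A name whose skeleton matches a known binary but whose
raw name does not is reported together with the trick it uses.
"""
import unicodedata

# Known-good names: a short, constructed list for the example.
SYSTEM_BINARIES = frozenset({
    "rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "explorer.exe", "services.exe", "smss.exe",
})

# Cyrillic/Greek letters that render like ASCII letters. Constructed subset;
# a production tool should load the Unicode confusables.txt table instead.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
}
# Digits that pass for letters at a glance (rund1l32.exe, svch0st.exe).
DIGIT_SWAPS = {"1": "l", "0": "o"}


def skeleton(name: str) -> str:
    """Canonical form: the genuine binary and its lookalikes collapse to one string."""
    text = unicodedata.normalize("NFKC", name).casefold()   # fullwidth -> ASCII, etc.
    out = []
    for ch in text:
        if unicodedata.category(ch) == "Cf" or ch.isspace():
            continue                      # zero-width joiners, BOMs, padding spaces
        ch = HOMOGLYPHS.get(ch, ch)
        ch = DIGIT_SWAPS.get(ch, ch)
        out.append(ch)
    return "".join(out).rstrip(".")       # "rundll32.exe." -> "rundll32.exe"


def explain(name: str, legit: str) -> list:
    """Describe which characters make `name` differ from the genuine `legit`."""
    reasons = []
    for ch in sorted(set(name) - set(legit)):
        if unicodedata.category(ch) == "Cf":
            reasons.append("invisible U+%04X" % ord(ch))
        elif ch.isspace():
            reasons.append("whitespace padding")
        elif ch in DIGIT_SWAPS:
            reasons.append("digit %r for letter %r" % (ch, DIGIT_SWAPS[ch]))
        elif ord(ch) > 127:
            reasons.append("homoglyph U+%04X (%s)" % (ord(ch), unicodedata.name(ch, "?")))
        else:
            reasons.append("unexpected character %r" % ch)
    if name.rstrip(".") != name:
        reasons.append("trailing dot")
    return reasons


def find_lookalikes(listing, known=SYSTEM_BINARIES):
    """Return (name, impersonated, reasons) for entries that collapse onto a known binary."""
    canon = {skeleton(n): n for n in known}
    hits = []
    for name in listing:
        legit = canon.get(skeleton(name))
        if legit is None or name.casefold() == legit:
            continue                      # unrelated file, or the genuine binary itself
        hits.append((name, legit, explain(name.casefold(), legit)))
    return hits


# Constructed directory listing standing in for C:\WINDOWS\system32.
SAMPLE_SYSTEM32 = [
    "rundll32.exe",                 # genuine
    "rundll32.\u0435x\u0435",       # Cyrillic 'ie' (U+0435) where 'e' should be
    "svch0st.exe",                  # zero in place of 'o'
    "lsass.exe ",                   # trailing space: only creatable via a \\?\ path
    "explorer.exe.",                # trailing dot: same trick
    "csrss\u200b.exe",              # zero-width space hidden in the name
    "\uff57inlogon.exe",            # fullwidth 'w' (U+FF57)
    "services.exe", "msgge.dll", "kernel32.dll",   # genuine / unrelated
]

if __name__ == "__main__":
    for name, legit, reasons in find_lookalikes(SAMPLE_SYSTEM32):
        print("%r impersonates %s: %s" % (name, legit, "; ".join(reasons)))
```

Two practical notes. Names with a trailing space or dot are exactly the kind Explorer and plain `del` refuse to touch, because the Win32 path layer strips that padding before opening the file; such a file has to be removed with an extended-length path from a command prompt, e.g. `del "\\?\C:\WINDOWS\system32\lsass.exe "`. And a name check is only a screen: a file that passes it can still be a replaced binary, so confirm the survivors by Authenticode signature or known-good hash (Sysinternals `sigcheck` does this on XP) before trusting them.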
 