MerstingB


Robin Graham

I'm trying to get rid of MerstingB. I'm told that putting cacls.exe
c:\windows32\htmle.dll/g Everyone:f into Run will cure it. But as soon as I
click OK I get a quick flash of a new window and then nothing. Why does this
not work?

Rob Graham
 
Robin said:
I'm trying to get rid of MerstingB. I'm told that putting cacls.exe
c:\windows32\htmle.dll/g Everyone:f into Run will cure it. But as soon as I
click OK I get a quick flash of a new window and then nothing. Why does this
not work?

the command you cited changes the permissions on a file or folder on an
ntfs partition... specifically it changes the permission for
c:\windows32\htmle.dll such that everyone will have full control
(read/write/execute/you-name-it) of the file...

i can't see how that could possibly get rid of any kind of malware, i
think someone may have been playing you for a fool...
 
i can't see how that could possibly get rid of any kind of malware, i
think someone may have been playing you for a fool...

Well Kurt, you may be right. However, I've got this from a reasonable
source. Also, I'm told that the reason I can't get rid of the Mersting file
is that it has been modified so that the permissions don't work, or words to
that effect. The calcs routine will restore these permissions and the file
can then be deleted.

This makes sense to me, except that I cannot get the calcs routine to 'go'!
I've had this Mersting B file on my computer for yonks, and although it
doesn't seem to cause any harm I just don't want it there. Do you have a
better cure?

Rob
 
Robin said:
Well Kurt, you may be right. However, I've got this from a reasonable
source.

be that as it may, the command you quoted will not *remove* anything
other than protections on a certain file...

Robin said:
Also, I'm told that the reason I can't get rid of the Mersting file
is that it has been modified so that the permissions don't work, or words to
that effect. The calcs routine will restore these permissions and the file
can then be deleted.

so i've now seen...

Robin said:
This makes sense to me, except that I cannot get the calcs routine to 'go'!

try spelling it's cacls, instead... as in Change ACLs (Access Control
Lists)... also, the command you posted specified an invalid directory
name... no such creature as c:\windows32, but there is a
c:\windows\system32...

Robin said:
I've had this Mersting B file on my computer for yonks, and although it
doesn't seem to cause any harm I just don't want it there. Do you have a
better cure?

usually the product that detects it can also remove it... failing that,
the company that makes the product that detects it will probably have a
dedicated removal tool (you should actually look for the dedicated
removal tool first since they do a better job of removal)...

well, having googled it, i now see that the command you mentioned was
only one small part of what you need to do... you'll also need to
remove the registry entry that gets it loaded automagically when you
logon - you certainly won't be able to delete it after it's been loaded
(it will be locked by windows)...

take a look at
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AC
 
try spelling it's cacls, instead... as in Change ACLs (Access Control
Lists)... also, the command you posted specified an invalid directory
name... no such creature as c:\windows32, but there is a
c:\windows\system32...

I was spelling it cacls actually. I was spelling it wrong in my posting!
However, I've tried *cacls.exe c:\windows\system32\htmle.dll/g Everyone:f*
(I take your point about the windows directory) and all I get is a flash of
a black window and then nothing.

Rob
 
...
However, I've tried *cacls.exe c:\windows\system32\htmle.dll/g Everyone:f*
(I take your point about the windows directory) and all I get is a flash of
a black window and then nothing.

Well you would, if you start it from the "Run" box. Cacls is a console
application (no GUI). If you run it from a command prompt you'll see
any output it may give (there may be none, unless you make a mistake).
Type 'cacls /?' for help. Also check that your windows directory is
actually called 'windows' and not 'winnt'.
 
Robin said:
I was spelling it cacls actually. I was spelling it wrong in my posting!
However, I've tried *cacls.exe c:\windows\system32\htmle.dll/g Everyone:f*
(I take your point about the windows directory) and all I get is a flash of
a black window and then nothing.

probably because you're executing it from the start->run box... you
aren't seeing anything because there's nothing to see... it's
finished... if you typed cmd instead and then typed that command at the
command prompt in the dos window you'd see more...
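
The advice in the replies above, collected into one batch file as an added example (it is not from any poster in this thread). It assumes the file name quoted in the thread and uses %SystemRoot% so it works whether the directory is called windows or winnt; the /E switch (edit the existing ACL rather than replace it) is an addition to the command as posted. Save it as a .bat file and start it from a cmd window so the output stays visible.

```bat
@echo off
rem Added example: grant Everyone full control on the file named in the thread
rem and show the ACL before and after, with the console left open.
setlocal

rem %SystemRoot% expands to C:\WINDOWS or C:\WINNT, whichever this install uses.
set "TARGET=%SystemRoot%\system32\htmle.dll"

if not exist "%TARGET%" (
    echo Not found: "%TARGET%"
    echo Check the directory and file name before going further.
    goto :done
)

echo --- ACL before the change ---
cacls "%TARGET%"

rem Note the space before each switch; the posted command ran the file name
rem and /g together.
rem   /E  edit the existing ACL instead of replacing it
rem   /G  grant the named account a right; F = full control
echo --- Granting Everyone:F ---
cacls "%TARGET%" /E /G Everyone:F

echo --- ACL after the change ---
cacls "%TARGET%"

rem If cacls printed "Access is denied", the ACL is unchanged. As asked in the
rem thread: confirm the account has administrative privileges and that the
rem registry entry that loads the file at logon has been removed and the
rem machine restarted.

:done
endlocal
rem Keep the window open even when the script is double-clicked.
pause
```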
 
Ah! Now we're getting somewhere! Thank you both for this. However, I'm now
stumped. I've got info on cacls from the c prompt but I don't know how to
use the info. I've tried putting in the filename with one or other of the
codes shown by cacls but access is denied. Can you help a bit more, please?

Rob
 
Robin said:
Ah! Now we're getting somewhere! Thank you both for this. However, I'm now
stumped. I've got info on cacls from the c prompt but I don't know how to
use the info. I've tried putting in the filename with one or other of the
codes shown by cacls but access is denied. Can you help a bit more, please?

access denied? do you have administrative privileges? did you follow
the directions exactly? (removing the relevant registry values, then
restarted, etc)

what is the process you're following, exactly...
 
Thanks for all your help so far. I'll have to get back to you on this
in due course.

Rob
 