Strange (Virus Like) System32 File Activity

  • Thread starter: Neil

Neil

Hi All,

My Trend Micro AV is advising that nnnligh.dll in c:\windows\system32 is a
generic trojan (Win XP SP2).

Trend Micro is unable to quarantine, clean or delete the file.

Manual attempts to delete the file are met with 'access is denied', whether
in safe mode or not.

How might I gain access to this file in order to delete it ?

Thanks,

Neil
 
Neil said:
Hi All,

My Trend Micro AV is advising that nnnligh.dll in c:\windows\system32
is a generic trojan (Win XP SP2).

Trend Micro is unable to quarantine, clean or delete the file.

Manual attempts to delete the file are met with 'access is denied',
whether in safe mode or not.

How might I gain access to this file in order to delete it ?

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with either Sysclean or Multi_AV, plus Ewido. Do all
prep/finishing work and follow instructions to do all scans in Safe
Mode.

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the link above (not here, please).

In addition, you may wish to see:

Undeletable Files:
http://aumha.org/a/stubborn.php
http://www.petri.co.il/delete_undeletable_files.htm
http://www.dougknox.com/xp/tips/xp_undeletable_file.htm - Pocket KillBox
http://www.bleepingcomputer.com/files/killbox.php

If the procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a professional
computer repair shop (not your local version of BigStoreUSA).

Malke
 
From: "Neil" <[email protected]>

| Hi All,
|
| My Trend Micro AV is advising that nnnligh.dll in c:\windows\system32 is a
| generic trojan (Win XP SP2).
|
| Trend Micro is unable to quarantine, clean or delete the file.
|
| Manual attempts to delete the file are met with 'access is denied', whether
| in safe mode or not.
|
| How might I gain access to this file in order to delete it ?
|
| Thanks,
|
| Neil
|

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE through your
firewall so that it can download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Most hostile files which deny you access to delete them can be renamed.
On my home PC (Win2000) I preface suspect names with xx_ and leave them there.
They are now cut off from registry entries or scripts that activate them,
and can always be restored if they are some well-kept secret from MS or app
providers.
 
From: "Newell White" <[email protected]>

| Most hostile files which deny you access to delete them can be renamed.
| On my home PC (Win2000) I preface suspect names with xx_ and leave them there.
| They are now cut off from registry entries or scripts that activate them,
| and can always be restored if they are some well-kept secret from MS or app
| providers.

Not always true. The reason is that the file handle is held open by the OS, and thus the
file cannot be deleted or renamed.
This is often used as a "self preservation" technique.
 
Neil said:
Hi All,

My Trend Micro AV is advising that nnnligh.dll in c:\windows\system32
is a generic trojan (Win XP SP2).

Trend Micro is unable to quarantine, clean or delete the file.

Manual attempts to delete the file are met with 'access is denied',
whether in safe mode or not.

How might I gain access to this file in order to delete it ?

Thanks,

Neil

Have you tried booting into Safe Mode and deleting it from there?

If no luck, you could try it from the Command Prompt if you know how to. If
not, come back and ask.

Have you tried any spyware detection tools? They might be able to get it.

I searched but cannot find anything about that file in any of the virus
sites.

Have you tried looking at msconfig to see if there are any hints there? If
a similar name shows up you could turn it off and see if you can delete it
after a restart.

Pop`
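
The sequence the replies above describe (rename the file first, as Newell suggests; when that fails because a running process holds it open, as David notes, find that process and defer the deletion to the next boot, and check the Run keys that msconfig's Startup tab displays, as Pop` suggests) can be typed into the Command Prompt as one script. This is an added example, not code from any of the posters. It assumes Windows XP Professional's cmd.exe run from an Administrator account (tasklist is not shipped with XP Home), and assumes the Sysinternals handle.exe and movefile.exe have been copied to C:\Tools, a path chosen for this example. The file name nnnligh.dll is the one from Neil's post.

```batch
@echo off
rem Added example, not from the thread. Assumes XP Pro cmd.exe as Administrator
rem and Sysinternals handle.exe / movefile.exe in C:\Tools (assumed path).
setlocal
set "TARGET=C:\WINDOWS\system32\nnnligh.dll"
set "TOOLS=C:\Tools"

if not exist "%TARGET%" (
    echo %TARGET% not found, nothing to do.
    goto :eof
)

rem 1. Clear read-only/system/hidden attributes; by themselves they produce "Access is denied".
attrib -r -s -h "%TARGET%"

rem 2. Grant the Administrators group full control (cacls ships with XP; /E edits
rem    the existing ACL instead of replacing it). If this step itself is denied,
rem    take ownership first from the file's Security tab in Safe Mode.
cacls "%TARGET%" /E /G Administrators:F

rem 3. Try the rename first: a renamed file is no longer found by the registry
rem    entry that loads it, and it can be put back if it turns out to be legitimate.
ren "%TARGET%" xx_nnnligh.dll 2>nul
if not exist "%TARGET%" (
    echo Renamed to xx_nnnligh.dll. Reboot and re-scan.
    goto :eof
)

rem 4. Rename failed, so the file is mapped into a running process. tasklist /m lists
rem    every process that has the DLL loaded; handle.exe lists open handles whose name
rem    contains the string (a DLL mapped only as an image shows up in tasklist, not here).
echo Rename failed. Processes with the module loaded:
tasklist /m nnnligh.dll
if exist "%TOOLS%\handle.exe" "%TOOLS%\handle.exe" nnnligh

rem 5. Show what starts it. The Run keys below are what msconfig's Startup tab lists.
for %%K in ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run") do (
    reg query %%K 2>nul | findstr /i nnnligh
)

rem 6. Schedule the deletion for the next boot, before anything can load the file again.
rem    movefile.exe with an empty destination registers a delete-on-reboot entry that
rem    Session Manager carries out at startup.
if exist "%TOOLS%\movefile.exe" (
    "%TOOLS%\movefile.exe" "%TARGET%" ""
    echo Delete scheduled for the next reboot.
) else (
    echo movefile.exe not found. Download the Sysinternals PendMoves/MoveFile package.
)
endlocal
```

Run it from an elevated Command Prompt and reboot afterwards; after the reboot, check that the file is gone and run the scans again, since step 6 only removes the file, not the registry entry found in step 5 that would otherwise try to load it.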
 