Infected DLL files - can't delete.

Status: Not open for further replies.

miked8887 (Baseband Member, 21 messages)
Hello, first of all, I hope this is the right place on this forum to post this. I looked around, and decided to post it here. If it belongs somewhere else, sorry and let me know.

---------------------------
Here's my question:

I have a problem with 2 infected DLL files (trojans) on one of my PCs (Windows XP professional SP2).

The first file is called c:\windows\system32\batmete.dll. When I try to delete it (even in safe mode), I get an 'Access Denied' error. I know AVG isn't the best, but it fails to remove the file after detection even though it says it will after reboot. I don't know if there is a rootkit, or what, but I cannot get it deleted.

The second file is called c:\windows\system32\efedc.dll. It is the same case as above (unable to delete) except the error is 'This file is being used by another program.' When I viewed a tasklist /m command on the cmd-line, I noticed that winlogon.exe and explorer.exe are using efedc.dll as a module. The problem is that winlogon.exe cannot be shut down without shutting the whole system down. It won't allow me to kill the process, but even if I could get it killed somehow, the operating system then wouldn't be running for me to delete the file with. I'm assuming winlogon.exe is a very essential part of the running Windows operating system, so shutting it down means the operating system wouldn't work... right? Let me know if I'm wrong because I don't know everything.

Anyway, I was wondering if the following is possible:
I would like to plug my hard drive (let's call it H1) into a separate computer (with hard drive H2) so that the system files on H1 wouldn't be running the system they make up. The operating system on H2 would be running, therefore, the system files on H1 would, again, not be running or holding access to other files on H1. This would allow me to delete the DLL files off H1, just like a jump drive, using the system running on H2. In other words, I'd like to treat the infected hard drive like a jump drive by plugging it into another computer, then delete the infected files I mentioned above. How could I accomplish this if possible? I would also like to safeguard against infecting H2.

Also, let me know if there is a different way to remove these files.

Thanks for your help.
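As an added example (not part of the original post), the PowerShell script below does on the live machine what the tasklist /m check above does, and also shows why the two deletes fail differently: for each named file it prints the owner, ACL, attributes and version resource (an 'Access Denied' that survives safe mode is usually an ACL the malware set), then lists every process that has the DLL mapped. The two file names come from the post; the paths, the PowerShell 2.0 requirement and everything else are assumptions.

```powershell
# Added example, not from the thread. Run on the infected machine (H1) as an
# administrator in PowerShell 2.0 or later. The two file names come from the post;
# the system32 path and all other details are assumptions.
$Suspects = @('batmete.dll', 'efedc.dll')

function Get-DllLoaders {
    # Equivalent of "tasklist /m <name>": every process whose module list contains the DLL.
    param([string]$DllName)
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # module list unreadable for some system processes
        foreach ($m in $mods) {
            if ($m.ModuleName -ieq $DllName) {
                New-Object PSObject -Property @{
                    Process = $p.ProcessName; PID = $p.Id; ModulePath = $m.FileName
                }
            }
        }
    }
}

function Show-FileSecurity {
    # Owner, ACL and attributes are what turn a plain delete into "Access Denied".
    param([string]$Path)
    $item = Get-Item -Path $Path -Force -ErrorAction Stop     # -Force sees hidden/system files
    $acl  = Get-Acl -Path $Path
    "  Attributes : $($item.Attributes)"
    "  Size/Time  : $($item.Length) bytes, modified $($item.LastWriteTime)"
    "  Version    : $($item.VersionInfo.FileVersion) ($($item.VersionInfo.CompanyName))"
    "  Owner      : $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        "  ACE        : {0,-6} {1,-32} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights
    }
}

foreach ($name in $Suspects) {
    $path = Join-Path $env:SystemRoot "system32\$name"
    "== $name =="
    if (Test-Path -Path $path) {
        Show-FileSecurity -Path $path
    } else {
        "  not found at $path (already removed, or hidden from this view)"
    }
    $loaders = @(Get-DllLoaders -DllName $name)
    if ($loaders.Count -eq 0) {
        "  loaded by: no running process (a delete from another system should succeed)"
    } else {
        $loaders | Format-Table Process, PID, ModulePath -AutoSize
    }
}
```

A Deny ACE for Everyone or SYSTEM in the ACE list explains the first error; winlogon.exe and explorer.exe in the loader list explain the second, since Windows refuses to delete a mapped image. Keep the printed version and size lines: they let you compare the file against a known-good copy later. Sysinternals sigcheck can additionally verify whether the file carries a valid Microsoft signature, which a replaced system DLL will not.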
 

Short answer is yes. And because the operating system won't be calling those DLL files, they won't be running, so they won't infect H2.
 
Okay, good, that's what I figured was possible. Now, you said 'short answer,' but is there anything important I should know about the 'long answer?' And can I just plug it into another PC?
 
Basically, as long as you know how to hook up a second hard drive (if it's IDE, you might need to configure master and slave), you'll be OK. The long answer was basically you are running off of the second hard drive's operating system, so it won't be referring to those DLLs. Now it's possible, depending on what crap you caught, it may start throwing error messages that it can't find blah blah.dll. From there you should look at msconfig (Start, run, msconfig) and find anything that references those dll files you mentioned in the original post under the Startup tab. If you have any further questions, feel free to post them. Although, somebody else will have to answer them as I am signing off.

Namaste,
jervin
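One caveat on the msconfig suggestion above: msconfig reads the registry of the machine it runs on and shows only the Run keys and Startup folder, so with H1 attached to H2 it will not show H1's entries, and a DLL that sits inside winlogon.exe and explorer.exe is normally registered through other load points (AppInit_DLLs, a Winlogon notification package, a shell extension or COM server). The PowerShell script below is an added example, not from the thread: it first disables autorun on H2 so that an autorun.inf on H1 is never honoured when the drive is attached, then loads H1's SOFTWARE hive from H2 and searches those load points for the two names. It assumes H1 is attached as H:, that the hive is mounted under the name H1SOFT, and an administrator shell in PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Run on the clean machine (H2) as an administrator,
# PowerShell 2.0 or later, with the infected drive (H1) attached as H: (assumption).
$InfectedDrive = 'H:'
$HiveFile      = Join-Path $InfectedDrive 'WINDOWS\system32\config\software'
$MountName     = 'H1SOFT'                       # arbitrary name for the loaded hive (assumption)
$Suspects      = @('batmete.dll', 'efedc.dll')  # names from the original post

function Disable-AutoRunOnThisMachine {
    # Run on H2 before attaching H1: 0xFF turns autorun off for every drive type.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path -Path $k)) { New-Item -Path $k -Force | Out-Null }
    Set-ItemProperty -Path $k -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Find-RegistryReference {
    # Walk a key tree and report every value whose data mentions one of the names.
    param([string]$KeyPath, [string[]]$Needles)
    $root = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($root -eq $null) { return }
    $keys = @($root) + @(Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($valueName in $k.GetValueNames()) {
            $raw  = $k.GetValue($valueName)
            $data = ($raw | ForEach-Object { [string]$_ }) -join ' '   # flattens MULTI_SZ and binary
            foreach ($n in $Needles) {
                if ($data -match [regex]::Escape($n)) {
                    New-Object PSObject -Property @{ Key = $k.Name; ValueName = $valueName; Data = $data }
                }
            }
        }
    }
}

Disable-AutoRunOnThisMachine

& reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed: run as administrator and check $HiveFile" }
try {
    $base = "HKLM:\$MountName"
    # Load points that put a DLL inside winlogon.exe, explorer.exe or every GUI process.
    $loadPoints = @(
        "$base\Microsoft\Windows NT\CurrentVersion\Windows",     # AppInit_DLLs value
        "$base\Microsoft\Windows NT\CurrentVersion\Winlogon",    # Notify\*\DLLName, Shell, Userinit
        "$base\Microsoft\Windows\CurrentVersion\Run",
        "$base\Microsoft\Windows\CurrentVersion\RunOnce",
        "$base\Microsoft\Windows\CurrentVersion\Explorer",       # ShellExecuteHooks, BHOs, SharedTaskScheduler
        "$base\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
        "$base\Classes\CLSID"                                    # InprocServer32 paths behind the COM entries
    )
    $hits = foreach ($lp in $loadPoints) { Find-RegistryReference -KeyPath $lp -Needles $Suspects }
    if ($hits) { $hits | Format-List Key, ValueName, Data } else { "no references in the listed load points" }
}
finally {
    $hits = $null
    [GC]::Collect()                                  # release RegistryKey handles, or "reg unload" is refused
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Every hit is a value to delete or to restore to its normal content in the mounted hive (still under HKLM:\H1SOFT while it is loaded) before H1 is booted again; an AppInit_DLLs or Winlogon\Notify entry that survives will simply reload the DLL, or produce the "cannot find ...dll" errors mentioned above once the file is gone. Services are registered in the SYSTEM hive, so the same function can be pointed at ControlSet001\Services after a second reg load of config\system.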
 

That's ok if you're signing off... I don't need these questions answered right away. I just want to eventually get this problem fixed.

I don't know what you mean by "if it's IDE." I know what IDE means, but I don't know how it applies to working with a hard drive through another computer system. I would prefer to hook H1 (the first hard drive... of the infected computer) up to the 2nd computer and use the 2nd computer in safe mode (cmd prompt) to access the files on H1. The second computer is going to be the same operating system as the one on H1 (i.e. Windows XP Pro SP2). Also, I don't see how the 2nd computer would not be able to find the files on H1 if the system on H1 is not running. A dir command with the arguments /as, /ah, and /ar should list all the files regardless of their attributes.

Lastly, I am worried that this may ruin the system. One infected file, again, is called batmete.dll. It replaced the normal batmeter.dll that comes with windows, so if I delete the infected replacement, the system might not work right because it replaced a necessary system file. But I'm going to do it anyway and see what happens.

Another inquiry is this: can I copy system DLL files (or executables) from one computer and copy them to another computer? Let's say I delete batmeter.dll from computer1 and copy the batmeter.dll from computer2 to computer1. Will computer1 then work right?
 
That's ok if you're signing off... I don't need these questions answered right away. I just want to eventually get this problem fixed.

I don't know what you mean by "if it's IDE." I know what IDE means, but I don't know how it applies to working with a hard drive through another computer system.

Well I was just referring to how to connect them via master and slave so they both would work. That's if they are indeed IDE.

Lastly, I am worried that this may ruin the system. One infected file, again, is called batmete.dll. It replaced the normal batmeter.dll that comes with windows, so if I delete the infected replacement, the system might not work right because it replaced a necessary system file. But I'm going to do it anyway and see what happens.

As I said before, it won't be called upon to run because even if you booted into the regular operating system, it's using the operating system files of the other hard drive. Therefore, the infected file will not be called upon to run. The file will only infect if it is executed (run).

Another inquiry is this: can I copy system DLL files (or executables) from one computer and copy them to another computer? Let's say I delete batmeter.dll from computer1 and copy the batmeter.dll from computer2 to computer1. Will computer1 then work right?

I don't see why not. As long as the computer is in safe mode, you should be able to as long as they are the same operating system. If the computer is not in safe mode, it may not copy because the file is in use. The Safe Mode command prompt would be a good choice for that.
 
Okay, the last things I need to know are:
1) how to remove the hard drive
2) how to plug it in (what kind of cord)

in reference to #2, I know one side of the cord should be a USB, but what should the other side be?

Anyway, thanks for all your help; I appreciate it.
 
Actually, the hard drive has to be connected to the inside of the computer, unless you have a special enclosure. So it doesn't use USB.

Click here for directions on removing a hard drive.

Now, if your hard drive is IDE, you need to make sure that the jumper (a plastic piece in between the IDE connector and the power connector) is set on cable select. Check to see what two pins the piece is over and reference that to the diagram on the hard drive. Make sure it is set as cable select. Then connect it to the spare connector on the cable that connects your current hard drive on the other computer. Make sure that you also connect power.

This is the complicated way, connecting it internally. You may find it a better value to spend a tad of money and get an external enclosure. You just need to find one that accommodates your hard drive, whether it's IDE or Serial ATA (SATA). Click here for a nice IDE model. Click here for a SATA model. You just need to find the type that matches the interface on your hard drive that is infected.

If you are confused about the difference between IDE and SATA, look down.

Notice the connectors on the IDE:
[image: IDE hard drive, showing the 40-pin data and power connectors]

Now this is a SATA hard drive (notice the connectors):
[image: Western Digital Raptor 10,000 RPM 80GB SATA hard drive]

Hope this helps. Let me know if you hit any more curbs.
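Once H1 is attached to H2 in one of the ways described above, the deletion itself is a few commands. The PowerShell script below is an added example, not from the thread: for each suspect file it keeps a renamed copy and records its SHA-256 before anything is destroyed, clears the read-only/hidden/system attributes and deletes the file, and, only if that fails, takes ownership, strips Deny entries and grants Administrators full control before retrying. It then answers the earlier question about copying batmeter.dll from the other machine by printing the file version on both disks, since a system DLL should only be copied between installations when the versions match. It assumes H1 is attached as H:, a quarantine folder on H2, and an administrator shell in PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Run on the clean machine (H2) as an administrator,
# PowerShell 2.0 or later. Drive letter, quarantine folder and paths are assumptions.
$InfectedRoot = 'H:\WINDOWS'            # H1 attached to H2 as H: (assumption)
$Quarantine   = 'C:\quarantine'         # on H2, never on the infected disk (assumption)
$Suspects     = @('batmete.dll', 'efedc.dll')   # names from the original post
$CleanSibling = 'batmeter.dll'          # the legitimate file the post says batmete.dll replaced

function Get-Sha256Hex {
    # Get-FileHash needs PowerShell 4; this works on 2.0.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Take-Ownership {
    # Make Administrators the owner, drop explicit Deny entries, grant FullControl.
    # Inherited Deny entries would need SetAccessRuleProtection on the parent; not handled here.
    param([string]$Path)
    $admins = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')
    $acl = Get-Acl -Path $Path
    $acl.SetOwner($admins)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path
    foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-SuspectFile {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { "$Path : not present"; return }
    if (-not (Test-Path -Path $Quarantine)) { New-Item -ItemType Directory -Path $Quarantine | Out-Null }
    foreach ($attempt in 1, 2) {
        try {
            $hash = Get-Sha256Hex -Path $Path
            # keep the sample under a non-.dll name so nothing on H2 can ever load it
            $keep = Join-Path $Quarantine ("{0}.{1}.bin" -f (Split-Path -Leaf $Path), $hash.Substring(0, 12))
            Copy-Item -Path $Path -Destination $keep -Force
            (Get-Item -Path $Path -Force).Attributes = 'Normal'   # clear read-only/hidden/system
            Remove-Item -Path $Path -Force -ErrorAction Stop
            "$Path : sha256 $hash, sample kept at $keep, deleted"
            return
        } catch {
            if ($attempt -eq 2) { throw }
            "$Path : $($_.Exception.Message) - taking ownership and retrying"
            Take-Ownership -Path $Path
        }
    }
}

function Compare-FileVersion {
    # Print the version resource of the same system file on H1 and on H2.
    param([string]$Name)
    foreach ($p in (Join-Path $InfectedRoot "system32\$Name"), (Join-Path $env:SystemRoot "system32\$Name")) {
        if (Test-Path -Path $p) {
            $v = (Get-Item -Path $p -Force).VersionInfo
            "{0}: {1} ({2})" -f $p, $v.FileVersion, $v.CompanyName
        } else {
            "{0}: missing" -f $p
        }
    }
}

foreach ($name in $Suspects) { Remove-SuspectFile -Path (Join-Path $InfectedRoot "system32\$name") }
Compare-FileVersion -Name $CleanSibling
```

Keep the quarantined copies and hashes: they are what you submit to your AV vendor and what you compare against if the files reappear after H1 boots again. If Set-Acl refuses to change the owner, take ownership from the file's Properties > Security > Advanced > Owner dialog (Simple File Sharing must be off on XP) and rerun the script. Copy batmeter.dll from H2 to H1 only when Compare-FileVersion prints the same version for both, or when H1's copy is missing and both machines are on the same service pack.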
 
If you want to delete this file you have to use Hiren's BootCD and the program Volkov Commander 4.99 to delete that file.
 