Old 11-01-2008, 12:12 AM   #1
Baseband Member
 
Join Date: Oct 2008
Posts: 21
Infected DLL files - can't delete.

Hello, first of all, I hope this is the right place on this forum to post this. I looked around, and decided to post it here. If it belongs somewhere else, sorry and let me know.

---------------------------
Here's my question:

I have a problem with 2 infected DLL files (trojans) on one of my PCs (Windows XP Professional SP2).

The first file is called c:\windows\system32\batmete.dll. When I try to delete it (even in safe mode), I get an 'Access Denied' error. I know AVG isn't the best, but it fails to remove the file after detection even though it says it will after reboot. I don't know if there is a root kit, or what, but I cannot get it deleted.

The second file is called c:\windows\system32\efedc.dll. It is the same case as above (unable to delete) except the error is 'This file is being used by another program.' When I viewed a tasklist /m command on the cmd-line, I noticed that winlogon.exe and explorer.exe are using efedc.dll as a module. The problem is that winlogon.exe cannot be shut down without shutting the whole system down. It won't allow me to kill the process, but even if I could get it killed somehow, the operating system then wouldn't be running for me to delete the file with. I'm assuming winlogon.exe is a very essential part of the Windows running operating system, so shutting it down means the operating system wouldn't work... right? Let me know if I'm wrong because I don't know everything.

Anyway, I was wondering if the following is possible:
I would like to plug my hard drive (let's call it H1) into a separate computer (with hard drive H2) so that the system files on H1 wouldn't be running the system they make up. The operating system on H2 would be running, therefore, the system files on H1 would, again, not be running or holding access to other files on H1. This would allow me to delete the DLL files off H1, just like a jump drive, using the system running on H2. In other words, I'd like to treat the infected hard drive like a jump drive by plugging it into another computer, then delete the infected files I mentioned above. How could I accomplish this if possible? I would also like to safeguard against infecting H2.

Also, let me know if there is a different way to remove these files.

Thanks for your help.
miked8887 is offline  
Old 11-01-2008, 12:20 AM   #2
Fully Optimized
 
Computer Head's Avatar
 
Join Date: Jun 2006
Posts: 2,841
Re: Infected DLL files - can't delete.

Quote:
Originally Posted by miked8887
Hello, first of all, I hope this is the right place on this forum to post this. I looked around, and decided to post it here. If it belongs somewhere else, sorry and let me know.

---------------------------
Here's my question:

I have a problem with 2 infected DLL files (trojans) on one of my PCs (Windows XP Professional SP2).

The first file is called c:\windows\system32\batmete.dll. When I try to delete it (even in safe mode), I get an 'Access Denied' error. I know AVG isn't the best, but it fails to remove the file after detection even though it says it will after reboot. I don't know if there is a root kit, or what, but I cannot get it deleted.

The second file is called c:\windows\system32\efedc.dll. It is the same case as above (unable to delete) except the error is 'This file is being used by another program.' When I viewed a tasklist /m command on the cmd-line, I noticed that winlogon.exe and explorer.exe are using efedc.dll as a module. The problem is that winlogon.exe cannot be shut down without shutting the whole system down. It won't allow me to kill the process, but even if I could get it killed somehow, the operating system then wouldn't be running for me to delete the file with. I'm assuming winlogon.exe is a very essential part of the Windows running operating system, so shutting it down means the operating system wouldn't work... right? Let me know if I'm wrong because I don't know everything.

Anyway, I was wondering if the following is possible:
I would like to plug my hard drive (let's call it H1) into a separate computer (with hard drive H2) so that the system files on H1 wouldn't be running the system they make up. The operating system on H2 would be running, therefore, the system files on H1 would, again, not be running or holding access to other files on H1. This would allow me to delete the DLL files off H1, just like a jump drive, using the system running on H2. In other words, I'd like to treat the infected hard drive like a jump drive by plugging it into another computer, then delete the infected files I mentioned above. How could I accomplish this if possible? I would also like to safeguard against infecting H2.

Also, let me know if there is a different way to remove these files.

Thanks for your help.
Short answer is yes. And because the operating system won't be calling those DLL files, they won't be running, so they won't infect H2.
__________________
A+, Network+
Official "Birthday Man" of CF.

http://www.yourpcforums.org
Computer Head is offline  
Old 11-01-2008, 12:57 AM   #3
Baseband Member
 
Join Date: Oct 2008
Posts: 21
Re: Infected DLL files - can't delete.

Okay, good, that's what I figured was possible. Now, you said 'short answer,' but is there anything important I should know about the 'long answer?' And can I just plug it into another PC?
miked8887 is offline  
Old 11-01-2008, 01:04 AM   #4
Fully Optimized
 
Computer Head's Avatar
 
Join Date: Jun 2006
Posts: 2,841
Re: Infected DLL files - can't delete.

Basically, as long as you know how to hook up a second hard drive (if it's IDE, you might need to configure master and slave), you'll be OK. The long answer was basically you are running off of the second hard drive's operating system, so it won't be referring to those DLLs. Now it's possible, depending on what crap you caught, it may start throwing error messages that it can't find blah blah.dll. From there you should look at msconfig (Start, run, msconfig) and find anything that references those dll files you mentioned in the original post under the Startup tab. If you have any further questions, feel free to post them. Although, somebody else will have to answer them as I am signing off.

Namaste,
jervin
Computer Head is offline  
Old 11-01-2008, 04:46 AM   #5
Baseband Member
 
Join Date: Oct 2008
Posts: 21
Re: Infected DLL files - can't delete.

Quote:
Originally Posted by jervin32189
Basically, as long as you know how to hook up a second hard drive (if it's IDE, you might need to configure master and slave), you'll be OK. The long answer was basically you are running off of the second hard drive's operating system, so it won't be referring to those DLLs. Now it's possible, depending on what crap you caught, it may start throwing error messages that it can't find blah blah.dll. From there you should look at msconfig (Start, run, msconfig) and find anything that references those dll files you mentioned in the original post under the Startup tab. If you have any further questions, feel free to post them. Although, somebody else will have to answer them as I am signing off.

Namaste,
jervin
That's ok if you're signing off... I don't need these questions answered right away. I just want to eventually get this problem fixed.

I don't know what you mean by "if it's IDE." I know what IDE means, but I don't know how it applies to working with a hard drive through another computer system. I would prefer to hook H1 (the first hard drive... of infected computer) up to the 2nd computer and use the 2nd computer in safe mode (cmd-prompt) to access the files on H1. The second computer is going to be the same operating system as the one on H1 (i.e. Windows XP Pro SP2). Also, I don't see how the 2nd computer would not be able to find the files on H1 if the system on H1 is not running. A dir command with the arguments /as, /ah, and /ar should list all the files regardless of their attributes.

Lastly, I am worried that this may ruin the system. One infected file, again, is called batmete.dll. It replaced the normal batmeter.dll that comes with Windows, so if I delete the infected replacement, the system might not work right because it replaced a necessary system file. But I'm going to do it anyway and see what happens.

Another inquiry is this: can I copy system dll-files (or executables) from one computer and copy them to another computer? Let's say I delete batmeter.dll from computer1 and copy the batmeter.dll from computer2 to computer1. Will computer1 then work right?
miked8887 is offline  
Old 11-01-2008, 01:12 PM   #6
Fully Optimized
 
Computer Head's Avatar
 
Join Date: Jun 2006
Posts: 2,841
Re: Infected DLL files - can't delete.

Quote:
Originally Posted by miked8887
That's ok if you're signing off... I don't need these questions answered right away. I just want to eventually get this problem fixed.

I don't know what you mean by "if it's IDE." I know what IDE means, but I don't know how it applies to working with a hard drive through another computer system.
Well I was just referring to how to connect them via master and slave so they both would work. That's if they are indeed IDE.

Quote:
Originally Posted by miked8887
Lastly, I am worried that this may ruin the system. One infected file, again, is called batmete.dll. It replaced the normal batmeter.dll that comes with Windows, so if I delete the infected replacement, the system might not work right because it replaced a necessary system file. But I'm going to do it anyway and see what happens.
As I said before, it won't be called upon to run because even if you booted into the regular operating system, it's using the operating system files of the other hard drive. Therefore, the infected file will not be called upon to run. The file will only infect if it is executed (run).

Quote:
Originally Posted by miked8887
Another inquiry is this: can I copy system dll-files (or executables) from one computer and copy them to another computer? Let's say I delete batmeter.dll from computer1 and copy the batmeter.dll from computer2 to computer1. Will computer1 then work right?
I don't see why not. As long as the computer is in safe mode, you should be able to as long as they are the same operating system. If the computer is not in safe mode, it may not copy because the file is in use. The Safe Mode command prompt would be a good choice for that.
Computer Head is offline  
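
Added example, not written by any poster in this thread: Python that could be run from the clean system (H2) against the attached drive's system32 folder. It moves the two DLLs named in the thread into a quarantine folder instead of deleting them, records their SHA-256 hashes, and copies a known-good batmeter.dll into place with a hash check; the function names, the quarantine folder and the `.quarantined` suffix are assumptions of this example.

```python
# Added example; function names and the ".quarantined" suffix are assumptions.
import hashlib
import shutil
import tempfile
from pathlib import Path

SUSPECTS = ("batmete.dll", "efedc.dll")  # file names reported in the thread


def sha256(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(system32, quarantine_dir, names=SUSPECTS):
    """Move suspects out of system32 under a new name; return {name: sha256}."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    wanted = {n.lower() for n in names}
    moved = {}
    for entry in list(Path(system32).iterdir()):  # names match case-insensitively
        if entry.is_file() and entry.name.lower() in wanted:
            moved[entry.name.lower()] = sha256(entry)
            shutil.move(str(entry), str(qdir / (entry.name + ".quarantined")))
    return moved


def restore_clean(reference, system32, name="batmeter.dll"):
    """Copy a known-good file from the clean system and verify the copy."""
    dest = Path(system32) / name
    if dest.exists():
        raise FileExistsError(f"{dest} exists; inspect it before overwriting")
    shutil.copy2(reference, dest)
    if sha256(dest) != sha256(reference):
        dest.unlink()
        raise OSError("copied file does not match the reference hash")
    return sha256(dest)


if __name__ == "__main__":
    # Constructed stand-in for the attached drive's WINDOWS\system32 folder.
    root = Path(tempfile.mkdtemp())
    (root / "system32").mkdir()
    (root / "system32" / "BATMETE.DLL").write_bytes(b"constructed sample")
    (root / "good.dll").write_bytes(b"constructed known-good sample")
    print(quarantine(root / "system32", root / "quarantine"))
    print(restore_clean(root / "good.dll", root / "system32"))
```

The recorded hashes can be kept with the quarantined copies so the files can still be identified later.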
Old 11-01-2008, 02:45 PM   #7
Baseband Member
 
Join Date: Oct 2008
Posts: 21
Re: Infected DLL files - can't delete.

Okay, the last things I need to know are:
1) how to remove the hard drive
2) how to plug it in (what kind of cord)

In reference to #2, I know one side of the cord should be a USB, but what should the other side be?

Anyway, thanks for all your help; I appreciate it.
miked8887 is offline  
Old 11-01-2008, 03:31 PM   #8
Fully Optimized
 
Computer Head's Avatar
 
Join Date: Jun 2006
Posts: 2,841
Re: Infected DLL files - can't delete.

Actually, the hard drive has to be connected to the inside of the computer, unless you have a special enclosure. So it doesn't use USB.

Click here for directions on removing a hard drive.

Now, if your hard drive is IDE, you need to make sure that the jumper (a plastic piece in between the IDE connector and the power connector) is set on cable select. Check to see what two pins the piece is over and reference that to the diagram on the hard drive. Make sure it is set as cable select. Then connect it to the spare connector on the cable that connects your current hard drive on the other computer. Make sure that you also connect power.

This is the complicated way, connecting it internally. You may find it a better value to spend a tad of money and get an external enclosure. You just need to find one that accommodates your hard drive, whether it's IDE or Serial ATA (SATA). Click here for a nice IDE model. Click here for a SATA model. You just need to find the type that matches the interface on your hard drive that is infected.

If you are confused about the difference between IDE and SATA, look down.

Notice the connectors on the IDE:


Now this is a SATA hard drive (notice the connectors):


Hope this helps. Let me know if you hit any more curbs.
Computer Head is offline  
Old 12-17-2008, 04:15 AM   #9
Solid State Member
 
mickybo's Avatar
 
Join Date: Dec 2008
Posts: 8
Re: Infected DLL files - can't delete.

If you want to delete this file, you have to use Hiren's Boot and the program Volkov Commander 4.99 to delete that file.
mickybo is offline  