Desperately need to delete a file
There's a DLL in my \windows\system32 directory (XP) called msephh.dll, and it contains the Backdoor-CFB virus. Very annoying. McAfee prompts me to delete or quarantine the file, but I get an Access Denied. I went to DOS to try to delete it, but I still get an access denied. I can't delete it in Explorer either. The weirdest thing: I reboot and load Safe mode. The DLL isn't there in Safe Mode!!! Someone on here mentioned Shift-Delete, but that doesn't work either. I even tried a System Restore (turning it off) option that I found at microsoft.com, but I still couldn't do it. How can I FORCE this file to be deleted?
Responses to this topic
I went looking for spyware that sets off McAfee and does something of what yours is doing - creating a randomly named dll unique to your system but essentially spyware. This is one possible solution from Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.J
This is what McAfee had to say:
This detection is for a DLL component which may be installed automatically onto the victim's machine whilst visiting a website.
The filename of the DLL varies, for example:
* COMPCKP.DLL
* CTLAPA.DLL
* CTLJOH.DLL
* D3DKHE.DLL
* HLPJP.DLL
* HLPEO.DLL
* KBDJEF.DLL
* LOG.DLL
* MS.DLL
* MSA.DLL
* WIN.DLL
* WINLG.DLL
* WDM.DLL
Registry modifications are made such that the DLL is loaded at system startup. The name of the Registry key added may vary, but it always starts with '**', followed by 1-4 random characters. For example:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"**xx" = RUNDLL32, %SysDir%\(DLL filename).DLL,StreamingDeviceSetup
The following Registry key modification will also be present:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"="%SysDir%\(DLL filename).DLL"
This key is modified like this in order to load the DLL into other processes as they are run on the system. Because of this, removal with the specified DATs requires either a restart, or the scanning/cleaning to be performed in Safe Mode.
The DLL file is not malicious by itself but it may be used by a malicious program to export system information from the victim's machine.
Analysis is still ongoing and the description will be updated once we have finished.
Apparently this fellow invented his own cure for something similar to what you found in McAfee: http://www.zonavirus.com/descargas/EliBDCFB.exe
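An added example, not code from anyone in this thread, that turns the McAfee description above into a repeatable check: it parses the text form of a `reg export` (.reg) file and flags Run-key values whose name starts with `**` plus 1-4 characters, Run-key values that launch a DLL export through RUNDLL32, and a non-empty AppInit_DLLs value. The .reg text is constructed sample data (the `**ab` name and the `ctfmon` entry are made up for the demonstration), and the parser only handles plain string values, which is all these two keys need.

```python
import re
from dataclasses import dataclass

# Constructed sample of a `reg export` of the two keys named in the write-up.
# One benign Run entry, one "**xx" entry and a populated AppInit_DLLs value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"**ab"="RUNDLL32 C:\\WINDOWS\\system32\\msephh.dll,StreamingDeviceSetup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\msephh.dll"
"DeviceNotSelectedTimeout"="15"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# "name"="value" with .reg escaping (\\ and \") inside either string.
_STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key path (lower-cased): {value name: string value}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry key paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _STRING_VALUE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def audit(keys):
    """Apply the two indicators from the write-up to a parsed export."""
    findings = []
    for name, value in keys.get(RUN_KEY.lower(), {}).items():
        reasons = []
        if re.fullmatch(r"\*\*.{1,4}", name):
            reasons.append("value name is '**' followed by 1-4 characters")
        if re.search(r"rundll32\b.*\.dll\s*,", value, re.IGNORECASE):
            reasons.append("starts a DLL export through RUNDLL32")
        if reasons:
            findings.append(Finding(RUN_KEY, name, value, "; ".join(reasons)))
    windows = keys.get(WINDOWS_KEY.lower(), {})
    appinit = next((v for n, v in windows.items() if n.lower() == "appinit_dlls"), "")
    if appinit.strip():
        findings.append(Finding(WINDOWS_KEY, "AppInit_DLLs", appinit,
                                "non-empty AppInit_DLLs: the DLL is loaded into every "
                                "process that loads user32.dll, so it stays in use"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{f.key}\n  {f.name!r} = {f.value!r}\n  -> {f.reason}")
```

On a real machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for the Windows NT key); the AppInit_DLLs finding is also why the write-up says cleaning needs a restart or Safe Mode, since a DLL mapped into running processes cannot be deleted while they hold it open.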
Sampson, I was able to remove the DLL from the Windows NT registry area (as you mentioned above). But it always comes back eventually. I even renamed it, but it recreated the DLL with the same name again. I even used the Permissions area to Deny access, and I don't see the DLL listed in the registry any longer, but I can't delete the DLL from the system32 directory, and McAfee keeps alerting me about the virus still. The zonavirus link didn't help either. The program said it can't open the DLL, and McAfee said access denied.
This may or may not help. There was this bug in Windows 2000 FTP server that allowed pub scanners to create undeletable files and folders. I eventually found a way to do it by searching Google. There is a rm.exe available on the Win2k Resource Kit, some kind of POSIX thing. It was able to delete the files. Now in your case I understand it's a security issue. Just out of curiosity (I didn't read all the posts), but are you sure that it's a process error and not an NTFS problem? Maybe the virus has changed the security so you can't delete it. Take ownership of it (as administrator) and add all the permissions you need. It seems weird that you would not be able to delete it from Safe Mode or Recovery Console unless there was an NTFS issue preventing deletion. Not even sure if NTFS matters in Recovery Console.
here is my 2¢...
I have been studying this trojan and I have noticed:
The PendingFileRenames value is monitored; if this value contains the name of the dll that is the carrier, it is overwritten with random characters. This pretty much negates any attempt by antivirus to remove the DLL.
Several have commented on how the file does not exist after a reboot to safe mode. It seems like the virus is renaming itself and loading itself into the PendingFileRenames value. Note the date/time stamp and the exact size of the file and search based on this instead of the name only.
Possible remedy: (not for the technically challenged...)
Close all apps.
Delete the PendingFileRenames value (reg_multi_sz) not the hive.
Power the machine off. (Yank the power cord on the newer boxes as pressing the power button will initiate a shutdown.) This should not hurt a NT/W2K/XP box.
ENABLE BOOT SECTOR WRITE PROTECTION IN THE BIOS.
Reboot to safe mode or preferably, reboot using the recovery console.
Search for the file, or any file that fits the description. (date/time or size...)
Run chkdsk /f from cmd prompt and delete any recovered files.
Check the PendingFileRenames value (reg_multi_sz) and verify any entries.
Let us know if this works...
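The post above suggests searching for the carrier by date/time stamp and exact size rather than by name. As an added example (not from the poster), the following shows why that works: it builds a throwaway directory with constructed stand-in files, fingerprints the carrier by size, modification time and SHA-256, renames it, and finds it again without knowing the new name. The file names, sizes, contents and the 2004 timestamp are all made up for the demonstration; on a real system you would point `find_by_fingerprint` at `%SystemRoot%\system32` with the size and time you noted before the reboot.

```python
import hashlib
import os
import shutil
import tempfile


def fingerprint(path):
    """Size, modification time (whole seconds) and SHA-256: attributes a rename does not change."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def find_by_fingerprint(root, size, mtime=None, sha256=None, tolerance=2):
    """Walk `root` and return every file matching the size (and, if given, mtime within
    `tolerance` seconds and SHA-256), ignoring file names entirely."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.stat(p)
            except OSError:          # locked or vanished file: skip rather than abort the sweep
                continue
            if st.st_size != size:
                continue
            if mtime is not None and abs(int(st.st_mtime) - mtime) > tolerance:
                continue
            if sha256 is not None and fingerprint(p)["sha256"] != sha256:
                continue
            matches.append(p)
    return sorted(matches)


def demo():
    """Constructed scenario: note the carrier's fingerprint, let it 'rename itself', find it again."""
    root = tempfile.mkdtemp(prefix="sys32-")
    old_time = 1072915200  # 2004-01-01 00:00:00 UTC, a constructed timestamp

    def make(name, data, mtime):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (mtime, mtime))
        return p

    make("kernel32.dll", b"K" * 4096, old_time)                 # stand-in for a normal system file
    carrier = make("msephh.dll", b"\x90" * 3210, old_time)      # stand-in for the carrier, not a real DLL
    make("decoy.dll", b"D" * 3210, old_time + 30 * 86400)       # same size, different date
    fp = fingerprint(carrier)

    # The rename the post describes: the name changes, size/mtime/content do not.
    renamed = os.path.join(root, "hlpoj.dll")
    os.rename(carrier, renamed)

    result = {
        "renamed": renamed,
        "by_size": find_by_fingerprint(root, fp["size"]),
        "by_size_and_time": find_by_fingerprint(root, fp["size"], fp["mtime"]),
        "by_hash": find_by_fingerprint(root, fp["size"], fp["mtime"], fp["sha256"]),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Size alone also matches the decoy, which is why the post says to use date/time as well; a hash recorded before the reboot is the strongest confirmation, since it identifies the file even if the carrier is copied rather than renamed.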
Since last time this item reached the latest threads have found another tool called drdelete and can be found here: http://www.dslreports.com/forum/remark,7374516~mode=flat~days=9999~start=20
Have not used it yet, but it is supposed to be able to delete files in use.
I have been having a similar problem (Symantec instead of McAfee, hlpoj.dll instead of msephh.dll), for about a week now and just ran across this thread. Thanks to all who posted suggestions of things to try. I ended up booting off the install CD, running the recovery console, removing the offending file.
To keep it from coming back, I copied another system dll file to the name of the trojan/virus one, and used "attrib +rsh".
If you (original poster) can get your hands on an install CD, or use one of the other methods of removing the file, perhaps this will work for you too.
Good luck,
Nathan
Just to add a 'me too' to the above. I came across the problem during an infestation with CoolWebSearch. Once I had cleared out all of the rest of the infection a stubborn 'kbdn.dll' remained in the System32 folder, constantly triggering Norton Anti Virus (which identifies it as the Backdoor.Agent.B trojan) but undeletable, and frequently undetectable, especially in Safe Mode. Every now and again it invents a new random .dll which tries to inveigle itself into Internet Explorer and change the homepage - WinPatrol is keeping that issue at bay for now, and I can delete the spin-off .dll files, but I've been having the same issues as gt93grad in trying to get rid of the trojan itself.
Since I've had the problem I've found it cropping up in forums everywhere recently. I'll give the fixes you mentioned a shot when I get back home - thanks for the tips; I was beginning to despair!
Scooby (and anyone else still being plagued) - I have discovered that TrendMicro has issued a specific fix for this problem that kills the class of trojans that has been under discussion here. I found it at:
https://beta.activeupdate.trendmicro.com/fixtool/fixagentv1.0007.zip
I tried it yesterday on my system and it worked like a charm. Of course it goes without saying that you need to run every piece of anti-virus software you can get your hands on afterwards to clean up the junk left behind by the trojan (I found three registry entries and a directory file that had been invisible to me beforehand - and not always where you would expect them to be, either).
Good luck.
Richard