Compatible Support Forums
gt93grad

Desperately need to delete a file


There's a DLL in my \windows\system32 directory (XP) called msephh.dll, and it contains the Backdoor-CFB virus. Very annoying. McAfee prompts me to delete or quarantine the file, but I get an Access Denied. I went to DOS to try to delete it, but I still get an access denied. I can't delete it in Explorer either. The weirdest thing: I reboot and load Safe mode. The DLL isn't there in Safe Mode!!! Someone on here mentioned Shift-Delete, but that doesn't work either. I even tried a System Restore (turning it off) option that I found at microsoft.com, but I still couldn't do it. How can I FORCE this file to be deleted?


First, bring up a DOS prompt within Windows.

Then, hit CTRL-SHIFT-ESC to bring up your Task Manager.

Find explorer.exe and click on it to highlight it. Then click the End Process button. Your Windows desktop may act strangely and some icons may disappear. Pay no attention to that.

Click back into the DOS window and type cd \windows\system32 (or whatever directory you are looking for). Use the command dir msephh.dll to be sure that the file is there, then del msephh.dll.

Type exit to leave the DOS window. Click the Start button, choose Run, then type explorer.exe, or you can just reboot.


Thanks, but I did EXACTLY that, and I still get "Access denied" in DOS. (I'm very computer literate by the way.) Any other ideas?


I am not exactly certain you followed the instructions as printed since by disabling explorer.exe, in general, the protection is taken off of the files. In any case, there is apparently a process still holding onto this file that needs to be stopped prior to stopping explorer.exe in the task manager.

Sysinternals has two programs that will allow you to see what process is using what .dll. The graphic program is found here: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml and the "generic" version is here: http://www.sysinternals.com/ntw2k/freeware/handle.shtml

Using either of these tools should indicate what process is connected to the .dll. You can then unregister it or end it through the Task Manager. Then, try the trick of disabling explorer.exe and going through the DOS prompt to delete it.

A second approach would be to run regedit and do a find on this dll. If found or several instances are found, delete those values.

Reboot. This may release its being used and you can then delete it.


Try this:

From a command prompt type:

regsvr32 /u msephh.dll

Next, try to delete the file. If you still can't, then go into your registry and try to find any entries for this file and see what it is associated with. If you can, remove the entry (or entries).

Reboot and try to delete again.


yet another way

right click/properties/security

remove all security rights (including system)

reboot

delete file

if the system doesn't have access then it can't load


Hey jerry atrik (yeah, I get the name), you said click/properties/security. Where is this?


find the file you want to delete and right click on it

then properties, then the security tab on top.

it shows a list of people and things with permissions

remove them all.

PS: if a box pops up saying that inherited permissions rule,

then hit that advanced button and uncheck the inherited permissions.


thanks for the kudos

since I daily fix web hijackings around here, there is always that one file that loads even during a safe mode boot

the only way I figured out how to remove it easily is to deny the system permission to load.


Originally posted by jerry atrik:

Quote:
yet another way

right click/properties/security

remove all security rights (including system)

reboot

delete file

if the system doesn't have access then it can't load

Good call, you beat me to the punch.


Alec, we used to have these Windows 2000 workstations on which we had to install an older MS version of Maps.

This old version would overwrite a .dll file and would error every boot.

I couldn't delete it even in safe mode and finally denied access to System. Then in safe mode I could delete it.

Silly MS


Jerry atrik,

When I right click on the file and choose Properties, all I have is the General tab. The file is read only, but when I turn it off and apply, I get "An error occurred while applying attributes." Then I have the IGNORE, IGNORE ALL, RETRY, CANCEL options. I'm screwed either way.


Sampson, tried sysinternals, but the msephh.dll doesn't even show up in the list! McAfee keeps warning me about it constantly though.


PTS, tried the regsvr32, but got "Load library failed, access is denied." Will it ever end?


You have become the real guinea pig for this issue. So, if we can't get it to release and the explorer trick doesn't work, here is a program that might help: http://www.softwarepatch.com/software/moveonboot.html

It is called moveonboot. It is free. It really wasn't designed for this but essentially, you run the program, issue what you want to do to a file (move, rename, delete) then when you reboot and before Windows kicks in, it intervenes and does what you asked it to do to the file.


Sampson,

Thought I had it but the DLL keeps coming back. It appears to be gone, but then I get the antivirus popup and it's back again.

Alec,

Sorry, I want to try your option, but I don't have the installation CD.


Actually, in trying to help I simply did a search in google for the problem he is having. What you see is what I saw. I made no claims that this would work, but he was welcome to try it. Nothing else had worked so far, so..... Anyway! Go lecture google.


Ok. When you are able to delete it using moveonboot, check to see what the creation date is. It looks to me that you are now able to actually delete this dll, but some other process is creating it when Windows eventually comes up. I saw this in trying to eliminate eAcceleration's software once. You could uninstall the software, but it embedded itself in the registry, invented a popup stopper attached to IE (a BHO) and kept creating a dll that ran in the background. This may not have been created by the eAcceleration software on your machine, but it could be using some of the same tricks. In the meantime, go to PestPatrol http://www.pestpatrol.com/ and try to scan your machine. Since McAfee is seeing something in association with this dll and alerting you, it means their definitions know of this thing. I know that some of these companies are not the most helpful, but it won't hurt to email them with your quandary about what this dll is.


This is what McAfee had to say:

This detection is for a DLL component which may be installed automatically onto the victim's machine whilst visiting a website.

The filename of the DLL varies, for example:

* COMPCKP.DLL
* CTLAPA.DLL
* CTLJOH.DLL
* D3DKHE.DLL
* HLPJP.DLL
* HLPEO.DLL
* KBDJEF.DLL
* LOG.DLL
* MS.DLL
* MSA.DLL
* WIN.DLL
* WINLG.DLL
* WDM.DLL

Registry modifications are made such that the DLL is loaded at system startup. The name of the Registry key added may vary, but it always starts with '**', followed by 1-4 random characters. For example:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"**xx" = RUNDLL32, %SysDir%\(DLL filename).DLL,StreamingDeviceSetup

The following Registry key modification will also be present:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"="%SysDir%\(DLL filename).DLL"

This key is modified like this in order to load the DLL into other processes as they are run on the system. Because of this, removal with the specified DATs requires either a restart, or the scanning/cleaning to be performed in Safe Mode.

The DLL file is not malicious by itself but it may be used by a malicious program to export system information from the victim's machine.

Analysis is still ongoing and the description will be updated once we have finished.

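As an added defender-side example (not from the thread or from McAfee), here is a Python check that parses a constructed reg export dump and flags the two persistence entries the description lists: a Run value whose name starts with '**' or that invokes RUNDLL32 with StreamingDeviceSetup, and any non-empty AppInit_DLLs value. The sample dump and its values are constructed; only the key paths and the msephh.dll filename come from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed "reg export" dump (Windows Registry Editor 5.00 format); the
# values are made up, the key paths are the ones McAfee's description names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"**ab"="RUNDLL32 C:\\WINDOWS\\system32\\msephh.dll,StreamingDeviceSetup"
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\UpdaterUI.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\msephh.dll"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
STAR_NAME = re.compile(r"^\*\*.{1,4}$")  # '**' + 1-4 random characters
RUNDLL_LOADER = re.compile(r"rundll32\b.*\.dll,StreamingDeviceSetup", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ only


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_LINE.match(line)):
            # .reg escapes backslashes and quotes with a backslash; undo that
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            keys[current][name] = data
    return keys


def find_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for entries matching the description."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if STAR_NAME.match(name) or RUNDLL_LOADER.search(data):
            findings.append((RUN_KEY, name, "startup loader: " + data))
    # AppInit_DLLs is loaded into every process that links user32.dll, which is
    # why the file stays busy in normal mode and cleaning needs Safe Mode
    appinit = keys.get(WINDOWS_KEY.lower(), {}).get("AppInit_DLLs", "").strip()
    if appinit:
        findings.append((WINDOWS_KEY, "AppInit_DLLs", "injected DLL(s): " + appinit))
    return findings
```

Run the same check over a real export (reg export of the two keys) to confirm whether the loader entries have survived a reboot, which is the question the thread is stuck on.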

quaf, tried that a long time ago. Access denied. Can't turn off the Read Only either. Access denied. Someone did a good job with this one.

Alec, yep, '93 Georgia Tech grad. Industrial Engineering. I live in Sandy Springs now, so not far from Marietta.

