Question

Keeps saying "some program using it". How to delete??

Asked by: letsk77

My XP Pro PC has a file named "dllav.dll" located at C:\Windows\msagent. This file was infected by adware and is causing popups. Very annoying. When I go to this "msagent" folder and try to delete it, it keeps saying "Cannot delete dllav: It is being used by another person or program. Close any programs that might be using the file and try again".

I have tried going into Safe Mode, but still cannot. Tried in Safe Mode with command prompt, typing "del c:\windows\msagent\dllav.dll", also cannot (same message). Tried to use Notepad to create something and save it at this location with the same name, hoping to replace it and delete it, but it won't allow me to save.

Some experts please help me to delete this file!! By the way, is there any way I can check what program is using this stupid file? And does anyone know what the folder msagent is for?? Is it related to Microsoft Office?

This Question has been solved and asker verified.

Asked On: 2005-07-18 at 03:13:36 | ID: 21494922
Tags: delete
Topic: Networking Security Vulnerabilities
Participating Experts: 4
Points: 55
Comments: 38


Answers

 

by: r-k | Posted on 2005-07-18 at 07:35:09 | ID: 14466530

Here is what you can do to prevent that file from running:

(1) Right click on the file in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Close all windows.

(6) Reboot.

This will render that file harmless and prevent it from running.
If you're running XP Pro and can't see the Security tab, select (in Windows Explorer), Tools -> Folder options -> View and un-check "Use Simple File Sharing"

Then, you still need to examine your computer and clean it up a bit. Suggest you get HijackThis from http://www.hijackthis.de/ and scan your system. Post the log back to that site for analysis, then post a link here to the saved analyzed log (not the entire log).


 

by: r-k | Posted on 2005-07-18 at 07:37:51 | ID: 14466566

The "msagent" directory itself is a valid part of Windows, so don't delete other files there. It is used to display those animated icons (such as the dog when you do a search for files, or the Office paper-clip). See:

 http://www.microsoft.com/msagent/default.asp

OK, I can see why some people may not consider that feature all that useful :)

 

by: r-k | Posted on 2005-07-18 at 07:40:42 | ID: 14466587

To check what program might be using a file, you can use FileMon:

 http://www.sysinternals.com/Utilities/Filemon.html

However, it is for somewhat advanced users. It is probably much better initially to run HijackThis and see what might be infecting your system.

 

by: war1 | Posted on 2005-07-18 at 11:41:49 | ID: 14469016

Greetings, letsk77!

To go along with what r-k said, download HijackThis

http://www.hijackthis.de/

Run the program and you will find many entries. Most are OK. Post the log at the Hijackthis forum and click Analyze, Save.  Post a link to the saved list here.

In the analyzed log, have HJT remove all items marked "Nasty" and "Unnecessarily".

Look at the items marked "Possibly Nasty" and "Unknown".  If you do not recognize them, have HJT delete them.

Cheers!

 

by: letsk77 | Posted on 2005-07-18 at 18:12:42 | ID: 14471827

Thanks r-k. Below is the log for the HJT scan, and I can see one of the lines is
O20 - Winlogon Notify: dllav - C:\WINDOWS\msagent\dllav.dll
which is the file I want to delete (dllav.dll). So what next? Should I try checking this O20 box and "Fix checked"?

By the way, I can't see the Security tab coz I'm using XP Pro, but when I go to Tools > Folder Options, I can see my "Use simple file sharing" option is not checked already.
----------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:06:48 AM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\it2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 45234
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\msagent\dllav.dll
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [5rHNeh6jQ] C:\WINDOWS\deiqby.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DVDXGhost] C:\Program Files\DVD Ghost\DVDGhost.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office PRO\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: dllav - C:\WINDOWS\msagent\dllav.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

 

by: war1 | Posted on 2005-07-18 at 18:22:35 | ID: 14471878

Here is a link to the analyzed log

http://hijackthis.de/logfiles/0b4f363c74f459d68497a926695f7254.html

Have HJT remove all items marked  and "Unnecessarily".

Look at the items marked "Possibly Nasty" and "Unknown".  If you do not recognize them, have HJT delete them.

At least one of the unknowns is the file you referred to.  Look at the other unknown items.

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\msagent\dllav.dll

Have HJT remove this BHO and any other ones you find.

 

by: r-k | Posted on 2005-07-18 at 18:25:05 | ID: 14471893

Actually, that dllav.dll occurs in two places in your HijackThis log. Use HiJackThis to try and fix both those entries.

Then, reboot, and run HijackThis again, and see if the entries are still gone. If so, you should be able to delete the dllav.dll file itself.

As an aside: Are you saying that you have XP Pro, and you have un-checked the "simple file sharing" option, and you still don't see a security tab when you look at the Properties of any file?

 

by: r-k | Posted on 2005-07-18 at 18:28:20 | ID: 14471908

I would also suggest removing the two O3 Toolbars, plus the O23 r_server.exe service.

The rest looks OK.

 

by: letsk77 | Posted on 2005-07-18 at 22:27:13 | ID: 14472570

Thanks war1. I didn't see any "remove" or "delete" button, only "Fix checked". Is that how you delete the checked file? I tried checking the two "Unnecessarily" toolbars, and the two "unknown" BHO dllav and Winlogon dllav files. When I clicked "Fix checked", it only deleted the two toolbars
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)

The BHO and Winlogon file still appear after I reboot and scan again:
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\msagent\dllav.dll
O20 - Winlogon Notify: dllav - C:\WINDOWS\msagent\dllav.dll

To r-k, yes, I didn't see the Security tab, so I went to the folder options hoping to uncheck the "Use simple file sharing" check box. But when I opened the folder options, I found that it was already unchecked!

Further assistance needed! Thank you!

 

by: war1 | Posted on 2005-07-18 at 22:38:03 | ID: 14472595

It came back.  Try deleting the file in C:\WINDOWS\msagent\dllav.dll in Safe Mode.

 

by: r-k | Posted on 2005-07-18 at 22:45:06 | ID: 14472615

I would suggest downloading and using Killbox to try and get rid of that file. You can download from: http://www.scancomplete.com/download/killbox/

Instructions for using it are also there.

There is a slight chance the file may come back even after that. So reboot and see if it does come back. In that case post back for further advice.

 

by: r-k | Posted on 2005-07-18 at 22:47:47 | ID: 14472622

Re. the missing Security Tab, it might be that your disk is formatted not for NTFS, but FAT32. When you get a chance, can you confirm that by opening "My Computer", then right-click on the C: drive and select "Properties". Under the "General" tab, the item "File System" should show what type of disk format you have. NTFS allows setting permissions on files, FAT and FAT32 do not.

 

by: letsk77 | Posted on 2005-07-18 at 23:48:48 | ID: 14472773

r-k, yes, my file system is FAT32, not NTFS. OK, I'll try the Killbox.

war1, I tried before to go into Safe Mode to delete it, but it still gives me the same message "...it is being used by another person or program...". You mean after using HJT to fix the file, I try to go to Safe Mode and delete again?? Somehow I feel that the result will still be the same. But I'll still try it though.

 

by: letsk77 | Posted on 2005-07-18 at 23:52:00 | ID: 14472782

r-k, I just tried to use KillBox. I browsed to the full path of that file C:\Windows\msagent\dllav.dll. When I clicked the delete file button, it waited a while and gave me the message "This file could not be deleted"!!

What a stubborn file!!!

 

by: war1 | Posted on 2005-07-19 at 07:46:32 | ID: 14475483

Did you try to delete the file in Safe Mode?

 

by: letsk77 | Posted on 2005-07-19 at 17:53:07 | ID: 14480814

war1, I tried but failed. I tried both "Safe Mode" and "Safe Mode with Command Prompt". In Safe Mode, it gives me the same message "some other program using it...". In Safe Mode with Command Prompt, it says "cannot delete the file".

By the way, I used the Filemon.exe that r-k recommended, and I can see it is this program Winlogon.exe that is using the stupid dllav.dll file. Below is the log.

WINLOGON.EXE:504      OPEN      C:\WINDOWS\msagent\dllav.dll      SUCCESS      Options: Open  Access: All      
WINLOGON.EXE:504      QUERY INFORMATION      C:\WINDOWS\msagent\dllav.dll      SUCCESS      FileFsVolumeInformation      
WINLOGON.EXE:504      QUERY INFORMATION      C:\WINDOWS\msagent\dllav.dll      SUCCESS      FileInternalInformation      
WINLOGON.EXE:504      QUERY INFORMATION      C:\WINDOWS\msagent\dllav.dll      SUCCESS      Length: 419348      
WINLOGON.EXE:504      CLOSE      C:\WINDOWS\msagent\dllav.dll      SUCCESS            

I can see every few minutes it will go through this process "Winlogon.exe Open dllav.dll > Query dllav.dll > Close dllav.dll". I checked on this winlogon.exe, and I found that it is crucial for the Windows system. I tried renaming winlogon.exe to winlogon.ex1, and then I could not reboot into Windows anymore!!! Luckily I have the XP Pro CD, and was able to go into the command prompt and rename it back to .exe.

Seems like I can't do anything to this winlogon.exe. Then how am I going to stop this file from using the stupid dllav.dll, and hence let me delete it???

 

by: letsk77 | Posted on 2005-07-19 at 17:55:49 | ID: 14480823

I wish I could increase the points, but this is all I have. I definitely owe you guys one if you could help me go through this.

Hey r-k, I found that the File Monitor is quite a good piece of software to track the dll file usage. Thanks!!

 

by: war1 | Posted on 2005-07-19 at 18:07:18 | ID: 14480853

Do a search for the file in registry, win.ini file, and temp folders, and delete it if you find the file.

 

by: r-k | Posted on 2005-07-19 at 20:36:23 | ID: 14481387

Don't delete or rename Winlogon.exe, that is a crucial Windows file. Instead try one of the following:


(1) Boot into safe mode with command prompt. Then CD to the \windows\msagent folder, and delete the file as follows:

 cd \windows\msagent
 attrib -s -h dllav.dll
 del dllav.dll

and then reboot.

OR

(2) Open the Registry editor (Start -> Run -> regedit), then browse on over to the following key:

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

within that if you open each subkey, you will find one that references dllav.dll. Delete that sub-key. Don't delete the wrong key!

Next, still within Regedit, locate the following key:

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

and within that, there should be a sub-key named: {B8B55274-0F9A-41E5-9067-A3539BD9E860}. Delete that sub-key, don't delete the wrong ones!

Finally, reboot, and after that you should be able to delete the dllav.dll file.

There is also a third way, which I can suggest if all the above haven't fixed it yet.

 

by: r-k | Posted on 2005-07-19 at 20:37:55 | ID: 14481391

Minor change to the above. The attrib command should really be:

  attrib -r -s -h dllav.dll

 

by: letsk77 | Posted on 2005-07-20 at 01:36:34 | ID: 14482372

r-k, I hate to say... actually I tried both ways before you told me. In Safe Mode with command prompt, I did use attrib -r -h -s dllav.dll before using del dllav.dll. But it still gives me "The process cannot access the file because it is being used by another process".

The Regedit thing: I searched through the whole registry (F3 F3 F3) for this "dllav.dll" file. I backed up every key and then deleted it. But after I reboot, those deleted registry keys are back in the same place!!! Below are the keys I deleted:

[HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dllav]

Right after I deleted these keys, I went to the directory c:\windows\msagent hoping to delete the dllav.dll. After it gave me the "another program using it" message, I went back to check the registry, and it was again in the same location.

 

by: r-k | Posted on 2005-07-20 at 07:11:51 | ID: 14484779

I notice that in the keys you deleted, it does not include the second one I suggested:
>>>
Next, still within Regedit, locate the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

and within that, there should be a sub-key named: {B8B55274-0F9A-41E5-9067-A3539BD9E860}. Delete that sub-key, don't delete the wrong ones!
<<<

You have to delete both keys, otherwise one will recreate the other. The other key to delete is:
>>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dllav]
<<<

You have to delete both keys, then reboot, then delete the dllav.dll file itself from disk.

However, if the above does not fix it, then it is possible there is another program running that is recreating these keys. I noticed a program named SOUNDMAN.EXE running, which is a bit suspicious. Can you locate it in the c:\windows folder, right-click on it, select "Properties", then the "Version" tab. It should tell you who the author of that program is. Please post it here.

Second, can you do the following:

Open a Command Window, then:

> tasklist /svc > list.txt

this will save a list of running processes in a text file named list.txt. Please use Notepad to cut and paste that list here. Thanks.
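
The two HijackThis entries (O2 and O20) and the two registry keys named in this thread are the same pair of load points for dllav.dll. As an added example (not part of the original thread and not HijackThis's own code), this Python script parses O2 and O20 log lines, maps each to its registry subkey, reports files registered under both sections, and lists removed keys that show up again in a rescan. The function names are hypothetical; the sample lines are copied from the logs posted above.

```python
import ntpath
import re
from collections import defaultdict

# Registry parents named in the thread for the two HijackThis sections involved.
SECTION_PARENT = {
    "O2": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
          r"\Explorer\Browser Helper Objects",
    "O20": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
           r"\Winlogon\Notify",
}

# O2 lines carry a CLSID (the subkey name); O20 lines use the entry name as subkey.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<sub>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<sub>.+?) - (?P<path>.+)$")

# Lines copied from the first HijackThis log posted in the thread.
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\msagent\dllav.dll
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O20 - Winlogon Notify: dllav - C:\WINDOWS\msagent\dllav.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

# Entries the asker reported as still present after "Fix checked" and a reboot.
LOG_AFTER = r"""
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\msagent\dllav.dll
O20 - Winlogon Notify: dllav - C:\WINDOWS\msagent\dllav.dll
"""


def parse_entries(log_text):
    """Return the O2 and O20 entries of a HijackThis log as dicts."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entries.append({
                    "section": section,
                    "key": SECTION_PARENT[section] + "\\" + m.group("sub"),
                    # Windows paths are case-insensitive, so compare normalised.
                    "path": ntpath.normcase(m.group("path")),
                })
    return entries


def cross_registered(entries):
    """Return {path: [registry keys]} for files loaded via more than one section."""
    by_path = defaultdict(dict)
    for e in entries:
        by_path[e["path"]][e["section"]] = e["key"]
    return {p: sorted(s.values()) for p, s in by_path.items() if len(s) > 1}


def survived_fix(log_after, keys_removed):
    """Return the removed keys that are present again in a later scan."""
    present = {e["key"] for e in parse_entries(log_after)}
    return sorted(k for k in keys_removed if k in present)


if __name__ == "__main__":
    for path, keys in cross_registered(parse_entries(LOG_BEFORE)).items():
        print(path)
        for key in keys:
            print("  remove together:", key)
        for key in survived_fix(LOG_AFTER, keys):
            print("  back after reboot:", key)
```
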

 

by: letsk77 | Posted on 2005-07-20 at 17:52:57 | ID: 14490720

I did delete the explorer browser helper key also, but still the dllav.dll was re-created.

Soundman.exe version tab info is as follows:
Version: 5.1.0.0
Description: Realtek Sound Manager

Other information
Comment: Realtek AC97 Audio Sound Manager
Company: Realtek Semiconductor Corp
File Version: 5.1.00
Internal Name: ALSM Tray
Language: English (United States)
Original File Name: ALSMTray.exe
Product Name: Realtek Sound Manager
Product Version: 5.1.00

Tasklist info is as follows:
Image Name                   PID   Services                                    
========================= ======
System Idle Process            0   N/A                                          
System                              4   N/A                                          
SMSS.EXE                       320  N/A                                          
CSRSS.EXE                     480  N/A                                          
WINLOGON.EXE               504  N/A                                          
SERVICES.EXE                548   Eventlog, PlugPlay                          
LSASS.EXE                     560   PolicyAgent, ProtectedStorage, SamSs        
SVCHOST.EXE                700   DcomLaunch, TermService                      
SVCHOST.EXE                768   RpcSs                                        
SVCHOST.EXE                836   AudioSrv, BITS, CryptSvc, Dhcp, dmserver,    
                                             ERSvc, EventSystem,                          
                                             FastUserSwitchingCompatibility, helpsvc,    
                                             lanmanserver, lanmanworkstation, Netman,    
                                             Nla, RasMan, Schedule, seclogon, SENS,      
                                             SharedAccess, ShellHWDetection, TapiSrv,    
                                             Themes, TrkWks, W32Time, winmgmt,wscsvc,    
                                             wuauserv, WZCSVC                            
SVCHOST.EXE                892   Dnscache                                    
SVCHOST.EXE                924   LmHosts, RemoteRegistry, SSDPSRV, WebClient  
ccSetMgr.exe                1084   ccSetMgr                                    
ccEvtMgr.exe                 1152   ccEvtMgr                                    
SPOOLSV.EXE               1280   Spooler                                      
DefWatch.exe                1604  DefWatch                                    
MDM.EXE                     1640   MDM                                          
Rtvscan.exe                  1704  Symantec AntiVirus                          
ALG.EXE                        188   ALG                                          
EXPLORER.EXE             1376   N/A                                          
SOUNDMAN.EXE           1580   N/A                                          
igfxtray.exe                  1712   N/A                                          
hkcmd.exe                   1680   N/A                                          
gcasServ.exe               1600   N/A                                          
jusched.exe                 1792   N/A                                          
ccApp.exe                   1928   N/A                                          
VPTray.exe                  1092   N/A                                          
PDVDServ.exe               604   N/A                                          
msnmsgr.exe                956   N/A                                          
CTFMON.EXE                336   N/A                                          
gcasDtServ.exe             248   N/A                                          
IEXPLORE.EXE              2440  N/A                                          
OUTLOOK.EXE              2628  N/A                                          
winword.exe                2756  N/A                                          
IEXPLORE.EXE              3388  N/A                                          
cmd.exe                      3708  N/A                                          
wmiprvse.exe              3912  N/A                                          
tasklist.exe                    208  N/A                                          

 

by: r-k | Posted on 2005-07-20 at 23:09:26 | ID: 14491639

The SOUNDMAN.EXE is a legit application, so you can leave that alone.

Interestingly, there seems to be nothing wrong with anything you've sent except those two registry entries that are referencing dllav.dll, i.e:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dllav

I would have expected that if you delete both of these entries, and then reboot, it should then allow you to delete dllav.dll itself. However, your experience is otherwise (are you quite sure you deleted _both_ before rebooting?)

Given that, you can try the next step, which is to start your computer from the XP CD in "recovery console mode", then delete dllav.dll, then start in normal mode.
The steps for entering recovery console mode are described here:
 http://www.wown.com/j_helmig/wxprcons.htm

Basically you end up in a DOS-like window, after which you can use "cd..." to move to the windows/msagent folder, then delete the file, i.e.:

 cd \windows\msagent
 attrib -s -h -r dllav.dll
 del dllav.dll

and then reboot in normal mode.

After that you can check whether the file is really gone. Hopefully it will be.

 

by: letsk77 Posted on 2005-07-21 at 01:30:17 ID: 14492083

I'm sure I deleted the things you asked me to. In fact, you asked me to delete two places in regedit, but I found several other places that have dllav.dll and {B8B55274-0F9A-41E5-9067-A3539BD9E860}. Hopefully this info will give you more clues in troubleshooting:

I searched through the whole registry for {B8B55274-0F9A-41E5-9067-A3539BD9E860} and it was found in the places below (some of them are keys, some are subkeys and some are values):
[HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[HKEY_CLASSES_ROOT\MSEvents.MSEvents.1\CLSID]
@="{B8B55274-0F9A-41E5-9067-A3539BD9E860}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
@="MSEvents Object"
"AppID"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\CLSID]
@="{B8B55274-0F9A-41E5-9067-A3539BD9E860}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[HKEY_USERS\S-1-5-21-1644491937-776561741-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

I searched through the whole registry for dllav.dll, and it was found in the places below:
[HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}\InprocServer32]
@="C:\\WINDOWS\\msagent\\dllav.dll"
"ThreadingModel"="apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}\InprocServer32]
@="C:\\WINDOWS\\msagent\\dllav.dll"
"ThreadingModel"="apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dllav]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\msagent\\dllav.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"


I basically deleted ALL THESE, rebooted, went to My Computer > C > WINDOWS > MSAGENT, clicked on dllav.dll and hit the delete key. It still gives me the "other program using it" message, and when I go to regedit, ALL THESE are back in their original places!!

Since it has something to do with winlogon.exe, is it because whenever I key in the password and hit enter, all these keys are regenerated?? Because whenever I start my XP, eventually I come to the choose user screen. I click on my user account, a password field appears and I need to key in the password. Is this process done by winlogon.exe?? Is this related to the issue in any way??


 

by: r-k Posted on 2005-07-21 at 09:30:13 ID: 14494493

Yes, the key:

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dllav

means that whenever you log in, that particular program is called, so it becomes "in use" whenever you're logged in, and so you cannot delete it.

Did you try my other tip about starting from the CD and then deleting the file? That should always work.
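
The registry entries discussed above, as an added example that is not part of the original thread: a Winlogon\Notify entry makes winlogon.exe load the DLL at logon, and a Browser Helper Object registration makes Internet Explorer load it, so both have to be found and tied back to the same file. This Python example parses regedit export text and groups those autoload points by the DLL they reference; the embedded sample is constructed from the entries letsk77 posted, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in regedit export syntax, reduced from the entries quoted in the thread.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}\InprocServer32]
@="C:\\WINDOWS\\msagent\\dllav.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dllav]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\msagent\\dllav.dll"
'''
NOTIFY = r"\microsoft\windows nt\currentversion\winlogon\notify" + "\\"
BHO = r"\microsoft\windows\currentversion\explorer\browser helper objects" + "\\"

def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name_lowercase: data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo \\ and \" escapes
            current[name] = data
    return keys

def autoload_dlls(keys):
    """Map each DLL path (lower-cased) to the autoload points that reference it."""
    servers = {}  # CLSID -> default value of its InprocServer32 key
    for path, vals in keys.items():
        m = re.search(r'\\CLSID\\(\{[^}]+\})\\InprocServer32$', path, re.I)
        if m and "" in vals:
            servers[m.group(1).upper()] = vals[""]
    found = defaultdict(set)
    for path, vals in keys.items():
        low, leaf = path.lower(), path.rsplit("\\", 1)[-1]
        if NOTIFY in low and "dllname" in vals:
            found[vals["dllname"].lower()].add("Winlogon Notify: " + leaf)
        elif BHO in low:
            dll = servers.get(leaf.upper(), "<InprocServer32 not in export>")
            found[dll.lower()].add("BHO: " + leaf.upper())
    return dict(found)
```

A DLL that shows up under more than one autoload point, as dllav.dll does here, needs every one of those entries removed before the file stops being loaded.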

 

by: r-k Posted on 2005-07-22 at 09:17:10 ID: 14504111

letsk77:

Hope you haven't given up. Try the following:

Start your computer from the XP CD in "recovery console mode", then delete dllav.dll, then start in normal mode.
The steps for entering recovery console mode are described here:
 http://www.wown.com/j_helmig/wxprcons.htm

Basically you end up in a DOS-like window, after which you can use "cd..." to move to the windows/msagent folder, then delete the file, i.e.:

 cd \windows\msagent
 attrib -s -h -r dllav.dll
 del dllav.dll

and then reboot in normal mode.

After that you can check whether the file is really gone. Hopefully it will be.

 

by: letsk77 Posted on 2005-07-24 at 17:50:26 ID: 14515476

Busy these few days. I think I tried that before as well. Remember, during the time when I renamed 'winlogon.exe' to winlogon.ex1, after I rebooted, it kept rebooting and wouldn't reach the "logon" screen. I had no choice but to use the XP CD to go to the "DOS-like" window to rename winlogon.exe back. Since I was there, I tried to delete dllav.dll. But after I rebooted back into Windows, I found that the file was not deleted.

Perhaps I'll try again later. But not these few days. Too busy with something else. Thanks for your assistance first. Much appreciated!

 

by: war1 Posted on 2005-07-24 at 18:15:55 ID: 14515524

Some files regenerate themselves. Delete the dllav.dll file in DOS. But instead of rebooting, do a hard shutdown of the computer. That is, shut the computer down, and remove the plug from the wall for at least 10 seconds. Now after booting up, is the file gone?

 

by: r-k Posted on 2005-07-24 at 21:38:18 ID: 14515993

It looks like there is some "hidden" process that is creating that file even after you delete it. I would suggest trying RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

and scan your hard drives. If not sure how to interpret the output, cut and paste it here.

 

by: letsk77 Posted on 2005-07-26 at 18:53:05 ID: 14533158

r-k, you said ""hidden" process that is creating that file even after you delete it", but I think I never managed to delete it successfully even once. Every time I tried to delete it, either it gave me "another program using it" or, in DOS, "The process cannot access the file...". The things I managed to delete are those registry keys, but the keys were regenerated after reboot (some of them were regenerated after I hit "delete" on that file).

I'll try RootkitRevealer later. Also the hard shutdown suggested by war1. But war1, again, I can't delete it even in DOS.

 

by: letsk77 Posted on 2005-07-26 at 18:53:45 ID: 14533162

One of my friends suggested that I create a new profile and try to delete it. I'll also try that out later.

 

by: r-k Posted on 2005-07-26 at 18:58:41 ID: 14533179

If you follow my tip above about booting in "recovery console" mode from the CD, then you definitely will be able to delete it. I am repeating that here:

Start your computer from the XP CD in "recovery console mode", then delete dllav.dll, then start in normal mode.
The steps for entering recovery console mode are described here:
 http://www.wown.com/j_helmig/wxprcons.htm

Basically you end up in a DOS-like window, after which you can use "cd..." to move to the windows/msagent folder, then delete the file, i.e.:

 cd \windows\msagent
 attrib -s -h -r dllav.dll
 del dllav.dll

and then reboot in normal mode.

After that you can check whether the file is still gone. Hopefully it will be.

 

by: feti Posted on 2005-08-03 at 13:26:25 ID: 14592835

There's a program called IsUsedBy by MST Software (www.mstsoftware.com). You can download the trial version, drag the file into the program, and it will tell you what process(es) are using the file. Not sure if this will help you, but I've found it handy in a few instances. If there is some program watching the file to see if it is ever deleted, this should detect it.

FETI

 

by: caza13 Posted on 2005-08-04 at 13:17:51 ID: 14602197

If all else fails, try this one:

http://www.diamondcs.com.au/index.php?page=dellater

 

by: letsk77 Posted on 2005-08-10 at 18:36:51 ID: 14648341

r-k, finally I deleted it in the recovery console. But I don't understand: I tried that before, but this time it was OK.

caza13, I did try dellater.exe. I downloaded the file, unzipped it, then opened the RUN menu, dragged dellater.exe into the run box, and then typed the full path and file name after it. Basically it looked like "C:\Documents and Settings\it2\desktop\temp\dellater.exe" C:\WINDOWS\msagent\dllav.dll
After I clicked RUN, it said "the file was marked to be deleted on reboot". After I restarted, I went back to that location (C:\windows\msagent) and saw that the file was still there. But when I tried to run the same command again in RUN, it gave me "file not found". Only after yours failed did I try r-k's suggestion again. And weirdly enough, this time it succeeded!

Thanks for all your effort!!!

 

by: r-k Posted on 2005-08-10 at 21:18:10 ID: 14648937

Glad it finally worked. Thanks for the feedback.

 

by: caza13 Posted on 2005-08-12 at 12:59:27 ID: 14664225

I'm glad that you finally got that file deleted. I have tried the DelLater program on my own computer, and it seems to work. I haven't yet had the opportunity to try it on a file that couldn't be deleted by other means. Since it must be run from a command prompt, I created a special folder in the root folder of the drive to store the dellater.exe file in order to keep the path short.
