Solved

undeleteable file

Posted on 2003-10-21
Last Modified: 2010-04-11
I've tried 5 different programs to remove spyware from my computer. They found and deleted some but missed others. I have found (by virtue of Internet security) other files that try to access the internet, but I can't delete them! I tried the attrib command -r but it still won't allow the files to be deleted! How do they do that? Is there a way to erase these files and folders?
Thanks,
Paul
Question by:annas
15 Comments
 
LVL 49

Expert Comment

by:sunray_2003
 

Author Comment

by:annas
I'm afraid that was too easy! The instruction said #1 turn off simple file sharing. Those instructions didn't match up with the layout of My Computer in XP anyway. There was no "tools folder" or any other tabs.
I decided to try to take ownership of the folder anyway. Right-clicked - Properties - Advanced, got just one dialog box, no tabs. No Security tab and no Owner tab.

In short, none of the instructions pertained to my OS at all!
 
LVL 49

Expert Comment

by:sunray_2003
What OS is yours?

Sunray
 
LVL 49

Expert Comment

by:sunray_2003
 
LVL 7

Expert Comment

by:Focusyn
Most spyware files that cannot be deleted are in use.  You will not see them in your processes list because they register themselves as system services rather than executable processes.  For many of them, you can go to your services.msc console and stop their services, then they can be deleted.
 

Author Comment

by:annas
I have WinXP Pro. What is the services.msc console?
 
LVL 4

Expert Comment

by:Kokoglen
Boot into safe mode.  (Press F8 once per second repeatedly during bootup to get the menu - it's only available for a short period, so you might miss it.)
Take ownership of the files and reset the permissions on everything so that you explicitly have full control.  Then try to delete it from the directory.  ALSO, look in the registry (regedit.exe) and do a search for the file name.  If you find it, erase the entry.

BE WARNED.  If this file is needed by the operating system you can really screw yourself up.  Registry editing is not for the faint of heart.
 

Author Comment

by:annas
Taking ownership of files is what has me defeated right now. Every link to every tutorial leads to a tutorial that doesn't work. Spyware Nuker is one of the worst ones. As long as I have their webpage on I can type normally, but otherwise I can't. The typing is slow and suddenly, without warning, jumps to uppercase. Judging from what they say on their webpage, I know it's them. They say "does your computer slow down...etc, it may have spyware on it." Their webpage opens in a new window and I'm often unaware of it. I would like to eliminate them but I don't know how. This sort of thing should be a federal crime!
Paul
 
LVL 4

Expert Comment

by:Kokoglen
Just to make sure, did you use ad-aware yet?
 
LVL 2

Expert Comment

by:sh00t3r
The 100% guaranteed way to remove spyware/virii/etc:

format C:
 
LVL 7

Expert Comment

by:Focusyn
>>I have WinXp Pro. What is services.msc console <<

If you enter services.msc in Start->Run you will get a service control console.
 

Author Comment

by:annas
Focusyn, I brought up services.msc. As far as I can tell everything is proper. There was something called scriptblocker that *wasn't* running and I thought it might be a good thing to turn it on, so I did. After I went to the site for Spyware Nuker my typing is not sluggish anymore, and I've had no further trouble from them. I found a key in the registry that said "Domains". There must have been thousands of subkeys under it, all bearing ad-sounding names. It was impossible deleting them one by one so I deleted the key "Domains". I think the spyware must have created this key.

One problem I can't get rid of though is the text box and search button that startium.com has placed in IE6. I went to the site and posted a protest but it will probably be ignored.

I don't see where the $79 program "Internet Security" has brought me any security at all. I had it set to block all traffic but they came through anyway.
 
LVL 4

Expert Comment

by:Kokoglen
The most sure-fire way to make sure you are clean is to clean install the OS.  However, barring that, you can get rid of things through the registry.

Here are some additional techniques.  Get TweakUI and look at what services start...track down everything, find out what it is, and where it's from.  Back up the registry and delete keys that you think are not wanted.  Use the Task Manager to list the running processes...find them all and make sure you know what each one is.

I find the clean reinstall is faster, but if you don't want that, then this is the methodology.
 

Expert Comment

by:DigitalMechanic
Sometimes a virus / trojan installs itself as a service; virus scanners usually can't delete these files.
If you know the infectious file's name, note it down, then open Task Manager (Ctrl + Alt + Delete, then select Task Manager).

Look for it in the list. If you find it, let's say it's called "iamvirus.exe", right-click on it and select 'End Process Tree'.
If that fails, go into Control Panel and find your way to Administrative Tools, then Services. Sort the services by their status, e.g. Started, Stopped, using the column name at the top. Now go through the started services which you would suspect to be the troubled ones.  You may have to double-click on each one of them and see the actual file name.

I had this keylogger installed on my machine as a service. I couldn't delete or stop it no matter what I do, until I went into the Services window, stopped it, and removed it.

Cheers.
0
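Added example, not part of any poster's comment: a PowerShell version of the lookup Focusyn and DigitalMechanic describe, finding which service runs from a given file name instead of double-clicking each service. The function names and the sample rows are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName is a command line: executable plus arguments,
    # and the executable is quoted only if the installer quoted it.
    if (-not $PathName) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: keep everything up to the first ".exe" so that paths with
    # spaces ("C:\Program Files\...") are not cut at the first space.
    if ($p -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($p -split '\s+')[0]
}

function Find-ServiceForFile {
    param(
        [Parameter(Mandatory)][string]$FileName,
        # Defaults to the live service list; pass rows in to try it offline.
        [object[]]$Services = (Get-CimInstance -ClassName Win32_Service)
    )
    foreach ($svc in $Services) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if ($exe -and ([System.IO.Path]::GetFileName($exe) -ieq $FileName)) {
            [pscustomobject]@{
                Name = $svc.Name; DisplayName = $svc.DisplayName
                State = $svc.State; StartMode = $svc.StartMode; Binary = $exe
            }
        }
    }
}

# Constructed sample rows (not real services) so the logic can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = 'Spooler'; DisplayName = 'Print Spooler'; State = 'Running'
                       StartMode = 'Auto'; PathName = 'C:\WINDOWS\system32\spoolsv.exe' },
    [pscustomobject]@{ Name = 'IAmSvc'; DisplayName = 'Helper'; State = 'Running'
                       StartMode = 'Auto'; PathName = 'C:\Program Files\Helper\iamvirus.exe /service' }
)
Find-ServiceForFile -FileName 'iamvirus.exe' -Services $sample

# Live use: Find-ServiceForFile -FileName 'iamvirus.exe'
# Then stop and disable the service before deleting its file:
#   Stop-Service -Name <Name>; Set-Service -Name <Name> -StartupType Disabled
# Services hosted inside svchost.exe report svchost.exe here; their DLL is
# named in the service's Parameters\ServiceDll registry value instead.
```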
 
LVL 7

Accepted Solution

by:
Focusyn earned 125 total points
The startium toolbar installs and registers its own DLLs.
You must manually go and unregister the DLLs with regsvr32.
The DLLs are:
C:\windows\downloaded program files\bbarwnd.dll
c:\windows\downloaded program files\letssearchie.dll

***Kill the processes***
First thing you want to do is close all Internet Explorer windows, go into the Task Manager under Processes and kill all instances of "letssearch.exe" and/or "uptodate.exe".

***Unregister the DLLs***
Go to Start->Run and enter:
RegSvr32 /u "C:\windows\downloaded program files\bbarwnd.dll"
and then
RegSvr32 /u "c:\windows\downloaded program files\letssearchie.dll"
This will unregister the two DLLs, which are the control files for adding the garbage to Internet Explorer.

***Clean up the registry***
Then run regedit and delete the following keys:
HKEY_CLASSES_ROOT\browseraidtoolbar.ieshower.1
HKEY_CLASSES_ROOT\browseraidtoolbar.ietoolbar
HKEY_CLASSES_ROOT\browseraidtoolbar.ietoolbar.1
HKEY_CLASSES_ROOT\clsid\{2a167e61-d100-450d-a1b0-6eaf394bcb87}
HKEY_CLASSES_ROOT\clsid\{337d0c1d-4053-4fab-af2b-45c2f7b0faa6}
HKEY_CLASSES_ROOT\clsid\{4a2563c7-fc68-4ee8-a11c-2022ebcc1b0f}
HKEY_CLASSES_ROOT\clsid\{6d55490c-1bd4-4790-ba31-84d261316e28}
HKEY_CLASSES_ROOT\clsid\{7313bfd0-62c4-40f4-8041-3fbdbc80ac07}
HKEY_CLASSES_ROOT\clsid\{80672997-d58c-4190-9843-c6c61af8fe97}
HKEY_CLASSES_ROOT\clsid\{85c2c2a1-3f20-4ead-adc3-bd3217391543}
HKEY_CLASSES_ROOT\clsid\{8a7d38be-849d-478f-a7cf-55ec95722358}
HKEY_CLASSES_ROOT\clsid\{f20ae630-6de2-43ca-a988-7cd40c36ef0b}
HKEY_CLASSES_ROOT\interface\{2a167e61-d100-450d-a1b0-6eaf394bcb87}
HKEY_CLASSES_ROOT\interface\{4a2563c7-fc68-4ee8-a11c-2022ebcc1b0f}
HKEY_CLASSES_ROOT\interface\{8a7d38be-849d-478f-a7cf-55ec95722358}
HKEY_CLASSES_ROOT\typelib\{7313bfd0-62c4-40f4-8041-3fbdbc80ac07}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{f20ae630-6de2-43ca-a988-7cd40c36ef0b}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{07b7f771-1b8e-4b7b-823e-ffac1732aa9e}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{337d0c1d-4053-4fab-af2b-45c2f7b0faa6}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\letssearch
HKEY_CLASSES_ROOT\browseraidtoolbar.helper
HKEY_CLASSES_ROOT\browseraidtoolbar.helper.1
HKEY_CLASSES_ROOT\browseraidtoolbar.ieshower

***Delete the files***
Now go through Windows Explorer and delete the following list of files:
c:\Windows\downloaded program files\bbarwnd.dll
c:\Windows\downloaded program files\conflict.1\letssearch.exe
c:\Windows\downloaded program files\letssearch.exe
c:\Windows\downloaded program files\letssearchie.dll
c:\Windows\downloaded program files\lstoolbarconfig.inf
c:\Windows\uptodate.exe
Find the directory called "letssearch", which should be in C:\Program Files\, and delete it as well.

***rejoice***
Enjoy a computer without their POS software mucking it up


0
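Added example, not part of Focusyn's answer: a read-only PowerShell check that reports which of the artifacts named in the answer are still present after the cleanup. Only a few entries from the answer's lists are embedded here; the function names are hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). Read-only: nothing is deleted.
# A few entries taken from the answer above; paste in the rest of its lists.
$registryEntries = @(
    'HKEY_CLASSES_ROOT\browseraidtoolbar.helper',
    'HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\letssearch'
)
$files = @(
    'c:\Windows\downloaded program files\bbarwnd.dll',
    'c:\Windows\downloaded program files\letssearchie.dll',
    'c:\Windows\uptodate.exe'
)
$processes = @('letssearch', 'uptodate')   # process names without ".exe"

function Test-RegistryEntry {
    param([Parameter(Mandatory)][string]$Path)
    # Returns 'key', 'value' or $null. Entries under ...\CurrentVersion\Run
    # are values on the Run key, not subkeys, so Test-Path on the full path
    # alone would report them as absent.
    if (Test-Path -LiteralPath "Registry::$Path") { return 'key' }
    $cut = $Path.LastIndexOf('\')
    if ($cut -lt 1) { return $null }
    $parent = 'Registry::' + $Path.Substring(0, $cut)
    $name   = $Path.Substring($cut + 1)
    if (Test-Path -LiteralPath $parent) {
        $key = Get-Item -LiteralPath $parent
        if ($key.GetValueNames() -contains $name) { return 'value' }
    }
    return $null
}

function Get-Leftover {
    foreach ($r in $registryEntries) {
        $kind = Test-RegistryEntry -Path $r
        if ($kind) { [pscustomobject]@{ Type = "registry $kind"; Item = $r } }
    }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { [pscustomobject]@{ Type = 'file'; Item = $f } }
    }
    foreach ($p in (Get-Process -Name $processes -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Type = 'process'; Item = "$($p.Name) (PID $($p.Id))" }
    }
}

$left = @(Get-Leftover)
if ($left.Count -eq 0) { 'No listed artifacts found.' } else { $left | Format-Table -AutoSize }
```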
