• Status: Solved

Undeletable file

I've tried 5 different programs to remove spyware from my computer. They found and deleted some but missed others. I have found (by virtue of Internet Security) other files that try to access the internet but I can't delete them! I tried the attrib command -r but it still won't allow the files to be deleted! How do they do that? Is there a way to erase these files and folders?
annas (Author) commented:
I'm afraid that was too easy! The instructions said #1 turn off simple file sharing. Those instructions didn't match up with the layout of My Computer in XP anyway. There was no "tools folder" or any other tabs.
I decided to try to take ownership of the folder anyway. Right-clicked - Properties - Advanced and got just one dialog box, no tabs. No security tab and no owner tab.

In short, none of the instructions pertained to my OS at all!
What OS is yours?

Most spyware files that cannot be deleted are in use.  You will not see them in your processes list because they register themselves as system services rather than executable processes.  For many of them, you can go to your services.msc console and stop their services, then they can be deleted.
annas (Author) commented:
I have WinXP Pro. What is the services.msc console?
Boot into safe mode.  (Press F8 once per second repeatedly during bootup to get the menu - it's only available for a short period, so you might miss it.)
Take ownership of the files and reset the permissions on everything so that you explicitly have full control.  Then try and delete it from the directory.  ALSO, look in the registry (regedit.exe) and do a search for the file name.  If you find it, erase the entry.

BE WARNED.  If this file is needed by the operating system you can really screw yourself up.  Registry editing is not for the faint of heart.
annas (Author) commented:
Taking ownership of files is what has me defeated right now. Every link to every tutorial leads to a tutorial that doesn't work. Spyware Nuker is one of the worst ones. As long as I have their webpage on I can type normally, but otherwise I can't. The typing is slow and suddenly, without warning, jumps to uppercase. Judging from what they say on their webpage, I know it's them. They say "does your computer slow down...etc, it may have spyware on it." Their webpage opens in a new window and I'm often unaware of it. I would like to eliminate them but I don't know how. This sort of thing should be a federal crime!
Just to make sure, did you use ad-aware yet?
the 100% guaranteed way to remove spyware/virii/etc

format C:

>>I have WinXp Pro. What is services.msc console <<

If you enter services.msc in Start->Run you will get a service control console.
annas (Author) commented:
focusyn, I brought up services.msc. As far as I can tell everything is proper. There was something called scriptblocker that *wasn't* running and I thought it might be a good thing to turn it on, so I did. After I went to the site for Spyware Nuker my typing is not sluggish anymore, and I've had no further trouble from them. I found a key in the registry that said "Domains". There must have been thousands of subkeys under it, all bearing ad-sounding names. It was impossible deleting them one by one so I deleted the key "Domains". I think the spyware must have created this key.

One problem I can't get rid of though is the text box and search button that startium.com has placed in IE6. I went to the site and posted a protest but it will probably be ignored.

I don't see where the $79 program "Internet Security" has brought me any security at all. I had it set to block all traffic but they came through anyway.
The most sure-fire way to make sure you are clean is to clean install the OS.  However, barring that you can get rid of things through the registry.

Here are some additional techniques.  Get TweakUI and look at what services start...track down everything, find out what it is, and where it's from.  Back up the registry and delete keys that you think are not wanted.  Use the task manager to list the running processes...find them all and make sure you know what each one is.

I find the clean reinstall is faster, but if you don't want that, then this is the methodology.
Sometimes a virus / trojan installs itself as a service, and virus scanners usually can't delete these files.
If you know the infectious file's name, note it down, then open Task Manager (Ctrl + Alt + Delete, then select Task Manager).

Look for it in the list. If you find it, let's say it's called "iamvirus.exe", right-click on it and select 'End Process Tree'. If that fails, go into Control Panel and find your way to Administrative Tools, then Services, sort the services by status (e.g. Started, Stopped) using the column name at the top, and go through the started services that you suspect to be the troubled ones. You may have to double-click on each one of them to see the actual file name.

I had this keylogger installed on my machine as a service. I couldn't delete or stop it no matter what I did, until I went into the Services window, stopped it, and removed it.
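
An added example (not part of the original thread): the check described in the post above, looking at each started service's actual file name, done in bulk instead of by double-clicking. It assumes the service list was exported with `wmic service get Name,PathName,State /format:csv`; the column order, the sample rows and the service names are constructed for illustration.

```python
import ntpath

# Constructed sample shaped like `wmic service get Name,PathName,State /format:csv`.
# Assumed column order: Node,Name,PathName,State. All names and paths are made up.
SAMPLE = r'''Node,Name,PathName,State
PC1,Dhcp,C:\WINDOWS\system32\svchost.exe -k netsvcs,Running
PC1,Spooler,C:\WINDOWS\system32\spoolsv.exe,Running
PC1,ExampleAV,"C:\Program Files\Example AV\avsvc.exe" /service,Running
PC1,UpdHelper,C:\WINDOWS\Downloaded Program Files\updhelper.exe -s,Running
PC1,OldTool,C:\Tools\oldtool.exe,Stopped
'''
TRUSTED_DIR = ntpath.normcase(r"C:\WINDOWS\system32")


def image_path(pathname):
    """Return the executable from a service command line (PathName)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):          # quoted path, arguments follow the quote
        return pathname[1:].split('"', 1)[0]
    cut = pathname.lower().find(".exe")   # unquoted path that may contain spaces
    if cut != -1:
        return pathname[:cut + 4]
    return pathname.split(" ", 1)[0]


def parse_services(text):
    """Yield (name, image, state) from the CSV text, skipping header and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("node,"):
            continue
        _node, name, rest = line.split(",", 2)
        pathname, state = rest.rsplit(",", 1)   # tolerate commas inside the path
        yield name, image_path(pathname), state


def services_to_review(text):
    """Running services whose binary is not directly in system32."""
    hits = []
    for name, image, state in parse_services(text):
        folder = ntpath.normcase(ntpath.dirname(image))
        if state.lower() == "running" and folder != TRUSTED_DIR:
            hits.append((name, image))
    return sorted(hits)


if __name__ == "__main__":
    for name, image in services_to_review(SAMPLE):
        print(f"{name:12} {image}")
```

The result is a list to look up and identify, not a verdict: legitimate third-party services also live outside system32. Services hosted by svchost.exe report svchost.exe as their path, so this check does not cover them.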

The startium toolbar installs and registers its own DLLs.
You must manually go and unregister the DLLs with regsvr32.
The DLLs are:
C:\windows\downloaded program files\bbarwnd.dll
c:\windows\downloaded program files\letssearchie.dll

***Kill the processes***
The first thing you want to do is close all Internet Explorer windows, go into Task Manager under Processes and kill all instances of "letssearch.exe" and/or "uptodate.exe".

***Unregister the DLLs***
Go to Start->Run and enter:
RegSvr32 /u "C:\windows\downloaded program files\bbarwnd.dll"
and then
RegSvr32 /u "c:\windows\downloaded program files\letssearchie.dll"
This will unregister the two DLLs, which are the control files for adding the garbage to Internet Explorer.

***Clean up the registry***
Then run regedit and delete the following keys:
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{f20ae630-6de2-43ca-a988-7cd40c36ef0b}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{07b7f771-1b8e-4b7b-823e-ffac1732aa9e}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{337d0c1d-4053-4fab-af2b-45c2f7b0faa6}

***Delete the files***
Now go through Windows Explorer and delete the following list of files:
c:\Windows\downloaded program files\bbarwnd.dll
c:\Windows\downloaded program files\conflict.1\letssearch.exe
c:\Windows\downloaded program files\letssearch.exe
c:\Windows\downloaded program files\letssearchie.dll
c:\Windows\downloaded program files\lstoolbarconfig.inf
 Find the directory called "letssearch" which should be in C:\Program Files\ and delete it as well

Enjoy a computer without their POS software mucking it up

