Solved

how to delete some files?

Posted on 2007-12-04
407 Views
Last Modified: 2010-04-21
A file named swhmte82.sys on my system cannot be removed. It is located at winnt/system32/drivers/. The registry entry related to it is at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\swhmte82; the scary description is illustrated in the following two entries:

Group        System Bus Extender
ImagePath System32\DRIVERS\swhmte82.sys

This whole registry entry can hardly be deleted, even in Windows safe mode. I once managed to delete it, but then it was automatically recovered.

It automatically generates the following entries in the registry (several similar ones not given).

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SWHMTE82 together with subentries.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce as

qp1jnicc   REG_EXPAND_SZ  %systemroot%\system32\Rundll32.exe %systemroot%\system32\qp1jnicc.dll,DllUnregisterServer
swhmte82 REG_EXPAND_SZ  %systemroot%\system32\Rundll32.exe %systemroot%\system32\swhmte82.dll,DllUnregisterServer

which can be deleted, but are still automatically recovered.

I checked the management tools and cannot see any service directly related either to swhmte82 or to the system bus.

My operating system is Win2000. This is not a crucial system component, since the Win2000 system on my friend's computer doesn't contain it, and his Win XP also doesn't contain it. Google doesn't return any search results for it. Actually, I have deleted both qp1jnicc.dll and swhmte82.dll and they were never recovered. One Trojan finder reported it to be a Trojan. Several others I tried didn't complain about it.

Thanks for shedding light on this issue ...

BTW, it seems a similar story happens with Internet Explorer. When I try to delete the file, after a while it is automatically regenerated. Considering its notorious binding with the operating system, I don't believe this is also the case here .... Anyway, just a technical one: does anybody have any idea on deleting iexplore.exe?
Question by:bsmile
5 Comments
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 125 total points
iexplore.exe is Internet Explorer if it is running from the Program Files folder.


About the qp1jnicc.dll and relevant reg entries:
You would probably need to remove the dll, service, and other reg entries in one go so it can't respawn, or maybe another driver is respawning it.

Try running this tool; whatever is left over can be removed afterwards.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Attach the log as a "Code Snippet" so we can check it please.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
LVL 38

Expert Comment

by:Rich Rumble
Also, something no one should be without is a USB to IDE/SATA adapter, which will allow you to easily remove the HD, place it on the adapter and scan the HD on another PC; this way root-kits or other software are kept from blocking your access to the files you'd like to delete. You won't be able to modify the registry in this state; however, you can scan using updated AV and spyware tools to rid all traces of the bad files if they are detected.
You can also do this by removing the HD and placing it into a second PC as a secondary HD and scanning; the USB adapter makes it a lot simpler. This is the adapter that I like: cheap, works well, and no software needed to install! http://www.newegg.com/Product/Product.aspx?Item=N82E16812119152
-rich
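The offline scan Rich describes is done from the clean machine, so the tooling lives there rather than on the infected Win2000 box. The following is an added example (not from the thread, not from any of the tools mentioned in it) of a first-pass triage over a suspect Windows volume mounted read-only through such an adapter. The mount point MOUNT is a hypothetical path, the infection window is taken from the dates in the log posted later in this thread, and the three heuristics (a consonant-heavy 8-character name like swhmte82 or qp1jnicc, a PE file with no VS_VERSION_INFO resource, and a modification time inside the window) are the editor's own choice of cheap signals. A file is reported only when at least two of them fire independently.

```python
"""Offline triage of a Windows volume attached to a clean analysis machine."""
from __future__ import annotations

import os
import re
import struct
from datetime import datetime, timezone

# Assumption: the suspect disk is on a USB adapter and its Windows directory
# is mounted read-only here. Adjust to the real mount point.
MOUNT = "/mnt/suspect/WINNT"
SCAN_DIRS = ("system32", os.path.join("system32", "drivers"))
# The log in this thread shows the dropped files dating from November 2007.
WINDOW_START = datetime(2007, 11, 1, tzinfo=timezone.utc)
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Heuristic: 8 lowercase alphanumerics with at most one vowel, like
    'swhmte82' or 'qp1jnicc'. Legit names such as 'internat' have more."""
    if not re.fullmatch(r"[a-z0-9]{8}", stem):
        return False
    return sum(c in VOWELS for c in stem) <= 1


def is_pe(data: bytes) -> bool:
    """True if the buffer starts with an MZ stub pointing at a PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_version_info(data: bytes) -> bool:
    """Microsoft binaries carry a VS_VERSION_INFO resource (stored UTF-16)."""
    return "VS_VERSION_INFO".encode("utf-16-le") in data


def triage_file(path: str) -> list[str]:
    """Return the list of independent reasons this file looks suspicious."""
    reasons: list[str] = []
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    if ext not in (".sys", ".dll", ".exe"):
        return reasons
    if looks_generated(stem):
        reasons.append("generated-looking name")
    with open(path, "rb") as fh:
        data = fh.read()
    if is_pe(data) and not has_version_info(data):
        reasons.append("PE without version resource")
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    if mtime >= WINDOW_START:
        reasons.append(f"modified {mtime:%Y-%m-%d}")
    return reasons


def triage_volume(mount: str = MOUNT) -> dict[str, list[str]]:
    """Map path -> reasons for every binary with at least two independent hits.
    Requiring two hits keeps a legitimate rundll32.exe (its name fits the
    pattern, but it is old and carries version info) out of the list."""
    hits: dict[str, list[str]] = {}
    for sub in SCAN_DIRS:
        root = os.path.join(mount, sub)
        if not os.path.isdir(root):
            continue
        for name in os.listdir(root):
            path = os.path.join(root, name)
            if os.path.isfile(path):
                reasons = triage_file(path)
                if len(reasons) >= 2:
                    hits[path] = reasons
    return hits


if __name__ == "__main__":
    for path, why in sorted(triage_volume().items()):
        print(path, "->", "; ".join(why))
```

Treat the output as a worklist, not a verdict: anything it names still gets hashed and checked against a known-good copy from another machine, and, as Rich says, the registry on the offline volume is left alone until the files are dealt with.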
 

Author Comment

by:bsmile
Thank you both very much for your valuable comments. ComboFix is so powerful that it really surprises me. Below is the log created by this program. Some modifications were applied since some characters are not English. ...

***********************************************

ComboFix 07-12-02.7 - Administrator 2007-12-04 13:52:43.1 - FAT32 x86
Execution location: C:\Documents and Settings\Administrator\desktop\ComboFix.exe
.

((((((((((((((((((((((((((((   Archive created between 2007-11-04 - 2007-12-04 )))))))))))))))))))))))))))))))))
.

2007-12-04 13:57 . 07-12-04 13:57     16,384    --a----t-    C:\WINNT\system32\Perflib_Perfdata_4cc.dat
2007-12-04 03:26 . 07-12-04 03:26     <DIR>    d--------    C:\Documents and Settings\Administrator\Application Data\skypePM
2007-12-04 03:26 . 07-12-04 03:26     32    --a------    C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-04 02:08 . 07-12-04 02:08     <DIR>    d--------    C:\FOUND.003
2007-12-03 22:30 . 07-12-03 22:30     <DIR>    d--------    C:\FOUND.002
2007-12-03 21:11 . 04-03-10 21:49     423,561    --a------    C:\WINNT\system32\drivers\TNET1130.sys
2007-12-03 21:11 . 04-03-10 21:13     84,644    --a------    C:\WINNT\system32\drivers\FwRad17.bin
2007-12-03 21:11 . 04-03-10 21:13     84,644    --a------    C:\WINNT\system\FwRad17.bin
2007-12-03 21:11 . 04-03-10 21:13     83,024    --a------    C:\WINNT\system32\drivers\FwRad16.bin
2007-12-03 21:11 . 04-03-10 21:13     83,024    --a------    C:\WINNT\system\FwRad16.bin
2007-12-03 21:10 . 07-12-03 21:10     <DIR>    d--------    C:\Program Files\Linksys
2007-12-03 21:10 . 03-05-14 16:01     62,673    -ra------    C:\WINNT\system32\drivers\odysseyIM3.sys
2007-12-03 21:09 . 07-12-03 21:09     <DIR>    d--------    C:\Program Files\Funk Software
2007-12-03 21:09 . 07-12-03 21:09     <DIR>    d--------    C:\Program Files\Common Files\Funk Software
2007-12-03 11:45 . 07-12-04 04:03     1,283,236    ---h-----    C:\WINNT\ShellIconCache
2007-12-03 03:02 . 07-12-03 03:02     <DIR>    d--------    C:\FOUND.001
2007-12-03 02:43 . 07-12-03 02:43     <DIR>    d--------    C:\Documents and Settings\Administrator\update
2007-12-03 02:37 . 07-12-03 02:37     <DIR>    d--------    C:\ERDNT
2007-12-03 02:14 . 07-12-03 02:14     <DIR>    d--------    C:\Documents and Settings\Administrator\reg
2007-12-02 20:36 . 07-12-02 20:36     <DIR>    d--------    C:\Program Files\Skype
2007-12-02 20:36 . 07-12-02 20:36     <DIR>    d--------    C:\Program Files\Common Files\Skype
2007-12-02 19:10 . 07-12-02 19:10     <DIR>    d--------    C:\Program Files\Microsoft ActiveSync
2007-12-02 18:35 . 07-12-02 18:35     75,264    --a------    C:\WINNT\system32\MSFLXGRD.oca
2007-12-02 18:35 . 07-12-02 18:35     64,512    --a------    C:\WINNT\system32\MSDATGRD.oca
2007-12-02 15:41 . 07-12-02 15:41     <DIR>    d--------    C:\Documents and Settings\Administrator\.jpi_cache
2007-12-02 15:41 . 07-12-02 15:41     <DIR>    d--------    C:\Documents and Settings\Administrator\.java
2007-12-02 14:38 . 07-12-02 14:38     <DIR>    d--------    C:\FOUND.000
2007-12-02 14:12 . 07-12-02 14:12     <DIR>    d--------    C:\Program Files\Common Files\Macromedia
2007-12-02 14:08 . 07-12-02 14:08     <DIR>    d--------    C:\Program Files\Macromedia
2007-12-02 13:50 . 07-12-02 13:50     <DIR>    d--------    C:\Documents and Settings\Administrator\Application Data\BITS
2007-12-02 13:49 . 07-12-02 13:49     <DIR>    d--------    C:\Program Files\FlashGet Network
2007-12-02 05:24 . 98-05-20 14:17     120,960    -ra------    C:\WINNT\system32\CRSWPP.DLL
2007-12-02 05:24 . 98-05-20 14:17     109,504    -ra------    C:\WINNT\system32\WPWIZDLL.DLL
2007-12-02 05:24 . 98-05-20 14:17     98,960    -ra------    C:\WINNT\system32\FTPWPP.DLL
2007-12-02 05:24 . 98-05-20 14:17     98,496    -ra------    C:\WINNT\system32\POSTWPP.DLL
2007-12-02 05:24 . 98-05-20 14:17     91,920    -ra------    C:\WINNT\system32\FPWPP.DLL
2007-12-02 05:24 . 98-05-20 14:17     50,816    -ra------    C:\WINNT\system32\PIPARSE.DLL
2007-12-02 05:21 . 07-12-02 05:21     94,208    --a------    C:\WINNT\system32\msdatl3.dll
2007-12-02 05:20 . 07-12-02 05:20     <DIR>    d--------    C:\Program Files\Web Publish
2007-12-02 05:20 . 98-05-20 14:17     145,360    -ra------    C:\WINNT\system32\WEBPOST.DLL
2007-12-02 04:58 . 07-12-02 04:58     <DIR>    d--------    C:\Program Files\ftcsetup
2007-12-02 04:31 . 07-12-02 04:31     <DIR>    d--------    C:\Program Files\FlashGet
2007-12-02 04:20 . 07-12-02 04:20     <DIR>    d--------    C:\Documents and Settings\Administrator\DoctorWeb
2007-12-02 04:18 . 07-12-02 04:18     <DIR>    d--------    C:\Program Files\Java Web Start
2007-12-02 04:18 . 07-12-02 04:18     <DIR>    d--------    C:\Documents and Settings\Administrator\.javaws
2007-12-02 04:17 . 07-12-02 04:17     <DIR>    d--------    C:\Program Files\Java
2007-12-02 04:17 . 07-12-02 04:17     <DIR>    d--h-----    C:\Program Files\InstallShield Installation Information
2007-12-02 04:17 . 07-12-02 04:17     <DIR>    d--------    C:\Program Files\Common Files\mozilla.org
2007-12-02 03:14 . 07-12-02 03:14     <DIR>    d--------    C:\Program Files\Media Player Classic
2007-12-01 22:34 . 07-12-01 22:34     <DIR>    d--------    C:\Program Files\Common Files\InstallShield
2007-12-01 22:17 . 07-12-01 22:17     <DIR>    d--------    C:\Program Files\Netscape
2007-12-01 21:33 . 07-12-01 21:33     <DIR>    d--------    C:\Program Files\RegCleaner
2007-11-20 00:13 . 07-11-20 00:13     256,512    --a------    C:\WINNT\myxp123.exe
2007-11-19 00:36 . 01-01-17 07:01     260,096    --a------    C:\RICHTX32.OCX
2007-11-19 00:36 . 00-12-06 00:00     211,968    --a------    C:\TABCTL32.OCX
2007-11-19 00:36 . 00-05-22 00:00     117,248    --a------    C:\MSINET.OCX
2007-11-18 23:39 . 07-11-19 15:01     66,261    --a------    C:\WINNT\system32\mskw.dat
2007-11-18 23:39 . 07-11-19 15:01     72    --a------    C:\WINNT\system32\gdi.hlp
2007-11-14 22:16 . 07-11-14 11:59     106,496    --a------    C:\WINNT\system32\sbtats.dll
2007-11-14 21:08 . 07-11-14 21:08     1    --a------    C:\WINNT\ssopk.ids
2007-11-14 17:34 . 02-05-15 16:16     462,848    --a------    C:\WINNT\system32\msaatext.dll
2007-11-14 17:34 . 02-05-15 16:16     360,448    --a------    C:\WINNT\system32\oleacc.dll
2007-11-14 17:34 . 02-05-15 16:16     360,448    --a------    C:\WINNT\system32\dllcache\oleacc.dll
2007-11-14 17:34 . 02-05-15 16:16     356,352    --a------    C:\WINNT\system32\oleaccrc.dll
2007-11-14 17:34 . 02-05-15 16:16     356,352    --a------    C:\WINNT\system32\dllcache\oleaccrc.dll
2007-11-09 00:16 . 07-11-07 15:55     106,496    --a------    C:\WINNT\system32\bstef.dll
2007-11-09 00:11 . 07-11-09 00:11     24,576    --a------    C:\WINNT\my_70201.exe
2007-11-08 23:42 . 07-11-08 23:42     80    --a------    C:\WINNT\-5773125-91

.
((((((((((((((((((((((((((((((((((((   Archives modified within 3 months  )))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 10:17    95,440    ----a-w    C:\WINNT\NSUninst.exe
2007-12-02 10:17    95,440    ----a-w    C:\WINNT\GREUninstall.exe
2007-10-28 05:37    114,048    ----a-w    C:\WINNT\system32\drivers\snapman.sys
2007-10-28 04:40    37,888    ----a-w    C:\WINNT\system32\setupnt.dll
2007-10-27 10:33    24,576    ----a-w    C:\WINNT\my_70302.exe
2007-10-27 06:56    ---------    d-----w    C:\Documents and Settings\Administrator\Application Data\Ahead
2007-10-27 06:32    602,112    ----a-w    C:\WINNT\system32\paupempdbyssn.dll
2007-10-27 06:32    45,056    ----a-w    C:\WINNT\system32\skype.exe
2007-10-27 06:17    ---------    d-----w    C:\Documents and Settings\Administrator\Application Data\FinalBurner .ISO
2007-10-27 06:15    ---------    d-----w    C:\Documents and Settings\Administrator\Application Data\FinalBurner DATA
2007-10-21 07:38    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\FileOpen
2007-10-15 09:07    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-25 07:16    45,056    ----a-w    C:\WINNT\system32\icpb.dll
2003-12-31 02:00    32,528    ----a-w    C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((((((((   important registry entries  )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*notice* blank or valid registry entries are not shown.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-12-30 20:00  C:\WINNT\system32\internat.exe]
"Wife Control System"="C:\Program Files\Microsoft Visual Studio\VB98\liuj\Wife Control System.exe" [07-12-02 18:36 ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07-08-31 16:46 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Trogan firewall"="C:\Program Files\ftcsetup\Trojanwall.exe" [06-04-30 17:31 ]
"Windows???í·à?e??"="C:\Program Files\ftcsetup\Trojanwall.exe" [06-04-30 17:31 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"qp1jnicc"="C:\WINNT\system32\Rundll32.exe" [03-12-30 20:00 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="Internat.exe" [03-12-30 20:00  C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-12-31 04:00 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetFolders"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoShellSearchButton"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"NoSetFolders"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Administrator\My Documents\My Skype Received Files\green_1012.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^ ËÜU^ ^/¨^~¯QQ.lnk]
backup=C:\WINNT\pss\~¯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^ ËÜU^ ^/¨^Acrobat Assistant.lnk]
backup=C:\WINNT\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^ ËÜU^ ^/¨^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^ ËÜU^ ^/¨^TMExLogon.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^ ËÜU^ ^/¨^TSBxLogon.lnk]
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internat.exe]
            internat.exe
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
            C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE -turbo
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
            C:\Program Files\MSN Messenger\msnmsgr.exe /background
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
            C:\toshiba\ivp\ISM\pinger.exe /run
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
            C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDspOff]
            Tdspoff.exe B
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
            C:\Program Files\Common Files\Real\Update_OB\realsched.exe  -osboot
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
            TPWRTRAY.EXE
           
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YAMAHA DS-XG Launcher]
00-03-23 20:07     278528    --a------    C:\WINNT\dslaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
gbwr

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
*Newly Created Service* - SWHMTE82
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 13:57:54
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scan hidden program ...

scan hidden process ...

scan hidden archives ...

scan done
hidden archives: 0

**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BusLogic]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\C:]
"ImagePath"=dword:00000002
.
Done: 2007-12-04 13:58:35 - machine was rebooted
.
    --- E O F ---

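The question describes a driver service (swhmte82) and a RunOnce rundll32 entry that keep re-creating each other, and the log above carries the raw material for spotting that pattern: freshly built binaries in system32, Run/RunOnce values that invoke rundll32 on a DLL, a non-default NetSvcs member (gbwr) and the "Newly Created Service" list. As an added example (not part of the thread and not ComboFix's own logic), here is a small parser in Python, run on the analyst's side, that pulls those indicators out of a ComboFix log and cross-links newly created services with same-named files and autorun values. SAMPLE is excerpted verbatim from the log posted above; the classification rules (a file counts as "fresh" when its own modification year matches its creation year, since OS files keep their build date; a Run/RunOnce value counts when its data contains rundll32) are the editor's assumptions, chosen to surface leads rather than to pass verdicts.

```python
"""Pull respawn-relevant indicators out of a ComboFix log."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# SAMPLE is excerpted verbatim from the log posted in this thread: a few
# lines each from the created-files, modified-in-3-months and registry
# sections. The rules below are the editor's own, not ComboFix's.
SAMPLE = r"""
2007-11-14 22:16 . 07-11-14 11:59     106,496    --a------    C:\WINNT\system32\sbtats.dll
2007-11-14 17:34 . 02-05-15 16:16     360,448    --a------    C:\WINNT\system32\oleacc.dll
2007-11-09 00:16 . 07-11-07 15:55     106,496    --a------    C:\WINNT\system32\bstef.dll
2007-12-04 03:26 . 07-12-04 03:26     <DIR>    d--------    C:\Documents and Settings\Administrator\Application Data\skypePM
2007-10-27 06:32    45,056    ----a-w    C:\WINNT\system32\skype.exe
2007-10-28 05:37    114,048    ----a-w    C:\WINNT\system32\drivers\snapman.sys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Trogan firewall"="C:\Program Files\ftcsetup\Trojanwall.exe" [06-04-30 17:31 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"qp1jnicc"="C:\WINNT\system32\Rundll32.exe" [03-12-30 20:00 ]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
gbwr

*Newly Created Service* - IPNAT
*Newly Created Service* - SWHMTE82
"""

# created-files section: "<create date> . <2-digit-year mtime> <size> <attrs> <path>"
FILE_CREATED = re.compile(
    r"^(?P<created>\d{4})-\d{2}-\d{2} \d{2}:\d{2} \. (?P<mtime>\d{2})-\d{2}-\d{2} "
    r"\d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>[A-Z]:\\.+)$"
)
# modified-in-3-months section: "<mtime> <size> <attrs> <path>"
FILE_FIND3M = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>[A-Z]:\\.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')
NEW_SERVICE = re.compile(r"^\*Newly Created Service\* - (?P<name>\S+)$")
NETSVCS_HDR = re.compile(r"\\Svchost\s+-\s+NetSvcs$", re.IGNORECASE)
IN_SYSTEM32 = re.compile(r"\\system32\\(?!dllcache\\)", re.IGNORECASE)
BINARY_EXT = (".dll", ".sys", ".exe")


@dataclass
class Indicators:
    fresh_binaries: list[str] = field(default_factory=list)          # new code in system32
    rundll32_autoruns: dict[str, str] = field(default_factory=dict)  # value name -> key
    netsvcs: list[str] = field(default_factory=list)                 # non-default svchost members
    new_services: list[str] = field(default_factory=list)            # lower-cased names


def extract_indicators(log: str) -> Indicators:
    ind = Indicators()
    current_key = ""
    in_netsvcs = False
    for raw in log.splitlines():
        line = raw.strip()
        if in_netsvcs:                 # members follow the header until a blank line
            if line:
                ind.netsvcs.append(line)
            else:
                in_netsvcs = False
            continue
        if NETSVCS_HDR.search(line):
            in_netsvcs = True
            continue
        if (m := NEW_SERVICE.match(line)):
            ind.new_services.append(m["name"].lower())
            continue
        if (m := REG_KEY.match(line)):
            current_key = m["key"]
            continue
        if (m := REG_VALUE.match(line)):
            if current_key.lower().endswith(("\\run", "\\runonce")) and "rundll32" in m["data"].lower():
                ind.rundll32_autoruns[m["name"].lower()] = current_key
            continue
        m = FILE_CREATED.match(line)
        if m:
            # OS files keep their build date as mtime; dropped malware is freshly built.
            fresh = m["created"][2:] == m["mtime"]
        else:
            m = FILE_FIND3M.match(line)
            fresh = m is not None      # this section lists only recent mtimes
        if m and fresh:
            path = m["path"]
            if path.lower().endswith(BINARY_EXT) and IN_SYSTEM32.search(path):
                ind.fresh_binaries.append(path)
    return ind


def link_respawn_chain(ind: Indicators) -> dict[str, list[str]]:
    """For each newly created service, collect artifacts sharing its name:
    a same-named fresh binary or a same-named Run/RunOnce value. A driver
    service and a RunOnce value that recreate each other is the pattern the
    question describes."""
    stems: dict[str, list[str]] = {}
    for path in ind.fresh_binaries:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        stems.setdefault(stem, []).append(path)
    links: dict[str, list[str]] = {}
    for svc in ind.new_services:
        related = list(stems.get(svc, []))
        if svc in ind.rundll32_autoruns:
            related.append(ind.rundll32_autoruns[svc] + "\\" + svc)
        if related:
            links[svc] = related
    return links


if __name__ == "__main__":
    found = extract_indicators(SAMPLE)
    print("fresh binaries in system32:", *found.fresh_binaries, sep="\n  ")
    print("rundll32 autoruns:", found.rundll32_autoruns)
    print("extra NetSvcs members:", found.netsvcs)
    print("new services:", found.new_services)
    print("linked:", link_respawn_chain(found))
```

On the excerpt, sbtats.dll, bstef.dll, skype.exe and drivers\snapman.sys come out as fresh binaries (oleacc.dll does not, because its own date is 2002), qp1jnicc is the only rundll32 autorun, gbwr is the lone NetSvcs member, and SWHMTE82 is a new service with no same-named artifact left in the log, which matches the poster having already deleted swhmte82.dll. Each flagged item is a lead to verify, not a finding.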
 

Author Closing Comment

by:bsmile
There are other cases where combofix.exe doesn't work. Why?!
 
LVL 47

Expert Comment

by:rpggamergirl
Sorry to have missed analyzing the logs; I somehow missed this thread.
ComboFix doesn't always remove bad files; it will only remove bad files that it recognizes as bad, so some bad files and bad reg entries showing in the logfile would have to be removed using its CFScript function.
