-
October 8th, 2001, 11:37 PM
#1
Member
How Do I delete this file
Please take a minute and help me. PC_CILLIN informs me that I have a few files that are Back Orifice Trojan files. I am unable to delete them; pc_cillin is unable to clean or delete them as well. I have tried going into the registry and modifying their value and that doesn't work either. Whenever I try to delete the files it says access denied.
mike m aka greyhairedwolf
Mike M aka greyhairedwolf
----------------------------------------------
Eight Words The Wiccan Rede Fulfills
"An it harm none do what you will"
----------------------------------------------
A mind is like a parachute it only works
WHEN OPEN
-
October 8th, 2001, 11:47 PM
#2
Go to Moosoft.com and download the cleaner3.exe. It should detect and clean trojans on your computer. It also has realtime protection that monitors to see if a trojan is being installed.
"A hacker is someone who has a passion for technology, someone who is possessed by a desire to figure out how things work."
-
October 9th, 2001, 12:10 AM
#3
Deleting the Files
If you're getting the "Access Denied" error that is probably because the files have registered themselves as services in Windows. Therefore, they are always in use and cannot be deleted while "in" Windows.
To Delete Them:
Try restarting in "MS-DOS Mode" and going to the directory they are located in and deleting them in DOS. After you are done deleting them type "win"
How to Delete in Dos:
(Just in case you don't know)
del "file.ext" (remove the quotes)
example: del test.txt
Good Luck, I hope this helps
Simon Templer
"Your work is to discover your world and then with all your heart give yourself to it."
-The Buddha
-
October 9th, 2001, 03:08 AM
#4
If it's giving you an access denied error, then something probably has that file running. Try booting into safe mode and deleting the file that way. Only critical processes run in safe mode, so you should be able to delete them. If that doesn't work (and it should), boot into DOS and try deleting them.
-
October 9th, 2001, 04:35 AM
#5
Junior Member
Well, buddy... First of all you have to see what kind of files are running. See it by pressing ctrl+alt+del. Try to figure out what each one of them does and you will fix the problem.
This doc can help you... read it and learn your own OS...
All Known and Unknown Autostarting Methods used for executing files ( like trojans )
1. Autostart folder
Everything in here will restart.
C:\windows\start menu\programs\startup {english}
This Autostart Directory is saved in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders Startup="C:\windows\start menu\programs\startup"
'So it could be easily changed by any program.
2. Win.ini
[windows]
load=file.exe
run=file.exe
3. System.ini [boot]
Shell=Explorer.exe trojanfile.exe
4. c:\windows\winstart.bat
'Note behaves like a usual BAT file. Used for copying deleting specific files. Autostarts every time
5. Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
6. c:\windows\wininit.ini
'Often used by Setup programs. When the file exists it is run ONCE and then is deleted by Windows
Example: (content of wininit.ini)
[Rename]
NUL=c:\windows\picture.exe
'This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This
requires no interactivity with the user and runs totally stealth.
7. Autoexec.bat
Starts every time at DOS level.
Example:
Call C:\trojanfile.exe >nul
Will run trojanfile.exe and redirect any output to nothing,
so it will run totally stealth
8. Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
The key should have a value of "%1 %*"; if this is changed to "server.exe %1 %*",
server.exe is executed EVERY TIME an exe/pif/com/bat/hta is executed.
Known as the Unknown Starting Method and is currently used by Subseven.
9. Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.
9. Misc Information
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object" "NeverShowExt"=""
The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS.
This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs
including Explorer.
Your registry should be full of NeverShowExt keys; simply delete the key to get the real
extension to show up.
10. Dosstart.pif
Right click on it and go to properties. You can specify a custom autoexec.bat and
config.sys when the computer is restarted in msdos mode.
See you...
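Added example, not part of the original post: a Python check that reads copies of win.ini, system.ini and a REGEDIT4 registry export and reports entries in the autostart locations from items 2, 3, 5 and 8 of the list above. The function names and the sample file contents are assumptions made for illustration, and the `"%1" %*` baseline is the value the post gives.

```python
import re
# Key suffixes from items 5 and 8 of the post, lower-cased for matching.
RUN_KEYS = tuple("\\currentversion\\" + k for k in
                 ("run", "runonce", "runservices", "runservicesonce"))
SPAWN_KEY = "\\shell\\open\\command"
SAFE_SPAWN = '"%1" %*'  # baseline value as stated in the post

def parse_sections(text):
    """Parse INI or REGEDIT4 text into {section: {name: value}}, keys lower-cased."""
    data, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = data.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, value = line.split("=", 1)
            current[name.strip().strip('"').lower()] = value.strip()
    return data

def unquote_reg(value):
    """Strip a .reg string's outer quotes and undo its backslash escapes."""
    m = re.fullmatch(r'"(.*)"', value)
    return re.sub(r'\\(["\\])', r"\1", m.group(1) if m else value)

def audit(win_ini="", system_ini="", reg_export=""):
    """Return (location, entry) pairs that deserve manual review."""
    found = []
    win = parse_sections(win_ini).get("windows", {})
    found += [("win.ini " + n, win[n]) for n in ("load", "run") if win.get(n)]
    shell = parse_sections(system_ini).get("boot", {}).get("shell", "")
    if shell and shell.lower() != "explorer.exe":
        found.append(("system.ini shell", shell))
    for key, values in parse_sections(reg_export).items():
        if key.endswith(RUN_KEYS):  # every Run* value is an autostart entry
            found += [(key, n + "=" + unquote_reg(v)) for n, v in values.items()]
        elif key.endswith(SPAWN_KEY) and unquote_reg(values.get("@", SAFE_SPAWN)) != SAFE_SPAWN:
            found.append((key, unquote_reg(values["@"])))
    return found

SAMPLE_WIN_INI = "[windows]\nload=\nrun=file.exe\n"  # constructed sample, as are the two below
SAMPLE_SYSTEM_INI = "[boot]\nShell=Explorer.exe trojanfile.exe\n"
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''
if __name__ == "__main__":
    print(*audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_REG), sep="\n")
```

Run key values are listed rather than judged, since legitimate software also starts from those keys; each one still has to be checked by hand.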
-
October 9th, 2001, 08:13 AM
#6
Member
Thank YOU
Thank you to all who helped me by posting replies to my question. Many of those methods I had tried. The winner of the get those pesky files off of Mikey's Computer goes to Casper. Cleaner 3.0 managed to finally give them their eviction notice. BUT I WANT TO THANK EVERYONE WHO POSTED A REPLY TO HELP ME. I appreciate everyone who took the time to think of a way to give me a hand.
Mike Marlin aka Greyhairedwolf
-
October 9th, 2001, 02:48 PM
#7
What you can do is take a backup of all your important files and then format the C drive and reinstall your operating system. This will refresh your registries and also clean all the trojans which might be present on your system.
If you don't want to do this then go to tauscan; there you can download the trojan scanner and fix your problem.
intruder.
-
October 9th, 2001, 04:46 PM
#8
Intruder, and what if the important files you're backing up, are infected?
-
October 9th, 2001, 06:13 PM
#9
Member
It doesn't matter if the files you backed up are infected because when you restore they won't be running; they will be "dead" infections.
-
October 9th, 2001, 06:17 PM
#10
Once you install the files back on they will become active again.