can't delete file...task running

cjkitticjkitti
edited July 2004 in Spyware & Virus Removal
Hi Again...i'm going though the changes that i was advised to make after prime suspect reviewed my log. I have a couple problems, first, there is a task running that makes me unable to delete the C:\windows\nem219.dll file that i'm suppossed to delete. Can you tell me which process to end? Second, can you tell me where to find the two lines below? Thanks again, this is a great site!

R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
F0 - system.ini:Shell =

Comments

  • csimoncsimon Acadiana Icrontian
    edited July 2004
    you may be able to end the task thru task manager ...once you find that file running in task manager you would simply highlight the file and press "end task" then delete it.
    But you may have to try that in safe mode ...try it and if it is stubborn give it a few trys and give it a little time to end. If it simply won't end go to safe mode and try it again. Let's see what happens.
  • Straight_ManStraight_Man Geeky, in my own way Naples, FL Icrontian
    edited July 2004
    cjkitti wrote:
    Hi Again...i'm going though the changes that i was advised to make after prime suspect reviewed my log. I have a couple problems, first, there is a task running that makes me unable to delete the C:\windows\nem219.dll file that i'm suppossed to delete. Can you tell me which process to end? Second, can you tell me where to find the two lines below? Thanks again, this is a great site!

    R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    F0 - system.ini:Shell =

    The numbers in {}'s are a CLSID code. Take them, highlight them (just the numbers), Presss CTRL-C on keyboard, open regedt32.exe from start|run, and paste the numbers into the box for finding. That will let you search by CLSID number. Then you can kill the CLSID key matching this and any keys referenceing that CLSID. The first key you find is likely to be a HEX KEY LOCAL MACHINE subkey, possibly in the software subtree there.

    CLSID can be understood as Computer\Local Software ID for most practical intents and purposes. It is unique to a program or malware app core code object, and dehooking with a specifc CLSID huntdown and delete using find and then find next is one way I remove the activated protection for stubborn malware things-- restart after, then kill the application by removing it as a file (IT will no longer be protected as a system registered process or be running and therefore no longer be stubborn to remove file). Look at the value pane in regedt32 as you go, the first key hit with find should have the location of the file, write down the pathing if any and if you will, post it here from your notes, ok??? Let the regedt32 make a backup first, ok??? Do this as admin login in safe mode startup if this is XP Pro or 2000 Pro.

    To be honest, the system.ini:Shell= can be good or bad, in terms of it being malware or not, in XP Pro after Service Pack 1a and security updates. I would kill the R3 yes, and hunt down any tracking and data mining cookies with SpyBot S&D and HJT and kill those. Playing with the F0 thing is a bit too ambiguous for me, there ARE entries that need to have that string in them that are legit. DEFINITELY, before you play with registry entries containing that make a good backup of registry.
  • cjkitticjkitti
    edited July 2004
    Thanks alot guys! Was able to delete nem219.dll in safe mode. Strange about FO - system.ini: Shell =, because everytime i turn on the comp. i get a big box from notepad and it says something like that, something about shell32???Don't know if connected. I just click the red x off...
Sign In or Register to comment.