I cannot delete an infected file.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Fishhead, Apr 25, 2005.

  1. Fishhead

    Fishhead Private First Class

    I have a Dell Inspiron 2650 and it seems to run well. However, when I run McAfee Virus or Ad-Aware SE software I receive a pop-up McAfee notice that a file in Windows\System32 is infected with "backdoor-cfb". When I respond to the notice by indicating to delete the file I receive a reply that the file may not be quarantined or deleted.

    I have none of the Registry changes the McAfee tells me are associated with this Trojan. I seem to only have a contaminated file that I can not delete.

    I have run HijackThis v 1.99 and I can account for all entries.

    If I go into My Computer to the location of the file, all I need to do is point the cursor to the file (not even click on it) and McAfee pops up telling me the file is infected.

    I have tried changing the attributes of the file but Windows will not let me.

    I have tried deleting it in SAFE mode but that does not help.

    There must be a way to delete this unwanted file.

    Can someone give me some ideas?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Fishhead

    Fishhead Private First Class

    I have followed all of the steps in the "Read me first" document and have attached my Hijack This log.

    The file does not seem to be causing any problems, but it is there and I want it to go away. Every time I run McAfee it finds the file but it cannot be deleted. McAfee says it is contaminated with backdoor-cfb. I have none of the characteristics that McAfee attributes to this trojan, including the changes that normally would be made to my registry.

    How can I delete this file?
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    What file are you referring to?

    Can you provide me with the exact filename and location?
     
  5. Fishhead

    Fishhead Private First Class

    The file is C:\Windows\system32\kbdjef.dll. It is 56 KB.

    I have searched the registry for this file looking for anything that could be using it, but find nothing. Access is denied; I cannot delete it.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Here is some information about this particular infection:

    http://vil.mcafeesecurity.com/vil/content/v_126106.htm

    Download Pocket KillBox

    Now, Copy and Paste C:\WINDOWS\System32\kbdjef.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    After you reboot, see if the file remains.
     
  7. Fishhead

    Fishhead Private First Class

    I tried Pocket KillBox before submitting my original post. I did not copy and paste the file location but rather typed it in. If copy and paste makes a difference I will try that this evening when at home with my laptop.

    If I highlight the file name to copy it and McAfee is turned-on, then I will receive the contamination notice about the file.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    After you Killbox this file it should be removed. Let me know!
     
  9. Fishhead

    Fishhead Private First Class

    When I go into My Computer and find the file name, I highlight it and then right mouse button and click Copy. When I go to KillBox and try to paste the file name, Paste is not available.

    When I type the location and file name directly into KillBox and select delete upon reboot, and then reboot, the file has not been deleted. It did show-up in blue text below the file name window.

    I have now tried everything that I can think of except reformatting.

    Isn't there some sort of trick to get to protected files?

     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now, Copy and Paste C:\WINDOWS\System32\kbdjef.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    When I say copy and paste, I mean select C:\WINDOWS\System32\kbdjef.dll and press control c. Now, run Killbox and in the box where you type, click in the box and press Control V.

    This will paste the location in there; if it doesn't show in blue then it probably doesn't exist.

    Try this; also, when you click delete on reboot, check the option "End Explorer Shell While Killing File".
     
  11. Fishhead

    Fishhead Private First Class

    First the Control C and Ctrl V key strokes did not cut and paste for me. I tried them on a known "good" file and it still did not cut and paste.

    I tried once again browsing for the file clicking on it so it shows in the file window. The file name shows up in blue just below the window. I selected delete on reboot and "End Explorer Shell While Killing File". I did this in normal mode and in Safe mode. The file will not go away.

    I also have "restore turned-off".

    I need some magic.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    How To Cut (Copy) And Paste

    http://forums.majorgeeks.com/showthread.php?t=26020


    Okay close all browsers and kill the process using HJT. Then run the steps below.

    At the command prompt, if you go to the c:\windows\system32 folder and enter the following commands, tell me what happens:

    cacls C:\WINDOWS\System32\kbdjef.dll /g Everyone:f
    <-- answer yes to any prompts for the above command
    cd C:\WINDOWS\System32
    attrib -r -h -s kbdjef.dll
    del ikpipz.exe

    dir /AH *.exe > kbdjef.dll
    cacls kbdjef.dll /g Administrator:f
    <-- answer yes to any prompts for the above command
    attrib +r +h +s kbdjef.dll

    exit

    Tell me if all those commands executed without any error messages. If not, tell me the errors.
     
  13. Fishhead

    Fishhead Private First Class

    This did not take me very far. I have inserted the error messages below in CAPS.


    cacls C:\WINDOWS\System32\kbdjef.dll /g Everyone:f
    <-- answer yes to any prompts for the above command

    ACCESS IS DENIED

    cd C:\WINDOWS\System32
    attrib -r -h -s kbdjef.dll
    ACCESS IS DENIED

    del ikpipz.exe
    BAD FILE NAME

    dir /AH *.exe > kbdjef.dll
    FILE NOT FOUND

    cacls kbdjef.dll /g Administrator:f
    <-- answer yes to any prompts for the above command

    ACCESS DENIED

    attrib +r +h +s kbdjef.dll

    ACCESS DENIED


    If you have other suggestions, I will try them.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I forgot to replace the ikpipz.exe with the correct one, sorry about that.

    Is there any way you can take out the HDD and place it in another machine as a slave drive and then delete it this way?
     
  15. Fishhead

    Fishhead Private First Class

    If this was a desktop machine I could. But I do not feel very comfortable opening up a laptop to remove the hard drive and then trying to mount it in a desktop as a slave.

    It is beginning to appear that my options are reformat or forget about the file. In the latter case it does not appear to be doing anything except setting off red flags when I search for viruses, in which case I would like to have it removed.

    I'll check back in case you or someone else thinks of a way to get at this file.

    Thanks for all your effort.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ahh! I forgot this was a laptop, sorry about that. Before you format let me get one last opinion on this. Hang in there a few minutes!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you guys try unregistering the DLL file (manually)? Then deleting. Do both from safe mode.

    Also did you try PocketKillbox and select the option to Unregister DLLs?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also one other thing to do is to use regedit to look for the file. It is probably located in an entry something like the below (this is not an exact match of what you have - it is just an example). This registry key needs to be deleted (in safe mode after unregistering the DLL)

    RunServicesOnce

    **kr=rundll32 C:\WINDOWS\System32\kbdjef.dll ,StreamingDeviceSetup

    Here is another example of what may need to be done to fix this.

    http://vil.mcafeesecurity.com/vil/content/v_126106.htm
     
  19. Fishhead

    Fishhead Private First Class

    I have searched the registry for the file but it did not show up at all. I also tried running KillBox in safe mode with the option to unregister the DLL selected. None of the characteristics that McAfee indicates as an indication that the computer is infected are present. The only reason I know the file is contaminated is that McAfee flags it during a scan. This is very frustrating, to not be able to access this file in order to delete it.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want you to download the following two programs Registrar Lite and StartDreck.

    Install Registrar Lite.

    Now unzip StartDreck to a folder where you can find it later to run. Preferably put it in its own folder.

    This step is very important - you need to be completely disconnected from the internet (physically disconnecting the line to your analog modem or the ethernet cable from your computer is the best way to be positive).
    What we are going to try to do is identify the hidden file that is causing the problem. So now we are ready.

    - Run StartDreck.exe
    - Click on: Config
    - Click on: Unmark all
    - Check only the following boxes:
    - Registry | run keys
    - System/drivers | Running processes
    - Click on OK

    Reconnect your internet connection and get back here and post the log of results AS A TEXT ATTACHMENT.

    Now run Registrar Lite:
    - Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    - Click the "go" tab
    - Find: "AppInit_Dlls" value on the right side panel.
    - DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field.
     
    Last edited: Apr 28, 2005
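    The checks that posts 12 and 20 walk through by hand (file attributes and ACL, whether a process has the DLL loaded, the AppInit_DLLs and Run registry values, and whether a delete-on-reboot was actually queued) as one read-only diagnostic. This is an added example, not a script from the thread or from any of the tools named in it; it is PowerShell for a current Windows rather than the XP cmd commands above, and assumes an elevated prompt. The path is the one named in the thread.

```powershell
# Added diagnostic (not from the thread). Read-only: it changes nothing on disk or in the registry.
$Path = 'C:\WINDOWS\System32\kbdjef.dll'     # file named in the thread; adjust as needed
$Name = [System.IO.Path]::GetFileName($Path)

if (-not (Test-Path -LiteralPath $Path)) { Write-Host "$Path does not exist"; return }

# 1. Attributes: read-only / hidden / system must be cleared before 'del' will succeed.
$item = Get-Item -LiteralPath $Path -Force
Write-Host "Attributes : $($item.Attributes)"

# 2. Owner and DACL: 'Access is denied' from cacls/attrib usually means the current
#    account is neither the owner nor granted Full Control.
$acl = Get-Acl -LiteralPath $Path
Write-Host "Owner      : $($acl.Owner)"
foreach ($ace in $acl.Access) {
    Write-Host ("  {0,-6} {1,-30} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights)
}

# 3. A DLL mapped into a running process cannot be deleted until that process exits,
#    which is why the thread suggests ending the Explorer shell or deleting on reboot.
foreach ($p in Get-Process) {
    try {
        $hit = $p.Modules | Where-Object { $_.ModuleName -ieq $Name }
        if ($hit) { Write-Host "Loaded by  : $($p.ProcessName) (PID $($p.Id))" }
    } catch { }   # protected or other-bitness processes refuse module enumeration; skip them
}

# 4. Persistence values the thread asks about: AppInit_DLLs and the Run keys.
$winNT   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winNT -ErrorAction SilentlyContinue).AppInit_DLLs
Write-Host "AppInit_DLLs: '$appInit'"
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($v in $props.PSObject.Properties) {
        if ("$($v.Value)" -match [regex]::Escape($Name)) { Write-Host "Run entry  : $key\$($v.Name) = $($v.Value)" }
    }
}

# 5. A delete-on-reboot request made with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) is
#    recorded here; if the value lacks the file, no deletion was actually scheduled.
$sm      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending -and (($pending -join "`n") -match [regex]::Escape($Name))) {
    Write-Host "Pending    : delete/rename of $Name is queued for next reboot"
} else {
    Write-Host "Pending    : nothing queued for $Name"
}
```

    Run it before and after a delete-on-reboot attempt; a missing PendingFileRenameOperations entry, or a process still listed under "Loaded by", explains the file surviving the reboot.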
  21. Fishhead

    Fishhead Private First Class

    The StartDreck address has changed, but it provides a redirect. However, the page is in German. I found it anyway.

    I have run the program and attached the log.
     

  22. Fishhead

    Fishhead Private First Class

    I have run Registrar Lite and cut and pasted the line you provided. However, there was no line on the right that even remotely said "Applnit_Dlls".
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes there must be! It is a default Windows registry key that must be in the registry.

    Please check again that you were on the correct registry key.
     
  24. Fishhead

    Fishhead Private First Class

    When I cut and paste the line "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs " into the RegisterLite address window and hit Go, a Register display appears. The address now reads "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows". The last bit of information "\\AppInit_DLLs" is no longer there.

    In the left hand display, the Windows folder is open, but there is no little + sign next to it.
     
  25. Fishhead

    Fishhead Private First Class

    Chaslang:


    Your comment that there must be something in my registry because it is a default Windows registry key got me wondering. So I ran regedit and used "Find" to search for the term "applnit_dlls". It came up empty for the entire registry.

    What does this mean and what if anything can I try now to get this file off my computer?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please try using Registrar Lite rather than regedit and search your registry for: kbdjef

    Do not add the .DLL in the search, just use kbdjef

    Let me know if anything is found.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But in the right side window pane do you see under the Name column, things like
    default
    AppInit_DLLs
    DeviceNotSelectedTimeout
    GDIProcessHandleQuota
    Spooler
    Swapdisk
    TransmissionRetry Timeout
    USERProcessHandleQuota