Unable to remove dlls placed by Trojan

External Since: Oct 05, 2004 Posts: 2

I have been wrestling with a Trojan on my venerable old Win 98
machine. I have removed the Trojan using Norton. Ran Hijack This and
ADWare and it all looks clean. I am still getting a "No internet
connection available" dialog when I boot. Killing RunDll seems to
stop it.

Today's specific problem: I has identified a couple of dlls in
c:\windows\system\ that were placed there at the time when we got the
Trojan. One is NtNDI.DLL produced by NicTech. When I try to delete
them in Windows I get a message that Windows is using them. I boot in
Dos and I can't see them. So I run attrib. They are set to rsh. I
cannot delete them. It try to use attrib to turn off the hidden
attribute -h. I get a message saying Attribute not set on NdNDI.dll.
Now what ?

Maybe I should check the file date on attrib? Could it have been
replaced?

I tried booting from a floppy but I can't get it to load.

Llew

External Since: Oct 06, 2004 Posts: 4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Llew Williams regaled us with the following:

> I have been wrestling with a Trojan on my venerable old Win 98
> machine. I have removed the Trojan using Norton. Ran Hijack This and
> ADWare and it all looks clean. I am still getting a "No internet
> connection available" dialog when I boot. Killing RunDll seems to
> stop it.
>
> Today's specific problem: I has identified a couple of dlls in
> c:\windows\system\ that were placed there at the time when we got the
> Trojan. One is NtNDI.DLL produced by NicTech. When I try to delete
> them in Windows I get a message that Windows is using them. I boot in
> Dos and I can't see them. So I run attrib. They are set to rsh. I
> cannot delete them. It try to use attrib to turn off the hidden
> attribute -h. I get a message saying Attribute not set on NdNDI.dll.
> Now what ?
>
> Maybe I should check the file date on attrib? Could it have been
> replaced?
>
> I tried booting from a floppy but I can't get it to load.
>
> Llew

Remove the system attribute on that file before trying to remove the hidden
or readonly attributes...

Yes, attrib *could* have been replaced but I would try the above before
worrying about that.

Also, be certain to choose "safe mode command prompt only" so that *nothing*
is loaded at boot and you are dropped immediately to the command prompt.

- --
Skorpion [skorpion at suespammers dot org]
"Don't attribute to malice that which can be adequately explained by
stupidity."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBYsYPcTBCVvf50kkRApB5AKDDEkPwIvNTI0/18a35As7kjMTR/gCZAfEB
P6AXEL1WoaD+VdvMQjh/NnY=
=+vGm
-----END PGP SIGNATURE-----