Need to delete file from command prompt

nottheguru

I am not sure if this is the right place for this post but it seemed the most appropriate of all the forums.

Is it possible to boot to a command prompt in XP and delete a file from the Documents and Settings folder? I have a worm/hijacker... file in there that is the only one Spybot S&D can't fix because it is loaded in memory, which means I have to delete it before it loads. Whether I've guessed right or not: how do I delete it? I think it is the only culprit left of my all-day nightmare, since the file and 2 registry settings are all that S&D comes up with.
Files referenced in blue text (in the log) have been deleted, but the entry still appears.

The file referenced in red text (in the log) is the PITA that I can't get rid of.
BTW, I can't access Add/Remove Programs, the registry, or anything else associated with the Start button. I can only use Task Manager's Run command to find the files and delete them. :mad:
Please help!!!

Below is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:43:50 PM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58eb0b4e-d01b-4ba0-be24-f0047c8113c4} - C:\WINDOWS\system32\kbdc32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [EmsaTimeSync] F:\SOFTWARE\TimeSynchronizer\TimeSynchronizer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: PinkNotes Plus v4.lnk = C:\Program Files\PNP4\pnplus4.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: taskmgr.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\winhealer.dll' missing
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179729745562
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dx8.dll
O20 - Winlogon Notify: kbdc32 - C:\WINDOWS\SYSTEM32\kbdc32.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: ETlRQyOTU - {76269C01-DC8C-36AB-EA79-FAD284A950D2} - C:\WINDOWS\system32\zqp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Pink Notes Plus Master (pnp4mast) - Unknown owner - C:\Program Files\PNP4\Master\PNP4Mast.exe" /s (file missing)
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
 
Simply boot up in "safe mode with command prompt support" by pressing F8 at the OS menu during startup. Once you get the command prompt, change to the required directory and run an "rm" command on the file.

If this doesn't work, booting from a CD definitely will.
 
I would suggest:

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

Delete this entry... it should not be there!!!

Also, if possible, download CCleaner to clean system junk...

Apart from the junk entry, HijackThis didn't show anything else... though I would also say: install the IE7 engine, even if you are not using IE (maybe you are happy with FF or Opera). Install IE7 because many programs use the IE engine, and IE7 is safer than 6.0, whereas installing IE7 won't harm your system....


As ThunderBolt said, you may boot into Safe Mode with Command Prompt, but in many cases, if you have a stronger virus, it still won't let you delete the file... so if safe mode doesn't work out, there is another way:

Boot with a Windows XP, 2000 or Windows 2003 Server installation CD; when asked to press "R" to enter the Recovery Console, do it.

[image: repair01.gif]

It will start a CLI interface which will allow you to access files and folders...!!!

[image: registry01.gif]

Thank you...

P.S. If you are trying to remove or heal any virus-affected PC, it is recommended that you turn off System Restore :D
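The two procedures above (ThunderBolt's Safe Mode command prompt and Choto Cheeta's "delete the O20 entry"), written out as one script. This is an added example, not code from any poster in the thread. Two practitioner notes: cmd.exe's delete command is `del` (Windows has no built-in `rm`), and the reason a HijackThis entry "still appears" after the file is deleted (the original poster's blue-text entries) is that HijackThis is reporting the registry value, which has to be removed separately. The directory, file name and Notify subkey name are taken from the O20 line in the log above (HijackThis lists O20 items by their subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify); the variable names are this example's own.

```batch
@echo off
REM Added example, not from the thread: remove the winsys2f.dll file and its
REM Winlogon Notify hook from "Safe Mode with Command Prompt" on Windows XP.
REM The directory, file name and Notify subkey name are taken from the O20
REM line in the HijackThis log above; the variable names are this example's own.
setlocal
set "TARGETDIR=C:\Documents and Settings\All Users\Documents\Settings"
set "TARGETFILE=winsys2f.dll"
set "NOTIFYKEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winsys2freg"

REM 1. Remove the registry hook first. winlogon.exe loads every DLL listed
REM    under Winlogon\Notify at logon, so while this subkey exists the file
REM    is mapped into a process you cannot kill and del will fail.
reg query "%NOTIFYKEY%" >nul 2>&1
if %errorlevel%==0 (
    echo Removing registry key %NOTIFYKEY%
    reg delete "%NOTIFYKEY%" /f
) else (
    echo Notify subkey not present
)

REM 2. Strip read-only/system/hidden attributes, then delete. The path is
REM    quoted because "Documents and Settings" contains spaces.
if exist "%TARGETDIR%\%TARGETFILE%" (
    attrib -r -s -h "%TARGETDIR%\%TARGETFILE%"
    del /f /q "%TARGETDIR%\%TARGETFILE%"
)

REM 3. Verify both halves. If the file is still present because it was
REM    "in use", the DLL was already loaded in this session; reboot into
REM    Safe Mode with Command Prompt again (the hook is gone, so it will not
REM    load) and rerun this script.
if exist "%TARGETDIR%\%TARGETFILE%" (echo FILE STILL PRESENT) else (echo file gone)
reg query "%NOTIFYKEY%" >nul 2>&1 && echo KEY STILL PRESENT || echo key gone
endlocal
```

Save it as a .cmd file from another machine or type the commands one by one. The order matters: the registry value is removed before the file so that the DLL is not loaded again on the next boot even if the first `del` fails. The same two steps apply to any other Winlogon Notify entry you have decided is unwanted; the log above lists two more, but this thread does not establish whether they are legitimate. If you go the Recovery Console route instead, note that it offers `cd`, `attrib` and `del` but no `reg`, and that by default it refuses access to anything outside the Windows folder and the drive root; `set AllowAllPaths = TRUE` lifts that restriction, but only when the local security policy "Recovery console: Allow floppy copy and access to all drives and all folders" was enabled before booting from the CD. That restriction is a common cause of "Access is denied" on a Documents and Settings path from the Recovery Console.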
 
Well, you could try to use software like RegCleaner to stop the suspicious programs from booting up by removing them from the startup list, and then delete them later when the computer boots up.
As mentioned above, turning off System Restore while removing viruses, worms etc. helps a lot.
 
This has been a long and tedious process. Between Spybot S&D, Ad-Aware SE and PC Security Shield, everything has been deleted except for the Winlogon Notify file that Choto Cheeta suggested I delete. That's the one ThunderBolt told me how to delete from the command prompt, but I couldn't, because it said the subdirectory of shared files couldn't... internal... external blah blah blah. I just removed IE 6 because I couldn't stop the process in Task Manager. I rebooted and the SOB still shows up in processes, and the damned program is gone, so I'm sure it has something to do with the winsys2f.dll file in my shared folders. I'll try turning off System Restore now that I have successfully copied rundll32.exe back to the Windows directory (the worm/trojan or whatever it is must have deleted it to keep me from accessing my computer and other tools to fix this). Little does the moron that wrote it know... you can delete files through the Run command of Task Manager, which I did, to the count of 32 files one by one. I used my wife's computer to compare files with, because I had a lot of files in Windows that were created or modified at the time of infection. So I'll try all your suggestions and I WILL be back, and so will the TAZ......

Thanks GUYS, you're all GREATTTTTT.
 
on next boot but it always reappears,

This happens if you have System Restore on, as viruses/spyware hide in the System Volume Information folder, which is used to store restore points and data, whereas no AV or security software gets rights to access that folder to modify the files there... :(

I would say that, though you will lose your restore points, still delete all previous restore points :( and then run an online scan from Free Virus Scan - Kaspersky Lab.

:)

And always keep System Restore turned off while you are trying to scan or heal the PC...
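The System Restore advice above, as a command-line procedure for the case the original poster describes, where System Properties cannot be kept open long enough to use the checkbox. This is an added example, not code from anyone in the thread. Background for the caveat: on an NTFS volume, System Volume Information is ACL'd to SYSTEM only, and restore points keep copies of changed files with monitored extensions such as .exe and .dll, so a file you deleted can be brought back by a restore or keep showing up in scans. The key and value names are the documented XP policy settings for System Restore and the service name `srservice`; the script assumes it is run as an administrator, in Safe Mode or normal mode.

```batch
@echo off
REM Added example, not from the thread: turn Windows XP System Restore off
REM for the duration of a cleanup, from a command prompt, and confirm it.
REM Key and value names are the documented XP policy settings; nothing here
REM is specific to the poster's machine.
setlocal
set "SRPOLICY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

REM Before: the default state, which the poster was in.
REM   reg query "%SRPOLICY%"   -> key does not exist (System Restore on)
REM   sc query srservice       -> STATE : 4 RUNNING
echo --- state before ---
reg query "%SRPOLICY%" 2>nul || echo no SystemRestore policy key: System Restore enabled
sc query srservice | findstr STATE

REM After: DisableSR=1 is the same switch the "Turn off System Restore on all
REM drives" checkbox flips, set under the Policies hive so the GUI cannot be
REM used to turn it back on; DisableConfig=1 removes the tab altogether.
REM XP discards every existing restore point when System Restore is turned
REM off, which is the point of the exercise.
reg add "%SRPOLICY%" /v DisableSR /t REG_DWORD /d 1 /f
reg add "%SRPOLICY%" /v DisableConfig /t REG_DWORD /d 1 /f

REM Stop the service now instead of waiting for a reboot, and keep it down.
net stop srservice
sc config srservice start= disabled

echo --- state after ---
reg query "%SRPOLICY%" /v DisableSR
sc query srservice | findstr STATE

REM Once the machine is clean, undo it and take a fresh restore point:
REM   reg delete "%SRPOLICY%" /f
REM   sc config srservice start= auto
REM   net start srservice
endlocal
```

Do not expect `dir "C:\System Volume Information"` to work as a check afterwards; an administrator gets "Access is denied" there by design. The `reg query` and `sc query` lines at the end are the verification. Leave the policy in place until the scans come back clean, then remove it as shown in the closing comments so that restore points are taken again.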
 
I finally was able to get into System Properties long enough to turn off System Restore, but it still came back. I gave up on it and did a Windows repair, even though I will have to reinstall some software. No worries, no data is on that drive anyway.
 
nottheguru said:
I finally was able to get into System Properties long enough to turn off System Restore, but it still came back.

I did suggest to you, "I would say that, though you will lose your restore points, still delete all previous restore points".

Anyway, none of it matters now as you did a reinstall!! :( :(
 