How do I get rid of these viruses?

I ran a virus scan using Norton Anti-Virus. It found these infected files:

WINDOWS/SYSTEM/HKSDLL.DLL
WINDOWS/SYSTEM/KERN32.EXE
WINDOWS/INETD.EXE

Norton was unable to delete them, quarantine them or repair them. I tried deleting them using Windows Explorer, but it said that Windows was currently using them. I tried opening the DOS prompt and deleting them there, but I was told “ACCESS DENIED”.

How do I get rid of these things?

You might be able to boot your machine without going into Windows, then copy over these files from your original Windows disks. Or you might need to reinstall Windows.
I hope you back up your data

Hope this helps, Johnny.

http://altfarm.mediaplex.com/ad/fm/1177-5086-1377-5

In the DOS window use the attrib -r command to make them non-read-only.

Like this: C:\>attrib C:\WINDOWS\SYSTEM\HKSDLL.DLL -r

Then you will be able to delete it, but WINDOWS WILL PROBABLY NOT RUN ANYMORE.

You can try extracting the files you need to replace from the CAB files on your Windows CD, but you might need to reinstall Windows.

You did not say which version of Windows you use… For Win95 and Win98, while in Windows reboot in MS-DOS mode. Or, reboot and hit F8 repeatedly during bootup until you get a menu, then select command prompt.

No matter how you do it, boot into DOS mode and the command prompt. Then use C:\>attrib C:\WINDOWS\SYSTEM\HKSDLL.DLL -r (mentioned by a previous poster) to remove the “read only” attribute. Do the same with each file. Now you can delete them.

I’m not sure if these files are valid Windows files. Just in case, try to extract the files from your CAB files to a floppy disk or an empty folder/directory BEFORE you delete the infected files. You can then copy them back to their proper locations if needed, hopefully without having to reinstall Windows.

You can boot from a floppy and use the same procedure, but you need to have the file “attrib.exe” on the diskette.
Then the command would be

a:\>attrib C:\WINDOWS\SYSTEM\HKSDLL.DLL -r

The boot diskette method will also work with Windows ME.

Hope this helps…

Ringo: The link is a blank page.

I used the “find files and folders” on the start button menu and did not find any of the files (nor CAB*) on the CD that says “Microsoft Windows 98 for PCs without Windows” or the one that says “Gateway System Restoration CD”. Where do I get the “replacement” files?

Also, the three files I listed above all have create dates of 11/03/2001 at about 3:43 PM. I know I was able to use Windows before then! What do these files do? What’s in them? Why were they “being used by Windows” when I tried to delete them if they were just created this month?

I’m very careful about opening attachments. Nothing that has “.exe” in it. I did get some .pif and .scr attachments from someone semi-known to me on 11/03. I did try to open them, but was unable to. I’ll bet that’s where the viruses came from!

mblackwell: If I delete those three files, you say Windows will probably not run. If it ran before they were created on the 3rd, why wouldn’t it run after the files are deleted?

Try this one (I don’t know how I goobered up the first one, but I’m almost sure it was me):

Ringo: Okay I have the page. I deleted the C:\WINDOWS\INETD.EXE so that the line now says “run=”.

I’m looking for the “runonce” file so I can delete the kern32.exe line… Okay I’ve found it. The instructions on the page you linked said “To access the registry, click Start | Run and type REGEDIT. Locate the RunOnce key and delete the value, kernel32 = kern32.exe.” The problem is that I don’t see the line. Regedit looks like Windows Explorer. Do I just delete the file? Or is there a way to edit the text as directed? If so, where?

Once I get rid of that, I can re-boot in DOS and delete the three files.

Thanks.

Once you run regedit, click on HKEY_LOCAL_MACHINE, then find software, etc, etc.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
kernel32 = kern32.exe

Thanks, jthomas. I saw that on the page but I couldn’t find the text to edit. I figured out that by right-clicking on kern32 (or was it kernel32?) there is a box called “value”. I clicked on that and deleted it. I re-booted in DOS and deleted the files. I’ve re-booted in Windows and the files are still gone.

Now I need to update my Norton Anti-Virus to make sure the virus doesn’t come back.

Thanks to everyone for the assist.
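
The cleanup in this thread came down to two autostart entries, the run= line and the kernel32 value under RunOnce. The following is an added example, not part of any post above: a Python check that looks for the three file names Norton reported in both places. It assumes the run= line is the one in the [windows] section of WIN.INI and that the registry has been exported from Regedit as a REGEDIT4 text file; the function names and the sample inputs are constructed for illustration.

```python
import ntpath
import re

# File names Norton reported in the original post.
FLAGGED = {"HKSDLL.DLL", "KERN32.EXE", "INETD.EXE"}
# Windows 9x per-machine/per-user autostart keys (Run, RunOnce, RunServices, ...).
AUTORUN_KEY = re.compile(
    r"\\CurrentVersion\\Run(Once|OnceEx|Services|ServicesOnce)?$", re.I)

def _targets(command):
    """Yield the upper-cased base name of every token in a command line."""
    for part in re.split(r"[ ,;]+", command.strip()):
        name = ntpath.basename(part.strip('"')).upper()
        if name:
            yield name

def scan_win_ini(text):
    """Return (key, value) pairs from [windows] load=/run= naming a flagged file."""
    hits, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key in ("run", "load") and FLAGGED & set(_targets(value)):
                hits.append((key, value.strip()))
    return hits

def scan_reg_export(text):
    """Return (key, value name, data) for flagged entries in a REGEDIT4 export."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and AUTORUN_KEY.search(key):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            # Exports double the backslashes inside string data; undo that first.
            if m and FLAGGED & set(_targets(m.group(2).replace("\\\\", "\\"))):
                hits.append((key, m.group(1), m.group(2)))
    return hits

# Constructed sample inputs modelled on the entries described in the thread.
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG = ("REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"SystemTray"="SysTray.Exe"\n\n'
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\n"
    '"kernel32"="kern32.exe"\n')
```

An empty result from both functions after the edits means neither autostart location still points at one of the flagged files.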