Hello computer_illiterate-ga,
Thank you for your question.
The Trojan appears to be the Trojan.Bookmarker.B. You just need to
follow a procedure to delete these files as noted on the Symantec
site. You'll find a very thorough description of the procedure here:
http://www.sarc.com/avcenter/venc/data/trojan.bookmarker.b.html
It will help to have a good AntiVirus program with current definitions,
but these instructions should allow you to remove this even without
that. Very briefly, the procedure is as follows:
"...Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan and record the file names detected as Trojan.Bookmarker.B.
Restart the computer in Safe mode.
Search for the detected .dll file (Usually Ctrlpan.dll).
Rename the file and the extension.
Restart the computer in Safe mode.
Delete the value that was added to the registry.
Run a full system scan and delete the files detected as Trojan.Bookmarker.B.
Reset the Internet Explorer Home page.
Reset the Internet Explorer Search page.
Remove the links from the Favorites folder.
Removing DNS entries added to Windows hosts file..."
Do read the entire document at Symantec to see what has been modified
on your computer and exactly how to follow the instructions.
Caughtinthexfire claims that CoolWeb Shredder will remove this and
this program has an excellent reputation:
http://caughtinthexfire.mu.nu/archives/010496.php
"...CTRLPAN.DLL...
Wanna get rid of it and the stupid thing that's causing it?
Go here.
Run it. Follow the prompts. It's free and it works.
I ran that and Adaware and I don't get that **** anymore..."
McAfee claims that running their latest version of their AntiVirus
with current definitions will remove this Trojan as well:
http://vil.nai.com/vil/content/v_100973.htm
"...Removal Instructions
Use current engine and DAT files for detection.
Due to the nature in which this trojan modifies the system such that
the DLL is loaded by other (legitimate) programs on the machine,
simple deletion of CTRLPAN.DLL is not possible (access denied).
Restarting the machine in Safe Mode does not solve this issue..."
And techguy.com also has a good article on this:
http://forums.techguy.org/archive/index.php/t-202697.html
The method listed below is highly successful with many Trojans and
browser hijackers such as this and also should identify if anything
else may be infecting your machine:
"...it's a cws hijacker so
Download and unzip or install these programs/applications if you
haven't already got them. If you have them, then make sure they are
updated and configured as described
CWshredder from http://www.merijn.org/cwschronicles.html
Spybot - Search & Destroy from http://security.kolla.de
AdAware 6 from http://www.lavasoft.de/support/download/
then
Run CWSHREDDER, check you have the current version, press check for
update and let it update
Close all browser windows, click on the cwshredder.exe then click
"FIX" (Not "Scan only") and let it do its thing.
and make sure you follow the advice about the security updates listed
at the bottom of the page, in order to prevent re-infection, otherwise
you will be continually reinfected
the patches are :
http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp
*Note: The simplest way to make sure you have all the security patches
is to go to Windows update
(http://v4.windowsupdate.microsoft.com/en/default.asp) and install all
"Critical Updates & service Packs"
then reboot &
Run Spybot S&D
After installing, first press Online, press search for updates, then
tick the updates it finds, then press download updates. Beside the
download button is a little down pointed arrow, select one of the
servers listed. If it doesn't work or you get an error message then
try a different server
Next, close all Internet Explorer and OE windows, press 'Check for
Problems', and have SpyBot remove all it finds that is marked in RED.
then reboot &
Run ADAWARE
Before you scan with AdAware, check for updates of the reference file
by using the "webupdate".
the current ref file should read 01R256 09.02.2004
Then ........
Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"
then......
click "Use custom scanning options>Customize" and have these options
on: "Scan within archives" ,"Scan active processes","Scan registry",
"Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan
my host-files"
then.........
go to settings(the gear on top of AdAware)>Tweak>Scanning engine and
tick "Unload recognized processes during scanning"
...........then........"Cleaning engine" and "Let windows remove files
in use at next reboot"
then...... click "proceed" to save your settings.
Now to scan it's just to click the "Scan" button.
When scan is finished, mark everything for removal and get rid of it.
.(Right-click the window and choose"select all" from the drop down
menu) then press next and then say yes to the prompt, do you want to
remove all these entries.
reboot again
then post a new hijackthis log to check what is left
***********************************************************************************
go to http://www.merijn.org/files/hijackthis.zip , and download 'Hijack This!'.
Unzip it and make sure it is unzipped & placed into its own folder,
not a temporary folder. Then doubleclick the Hijackthis.exe.
Click the "Scan" button, when the scan is finished the scan button
will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then
click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what
it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
--------------------------------------------------------------------------------..."
The above methods should help you get through this.
Search Strategy:
ctrlpan.dll
I trust my research has provided you with several possible solutions
to removing this problem. If a link above should fail to work or
anything require further explanation or research, please do post a
Request for Clarification prior to rating the answer and closing the
question and I will be pleased to assist further.
Regards,
-=clouseau=-
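
Added example, not part of the original answer or of the vendor instructions it quotes: the last quoted Symantec step, removing entries added to the Windows hosts file, starts with seeing what the file currently maps. This Python script lists every mapping other than the stock localhost line so each one can be reviewed by hand; the sample file contents and the labels "redirect", "sinkhole" and "malformed" are constructed for illustration.

```python
import ipaddress

# Constructed sample, not taken from an infected machine. Host names use the
# reserved .example domain and addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     search.portal.example www.portal.example   # added entry
127.0.0.1       update.vendor.example
not-an-ip       broken.example
"""


def audit_hosts(text):
    """Return (line_no, address, hostname, kind) for every mapping that is
    not the stock localhost entry, so it can be reviewed manually."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            kind = "malformed"  # first field is not an IP address
        else:
            # "sinkhole": name is pointed at the local machine and so made
            # unreachable; "redirect": name is pointed at another address.
            local = ip.is_loopback or ip.is_unspecified
            kind = "sinkhole" if local else "redirect"
        for name in names:  # one line may carry several host names
            if kind == "sinkhole" and name.lower() == "localhost":
                continue
            findings.append((line_no, address, name.lower(), kind))
    return findings


if __name__ == "__main__":
    # To audit a real machine, read the file instead of SAMPLE_HOSTS; on
    # Windows XP/2000 it is %SystemRoot%\system32\drivers\etc\hosts.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s [%s]" % finding)
```

Entries reported as "sinkhole" are not automatically hostile, since some protection tools add such lines on purpose, so compare each finding against what you or your tools put there.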