Solved

Can't get rid of Stcloader.exe Adware

Posted on 2004-04-25
Last Modified: 2013-12-04
I have a Windows XP Operating System.  The Stcloader.exe Adware is sitting in the Windows System 32 folder.  When I try to delete it, it tells me to "Make sure that the disk is not full or write-protected and that the file is not currently in use."  I've closed all open windows and I still can't delete it.  It seems to be associated with something called Second Thought and MyPCSearch.  Thanks.  
Question by:jvt4787
7 Comments
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10911594
Hi jvt4787,

Use this tool and post the logfile:
http://209.133.47.200/~merijn/files/HijackThis.exe

You can also check it out yourself, try to figure out what is locking stcloader.exe.

Greetings,

LucF
0
 
LVL 8

Accepted Solution

by:
nader alkahtani earned 500 total points
ID: 10911871
Start with Safe Mode,
then retry or apply this to delete the file:


You Cannot Delete a File or a Folder
Applies To
This article was previously published under Q320081
SUMMARY
You may not be able to delete a file or a folder on an NTFS file system volume. This article describes why you may not be able to delete a file or a folder on an NTFS volume and how to address the different causes to resolve this issue.
MORE INFORMATION
NOTE: Internally, NTFS treats folders as a special type of file. Therefore, the word "file" in this article indicates either a file or folder.
Cause 1: The File Uses an ACL
You may not be able to delete a file if the file uses an Access Control List (ACL). To resolve this issue, change the permissions on the file. You may have to take ownership of the files to be able to change the permissions.

Administrators have the implicit ability to take ownership of any file even if they have not been explicitly granted any permission to the file. File owners have the implicit ability to modify file permissions even if they are not explicitly granted any permissions to the file. Therefore, you may have to take ownership of a file, give yourself permissions to delete the file, and then delete the file.


You Cannot Use Certain Security Tools to Display or Modify Permissions Because the File Has a Non-Canonical ACL
To work around this issue, use another tool (for example, a later build of Cacls.exe).

The Access Control Entries (ACEs) in an ACL have a certain preferred sequence depending on their type. For example, ACEs that deny access typically come before ACEs that grant access. However, nothing prevents a program from writing an ACL that has ACEs in any arbitrary sequence. In some earlier versions of Windows, issues occurred when Windows tried to read these "non-canonical" ACLs. In some situations, you cannot modify these ACLs correctly by using the Windows Explorer graphical security editor. This issue has been corrected in later versions of Windows. If you are experiencing this issue, use the most recent version of Cacls.exe. Even if you cannot display or edit an ACL in place, you can write a new ACL that permits you to gain access to the file.
Cause 2: The File Is Being Used
You may not be able to delete a file if the file is being used. To resolve this issue, determine the process that has the open handle, and then close that process.

Depending on how the file is opened (for example, it is open for exclusive access as opposed to shared access), you may not be able to delete a file that is in use. You can use a variety of tools to help you determine the processes that have open handles to files at any time.

For additional information about tools to help determine the processes that have open handles to files, click the article numbers below to view the articles in the Microsoft Knowledge Base:
242131 How to: Display a List of Processes That Have Files Open

172710 How to Use the OH Tool on the Windows NT 4.0 Resource Kit

The symptoms of this issue may vary. You may be able to use the delete command to delete a file, but the file is not actually deleted until the process that has the file open releases the file. Additionally, you may not be able to access the Security dialog box for a file that is pending deletion. To resolve this issue, determine the process that has the open handle, and then close that process.


Cause 3: File System Corruption Is Preventing Access to the File
You may not be able to delete the file if the file system is corrupted. To resolve this issue, run the Chkdsk utility on the disk volume to correct any errors.

Bad sectors on the disk, other faulty hardware, or software bugs can corrupt the file system and put files in a problematic state. Typical operations may fail in a variety of ways. When the file system detects corruption, it logs an event to the event log and you typically receive a message that prompts you to run Chkdsk. Depending on the nature of the corruption, Chkdsk may or may not be able to recover file data; however, Chkdsk returns the file system to an internally consistent state.

For additional information about using the Chkdsk utility, click the article numbers below to view the articles in the Microsoft Knowledge Base:
176646 Error Message: The File or Directory Is Corrupt...

187941 An Explanation of CHKDSK and the New /C and /I Switches

Cause 4: Files Exist in Paths That Are Deeper Than MAX_PATH Characters
You may not be able to open a file if there are issues with the file path.
Resolution 1: Use an Auto-Generated 8.3 Name to Access the File
To resolve this issue, you may want to use the auto-generated 8.3 name to access the file. This resolution may be the easiest resolution if the path is deep because the folder names are too long. If the 8.3 path is also too long or if 8.3 names have been disabled on the volume, go to Resolution 2.

For additional information about disabling 8.3 file names on NTFS volumes, click the article number below to view the article in the Microsoft Knowledge Base:
121007 How to Disable the 8.3 Name Creation on NTFS Partitions

Resolution 2: Rename or Move a Deep Folder
To resolve this issue, rename the folder so that the target files that are deeper than the MAX_PATH no longer exist. If you do so, start at the root folder (or any other convenient place), and then rename folders so that they have shorter names. If this step does not resolve this issue (for example, if a file is more than 128 folders deep), go to Resolution 3.
Resolution 3: Use a Network Share That Is As Deep As the Folder
If Resolution 1 or Resolution 2 is not convenient or does not resolve the issue, create a network share that is as deep in the folder tree as you can, and then rename the folders by accessing the share.
Resolution 4: Use a Tool That Can Traverse Deep Paths
Many Windows programs expect the maximum path length to be shorter than 255 characters; therefore, these programs only allocate enough internal storage to accommodate these typical paths. NTFS does not have this limit and it is capable of accommodating much longer paths.

You may experience this issue if you create a share at some point in your folder structure that is already fairly deep, and then create a deep structure below that point by using the share. Some tools that operate locally on the folder tree may not be able to traverse the entire tree starting from the root. You may have to use these tools in a special way so that they can traverse the share. (The CreateFile API documentation describes a method to traverse the entire tree in this situation.)

Typically, you can manage files by using the software that creates them. If you have a program that can create files that are deeper than MAX_PATH, you can typically use that same program to delete or manage the files. You can typically delete files that are created on a share by using the same share.
Cause 4: The File Name Includes a Reserved Name in the Win32 Name Space
If the file name includes a reserved name (for example, "lpt1") in the Win32 name space, you may not be able to delete the file. To resolve this issue, use a non-Win32 program to rename the file. You can use a POSIX tool or any other tool that uses the appropriate internal syntax to use the file.

Additionally, you may be able to use some built-in commands to bypass the typical Win32 reserved name checks if you use a particular syntax to specify the path to the file. For example, if you use the del command in Windows XP, you can delete a file named "lpt1" if you specify the full path to the file by using the following special syntax:
del \\?\c:\path_to_file\lpt1

For additional information about deleting files with reserved names under Windows NT and Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:
120716 How to Remove Files with Reserved Names in Windows

For additional information about deleting files with reserved names under Windows XP, click the article number below to view the article in the Microsoft Knowledge Base:
315226 How to Remove Files with Reserved Names in Windows XP

If you open a handle to a file by using the typical Win32 CreateFile mechanism, certain file names are reserved for old-style DOS devices. For backward compatibility, these file names are not allowed and they cannot be created by using typical Win32 file calls. However, this issue is not a limitation of NTFS.

You may be able to use a Win32 program to bypass the typical name checks that are performed when a file is created (or deleted) by using the same technique that you use to traverse folders that are deeper than MAX_PATH. Additionally, some POSIX tools are not subject to these name checks.
Cause 5: The File Name Includes an Invalid Name in the Win32 Name Space
You may not be able to delete a file if the file name includes an invalid name (for example, the file name has a trailing space or a trailing period or the file name consists of a space only). To resolve this issue, use a tool that uses the appropriate internal syntax to delete the file. You can use the "\\?\" syntax with some tools to operate on these files, for example:
del "\\?\c:\path_to_file_that contains a trailing space.txt "

The cause of this issue is similar to Cause 4. However, if you use typical Win32 syntax to open a file that has trailing spaces or trailing periods in its name, the trailing spaces or periods are stripped before the actual file is opened. Therefore, if you have two files in the same folder named "AFile.txt" and "AFile.txt " (note the space after the file name), if you try to open the second file by using standard Win32 calls, you open the first file instead. Similarly, if you have a file whose name is just " " (a space character) and you try to open it by using standard Win32 calls, you open the file's parent folder instead. In this situation, if you try to change security settings on these files, you either may not be able to do so or you may unexpectedly change the settings on different files. If this behavior occurs, you may think that you have permission to a file that actually has a restrictive ACL.
Combinations of Causes
In some situations, you may experience combinations of these causes, which can make the procedure to delete a file more complex. For example, if you log on as the computer's administrator, you may experience a combination of Cause 1 (you do not have permissions to delete a file) and Cause 5 (the file name contains a trailing character that causes file access to be redirected to a different or nonexistent file) and you may not be able to delete the file. If you try to resolve Cause 1 by taking ownership of the file and adding permissions, you still may not be able to delete the file because the ACL editor in the user interface cannot access the appropriate file because of Cause 6.

In this situation, you can use the Subinacl utility with the /onlyfile switch (this utility is included in the Resource Kit) to change ownership and permissions on a file that is otherwise inaccessible, for example:
subinacl /onlyfile "\\?\c:\path_to_problem_file" /setowner=domain\administrator /grant=domain\administrator=F

NOTE: This command is a single command line; it has been wrapped for readability.

This sample command line modifies the C:\path_to_problem_file file that contains a trailing space so that the domain\administrator account is the owner of the file and this account has full control over the file. You can now delete this file by using the del command with the same "\\?\" syntax.
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows Advanced Server, Limited Edition
Microsoft Windows Datacenter Server, Limited Edition
Microsoft Windows Server 2003, 64-Bit Datacenter Edition
Microsoft Windows Server 2003, 64-Bit Enterprise Edition
Microsoft Windows Server 2003, Datacenter Edition
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Standard Edition
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Small Business Server 2003, Premium Edition
Microsoft Windows Small Business Server 2003, Standard Edition


http://support.microsoft.com/?kbid=320081

this may help you

http://www.experts-exchange.com/Applications/Viruses/Q_20787922.html#9690411

http://spyblocker-software.com/IPB/index.php?&act=ST&f=5&t=537
0
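The name-related causes in the KB article quoted above (path deeper than MAX_PATH, reserved device name, trailing space or period) can be checked mechanically before reaching for the "\\?\" syntax. This is an added example, not part of the thread or of the Microsoft article; the function names and sample paths are constructed for illustration, and the MAX_PATH value of 260 and the full reserved-name list are standard Win32 facts rather than values stated on the page.

```python
MAX_PATH = 260  # Win32 limit; includes the terminating NUL, so 259 usable characters
# DOS device names reserved in the Win32 name space (the article's example is "lpt1").
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


def diagnose(path):
    """Return the naming causes from the article that apply to an absolute path."""
    findings = []
    if len(path) > MAX_PATH - 1:
        findings.append("path exceeds MAX_PATH")
    # Skip the drive ("c:") or server name, then check every remaining component.
    body = path[2:] if path.startswith("\\\\") else path
    for part in body.split("\\")[1:]:
        if not part:
            continue
        # Win32 matches device names on the part before the first dot.
        stem = part.split(".")[0].rstrip(" ").upper()
        if stem in RESERVED:
            findings.append(f"reserved device name in {part!r}")
        # Trailing spaces and periods are stripped by normal Win32 calls.
        if part != part.rstrip(" ."):
            findings.append(f"trailing space or period in {part!r}")
    return findings


def extended_path(path):
    # Build the form that bypasses Win32 name normalisation (backslash-backslash-?-backslash).
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):  # UNC share: \\server\share\...
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path  # drive-letter path: c:\...


if __name__ == "__main__":
    samples = [  # constructed sample paths
        r"c:\path_to_file\lpt1",
        "c:\\temp\\AFile.txt ",
        r"C:\WINDOWS\system32\stcloader.exe",
    ]
    for p in samples:
        causes = diagnose(p)
        # No findings means the name is ordinary: look at ACLs, open handles or Chkdsk.
        print(repr(p), causes or "no naming cause", extended_path(p))
```

An empty result for a path such as the one in the question points away from the naming causes and toward the ACL, file-in-use and corruption causes.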
 
LVL 12

Expert Comment

by:rossfingal
ID: 10913136
Hi!

Supposedly, Spybot Search & Destroy can remove this.
Info. at:
http://www.answersthatwork.com/Tasklist_pages/tasklist_s.htm
Download from:
http://www.safer-networking.org/index.php?page=download

You could also try Adaware, download from:
http://majorgeeks.com/download.php?det=506

Good luck!

0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10913172
Hi!
Thought I'd add, you could download Hijack This first and post a log file that we could look at here.
Before you run it make sure all browser windows are closed.

Later!
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10913292
Cleaning your computer  - and protecting it in the future -  can't be answered with one issue.

As you can see in my URL below, there are at least 7 different issues, where you should decide 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs do not always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite and SoftScan, and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10914208
Try Ad-Aware as stated above; make sure you turn off System Restore before you attempt its removal.
http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
Kill the process in Task Manager, close all IE windows, turn off System Restore, run Ad-Aware.
-rich

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967144
0
