Solved

Undeletable File - Any Suggestions?

Posted on 2004-10-04
11
653 Views
Last Modified: 2010-04-11
In my many years of working in IT, this is the first time I've come across a file which I couldn't delete... eventually.

Either this is a first, or I'm going senile...

A customer's Win2K/NTFS machine was infected with spyware and Trojans and I eventually managed to get rid of pretty much everything apart from some spyware thing called TV Media and a dll file in System32 called MSLG.DLL - a trojan which AVG pointed out but couldn't do anything with.

The entries which start it up in the registry are immediately replaced when you try to remove them - even in safe mode.

Same thing with HijackThis - rescan after removing three entries and they are back again - even in Safe Mode!

Boot into command prompt mode and it still won't delete - it shows up as a Read Only, BUT you get an Access Denied error when you try to remove the Read Only status with attrib.

So I brought the drive home and put it into my clean XP machine (using USB2 external case so I didn't have to boot with it attached) and once again, AVG detects the dll but still won't remove it.

And, although it's no longer in memory, I still can't change the attributes or delete the damn file - I just get Access Denied.

This one has me stumped!

TenerifeBaz
Question by:tdk_man

11 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 250 total points
Hello tdk_man =)

An Access Denied error means you don't have permissions on the files, and deleting the registry entries creates them again; that can also be due to a permission problem on the registry folders !!

So try taking ownership of them and then check if you can delete them or not :)

HOW TO: Take Ownership of Files
http://support.microsoft.com/?id=268019

!! GOOD LUCK !!
 
LVL 1

Author Comment

by:tdk_man
Surely ownership comes into play when windows loads.

At the moment, the Win2K drive is sitting in my XP machine and I haven't booted off it. So, as Win2K isn't actually running, shouldn't XP just see all files as normal files? I can copy, rename and delete any other files without problem.

The URL you gave assumes that you are in Win2K, so I can't test it out until I return the drive tomorrow and boot into Win2K. I'd like to delete it now if possible.

As an aside, I've just tried MoveOnBoot and WhoLockMe but they both failed too.

I'm going to see if I can find any other delete file utils on the net in the meantime.

Thanks for the suggestion though...

TDK_Man
 
LVL 65

Expert Comment

by:SheharyaarSaahil
>> The URL you gave assumes that you are in Win2K,
Here are the ones for WinXP.... It's easier if you are deleting them from another system :)

HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421

HOW TO: Set, View, Change, or Remove File and Folder Permissions in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
 
LVL 1

Author Comment

by:tdk_man
If I right click on it, AVG pops up a virus warning saying it's a Trojan horse BackDoor.Agent.BA.

No security tab appears - only 'General' and 'GiPo@Utilities' which is a delete undeletable files utility I installed - which incidentally also doesn't work! :)

The attributes box for read only is ticked and there is an advanced button which just gives you some indexing options.

Whatever you try to change on this panel results in an Access Is Denied error.

TDK_Man
 
LVL 65

Expert Comment

by:SheharyaarSaahil
If you are using XP Pro, then go to Explorer > Tools > Folder Options > View and untick Simple File Sharing, apply, and now you should get the Security tab !!

If it's XP Home, then boot into Safe Mode and log in as Administrator; in Home edition only Administrator can access the Security tab !!  :)
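The two steps the accepted answer and the Security-tab comment describe (look at who owns the file and what its ACL grants, take ownership as Administrators, then clear the Read Only flag and delete) can be done from an elevated PowerShell prompt on the clean machine without touching the Explorer Security tab at all. The script below is an added example, not code from the thread or from Microsoft's KB articles; the path and the E: drive letter are assumptions standing in for the slaved Win2K drive, and MSLG.DLL is the file name the question gives.

```powershell
# Added example (not from the thread): inspect, take ownership of, and
# optionally delete a file that returns "Access Denied" on an NTFS volume
# slaved into a clean machine. Run from an elevated PowerShell prompt.
# The path is a placeholder: the thread's file was MSLG.DLL in the slaved
# drive's System32 folder, and E: is an assumed drive letter.
param(
    [string]$Path = 'E:\WINNT\System32\MSLG.DLL',
    [switch]$Delete
)

$admins = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')

function Show-FileSecurity {
    param([string]$Path)
    # Reading the DACL needs READ_CONTROL; a dropper whose ACL grants nothing
    # to Administrators makes Get-Acl itself fail, which is worth reporting.
    try {
        $acl = Get-Acl -Path $Path
    } catch {
        Write-Host "Cannot read security descriptor: $($_.Exception.Message)"
        return
    }
    # An owner that prints as a raw S-1-5-21-... SID is an account from the
    # infected machine that the clean machine cannot resolve.
    Write-Host "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Host ("  {0,-5} {1,-32} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights)
    }
}

function Take-FileOwnership {
    param([string]$Path)
    # Changing the owner needs only SeTakeOwnershipPrivilege, which local
    # Administrators hold regardless of what the file's ACL says. A fresh
    # FileSecurity object with only the owner set writes just that section.
    $ownerOnly = New-Object System.Security.AccessControl.FileSecurity
    $ownerOnly.SetOwner($admins)
    Set-Acl -Path $Path -AclObject $ownerOnly

    # Once we own the file we may rewrite its DACL: grant Administrators
    # Full Control so the attribute change and deletion below are allowed.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Clear-ReadOnly {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force   # -Force also returns hidden/system files
    if (($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0) {
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::ReadOnly
    }
}

Write-Host "== Before =="
Show-FileSecurity -Path $Path
Take-FileOwnership -Path $Path
Clear-ReadOnly -Path $Path
Write-Host "== After =="
Show-FileSecurity -Path $Path

if ($Delete) {
    # Remove-Item -Force handles read-only/hidden/system attributes; it does
    # not bypass NTFS permissions, which is why ownership was taken first.
    Remove-Item -LiteralPath $Path -Force
    Write-Host "Deleted $Path"
}
```

The point the thread arrives at is visible in the "Before" output: NTFS stores the owner and DACL on the volume itself, so moving the disk into another machine changes nothing about who may touch the file, and Explorer's Read Only tick box is the least of it. On current Windows the built-in `takeown /F <file>` followed by `icacls <file> /grant Administrators:F` does the same two steps as `Take-FileOwnership`.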
 
LVL 1

Author Comment

by:tdk_man
Thanks for that!

I've learnt something new about XP tonight if nothing else... :)

Anyway, it took a while because every time I right clicked on the damn file, the anti-virus warning kept popping up and the right-click menu kept disappearing!

Eventually I did get rid of it (I hope), but for some strange reason, after deleting it, AVG still kept popping up saying it was still there.

I'm doing a full scan now just to confirm that it's definitely gone!

TDK_Man
 
LVL 8

Expert Comment

by:pjcrooks2000
I get the feeling this wee bugger will be back.

If I am right, I think it may well be a BHO (Browser Helper Object) that is initialised with Internet Explorer. It regenerates itself, renaming itself too, or the DLL that keeps appearing is getting regenerated by another file somewhere.

Try running some programs to see if they bring anything up:

cwshredder http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Spybot http://www.safer-networking.org/en/download/index.html
HiJackThis http://www.spychecker.com/program/hijackthis.html

Now I may be wide of the mark here, but I did experience a wee nasty like this not so long back and it was a browser hijacker. Once you do a scan of the machine with HijackThis it will generate a log file and you can upload this logfile to a website to be analysed: http://www.hijackthis.de/index.php?langselect=english

I hope this helps you

pjcrooks2000
 
LVL 12

Expert Comment

by:rossfingal
 
LVL 1

Author Comment

by:tdk_man
Well, it's gone! Thanks for the pointers Shehar. :)

pj:

Like I said, the drive is connected as a slave in a different machine with a different OS, so anything registry related could not be the cause of the problem as my system is clean and the registry didn't contain the keys that the iffy system's registry did.

AVG, Spybot 1.3 (with Tea Timer), Stinger, CWShredder, half a dozen different 'delete file on reboot' programs and manually editing the registry when the drive was booted in the original machine resulted in the infection returning instantly (or the changes were never made)!

As Shehar correctly suggested, it appears that the newer trojans have the ability to create read only dropper files which are 'owned' by a user other than the administrator or the user logged on at the time of infection.

This means you cannot delete them or change their attributes in normal mode, safe mode, at the command prompt or even when the drive is a slave in another machine with a different OS!

So, beware... and store this thread in case you need it in the future. ;)

TDK_Man
 
LVL 8

Expert Comment

by:pjcrooks2000
Sorry tdk_man, I missed that, probably on account of it being 3am here now and perhaps I need to close my eyes for a while.

I will certainly bear this in mind for the future anyway, cheers

pjcrooks2000
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Glad it went TDK, Cheers ^_^
