Solved

Undeletable File - Any Suggestions?

Posted on 2004-10-04 · 657 Views · Last Modified: 2010-04-11
In my many years of working in IT, this is the first time I've come across a file which I couldn't delete... eventually.

Either this is a first, or I'm going senile...

A customer's Win2K/NTFS machine was infected with spyware and Trojans and I eventually managed to get rid of pretty much everything apart from some spyware thing called TV Media and a dll file in System32 called MSLG.DLL - a trojan which AVG pointed out but couldn't do anything with.

The entries which start it up in the registry are immediately replaced when you try to remove them - even in safe mode.

Same thing with HijackThis - rescan after removing three entries and they are back again - even in Safe Mode!

Boot into command prompt mode and it still won't delete - it shows up as a Read Only, BUT you get an Access Denied error when you try to remove the Read Only status with attrib.

So I brought the drive home and put it into my clean XP machine (using USB2 external case so I didn't have to boot with it attached) and once again, AVG detects the dll but still won't remove it.

And, although it's no longer in memory, I still can't change the attributes or delete the damn file - I just get Access Denied.

This one has me stumped!

TenerifeBaz
Question by:tdk_man
11 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 250 total points
ID: 12222523
Hello tdk_man =)

Access Denied error means u dont have permissions on the files,,, and deleting the registry entries creates them again, which can also be due to a permission problem on the registry keys !!

So try taking their ownership and then check if u can delete them or not :)

HOW TO: Take Ownership of Files
http://support.microsoft.com/?id=268019

!! GOOD LUCK !!
 
LVL 1

Author Comment

by:tdk_man
ID: 12222736
Surely ownership comes into play when windows loads.

At the moment, the Win2K drive is sitting in my XP machine and I haven't booted off it. So, as Win2K isn't actually running, shouldn't XP just see all files as normal files? I can copy, rename and delete any other files without problem.

The URL you gave assumes that you are in Win2K, so I can't test it out until I return the drive tomorrow and boot into Win2K. I'd like to delete it now if possible.

As an aside, I've just tried MoveOnBoot and WhoLockMe but they both failed too.

I'm going to see if I can find any other delete file utils on the net in the meantime.

Thanks for the suggestion though...

TDK_Man
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12222779
>> The URL you gave assumes that you are in Win2K,
here are the ones for WinXP.... it's easier if u are deleting them from another system :)

HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421

HOW TO: Set, View, Change, or Remove File and Folder Permissions in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
 
LVL 1

Author Comment

by:tdk_man
ID: 12222860
If I right click on it, AVG pops up a virus warning saying it's a Trojan horse BackDoor.Agent.BA.

No security tab appears - only 'General' and 'GiPo@Utilities' which is a delete undeletable files utility I installed - which incidentally also doesn't work! :)

The attributes box for read only is ticked and there is an advanced button which just gives you some indexing options.

Whatever you try to change on this panel results in an Access Is Denied error.

TDK_Man
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12222869
if u are using XP Pro, then go to Explorer > Tools > Folder Options > View and untick Simple File Sharing,,,, apply and now u should get the Security tab !!

if it's XP Home, then boot into safe mode and log in as Administrator; in Home edition only Administrator can access the Security tab !!  :)
 
LVL 1

Author Comment

by:tdk_man
ID: 12222953
Thanks for that!

I've learnt something new about XP tonight if nothing else... :)

Anyway, it took a while because every time I right clicked on the damn file, the anti-virus warning kept popping up and the right-click menu kept disappearing!

Eventually I did get rid of it, (I hope) but for some strange reason, after deleting it, AVG still kept popping up saying it was still there.

I'm doing a full scan now just to confirm that it's definitely gone!

TDK_Man
 
LVL 8

Expert Comment

by:pjcrooks2000
ID: 12223214
I get the feeling this wee bugger will be back.

If I am right I think it may well be a BHO (Browser Helper Object) that is initialised with Internet Explorer. It regenerates itself, renaming itself too, or the DLL that keeps appearing is getting regenerated by another file somewhere.

Try running some programs to see if they bring anything up

cwshredder http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Spybot http://www.safer-networking.org/en/download/index.html
HiJackThis http://www.spychecker.com/program/hijackthis.html

Now I may be wide of the mark here but I did experience a wee nasty like this not so long back and it was a browser hijacker. Once you do a scan of the machine with HijackThis it will generate a log file and you can upload this logfile to a website to be analysed, http://www.hijackthis.de/index.php?langselect=english

I hope this helps you

pjcrooks2000
 
LVL 12

Expert Comment

by:rossfingal
ID: 12223275
0
 
LVL 1

Author Comment

by:tdk_man
ID: 12223343
Well, it's gone! Thanks for the pointers Shehar. :)

pj:

Like I said, the drive is connected as a slave in a different machine with a different OS, so anything registry related could not be the cause of the problem as my system is clean and the registry didn't contain the keys that the iffy system's registry did.

AVG, Spybot 1.3 (with Tea Timer), Stinger, CWShredder, half a dozen different 'delete file on reboot' programs and manually editing the registry when the drive was booted in the original machine resulted in the infection returning instantly (or the changes were never made)!

As Shehar correctly suggested, it appears that the newer trojans have the ability to create read only dropper files which are 'owned' by a user other than the administrator or the user logged on at the time of infection.

This means you cannot delete them or change their attributes in normal mode, safe mode, at the command prompt or even when the drive is a slave in another machine with a different OS!

So, beware... and store this thread in case you need it in the future. ;)

TDK_Man
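The procedure from the accepted solution (take ownership, then fix permissions and attributes), applied to the situation tdk_man describes above, written out as an added PowerShell example. This is not code from the thread or from the linked KB articles. It assumes an elevated PowerShell session on the clean machine the infected drive is slaved into, that takeown.exe and icacls.exe are available (they ship with Windows Vista and later; on XP/2000 the Explorer steps in the linked articles or cacls cover the same ground), the English group name "Administrators", and placeholder values for the file path and the quarantine folder.

```powershell
# Added example, not from this thread: inspect the owner and ACL of a file that
# reports "Access Denied", take ownership as Administrators, grant full control,
# clear the attributes that block deletion, keep a hashed copy, and delete it.
# Assumptions: elevated session; takeown.exe/icacls.exe present (Vista+);
# English "Administrators" group name; paths below are placeholders.

function Show-FileOwnership {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force          # -Force also lists hidden/system files
    $info = [ordered]@{ Path = $item.FullName; Attributes = "$($item.Attributes)" }
    try {
        $acl = Get-Acl -LiteralPath $Path
        $info.Owner  = $acl.Owner
        $info.Access = ($acl.Access | ForEach-Object {
            "$($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)" }) -join '; '
    } catch {
        # Reading the DACL can itself be denied until ownership has been taken
        $info.Owner  = "<unreadable: $($_.Exception.Message)>"
        $info.Access = '<unreadable>'
    }
    [pscustomobject]$info
}

function Remove-LockedFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$QuarantineDir = 'C:\Quarantine'     # placeholder: where a copy is kept for analysis
    )

    Write-Host 'Before:'
    Show-FileOwnership -Path $Path | Format-List

    # 1. Take ownership for the Administrators group (/A). takeown uses the
    #    SeTakeOwnershipPrivilege, so it works even when the current DACL
    #    denies Administrators every right, including reading the ACL.
    & takeown.exe /F $Path /A | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

    # 2. As the new owner, grant Administrators full control.
    & icacls.exe $Path /grant 'Administrators:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # 3. Clear Read-only, System and Hidden in one go.
    Set-ItemProperty -LiteralPath $Path -Name Attributes -Value ([System.IO.FileAttributes]::Normal)

    Write-Host 'After:'
    Show-FileOwnership -Path $Path | Format-List

    # 4. Keep a copy named by its SHA-256 for later analysis, then delete the original.
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Copy-Item -LiteralPath $Path -Destination (Join-Path $QuarantineDir "$hash.bin")
    Remove-Item -LiteralPath $Path -Force
    Write-Host "Deleted $Path (SHA256 $hash, copy kept in $QuarantineDir)"
}

# Usage (placeholder drive letter for the slaved Win2K disk):
# Remove-LockedFile -Path 'E:\WINNT\system32\MSLG.DLL'
```

The "Before" output is what answers tdk_man's question about why a slaved drive still refuses the delete: NTFS permissions and ownership live in the file's security descriptor on the disk, not in the running OS, so a file owned by another account with a restrictive DACL is just as protected in the clean machine. Taking ownership is the step that breaks that, which is why it is done with takeown rather than Get-Acl/Set-Acl, since reading the ACL may itself be refused first. Keeping the hashed copy before deletion means the sample is still available if, as pjcrooks2000 suspects, something else on the disk recreates it and the dropper needs to be identified.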
 
LVL 8

Expert Comment

by:pjcrooks2000
ID: 12223356
Sorry tdk_man, I missed that, probably on account of it being 3am here now and perhaps I need to close my eyes for a while.

I will certainly bear this in mind for the future anyway, cheers

pjcrooks2000
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12224830
glad it went TDK,,,, Cheers ^_^
