
Undeletable File - Any Suggestions?

In my many years of working in IT, this is the first time I've come across a file which I couldn't delete... eventually.

Either this is a first, or I'm going senile...

A customer's Win2K/NTFS machine was infected with spyware and Trojans and I eventually managed to get rid of pretty much everything apart from some spyware thing called TV Media and a dll file in System32 called MSLG.DLL - a trojan which AVG pointed out but couldn't do anything with.

The entries which start it up in the registry are immediately replaced when you try to remove them - even in safe mode.

Same thing with HijackThis - rescan after removing three entries and they are back again - even in Safe Mode!

Boot into command prompt mode and it still won't delete - it shows up as a Read Only, BUT you get an Access Denied error when you try to remove the Read Only status with attrib.

So I brought the drive home and put it into my clean XP machine (using a USB2 external case so I didn't have to boot with it attached) and once again, AVG detects the dll but still won't remove it.

And, although it's no longer in memory, I still can't change the attributes or delete the damn file - I just get Access Denied.

This one has me stumped!

TenerifeBaz
 
SheharyaarSaahil Commented:
Hello tdk_man =)

An Access Denied error means you don't have permissions on the files, and deleting the registry entries just creates them again; this can also be due to a permission problem on the registry folders !!

So try taking ownership of them and then check if you can delete them or not :)

HOW TO: Take Ownership of Files
http://support.microsoft.com/?id=268019

!! GOOD LUCK !!
 
tdk_man (Author) Commented:
Surely ownership comes into play when windows loads.

At the moment, the Win2K drive is sitting in my XP machine and I haven't booted off it. So, as Win2K isn't actually running, shouldn't XP just see all files as normal files? I can copy, rename and delete any other files without problem.

The URL you gave assumes that you are in Win2K, so I can't test it out until I return the drive tomorrow and boot into Win2K. I'd like to delete it now if possible.

As an aside, I've just tried MoveOnBoot and WhoLockMe but they both failed too.

I'm going to see if I can find any other delete-file utils on the net in the meantime.

Thanks for the suggestion though...

TDK_Man
 
SheharyaarSaahil Commented:
>> The URL you gave assumes that you are in Win2K,
Here are the ones for WinXP.... it's easier if you are deleting them from another system :)

HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421

HOW TO: Set, View, Change, or Remove File and Folder Permissions in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
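The two KB articles above walk through the Explorer Security tab by hand. The same sequence (take ownership, rewrite the DACL, clear the attributes, delete) scripted for an elevated PowerShell session on the clean machine the drive is slaved into, as an added example that is not from this thread or from Microsoft's articles. The path in `$Path` is a placeholder for wherever the file sits on the slaved volume; the thread's file was MSLG.DLL under the infected volume's System32 folder, and a Win2K install keeps that under WINNT.

```powershell
# Added example (not from the thread): inspect, take ownership of, and delete a file whose
# ACL denies the local Administrators group. Run from an elevated PowerShell on the clean
# machine the infected drive is attached to, so nothing from that volume is executing.
param(
    # Placeholder path: adjust the drive letter and folder to the slaved volume.
    [string]$Path = 'E:\WINNT\system32\MSLG.DLL'
)

function Show-FileSecurity {
    # Record owner, attributes and ACEs before touching anything, for the incident notes.
    param([string]$Target)
    $item = Get-Item -LiteralPath $Target -Force          # -Force also returns hidden/system files
    try { $acl = Get-Acl -LiteralPath $Target } catch { $acl = $null }   # fails if READ_CONTROL is denied
    [pscustomobject]@{
        Path       = $item.FullName
        Attributes = $item.Attributes
        Owner      = if ($acl) { $acl.Owner } else { '<ACL unreadable>' }
        Access     = if ($acl) {
            ($acl.Access | ForEach-Object { "$($_.AccessControlType) $($_.IdentityReference) $($_.FileSystemRights)" }) -join '; '
        } else { '<ACL unreadable>' }
    }
}

function Remove-LockedFile {
    param([string]$Target)

    Write-Host "Before:"
    Show-FileSecurity $Target | Format-List | Out-String | Write-Host

    # 1. Take ownership. takeown.exe succeeds even when the DACL grants us nothing, because
    #    SeTakeOwnershipPrivilege (held by elevated administrators) bypasses the DACL check.
    & takeown.exe /F $Target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Target" }

    # 2. As owner we implicitly hold WRITE_DAC, so reset the DACL to the folder's inherited
    #    defaults (this drops the explicit Deny ACEs, which would otherwise beat any Allow)
    #    and then grant Administrators full control explicitly.
    & icacls.exe $Target /reset | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed for $Target" }
    & icacls.exe $Target /grant 'Administrators:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for $Target" }

    # 3. Clear Read-only/Hidden/System so the delete is not refused on attributes.
    (Get-Item -LiteralPath $Target -Force).Attributes = [IO.FileAttributes]::Normal

    # 4. Delete and verify it is really gone rather than trusting the absence of an error.
    Remove-Item -LiteralPath $Target -Force
    if (Test-Path -LiteralPath $Target) { throw "still present after delete: $Target" }
    Write-Host "Removed $Target"
}

Remove-LockedFile -Target $Path
```

Two points the order matters for: `icacls /grant` alone is not enough, because an explicit Deny ACE wins over any Allow, so the `/reset` has to come first; and `takeown` is what makes the `/reset` possible, since owning a file grants READ_CONTROL and WRITE_DAC regardless of what the DACL says. Owners and ACE principals from the other machine's local accounts will show as raw `S-1-5-21-...` SIDs here because the clean machine cannot resolve them, which is itself a useful clue that a file was planted rather than installed.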
 
tdk_man (Author) Commented:
If I right click on it, AVG pops up a virus warning saying it's a Trojan horse BackDoor.Agent.BA.

No security tab appears - only 'General' and 'GiPo@Utilities' which is a delete undeletable files utility I installed - which incidentally also doesn't work! :)

The attributes box for read only is ticked and there is an advanced button which just gives you some indexing options.

Whatever you try to change on this panel results in an Access Is Denied error.

TDK_Man
 
SheharyaarSaahil Commented:
If you are using XP Pro, then go to Explorer > Tools > Folder Options > View and untick Simple File Sharing, apply, and now you should get the Security tab !!

If it's XP Home, then boot into Safe Mode and log in as Administrator; in Home edition only Administrator can access the Security tab !!  :)
 
tdk_man (Author) Commented:
Thanks for that!

I've learnt something new about XP tonight if nothing else... :)

Anyway, it took a while because every time I right clicked on the damn file, the anti-virus warning kept popping up and the right-click menu kept disappearing!

Eventually I did get rid of it, (I hope) but for some strange reason, after deleting it, AVG still kept popping up saying it was still there.

I'm doing a full scan now just to confirm that it's definitely gone!

TDK_Man
 
pjcrooks2000 Commented:
I get the feeling this wee bugger will be back.

If I am right, I think it may well be a BHO (Browser Helper Object) that is initialised with Internet Explorer. It regenerates itself, renaming itself too, or the DLL that keeps appearing is getting regenerated by another file somewhere.

Try running some programs to see if they bring anything up

cwshredder http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Spybot http://www.safer-networking.org/en/download/index.html
HiJackThis http://www.spychecker.com/program/hijackthis.html

Now I may be wide of the mark here, but I did experience a wee nasty like this not so long back and it was a browser hijacker. Once you do a scan of the machine with HijackThis it will generate a log file, and you can upload this log file to a website to be analysed: http://www.hijackthis.de/index.php?langselect=english

I hope this helps you

pjcrooks2000
 
tdk_man (Author) Commented:
Well, it's gone! Thanks for the pointers Shehar. :)

pj:

Like I said, the drive is connected as a slave in a different machine with a different OS, so anything registry related could not be the cause of the problem as my system is clean and the registry didn't contain the keys that the iffy system's registry did.

AVG, Spybot 1.3 (with Tea Timer), Stinger, CWShredder, half a dozen different 'delete file on reboot' programs and manually editing the registry when the drive was booted in the original machine resulted in the infection returning instantly (or the changes were never made)!

As Shehar correctly suggested, it appears that the newer trojans have the ability to create read only dropper files which are 'owned' by a user other than the administrator or the user logged on at the time of infection.

This means you cannot delete them or change their attributes in normal mode, safe mode, at the command prompt or even when the drive is a slave in another machine with a different OS!

So, beware... and store this thread in case you need it in the future. ;)

TDK_Man
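The conclusion above has two halves worth checking systematically rather than file by file: dropped files that are read-only and owned by a principal that is not the usual Administrators or SYSTEM, and registry entries that recreate them. Both can be examined from the clean machine while the slaved volume's own OS is not running. The following triage script is an added example, not code from this thread or from any of the tools named in it; `$Volume` is a placeholder for the drive letter the slaved disk received, the WINNT folder is the Win2K default (XP uses WINDOWS), and `reg.exe load` needs an elevated session and a hive that is not currently in use.

```powershell
# Added example (not from the thread): triage a slaved NTFS volume from a clean machine.
# Part 1 flags files in the offline System32 whose owner is not one of the principals that
# normally own system files on a Win2K/XP install, that carry an explicit Deny ACE, or that
# are read-only plus hidden/system. Part 2 loads the offline SOFTWARE hive and lists the
# Run keys and Browser Helper Objects it would start, so the persistence that recreates a
# file can be found without booting the infected OS.
param([string]$Volume = 'E:')                              # placeholder drive letter

$SystemDir      = Join-Path $Volume 'WINNT\system32'       # Win2K default; XP uses WINDOWS\system32
$ExpectedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')   # TrustedInstaller did not exist yet

function Get-SuspiciousSystemFiles {
    param([string]$Dir, [string[]]$KnownOwners)
    Get-ChildItem -LiteralPath $Dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { $acl = Get-Acl -LiteralPath $file.FullName } catch { $acl = $null }
        $reasons = @()
        if ($null -eq $acl) {
            $reasons += 'ACL unreadable (READ_CONTROL denied)'
        } else {
            # Local accounts from the other machine appear as raw S-1-5-21-... SIDs here,
            # because this machine cannot resolve them; that alone is a lead.
            if ($KnownOwners -notcontains $acl.Owner) { $reasons += "owner $($acl.Owner)" }
            $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
            if ($denies.Count -gt 0) {
                $who = ($denies | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ','
                $reasons += "explicit Deny for $who"
            }
        }
        $attrs = $file.Attributes
        if ($attrs.HasFlag([IO.FileAttributes]::ReadOnly) -and
            ($attrs.HasFlag([IO.FileAttributes]::Hidden) -or $attrs.HasFlag([IO.FileAttributes]::System))) {
            $reasons += "attributes $attrs"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Path = $file.FullName; LastWrite = $file.LastWriteTime; Reasons = $reasons -join '; ' }
        }
    }
}

function Get-OfflineAutostarts {
    param([string]$HivePath, [string]$MountName = 'OfflineSoftware')
    # reg.exe load mounts the offline hive under HKLM; only read from it, never edit it here.
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not load hive $HivePath" }
    try {
        $base = "HKLM:\$MountName"
        foreach ($run in 'Run', 'RunOnce') {
            $key = "$base\Microsoft\Windows\CurrentVersion\$run"
            if (Test-Path -Path $key) {
                (Get-ItemProperty -Path $key).PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object { [pscustomobject]@{ Source = "HKLM\...\$run"; Name = $_.Name; Command = $_.Value } }
            }
        }
        # BHO subkeys are CLSIDs; the DLL is the default value of the CLSID's InprocServer32 key.
        $bho = "$base\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        if (Test-Path -Path $bho) {
            Get-ChildItem -Path $bho | ForEach-Object {
                $clsid = $_.PSChildName
                $srv   = "$base\Classes\CLSID\$clsid\InprocServer32"
                $dll   = if (Test-Path -Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { '<no InprocServer32>' }
                [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Command = $dll }
            }
        }
    } finally {
        [gc]::Collect()                                    # release PowerShell's handle on the hive first
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

Get-SuspiciousSystemFiles -Dir $SystemDir -KnownOwners $ExpectedOwners | Format-Table -AutoSize
Get-OfflineAutostarts -HivePath (Join-Path $SystemDir 'config\software') | Format-Table -AutoSize
```

Cross-reference the two outputs: a Run or BHO entry whose command points at a file that part 1 flagged (unusual owner, Deny ACE, read-only and hidden) is the pair of dropper and loader that kept undoing the registry edits in the thread. Clean both the file and the entry while the hive is offline, which is the one situation in which nothing from the infected volume can put them back.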
 
pjcrooks2000 Commented:
Sorry tdk_man, I missed that, probably on account of it being 3am here now and perhaps I need to close my eyes for a while.

I will certainly bear this in mind for the future anyway, cheers

pjcrooks2000
 
SheharyaarSaahil Commented:
Glad it went, TDK. Cheers ^_^