Solved

Undeletable File - Any Suggestions?

Posted on 2004-10-04
Last Modified: 2010-04-11
In my many years of working in IT, this is the first time I've come across a file which I couldn't delete... eventually.

Either this is a first, or I'm going senile...

A customer's Win2K/NTFS machine was infected with spyware and Trojans and I eventually managed to get rid of pretty much everything apart from some spyware thing called TV Media and a dll file in System32 called MSLG.DLL - a trojan which AVG pointed out but couldn't do anything with.

The entries which start it up in the registry are immediately replaced when you try to remove them - even in safe mode.

Same thing with HijackThis - rescan after removing three entries and they are back again - even in Safe Mode!

Boot into command prompt mode and it still won't delete - it shows up as Read Only, BUT you get an Access Denied error when you try to remove the Read Only status with attrib.

So I brought the drive home and put it into my clean XP machine (using USB2 external case so I didn't have to boot with it attached) and once again, AVG detects the dll but still won't remove it.

And, although it's no longer in memory, I still can't change the attributes or delete the damn file - I just get Access Denied.

This one has me stumped!

TenerifeBaz
Question by:tdk_man
11 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 250 total points
ID: 12222523
Hello tdk_man =)

An Access Denied error means you don't have permissions on the files, and the registry entries being created again after you delete them can also be due to a permission problem on the registry keys!!

So try taking ownership of them and then check if you can delete them or not :)

HOW TO: Take Ownership of Files
http://support.microsoft.com/?id=268019

!! GOOD LUCK !!
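Added example (not part of the accepted answer or anything the posters wrote): the same take-ownership, fix-ACL, delete sequence as a PowerShell script run on the clean machine with the infected volume attached, plus the check to run first. It assumes the slaved Win2K volume is mounted as F:, the shell is elevated as a member of the local Administrators group, and takeown.exe and icacls.exe are available (Vista and later; on XP the equivalent is the Security tab procedure in the KB articles linked in this thread). The path uses the Win2K system root (WINNT) and the file name given in the question.

```powershell
# Added example: not code from the thread or its posters.
# Assumptions: the infected Win2K volume is attached to a clean machine as F:,
# this shell is elevated as a local Administrator, and takeown.exe/icacls.exe
# exist (Vista and later). System root on Win2K is WINNT, not Windows.
$Target = 'F:\WINNT\system32\MSLG.DLL'

function Show-FileSecurity {
    param([string]$Path)
    # -Force lists hidden/system files; attributes come from the directory
    # entry, so this works even when the file itself cannot be opened.
    $item = Get-Item -LiteralPath $Path -Force
    try {
        $acl   = Get-Acl -Path $Path
        $owner = $acl.Owner
        $aces  = ($acl.Access | ForEach-Object {
            "$($_.IdentityReference)=$($_.FileSystemRights) [$($_.AccessControlType)]"
        }) -join '; '
    } catch {
        # No READ_CONTROL for us either: even the DACL is unreadable.
        $owner = '<unreadable: ' + $_.Exception.Message + '>'
        $aces  = ''
    }
    # An owner or ACE shown as a bare SID (S-1-5-21-...) is an account from the
    # other machine's SAM. The clean box cannot map it to any of its own users,
    # so even its Administrator is just "some other account" to this DACL.
    [pscustomobject]@{ Path = $Path; Attributes = $item.Attributes; Owner = $owner; Access = $aces }
}

function Remove-ForeignOwnedFile {
    param([string]$Path)
    # 1. Take ownership. Needs SeTakeOwnershipPrivilege (held by Administrators),
    #    which takeown.exe enables itself; no ACE in the file's DACL is required.
    & takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path" }

    # 2. As owner we can always rewrite the DACL. Reset it instead of only adding
    #    a grant, so an explicit Deny ACE for Administrators is removed as well.
    #    *S-1-5-32-544 is the well-known SID of Administrators (language-neutral).
    & icacls.exe $Path /reset | Out-Null
    & icacls.exe $Path /grant '*S-1-5-32-544:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }

    # 3. Now attrib's job succeeds: clear Read-only (and Hidden/System) and delete.
    (Get-Item -LiteralPath $Path -Force).Attributes = [IO.FileAttributes]::Normal
    Remove-Item -LiteralPath $Path -Force
}

Show-FileSecurity -Path $Target | Format-List
Remove-ForeignOwnedFile -Path $Target
if (Test-Path -LiteralPath $Target) {
    Write-Warning "$Target still exists: something on the running system is recreating it"
} else {
    "Deleted $Target"
}
```

Run Show-FileSecurity before touching anything: an owner that prints as a raw SID rather than a name is the tell that the file belongs to an account from the other machine's SAM, which is why a local Administrator on the clean box is denied just like the original user was. Taking ownership needs no entry in the file's DACL, only the privilege, which is why it works where attrib and delete-on-reboot tools fail.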
LVL 1

Author Comment

by:tdk_man
ID: 12222736
Surely ownership comes into play when windows loads.

At the moment, the Win2K drive is sitting in my XP machine and I haven't booted off it. So, as Win2K isn't actually running, shouldn't XP just see all files as normal files? I can copy, rename and delete any other files without problem.

The URL you gave assumes that you are in Win2K, so I can't test it out until I return the drive tomorrow and boot into Win2K. I'd like to delete it now if possible.

As an aside, I've just tried MoveOnBoot and WhoLockMe but they both failed too.

I'm going to see if I can find any other delete file utils on the net in the meantime.

Thanks for the suggestion though...

TDK_Man
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12222779
>> The URL you gave assumes that you are in Win2K,
here are the ones for WinXP... it's easier if you are deleting them from another system :)

HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421

HOW TO: Set, View, Change, or Remove File and Folder Permissions in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
LVL 1

Author Comment

by:tdk_man
ID: 12222860
If I right click on it, AVG pops up a virus warning saying it's a Trojan horse BackDoor.Agent.BA.

No security tab appears - only 'General' and 'GiPo@Utilities' which is a delete undeletable files utility I installed - which incidentally also doesn't work! :)

The attributes box for read only is ticked and there is an advanced button which just gives you some indexing options.

Whatever you try to change on this panel results in an Access Is Denied error.

TDK_Man
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12222869
If you are using XP Pro, then go to Explorer > Tools > Folder Options > View and untick Simple File Sharing, apply, and now you should get the Security tab!!

If it's XP Home, then boot into Safe Mode and log in as Administrator; in Home edition only Administrator can access the Security tab!! :)
LVL 1

Author Comment

by:tdk_man
ID: 12222953
Thanks for that!

I've learnt something new about XP tonight if nothing else... :)

Anyway, it took a while because every time I right clicked on the damn file, the anti-virus warning kept popping up and the right-click menu kept disappearing!

Eventually I did get rid of it, (I hope) but for some strange reason, after deleting it, AVG still kept popping up saying it was still there.

I'm doing a full scan now just to confirm that it's definitely gone!

TDK_Man
LVL 8

Expert Comment

by:pjcrooks2000
ID: 12223214
I get the feeling this wee bugger will be back.

If I am right, I think it may well be a BHO (Browser Helper Object) that is initialised with Internet Explorer. It regenerates itself, renaming itself too, or the DLL that keeps appearing is getting regenerated by another file somewhere.

Try running some programs to see if they bring anything up:

cwshredder http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Spybot http://www.safer-networking.org/en/download/index.html
HiJackThis http://www.spychecker.com/program/hijackthis.html

Now I may be wide of the mark here, but I did experience a wee nasty like this not so long back and it was a browser hijacker. Once you do a scan of the machine with HijackThis it will generate a log file and you can upload this log file to a website to be analysed: http://www.hijackthis.de/index.php?langselect=english

I hope this helps you

pjcrooks2000
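Added example (not from the thread or its posters): the registry side of the same check, done offline from the clean machine so that nothing on the infected system can put entries back while you read them, which is the problem the question describes with regedit and HijackThis in Safe Mode. It assumes the infected Win2K volume is attached as F:, the shell is elevated (reg.exe load needs backup/restore privileges), and uses an arbitrary mount name. It enumerates the machine-wide Run/RunOnce/RunServices values and the Browser Helper Objects list pjcrooks2000 mentions, resolving each BHO CLSID to its DLL.

```powershell
# Added example: not code from the thread or its posters.
# Assumptions: infected Win2K volume attached as F:, elevated shell, and
# 'Infected' as an arbitrary mount point name for the offline SOFTWARE hive.
$HiveFile = 'F:\WINNT\system32\config\software'   # hive file has no extension
$MountKey = 'HKLM\Infected'

function Get-OfflinePersistence {
    param([string]$HivePath, [string]$Mount)
    # Load the other machine's hive under our HKLM. Nothing from the infected
    # system is running, so nothing can re-create entries while we look.
    & reg.exe load $Mount $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (shell elevated? hive path right?)" }
    try {
        $root     = "Registry::$Mount"
        $findings = @()
        # Classic machine-wide autostart values (HKLM\SOFTWARE\...)
        $runKeys = 'Microsoft\Windows\CurrentVersion\Run',
                   'Microsoft\Windows\CurrentVersion\RunOnce',
                   'Microsoft\Windows\CurrentVersion\RunServices'
        foreach ($sub in $runKeys) {
            $key = "$root\$sub"
            if (-not (Test-Path -Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
                $findings += [pscustomobject]@{ Location = $sub; Name = $p.Name; Value = $p.Value }
            }
        }
        # BHOs are loaded into Internet Explorer; each subkey is a CLSID whose
        # InprocServer32 default value names the DLL that gets loaded.
        $bhoKey = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        if (Test-Path -Path $bhoKey) {
            foreach ($clsid in (Get-ChildItem -Path $bhoKey).PSChildName) {
                $server = "$root\Classes\CLSID\$clsid\InprocServer32"
                $dll = if (Test-Path -Path $server) {
                    (Get-ItemProperty -Path $server).'(default)'
                } else {
                    '<no InprocServer32>'
                }
                $findings += [pscustomobject]@{ Location = 'BHO'; Name = $clsid; Value = $dll }
            }
        }
        $findings
    } finally {
        # PowerShell keeps key handles open; drop them or reg unload reports the hive as in use.
        [GC]::Collect()
        & reg.exe unload $Mount | Out-Null
    }
}

Get-OfflinePersistence -HivePath $HiveFile -Mount $MountKey | Format-Table -AutoSize
```

Anything listed here that points at the DLL from the question, or at a file you cannot account for, is a start-up entry the infected system will honour on its next boot. Because the hive is loaded read-write, the same mount can be used to delete those values with Remove-ItemProperty before unloading, and the file-level fix above then stops the DLL being there to load.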
LVL 12

Expert Comment

by:rossfingal
ID: 12223275
LVL 1

Author Comment

by:tdk_man
ID: 12223343
Well, it's gone! Thanks for the pointers Shehar. :)

pj:

Like I said, the drive is connected as a slave in a different machine with a different OS, so anything registry related could not be the cause of the problem as my system is clean and the registry didn't contain the keys that the iffy system's registry did.

AVG, Spybot 1.3 (with Tea Timer), Stinger, CWShredder, half a dozen different 'delete file on reboot' programs and manually editing the registry when the drive was booted in the original machine resulted in the infection returning instantly (or the changes were never made)!

As Shehar correctly suggested, it appears that the newer trojans have the ability to create read only dropper files which are 'owned' by a user other than the administrator or the user logged on at the time of infection.

This means you cannot delete them or change their attributes in normal mode, safe mode, at the command prompt or even when the drive is a slave in another machine with a different OS!

So, beware... and store this thread in case you need it in the future. ;)

TDK_Man
LVL 8

Expert Comment

by:pjcrooks2000
ID: 12223356
Sorry tdk_man, I missed that, probably on account of it being 3am here now and perhaps I need to close my eyes for a while.

I will certainly bear this in mind for the future anyway, cheers

pjcrooks2000
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12224830
Glad it went, TDK, Cheers ^_^