Solved

Undeletable File - Any Suggestions?

Posted on 2004-10-04
Last Modified: 2010-04-11
In my many years of working in IT, this is the first time I've come across a file which I couldn't delete... eventually.

Either this is a first, or I'm going senile...

A customer's Win2K/NTFS machine was infected with spyware and Trojans and I eventually managed to get rid of pretty much everything apart from some spyware thing called TV Media and a dll file in System32 called MSLG.DLL - a trojan which AVG pointed out but couldn't do anything with.

The entries which start it up in the registry are immediately replaced when you try to remove them - even in safe mode.

Same thing with HijackThis - rescan after removing three entries and they are back again - even in Safe Mode!

Boot into command prompt mode and it still won't delete - it shows up as a Read Only, BUT you get an Access Denied error when you try to remove the Read Only status with attrib.

So I brought the drive home and put it into my clean XP machine (using USB2 external case so I didn't have to boot with it attached) and once again, AVG detects the dll but still won't remove it.

And, although it's no longer in memory, I still can't change the attributes or delete the damn file - I just get Access Denied.

This one has me stumped!

TenerifeBaz
Question by:tdk_man
11 Comments
 

Accepted Solution

by: SheharyaarSaahil (earned 250 total points)
ID: 12222523
Hello tdk_man =)

Access Denied error means u dont have permissions on the files,,, and deleting the registries creates them again, which can also be due to a permission problem on the registry folders !!

So try taking their ownership and then check if u can delete them or not :)

HOW TO: Take Ownership of Files
http://support.microsoft.com/?id=268019

!! GOOD LUCK !!

Author Comment

by:tdk_man
ID: 12222736
Surely ownership comes into play when windows loads.

At the moment, the Win2K drive is sitting in my XP machine and I haven't booted off it. So, as Win2K isn't actually running, shouldn't XP just see all files as normal files? I can copy, rename and delete any other files without problem.

The URL you gave assumes that you are in Win2K, so I can't test it out until I return the drive tomorrow and boot into Win2K. I'd like to delete it now if possible.

As an aside, I've just tried MoveOnBoot and WhoLockMe but they both failed too.

I'm going to see if I can find any other delete file utils on the net in the meantime.

Thanks for the suggestion though...

TDK_Man

Expert Comment

by:SheharyaarSaahil
ID: 12222779
>> The URL you gave assumes that you are in Win2K,
here are the ones for WinXP.... it's easier if u are deleting them from another system :)

HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421

HOW TO: Set, View, Change, or Remove File and Folder Permissions in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308418

Author Comment

by:tdk_man
ID: 12222860
If I right click on it, AVG pops up a virus warning saying it's a Trojan horse BackDoor.Agent.BA.

No security tab appears - only 'General' and 'GiPo@Utilities' which is a delete undeletable files utility I installed - which incidentally also doesn't work! :)

The attributes box for read only is ticked and there is an advanced button which just gives you some indexing options.

Whatever you try to change on this panel results in an Access Is Denied error.

TDK_Man

Expert Comment

by:SheharyaarSaahil
ID: 12222869
if u are using XP Pro, then goto Explorer>Tools>Folder Options>View and untick Simple File Sharing,,,, apply and now u shud get the Security tab !!

if its xp home, then boot into safemode and login as Administrator, in home edition only Administrator can access the security tab !!  :)
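One way to script the steps from the two answers above (take ownership, grant permissions, clear Read-Only, delete), as an added example that is not from the thread: it assumes an elevated Windows PowerShell 5.1 session on the clean machine with the infected drive attached (elevation is what supplies the take-ownership privilege), and the file path is a constructed placeholder.

```powershell
# Added example, not from the thread. Scripts the manual steps in the answers
# above: take ownership, grant Administrators Full Control, clear Read-Only,
# delete, then verify on disk. Assumes an elevated Windows PowerShell 5.1
# session; if the owner write is still refused, takeown.exe /F <path> performs
# the same step from an elevated prompt.
function Remove-OrphanedFile {
    param([Parameter(Mandatory)][string]$Path)

    $admins = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')

    # 1. Take ownership. A fresh FileSecurity object with only the owner set is
    #    persisted as an owner-only write, so the file's current DACL (which may
    #    not grant us even READ_CONTROL) does not have to be readable first.
    $ownerOnly = New-Object System.Security.AccessControl.FileSecurity
    $ownerOnly.SetOwner($admins)
    [System.IO.File]::SetAccessControl($Path, $ownerOnly)

    # 2. As owner we can now read and rewrite the DACL: grant Administrators
    #    Full Control so the delete is not blocked by a deny or a missing ACE.
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $admins, 'FullControl', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 3. Clear Read-Only/Hidden/System attributes (attrib failed in the thread
    #    only because the ACL denied the write), then delete.
    [System.IO.File]::SetAttributes($Path, 'Normal')
    Remove-Item -LiteralPath $Path -Force

    # 4. Verify on disk rather than trusting the scanner popup: the thread notes
    #    AVG kept reporting the file after it had actually been removed.
    return -not (Test-Path -LiteralPath $Path)
}

# Constructed placeholder: the slaved Win2K drive's System32 as seen from the
# clean machine. Replace the drive letter with the real one.
Remove-OrphanedFile -Path 'E:\WINNT\system32\MSLG.DLL'
```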

Author Comment

by:tdk_man
ID: 12222953
Thanks for that!

I've learnt something new about XP tonight if nothing else... :)

Anyway, it took a while because every time I right clicked on the damn file, the anti-virus warning kept popping up and the right-click menu kept disappearing!

Eventually I did get rid of it, (I hope) but for some strange reason, after deleting it, AVG still kept popping up saying it was still there.

I'm doing a full scan now just to confirm that it's definitely gone!

TDK_Man

Expert Comment

by:pjcrooks2000
ID: 12223214
I get the feeling this wee bugger will be back.

If I am right, I think it may well be a BHO (Browser Helper Object) that is initialised with Internet Explorer. It regenerates itself, renaming itself too, or the DLL that keeps appearing is getting regenerated by another file somewhere.

Try running some programs to see if they bring anything up

cwshredder http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Spybot http://www.safer-networking.org/en/download/index.html
HiJackThis http://www.spychecker.com/program/hijackthis.html

Now i may be wide of the mark here but I did experience a wee nasty like this not so long back and it was a browser hijacker.  Once you do a scan of the machine with Hijack this it will generate a log file and you can upload this logfile to a website to be analysed, http://www.hijackthis.de/index.php?langselect=english

I hope this helps you

pjcrooks2000

Expert Comment

by:rossfingal
ID: 12223275

Author Comment

by:tdk_man
ID: 12223343
Well, it's gone! Thanks for the pointers Shehar. :)

pj:

Like I said, the drive is connected as a slave in a different machine with a different OS, so anything registry related could not be the cause of the problem as my system is clean and the registry didn't contain the keys that the iffy system's registry did.

AVG, Spybot 1.3 (with Tea Timer), Stinger, CWShredder, half a dozen different 'delete file on reboot' programs and manually editing the registry when the drive was booted in the original machine resulted in the infection returning instantly (or the changes were never made)!

As Shehar correctly suggested, it appears that the newer trojans have the ability to create read only dropper files which are 'owned' by a user other than the administrator or the user logged on at the time of infection.

This means you cannot delete them or change their attributes in normal mode, safe mode, at the command prompt or even when the drive is a slave in another machine with a different OS!

So, beware... and store this thread in case you need it in the future. ;)

TDK_Man

Expert Comment

by:pjcrooks2000
ID: 12223356
Sorry tdk_man, I missed that, probably on account of it being 3am here now and perhaps I need to close my eyes for a while.

I will certainly bear this in mind for the future anyway, cheers

pjcrooks2000

Expert Comment

by:SheharyaarSaahil
ID: 12224830
glad it went TDK,,,, Cheers ^_^