Solved

Delete a file with a question mark in its name?

Posted on 2006-06-02
Last Modified: 2012-05-05
My antivirus software has been detecting a file (related to the "Purity" adware) on one of my user's disks with the following name:

??oolsv.exe

The AV claims to have taken care of the file, but it's still there. I can see it in a DOS prompt. There are also three suspicious-looking folders with these names:

?icrosoft
?ymantec
(the third starts with what looks like a Greek letter, and then has a question mark, and then "sks")

It just occurred to me that these are probably not actual question-marks in the filenames, but characters that DOS is unable to print (at least in a US-English context).

How can I go about deleting these files and folders? They don't show up in Windows Explorer, so they're invisible to Killbox. I looked on sysinternals.com for a more sophisticated Windows shell but couldn't find one.

Thanks,

Ben
Question by:bslorence
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16821588
Yes Killbox can't read them so it will show with the question marks in them.

Here's how to get rid of it, if problem persists then we need to see the hijackthis log with those entries.

Go to your Add/Remove Program list and Uninstall "OIN"
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16821598
typo in my post above, I meant Hijackthis, :)

and yes Killbox can't do anything with files in Question marks.
There is a manual way of removing them also, by running a batchfile.

0
 
LVL 1

Author Comment

by:bslorence
ID: 16836911
rpggamergirl,

I think I'm missing a middle step here somewhere...

Where did "OIN" come into the picture? Is Outerinfo Network responsible for PurityScan? I checked, and don't see "OIN" in the Add/Remove Program list.

Also, I don't have HijackThis and I've never used it.

Can you elaborate on the "manual way" you mentioned?

Thanks,

Ben
0

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16838289
Yes, OuterInfo Network is responsible for PurityScan. When you installed an OIN software you are bound with Clickspring, it says so in their EULA.

If there are no software by OIN in your Add/Remove Programs, then you need to use their uninstaller.
I have used the uninstaller many times on people's machines. If the uninstaller fails to remove purityscan (unlikely) then we will remove it manually.

Removing it manually means looking for all PurityScan files and folders with a batchfile and deleting them.
It is a lot easier to use their uninstaller.


Here's where you can download hijackthis, it is only a small file, hijackthis will scan your system for malware etc, it will list entries (mostly legit).
PurityScan files will show up in the log but not all of them.
You need to check every entry in your startup so they will show up in the log, scan in normal mode.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
0
 
LVL 1

Author Comment

by:bslorence
ID: 16865455
Will HijackThis be able to remove the file? I wrote a little JScript program to investigate this further, and found that, as I suspected, the filenames do not actually have question-marks in them. The characters that show up as question-marks in DOS are Unicode characters outside the ASCII range.

I used that same script to try to delete the file (with FileSystemObject.File.Delete()) -- but no luck. I got a "permission denied" error even though I had administrative privileges. Presumably this is because the file is in use? But if it is, then don't I need a program like KillBox that will mark it for deletion at boot-time? But then that brings us back to the original problem...

Thanks,

Ben
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16866399
Hijackthis does not support Cyrillic characters so it will show as question marks in them too. I suggested hijackthis because hijackthis can show the location of the file, I then use a batchfile to look which ones are the legit ones and which ones are not, but if you already know which is which, then hijackthis is not needed.

Killbox can't delete any file with question marks in them.

Did you try the OIN uninstaller? Usually purityscan files go that way.
0
 
LVL 1

Author Comment

by:bslorence
ID: 16946016
Yes, I ran the OIN uninstaller. Sorry not to mention that before. The file did not go away and is still flagged every day by the network anti-virus (although now it's being flagged as Win32:Ndrv-B, instead of as something to do with Purity).
0
 
LVL 1

Author Comment

by:bslorence
ID: 16946025
Also, just to mention this as well: I also tried rebooting into safe mode and deleting the file with my JavaScript program, as described above. That didn't work either. I still got the permissions error.
0
 
LVL 1

Author Comment

by:bslorence
ID: 16946028
excuse me, "JScript". ;-p
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16947425
Can we please look at your hijackthis log?
0
 
LVL 1

Author Comment

by:bslorence
ID: 17034222
HijackThis log is here:

http://www.rafb.net/paste/results/uhzJVf80.html

Thanks, Ben
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17034327
No signs of purityscan in your hijackthis log, that means if they are in there then it's not active.

Do you have the locations of those purityscan files?
0
 
LVL 1

Author Comment

by:bslorence
ID: 17034398
The file is in c:\windows\system32

The only file that's left, at this point is the one named "[2 non-ASCII characters]oolsv.exe". My antivirus software (Avast) is identifying it, every day, as "Win32:Ndrv-B". As I mentioned above, at some point since I started this thread, the antivirus stopped identifying this file as Purity.

I'm not hugely concerned about whether this is an active piece of malware or not. Really I just want to delete this file. It will be a good thing to know how to do, and I'm sick of seeing it in the AV log.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 375 total points
ID: 17034436
so is this the file then? --> c:\windows\system32\??oolsv.exe

C:\WINDOWS\system32\spoolsv.exe
Since the above is the legit windows file, the only way for you to differentiate which is legit and which is not is to right-click on the file and look in the properties, the legit one should say Microsoft or something like that.


Or run this batchfile below, the result will give us 2 files(one legit one not). I'll tell you then which one to delete.

Copy and paste the text below the line into notepad. Save it as "FindFile.bat" and save it on your Desktop.  Locate "FindFile.bat" on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
--------------------------------

rem /a lists files regardless of attributes, including hidden and system ones
dir c:\windows\system32\??oolsv.exe /a > files.txt
notepad files.txt
0
 
LVL 1

Author Comment

by:bslorence
ID: 17034507
Gosh, in all my seeking for a fancy method of deleting this file, I forgot about just checking the attributes. The file was indeed SHR. All I had to do was undo those attributes and then I was able to delete it. I will give you the points for tipping me off with "dir /a".

Thanks, Ben
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17034523
Thanks! :)
0
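The inspection that resolved this thread, as an added Python example that is not part of any post above: it spells out the non-ASCII characters the console prints as "?", reports the S/H/R attributes that `dir /a` exposed, and selects only the non-ASCII name so the legitimate spoolsv.exe is never touched. The function names are hypothetical and the two Cyrillic characters in the sample are constructed placeholders, since the thread never states the real code points.

```python
import os
import stat
import unicodedata

# Windows attribute bits mapped to the letters attrib.exe prints.
ATTR_LETTERS = (
    (stat.FILE_ATTRIBUTE_SYSTEM, "S"),
    (stat.FILE_ATTRIBUTE_HIDDEN, "H"),
    (stat.FILE_ATTRIBUTE_READONLY, "R"),
)

def reveal(name):
    """Replace each non-ASCII character with <U+XXXX UNICODE NAME>."""
    out = []
    for ch in name:
        if ord(ch) < 128:
            out.append(ch)
        else:
            out.append("<U+%04X %s>" % (ord(ch), unicodedata.name(ch, "UNNAMED")))
    return "".join(out)

def attr_letters(bits):
    """Render st_file_attributes bits the way attrib shows them, e.g. 'SHR'."""
    return "".join(letter for bit, letter in ATTR_LETTERS if bits & bit)

def scan(directory, suffix="oolsv.exe"):
    """List entries ending in `suffix` whose names contain non-ASCII characters."""
    hits = []
    for entry in os.scandir(directory):
        if entry.name.lower().endswith(suffix) and not entry.name.isascii():
            st = entry.stat(follow_symlinks=False)
            # st_file_attributes exists only on Windows; treat as 0 elsewhere.
            bits = getattr(st, "st_file_attributes", 0)
            hits.append((entry.path, reveal(entry.name), attr_letters(bits)))
    return hits

def clear_readonly_and_delete(path):
    """Clear the read-only bit (all os.chmod can change on Windows), then delete."""
    os.chmod(path, stat.S_IWRITE)
    os.remove(path)

if __name__ == "__main__":
    # Constructed sample name: two Cyrillic placeholders in front of "oolsv.exe".
    print(reveal("\u0455\u0440oolsv.exe"))
    for path, shown, attrs in scan(r"C:\Windows\System32"):
        print(shown, attrs or "-")
```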

Question has a verified solution.