Solved

Malware file hiding in the recycle.bin that can't be deleted

Posted on 2013-06-02
13
467 Views
Last Modified: 2013-11-22
I have a system that AVG realtime monitor keeps finding infected files on.  However, when I try to delete them I get, Access Denied.  

The files are located in the recycle.bin folder and I'm using an admin account to delete them.  No matter what i do I can't get rid of them; I always get the error:  Access Denied.  

Also, AVG is the only program that finds them.  

Now that I think about it -- should I try deleting them via the command prompt?  

Thanks
0
Comment
Question by:CraigSNYC
  • 4
  • 2
  • 2
  • +4
13 Comments
 
LVL 90

Expert Comment

by:John Hurst
Comment Utility
Try online Malwarebytes. AVG is not the best AV in the world and I have had to remove it from client machines and replace it with commercial AV.

You might also try setting up a new, different admin account to see if a different account can delete the files.

.... Thinkpads_User
0
 
LVL 19

Expert Comment

by:helpfinder
Comment Utility
Try to run a AV scan in Safe mode.
also try to scan the disk when OS is not running (booted up) - e.g. Kaspersky Rescue Disk, or remove HDD and plug it into another machine as second disk
0
 
LVL 24

Accepted Solution

by:
aadih earned 500 total points
Comment Utility
As Thinkpads_User said, "AVG is not the best AV".

Try using bitdefender free:  < http://www.bitdefender.com/solutions/free.html >.

For now, try scanning and cleaning with Malwarebytes Antimalware (free) in safe mode (or even from command prompt in safe mode); then, again from the normal Windows mode.
0
 

Author Comment

by:CraigSNYC
Comment Utility
Thanks!  

Hadn't run AVG in SM, so I will try that.  

Sorry, but I always leave out important bits of info (duh!): Malwarebytes doesn't find the files that I need to delete.  Also, the system was infected enough that I decided it was best to pull the drive from the client's system and clean it that way.  This is when the ownership issue first popped up.  I tried to change ownership of the files then but for whatever reason I couldn't.  I figured once the drive was reinstalled on the system I'd delete the files with no problem.  I was wrong about being able to do that.  

I'll run AVG in SM and see what happens.  

I'll update tomorrow, once I've been able to do this.  

Thanks!
0
 

Author Comment

by:CraigSNYC
Comment Utility
One more interesting thing:  I ran CCleaner, emptied the recycle bin and turned off system restore but the files are still there.  Shouldn't have doing those things have deleted all files in the Recycle.bin folders?
0
 
LVL 24

Expert Comment

by:aadih
Comment Utility
It appears there is a permissions issue (for files in recycle bin); thus the non-deletion.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 18

Expert Comment

by:web_tracker
Comment Utility
get the application called FileAssassin  to gain access to the file, then you can delete it.
http://download.cnet.com/FileAssassin/3000-2094_4-10639988.html
When you delete the file use the shift key while pressing the delete key, this will bypass the trash can an permanently delete the file.
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
Comment Utility
Some malware didn't let MalwareBytes to scan them in realtime, so we would need to run software like RKill, or RogueKiller to kill those malware processes and then run MalwareBytes.

I would recommend to scan the system with the tools mentioned below and in the sequence they are mentioned and post the logs

Make sure you DO NOT REBOOT the system after running tools in point 1 & 2.

1. RogueKiller/TheKiller
2. MalwareBytes
3. TDSSKIller

I would also recommend you to go through the articles from Younghv and RPG for the links of the tools and for the future reference

Basic Malware Troubleshooting
http://www.experts-exchange.com/A_1940.html

Rogue-Killer-What-a-great-name
http://www.experts-exchange.com/A_4922.html

Stop-the-Bleeding-First-Aid-for-Malware
http://www.experts-exchange.com/A_5124.html

Run MalwareBytes in Quick Mode and if that required reboot, then reboot the system and run tools mentioned in point 1 and 2 but this time run MalwareBytes in Full Systen Scan.

So in your next reply post the RogueKiller logs, MBAM logs and TDSSKIller Logs

Sudeep
0
 

Author Comment

by:CraigSNYC
Comment Utility
**Thanks for the input.  I'm trying FileAssasin when I get my hands on the system this weekend and report back.
0
 
LVL 38

Expert Comment

by:younghv
Comment Utility
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 90

Expert Comment

by:John Hurst
Comment Utility
@CraigSNYC - You never did follow up as you committed to do.

.... Thinkpads_User
0
 

Author Comment

by:CraigSNYC
Comment Utility
I'm sorry!  I posted a response -- I don't know what happened to it.  

I ran AVG in SM.  Rebooted normally and ran it again.  Ran clean.  Also ran Malwarebytes in SM.  

The client reports no more real-time popups from AVG reporting the files in the recycle bin.

Thanks!
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
XTBL Ransomware 8 321
Malware on Windows 10 machine 14 99
PC Users 7 53
Checkpoint Endpoint Managment 3 43
PREFACE The purpose of this guide is to explain how to manually move a SEP client to a different client group by performing steps on the client-side. These steps may prove particularly useful because they allow the client to move after it has alrea…
OVERVIEW This guide provides information on the process performed when the Symantec Endpoint Protection (SEP) client checks in with the Symantec Endpoint Protection Manager (SEPM). AUDIENCE Information Technology personnel responsible for suppo…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now