Solved

Malware file hiding in the recycle.bin that can't be deleted

Posted on 2013-06-02
13
476 Views
Last Modified: 2013-11-22
I have a system that AVG realtime monitor keeps finding infected files on.  However, when I try to delete them I get, Access Denied.  

The files are located in the recycle.bin folder and I'm using an admin account to delete them.  No matter what i do I can't get rid of them; I always get the error:  Access Denied.  

Also, AVG is the only program that finds them.  

Now that I think about it -- should I try deleting them via the command prompt?  

Thanks
0
Comment
Question by:CraigSNYC
  • 4
  • 2
  • 2
  • +4
13 Comments
 
LVL 92

Expert Comment

by:John Hurst
ID: 39214298
Try online Malwarebytes. AVG is not the best AV in the world and I have had to remove it from client machines and replace it with commercial AV.

You might also try setting up a new, different admin account to see if a different account can delete the files.

.... Thinkpads_User
0
 
LVL 19

Expert Comment

by:helpfinder
ID: 39214327
Try to run a AV scan in Safe mode.
also try to scan the disk when OS is not running (booted up) - e.g. Kaspersky Rescue Disk, or remove HDD and plug it into another machine as second disk
0
 
LVL 24

Accepted Solution

by:
aadih earned 500 total points
ID: 39214364
As Thinkpads_User said, "AVG is not the best AV".

Try using bitdefender free:  < http://www.bitdefender.com/solutions/free.html >.

For now, try scanning and cleaning with Malwarebytes Antimalware (free) in safe mode (or even from command prompt in safe mode); then, again from the normal Windows mode.
0
 

Author Comment

by:CraigSNYC
ID: 39214390
Thanks!  

Hadn't run AVG in SM, so I will try that.  

Sorry, but I always leave out important bits of info (duh!): Malwarebytes doesn't find the files that I need to delete.  Also, the system was infected enough that I decided it was best to pull the drive from the client's system and clean it that way.  This is when the ownership issue first popped up.  I tried to change ownership of the files then but for whatever reason I couldn't.  I figured once the drive was reinstalled on the system I'd delete the files with no problem.  I was wrong about being able to do that.  

I'll run AVG in SM and see what happens.  

I'll update tomorrow, once I've been able to do this.  

Thanks!
0
 

Author Comment

by:CraigSNYC
ID: 39214396
One more interesting thing:  I ran CCleaner, emptied the recycle bin and turned off system restore but the files are still there.  Shouldn't have doing those things have deleted all files in the Recycle.bin folders?
0
 
LVL 24

Expert Comment

by:aadih
ID: 39214405
It appears there is a permissions issue (for files in recycle bin); thus the non-deletion.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 18

Expert Comment

by:web_tracker
ID: 39214472
get the application called FileAssassin  to gain access to the file, then you can delete it.
http://download.cnet.com/FileAssassin/3000-2094_4-10639988.html
When you delete the file use the shift key while pressing the delete key, this will bypass the trash can an permanently delete the file.
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39220209
Some malware didn't let MalwareBytes to scan them in realtime, so we would need to run software like RKill, or RogueKiller to kill those malware processes and then run MalwareBytes.

I would recommend to scan the system with the tools mentioned below and in the sequence they are mentioned and post the logs

Make sure you DO NOT REBOOT the system after running tools in point 1 & 2.

1. RogueKiller/TheKiller
2. MalwareBytes
3. TDSSKIller

I would also recommend you to go through the articles from Younghv and RPG for the links of the tools and for the future reference

Basic Malware Troubleshooting
http://www.experts-exchange.com/A_1940.html

Rogue-Killer-What-a-great-name
http://www.experts-exchange.com/A_4922.html

Stop-the-Bleeding-First-Aid-for-Malware
http://www.experts-exchange.com/A_5124.html

Run MalwareBytes in Quick Mode and if that required reboot, then reboot the system and run tools mentioned in point 1 and 2 but this time run MalwareBytes in Full Systen Scan.

So in your next reply post the RogueKiller logs, MBAM logs and TDSSKIller Logs

Sudeep
0
 

Author Comment

by:CraigSNYC
ID: 39237760
**Thanks for the input.  I'm trying FileAssasin when I get my hands on the system this weekend and report back.
0
 
LVL 38

Expert Comment

by:younghv
ID: 39338779
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 39329650
@CraigSNYC - You never did follow up as you committed to do.

.... Thinkpads_User
0
 

Author Comment

by:CraigSNYC
ID: 39338777
I'm sorry!  I posted a response -- I don't know what happened to it.  

I ran AVG in SM.  Rebooted normally and ran it again.  Ran clean.  Also ran Malwarebytes in SM.  

The client reports no more real-time popups from AVG reporting the files in the recycle bin.

Thanks!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Identifying virus/malware after an attack 8 112
Equivalent of HP Fortify (code scanner) for Excel macros & MS Access codes 5 122
Virus softwares 11 76
ransomware virus 21 105
12 Steps to a more secure Internet experience (http://tekblog.teksquisite.com/) Everyone who is a licensed driver initially had to pass a driving test that consisted of taking:    1. a written test    2. a road test    3. a vision test Le…
PREFACE The purpose of this guide is to explain what the SEPC Status Utility is and how it works. I have written the utility using AutoIt and have included the source code for your review. You are welcome to modify the code to your liking, but I wi…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now