#1
This should be so simple on the face of it, but aaaaargh!

In a nutshell, I have a virus that has corrupted the USERINIT registry entry. Identified it ok. Just need to delete c:\program\abc\def.exe (I got the name from regedit.)

1. I can't delete folder "abc" because it says it's "not empty". Fair enough, I'll delete "def" first.
2. Uh huh. Says "def" isn't there.
3. I go into DOS (or rather the command prompt feature of WXP).
4. I do the ATTRIB command for -r -s -h, and it takes it without error message..... BUT nothing's changed, at all!
5. Read on the internet that the TYPE command ignores whether files are hidden/system, so I do that on def.exe.
6. YES! It lists gobbledegook (as expected with .exe data) so that proves it DOES exist and is still there.

So - the question seems to be why the ATTRIB command had no effect..... anybody have any suggestions?

Thanks
Guy
#2
On 8/1/2011 3:37 PM, Guy Fletcher wrote:

> This should be so simple on the face of it, but aaaaargh!
>
> In a nutshell, I have a virus that has corrupted the USERINIT registry entry. Identified it ok. Just need to delete c:\program\abc\def.exe (I got the name from regedit.)
>
> 1. I can't delete folder "abc" because it says it's "not empty". Fair enough, I'll delete "def" first.
> 2. Uh huh. Says "def" isn't there.
> 3. I go into DOS (or rather the command prompt feature of WXP).
> 4. I do the ATTRIB command for -r -s -h, and it takes it without error message..... BUT nothing's changed, at all!
> 5. Read on the internet that the TYPE command ignores whether files are hidden/system, so I do that on def.exe.
> 6. YES! It lists gobbledegook (as expected with .exe data) so that proves it DOES exist and is still there.
>
> So - the question seems to be why the ATTRIB command had no effect..... anybody have any suggestions?
>
> Thanks
> Guy

Linux, Knoppix, BartPE, or the XP Recovery Console should allow you to delete the folders and files.

Have you tried Malwarebytes? http://www.malwarebytes.org

--
Joe =o)
#3
Guy Fletcher wrote:

> This should be so simple on the face of it, but aaaaargh!
>
> In a nutshell, I have a virus that has corrupted the USERINIT registry entry. Identified it ok. Just need to delete c:\program\abc\def.exe (I got the name from regedit.)
>
> 1. I can't delete folder "abc" because it says it's "not empty". Fair enough, I'll delete "def" first.
> 2. Uh huh. Says "def" isn't there.
> 3. I go into DOS (or rather the command prompt feature of WXP).
> 4. I do the ATTRIB command for -r -s -h, and it takes it without error message..... BUT nothing's changed, at all!
> 5. Read on the internet that the TYPE command ignores whether files are hidden/system, so I do that on def.exe.
> 6. YES! It lists gobbledegook (as expected with .exe data) so that proves it DOES exist and is still there.
>
> So - the question seems to be why the ATTRIB command had no effect..... anybody have any suggestions?
>
> Thanks
> Guy

When logged into Windows, have you tried the following?

- Load and leave loaded Task Manager.
- Kill all instances of explorer.exe (your desktop disappears).
- Use the New Task menu to run cmd.exe to load a console shell.
- Do a file/folder delete in the console window.
- Use the New Task menu to reload explorer.exe (your desktop reappears).

Alternatively, have you tried the following to delete the file/folder?

- Booting Windows into its Safe Mode?
- Into its Recovery Console mode?
#4
Thanks guys for your replies.

First, I did the stopping explorer thing. This was new to me. Got the command screen, did the ATTRIB etc. but no change. However, it's a useful thing to know for the future, so thanks for that.

Then I looked into Recovery Console, again new to me. Couldn't get very far, as it wouldn't let me access the "Program Files" directory. The internet seems to back that up - i.e. you can only do things in C:\WINDOWS (?) with that, so that was a non-starter.

Then I tried Malwarebytes. Had heard of it before, but I honestly have so many of such programs (always found Superantispyware the best myself, though not 100% ideal) that I was a bit sceptical. Anyway, I tried it and it DID bring up the directory and invisible program, so thanks for that recommendation! Will def. use it again.

I was ecstatic for a while, deleting them and restarting. My happiness was short-lived, however, as the damn thing came back! In short, it seems this registry item gets corrupted EVERY time I start up:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

It contains the userinit.exe (as it should) but appends it to the infernal spyware program, always with the same name (though seemingly random letters). I just don't know where it's being edited from.

All I know is that it all started when I upgraded from IE6 to IE8. I downloaded IE8 from Microsoft's own site, so I don't know what to think. I'm thinking of going back to IE6 as the only solution!

Thanks again anyway.
Guy
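The persistence mechanism Guy describes above (the Winlogon Userinit value keeps the legitimate userinit.exe but gets the rogue program appended after it on every boot) is easy to check for once you know the shape of a clean value. The following Python script is an added example, not code from this thread or from any of the tools mentioned in it. It assumes the stock Windows XP value, `C:\WINDOWS\system32\userinit.exe,` (trailing comma included), as the clean baseline and `C:\WINDOWS` as `%SystemRoot%`; the function names and the sample values are mine. On Windows it reads the live key through the standard `winreg` module; elsewhere it runs only against the constructed samples embedded in it.

```python
# Added example: audit the Winlogon "Userinit" value for appended programs.
# Not from the thread. Assumes a stock Windows XP baseline (see EXPECTED_USERINIT).

# Registry key named in the thread; the value of interest is "Userinit".
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed clean baseline for a stock Windows XP install.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# Constructed sample values (not taken from any real machine). The second one
# mirrors what the thread describes: the real userinit.exe with a second
# program appended after the comma. The third shows outright replacement.
SAMPLE_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
SAMPLE_INFECTED = r"C:\WINDOWS\system32\userinit.exe,c:\program\abc\def.exe"
SAMPLE_REPLACED = r"c:\program\abc\def.exe"


def parse_userinit(value):
    """Split the comma-separated Userinit string into program entries.

    The empty entry left by the legitimate trailing comma is dropped, as are
    surrounding whitespace and double quotes around a path.
    """
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"').strip()
        if part:
            entries.append(part)
    return entries


def normalize(path):
    """Make two spellings of the same path comparable: case-fold, unify
    separators and expand %SystemRoot% (assumed to be C:\\WINDOWS)."""
    path = path.replace("/", "\\").lower()
    return path.replace("%systemroot%", r"c:\windows")


def analyze_userinit(value, expected=EXPECTED_USERINIT):
    """Report every entry, the unexpected ones, and whether the legitimate
    userinit.exe is still present (it must be, or nobody can log on)."""
    want = normalize(expected)
    entries = parse_userinit(value)
    return {
        "entries": entries,
        "unexpected": [e for e in entries if normalize(e) != want],
        "legit_present": any(normalize(e) == want for e in entries),
    }


def check_userinit(value, expected=EXPECTED_USERINIT):
    """Convenience wrapper: just the entries that should not be there."""
    return analyze_userinit(value, expected)["unexpected"]


def read_live_userinit():
    """Read the live value on Windows; return None where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    samples = {
        "clean": SAMPLE_CLEAN,
        "infected": SAMPLE_INFECTED,
        "replaced": SAMPLE_REPLACED,
    }
    live = read_live_userinit()
    if live is not None:
        samples["live"] = live
    for name, value in samples.items():
        report = analyze_userinit(value)
        ok = report["legit_present"] and not report["unexpected"]
        print(f"{name:9s} {'OK' if ok else 'SUSPICIOUS':10s} "
              f"entries={report['entries']} unexpected={report['unexpected']}")
```

Anything reported as unexpected is a program that will be launched at every logon; if the same path reappears after you remove it, as it did here, the value is being rewritten by something that is still running, which is why the replies that follow recommend scanning from boot media rather than from inside the infected Windows session.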
#5
Guy Fletcher wrote:

> Thanks guys for your replies.
>
> First, I did the stopping explorer thing. This was new to me. Got the command screen, did the ATTRIB etc. but no change. However, it's a useful thing to know for the future, so thanks for that.
>
> Then I looked into Recovery Console, again new to me. Couldn't get very far, as it wouldn't let me access the "Program Files" directory. The internet seems to back that up - i.e. you can only do things in C:\WINDOWS (?) with that, so that was a non-starter.
>
> Then I tried Malwarebytes. Had heard of it before, but I honestly have so many of such programs (always found Superantispyware the best myself, though not 100% ideal) that I was a bit sceptical. Anyway, I tried it and it DID bring up the directory and invisible program, so thanks for that recommendation! Will def. use it again.
>
> I was ecstatic for a while, deleting them and restarting. My happiness was short-lived, however, as the damn thing came back! In short, it seems this registry item gets corrupted EVERY time I start up:
>
> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
>
> It contains the userinit.exe (as it should) but appends it to the infernal spyware program, always with the same name (though seemingly random letters). I just don't know where it's being edited from.
>
> All I know is that it all started when I upgraded from IE6 to IE8. I downloaded IE8 from Microsoft's own site, so I don't know what to think. I'm thinking of going back to IE6 as the only solution!
>
> Thanks again anyway.
> Guy

Don't know what anti-virus program you use. Does it have a boot-time scanner (to scan BEFORE the operating system loads along with any drivers, of which one could be the pest)?

Alternatively you could use a boot CD that has anti-malware to scan for the pest *without* your OS being loaded.
#6
On 8/2/2011 11:54 AM, Guy Fletcher wrote:

> Thanks guys for your replies.
>
> First, I did the stopping explorer thing. This was new to me. Got the command screen, did the ATTRIB etc. but no change. However, it's a useful thing to know for the future, so thanks for that.
>
> Then I looked into Recovery Console, again new to me. Couldn't get very far, as it wouldn't let me access the "Program Files" directory. The internet seems to back that up - i.e. you can only do things in C:\WINDOWS (?) with that, so that was a non-starter.
>
> Then I tried Malwarebytes. Had heard of it before, but I honestly have so many of such programs (always found Superantispyware the best myself, though not 100% ideal) that I was a bit sceptical. Anyway, I tried it and it DID bring up the directory and invisible program, so thanks for that recommendation! Will def. use it again.
>
> I was ecstatic for a while, deleting them and restarting. My happiness was short-lived, however, as the damn thing came back! In short, it seems this registry item gets corrupted EVERY time I start up:
>
> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
>
> It contains the userinit.exe (as it should) but appends it to the infernal spyware program, always with the same name (though seemingly random letters). I just don't know where it's being edited from.
>
> All I know is that it all started when I upgraded from IE6 to IE8. I downloaded IE8 from Microsoft's own site, so I don't know what to think. I'm thinking of going back to IE6 as the only solution!
>
> Thanks again anyway.
> Guy

AVG now has an a/v Rescue CD that's free. It should remove any rootkit that is causing the changes. It runs in RAM so Windows processes can't take control.

AVG also has a free USB download that should work on newer systems that can boot from a USB device.

Get them here: http://www.avg.com/us-en/avg-rescue-cd

--
Joe =o)
#7
Try installing this free utility:

"Unlocker" http://www.brothersoft.com/download-...er-208761.html

...or go to the official developer's website: http://unlocker.emptyloop.com/

...it automatically (and manually via a right-click file menu) detects when a file operation fails due to programs having active open handles on the object you are trying to rename / move / delete, and allows you to either close the offending program's open handles or terminate the program entirely - and so release the object for your proffered file operation.

It also has the built-in ability to "Delete on reboot" as a last resort, a function that other utilities offer on its own but which is incorporated into this useful (at least I find it so) program.

==

Cheers, Tim Meddick, Peckham, London. :-)

"Guy Fletcher" wrote in message ...

> This should be so simple on the face of it, but aaaaargh!
>
> In a nutshell, I have a virus that has corrupted the USERINIT registry entry. Identified it ok. Just need to delete c:\program\abc\def.exe (I got the name from regedit.)
>
> 1. I can't delete folder "abc" because it says it's "not empty". Fair enough, I'll delete "def" first.
> 2. Uh huh. Says "def" isn't there.
> 3. I go into DOS (or rather the command prompt feature of WXP).
> 4. I do the ATTRIB command for -r -s -h, and it takes it without error message..... BUT nothing's changed, at all!
> 5. Read on the internet that the TYPE command ignores whether files are hidden/system, so I do that on def.exe.
> 6. YES! It lists gobbledegook (as expected with .exe data) so that proves it DOES exist and is still there.
>
> So - the question seems to be why the ATTRIB command had no effect..... anybody have any suggestions?
>
> Thanks
> Guy