• Delete stubborn files

    #465605

    In Disc C:/ I have Windows XP Professional and all programs installed under it only. Apparently due to a virus that, apparently too, is no longer in my PC, there are in that disc nine files (2.9 GB each, with a single-letter name —A, E, F, S, etc.— and no extension) which are taking about 27 GB of disc C space.

    I discovered them using Total Commander. When I tried to see them using Windows Explorer I couldn’t deactivate the “Hide system protected files (recommended)”. When I finally could unblock that and could see the files, I entered Safe Mode and I could see the files via Total Commander but not via Windows Explorer.

    What I found about that supposed virus relates it to NTDETECT.COM and says that it is a kind of trojan that sends info outside and generates a lot of small files that take over the disc space. In my case there are no small files but nine of 3,181,641,728 bytes each, and they have not increased in size at all since I discovered them.

    I use Eset Smart Suite 4 and Avira Personal Free. They haven’t found any malware in my PC. Malwarebytes’ and SUPERantimalware neither.

    I have looked desperately for a way to move/delete those files but without success. Unlocker, WhoLockMe, Files Assassin and others have failed.

    According to Unlocker the set of processes related to each one of these nine files is never the same, but all sets have in common two processes: Explore.exe and System. It’s clear that if I end these processes I shut down my PC, so this is not a solution at all.

    • #1197127

      Not sure if this is any help, but if I have deletion problems, I go into DOS prompt and delete them from there. Works all the time for me.

    • #1197128

      Usually, when I cannot delete a file (windows says that it is in use), I rename it, shutdown and restart windows and the file with the new name is OK for deletion. Another method is to use a boot CD like Knoppix which will give you access to the Windows file system and from there you can delete the files.

      • #1197205

        Usually, when I cannot delete a file (windows says that it is in use), I rename it, shutdown and restart windows and the file with the new name is OK for deletion. Another method is to use a boot CD like Knoppix which will give you access to the Windows file system and from there you can delete the files.

        I forgot to say that files cannot be renamed either.

        If you don’t already have it, even if it doesn’t fix your current problem, you might want to add Unlocker – CNET Download.com to your system for future use.

        I already used Unlocker. This allowed me to see what processes are linked to each one of those files. It’s supposed that if I kill the processes related to a specific file I’ll be able to rename/move/delete it. But as said before two of the processes I should delete are EXPLORE.EXE and SYSTEM, and if I kill them my PC shuts off.

        Usually, when I cannot delete a file (windows says that it is in use), I rename it, shutdown and restart windows and the file with the new name is OK for deletion. Another method is to use a boot CD like Knoppix which will give you access to the Windows file system and from there you can delete the files.

        KNOPPIX is Linux, and I have a handicap in this area because besides my age (70 years) I’m not a tech guy and know nothing about Linux. I guess I should download the program, record it on a CD… and what then?

        Not sure if this is any help, but if I have deletion problems, I go into DOS prompt and delete them from there. Works all the time for me.

        I’ve heard about this DOS resource before but have no idea on how to implement it. Would you please give me more details?

        It may be a Root Kit virus you have. These viruses hide files from Windows to prevent deletion.

        I suggest you run HiJackThis and post the result on an HJT web site – there are a few good ones about.

        cheers, Paul

        Thanks, Paul. Even though FBSL and the AVIRA anti-rootkit programs didn’t find anything in my PC, I already downloaded HiJackThis, but started searching for HJT web sites and got pretty confused about where I should submit the HiJackThis result report.

    • #1197139

      It may be a Root Kit virus you have. These viruses hide files from Windows to prevent deletion.

      I suggest you run HiJackThis and post the result on an HJT web site – there are a few good ones about.

      cheers, Paul

    • #1197156

      If you don’t already have it, even if it doesn’t fix your current problem, you might want to add Unlocker – CNET Download.com to your system for future use.

    • #1197164

      I second the LINUX boot disc approach since you can make any change without Windows running.

      • #1197512

        I second the LINUX boot disc approach since you can make any change without Windows running.

        Since the LINUX approach has been the most voted, for you and others, and even though I’m not a tech guy and know nothing about Linux, I tried to download Knoppix but I found it extremely complicated for me, so I downloaded UBUNTU 9.10 and the InfraRecording program, I created a bootable CD and proceeded.

        When after a big while Ubuntu finally started up I chose the very first option, that was highlighted: “Try Ubuntu without any changes…”. I could find the nine files and since I didn’t see any Delete option I used the Move one and moved all of them to the Trash. Then I emptied the trash.

        But back in Windows I almost got an infarct because the files WERE STILL THERE!

        This “Try Ubuntu without any changes…” seems to me a false promise because back in Windows I discovered that the date and time had been moved to the next day.

    • #1197247

      There is an automated HJT analyzer here.

      There is a very knowledgeable lady at this site who can spot HJT problems in a flash.

      And BleepingComputer.

      cheers, Paul

      • #1197260

        There is an automated HJT analyzer here.

        There is a very knowledgeable lady at this site who can spot HJT problems in a flash.

        And BleepingComputer.

        cheers, Paul

        Thanks for posting the automated analyzer site. I have several HJT sites bookmarked and this is a great addition for helping those who have not only browser hijacking issues, but malware, trojans etc. This will be a neat tool.

        Hey Jude

    • #1197265

      That analyzer site is actually linked from the original at hijackthis.de.

      HJT may be a very useful tool under some circumstances but there are many infections it cannot pick up. You really do need to get to a good antimalware forum; hijackthis.de has a pretty good forum.

      • #1197282

        That analyzer site is actually linked from the original at hijackthis.de.

        HJT may be a very useful tool under some circumstances but there are many infections it cannot pick up. You really do need to get to a good antimalware forum; hijackthis.de has a pretty good forum.

        Yes this is one of my resource sites. Way back when my DIL was having virus/hijack issues we used this forum to resolve her issues.

        Here is another site that’s great HJT Log Analyzer

        Hey Jude

    • #1197570

      To delete a file in Ubuntu, it’s like for Windows: select the file and press the delete key. You can also right-click a file and select the option delete.

      • #1197605

        To delete a file in Ubuntu, it’s like for Windows: select the file and press the delete key. You can also right-click a file and select the option delete.

        Thanks, Stephane, but no way.

        I just followed the whole procedure once more and when right-clicking any of those files the closest option to Delete that Ubuntu presented to me is MOVE TO TRASH; there is no such thing as Delete. So I used MOVE TO TRASH with each one of the nine files, then I found them in the trash, and afterward I emptied the trash, but the nine files were in place when I went back to Windows.

    • #1197622

      In your screen cap, it appears that the file attributes of System and Hidden are set. If that’s the case, Windows isn’t going to allow you to do anything with them. Clear those attributes and try again. It may seem way too easy, but let’s start with the way too easy stuff first.

      • #1197640

        In your screen cap, it appears that the file attributes of System and Hidden are set. If that’s the case, Windows isn’t going to allow you to do anything with them. Clear those attributes and try again. It may seem way too easy, but let’s start with the way too easy stuff first.

        Thanks, John. I’ve found no way to change those files’ attributes. They refused that too. Just to summarize, these are their characteristics:
        • Their names are a letter only (A, E, F, S, etc.)
        • They have no extension
        • Size of each one of them is 3.181.641.728 bytes and this hasn’t changed since 12/20/2009 when I discovered them
        • They take the date and time of last PC start/restart
        • They are not visible from inside Safe Mode
        • They refused to be renamed/moved/deleted or get their attributes (AHS) changed
        • Processes associated to each of them –or using them– are different: from 2 to more than 20. But EXPLORE.EXE and SYSTEM are always among those processes.

    • #1197649

      I wonder if “try Ubuntu without making any changes” is taken literally in that there are safety protocols in place so that not only does the OS not install but no permanent changes can be made to the resident OS?

      I love Parted Magic ( http://partedmagic.com/download.html ) personally because it has tons of tools including a Windows file system explorer AND since it’s a LINUX utility LiveCD, one just boots to it and starts using it without possibility of installing anything or limiting the action taken with the Windows system drive… which means it can really be messed up if a mistake is made, but I like having the power to show who’s in charge.

      • #1197653

        I wonder if “try Ubuntu without making any changes” is taken literally in that there are safety protocols in place so that not only does the OS not install but no permanent changes can be made to the resident OS?

        Yes, I think the hard drives would have been mounted read-only, therefore no changes could have been made, inadvertently or otherwise; with the apparent time change after running the Live CD, that could have been done within the BIOS.

        Carl, should you try the Ubuntu (or other Live CD) again, make sure you allow it to make file system changes.
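
A way to test the read-only theory from the live session before deleting anything, added here as an example and not written by any poster in this thread: it reads a mount table in /proc/mounts format, reports whether a volume is mounted read-write, and lists any files that still exist after a delete. The sample table, device names and mount points are constructed.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
# device, mount point, filesystem type, options, dump, pass.
SAMPLE_MOUNTS='/dev/sda1 /media/disk fuseblk ro,nosuid,nodev,allow_other,blksize=4096 0 0
/dev/sdb1 /media/usb fuseblk rw,nosuid,nodev,allow_other,blksize=4096 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0'

# mount_mode TABLE MOUNTPOINT
# Prints "rw" or "ro" for the mount point, or "unmounted" if it is not in
# the table. If the mount point is listed twice, the last entry wins.
mount_mode() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            found = 1
            mode = "unknown"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "ro" || opts[i] == "rw") mode = opts[i]
        }
        END { print (found ? mode : "unmounted") }'
}

# can_delete_on TABLE MOUNTPOINT
# Succeeds only when the volume is mounted read-write, i.e. when a delete
# made from the live session can reach the disk at all.
can_delete_on() {
    [ "$(mount_mode "$1" "$2")" = "rw" ]
}

# still_present FILE...
# Run after deleting and calling sync: prints every path that still exists.
still_present() {
    for f in "$@"; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# In a live session, pass the real table instead of the sample, e.g.:
#   mount_mode "$(cat /proc/mounts)" /media/disk
```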

        • #1197689

          Yes, I think the hard drives would have been mounted read-only, therefore no changes could have been made, inadvertently or otherwise; with the apparent time change after running the Live CD, that could have been done within the BIOS.

          Carl, should you try the Ubuntu (or other Live CD) again, make sure you allow it to make file system changes.

          But…. be CERTAIN to backup your system first !!!

        • #1197695

          Yes, I think the hard drives would have been mounted read-only, therefore no changes could have been made, inadvertently or otherwise; with the apparent time change after running the Live CD, that could have been done within the BIOS.

          Carl, should you try the Ubuntu (or other Live CD) again, make sure you allow it to make file system changes.

          I also supposed that the “without any changes” was the problem but, however, Ubuntu changed my Windows time, and back in XP I had to adjust day and time. I’m afraid what could be happening is that something in my PC is reactivating those files whenever I start/restart WinXP, but no program has found anything bad so far, and I haven’t received any answer to the HiJackThis log I submitted to a forum yet.

          • #1197721

            I haven’t received any answer to the HiJackThis log I submitted to a forum yet.

            Did you paste it to one of the HJT auto analyzer sites? These have previously been posted by PT on 2010-01-10: PT posted HJT analysis sites here

            Hey Jude

      • #1197700

        I wonder if “try Ubuntu without making any changes” is taken literally in that there are safety protocols in place so that not only does the OS not install but no permanent changes can be made to the resident OS?

        I love Parted Magic ( http://partedmagic.com/download.html ) personally because it has tons of tools including a Windows file system explorer AND since it’s a LINUX utility LiveCD, one just boots to it and starts using it without possibility of installing anything or limiting the action taken with the Windows system drive… which means it can really be messed up if a mistake is made, but I like having the power to show who’s in charge.

        As I already answered, despite the “Try Ubuntu without making any changes to the OS” my Windows date/time was changed. I started trying the option of “Install Ubuntu” but I was frightened by the difficulties of identifying the place where it would be installed (there were colored bars but no names/letters for my discs) and by the messages regarding things that couldn’t be undone, and I aborted the process. I’m not a tech guy.

    • #1197718

      Where’s the HJT log posted Carl? I’ll go check it over.

      • #1197726

        Where’s the HJT log posted Carl? I’ll go check it over.

        I wanted to know that too

        Hey Jude

    • #1197736

      Did you try changing the attributes from the command line? Navigate to the proper directory, then use “attrib -s -h filename” (without the quotes).

      If it doesn’t work, please post the error message that it gives. Killing the Explorer process doesn’t hurt anything, BTW. You just end up (usually) with a blank desktop, or a slow rebuild of the icons.

      There’s a way to run the OS under the System account, which has the highest privilege in Windows – higher even than the local Admin account. I hesitate to reveal how, since lots and lots of damage can be done. Still, I’d imagine that it would let you kill these rogue files. A safer way would be to pull the drive and stick it in another machine. You should be able to blow them out right away.

    • #1208636

      Hi, everybody.

      I kept trying different “solutions” and finally what I was afraid of happened: my Windows XP refused to open. I had no other option than to format and reinstall it (I did it this past weekend), and the files disappeared.

      THANKS TO YOU ALL!
