Can't delete a file.......

[archon_113]

I have an alcohol 120% image file on my computer, which is a game that I obtained through somewhat dubious means. It was suggested that I post a HJT log, so here it is.




Logfile of HijackThis v1.99.1
Scan saved at 21:37:28, on 11/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\avgamsvr.exe
C:\PROGRA~1\AVG\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\AVG\avgemc.exe
C:\Program Files\Ad-Aware\Ad-Watch.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Edd\Desktop\Stuff\PowderCleaner\PowderCleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVG\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Ad-Aware\Ad-Watch.exe"
O4 - Startup: PowderCleaner.lnk = C:\Documents and Settings\Edd\Desktop\Stuff\PowderCleaner\PowderCleaner.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Electronic Arts Licensing Service - Unknown owner - C:\Program Files\Common Files\Electronic Arts Shared\Service\EA Licensing Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe






Can anyone help?

[sUBs]

Find out the name & the full filepath of the file you want to delete.

Example - C:\Downloads\dubousfile.img

Then, Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...

1. In the popup box that appears, type in:
   • Filepath of file to be deleted
2. Click the Open button.
3. Click YES when prompted to restart your computer.

Let me know if that helps.

[archon_113]

I already tried using MoveOnBoot to delete the file, which didn't work. Neither did the delete on boot function from HJT. Any other ideas?

[sUBs]

Please name the file & post the full filepath

[archon_113]

The file is:


C:\Documents and Settings\[USERNAME]\Desktop\Stuff\Prince of Persia\Prince Of Persia The Two Thrones [DVD][Spanish_EN_GE_FR_IT][www-pctorrent.com]\MIR-POPT2T.mdf

[sUBs]

Quote:

Originally Posted by archon_113

The file is:


C:\Documents and Settings\[USERNAME]\Desktop\Stuff\Prince of Persia\Prince Of Persia The Two Thrones [DVD][Spanish_EN_GE_FR_IT][www-pctorrent.com]\MIR-POPT2T.mdf

Do you intend to delete the entire Prince of Persia folder?

[archon_113]

Yes, I do.

[sUBs]

HJT's delete-on-reboot feature doesnt work on folders. Just files.

You'lll need to download this - KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Run KillBox & paste the following locations into KillBox one at a time:

• C:\Documents and Settings\[USERNAME]\Desktop\Stuff\Prince of Persia

1. Checkmark the following boxes :
   • Delete on Reboot
   • DelTree (includes Subdirectories)
2. Click the RED X button
3. Answer YES when asked to confirm file deletion
4. click YES when prompted to reboot.

[archon_113]

I'm trying to what you suggested, but the deltree option is unavailable for some reason. When I click the Delete File button without checking deltree, I get an error message saying 'PendingFileRenameOperations Registry Data has been removed by External Process!'

[sUBs]

C:\Documents and Settings\[USERNAME]\Desktop\Stuff\Prince of Persia

Is [USERNAME] really your username?

[archon_113]

Quote:

Originally Posted by sUBs

C:\Documents and Settings\[USERNAME]\Desktop\Stuff\Prince of Persia

Is [USERNAME] really your username?

No, but I typed my actual username when I was using KillBox.

[sUBs]

Please refer to the picture above.
Take note of the folder icon to the left of the Red X
Click on that & use it to browse to that folder's location.

Then select Delete-on-reboot & DelTree & clcik the Red X
You shouldnt get a PendingFileRenameOperations after that

[archon_113]

I've already tried what you described above, but the Deltree box remains greyed out after I select the file (like it is in your image.) Here's a screen capture of what happens after I locate the file:





I've also tried telling it to delete the file on reboot without checking Deltree, bu the file is still there after I restart the computer.

[sUBs]

From your screenshot, I can tell that you browsed to the file - MIR-POPT2T.mdf
That's not what I instructed you.
I asked you to browse to the folder on your Desktop - Prince of Persia
Deltree would not be grayed out if you did that.

[archon_113]

Sorry, I misread your previous post. I selected the Prince of Persia folder this time, selected Deltree and Delete on Reboot, but the folder, with the file inside, was still there after restarting.

[sUBs]

Okay.. let's get another tool for it.

Please downlaod & install - DeleteFXPFiles

Usage is easy. Run the tool & browse to the folder concerned.
Click the X button located in the right pane

[archon_113]

When I try to delete the folder with DeleteFXPFiles, I get an error message telling me that 'Recursive Folder Deletion is not available in the non-registered version of Delete FXP Files.'

If I try to delete just the file and not the folder on the next reboot, the same thing happens as before.

[sUBs]

I initially assumed that your problems weren't malware related. Thought it was simply a stubborn file that refused to be deleted. Let's do an online scan to get a better look

perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

I would aslo require a fresh HJT log

[archon_113]

I tried to run the Kaspersky virsu scanner, but after 2 hours it was still at 5%, seemingly stuck on the very file I'm trying to get rid of.

[sUBs]

Quote:

C:\Documents and Settings\[USERNAME]\Desktop\Stuff\Prince of Persia\Prince Of Persia The Two Thrones [DVD][Spanish_EN_GE_FR_IT][www-pctorrent.com]\MIR-POPT2T.mdf

Refering to the above file.
To use it, you have to mount it with Alchohol or some other emulator like Daemon.
Have you unmounted it yet?