Wanted: tool to delete undeleteable files

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
What's the best program to use when you need to delete a locked file? You know the routine: you need to clean a virus or other nasty off a system, but you can't delete the exe/dll/etc file itself because Windows says it's in use, you can remove the reference to it via Hijackthis or Regedit, but the file is in memory and either recreates the registry entry or else locks it so that you can't edit/delete it. Safe mode is often your friend, but the really nasty ones even lock themselves in safe mode.

Under Win9x you can just boot off floppy and use XTree Gold or some other utility, but with 2K & XP and an NTFS boot partition you cannot boot off floppy, and booting off the XP install CD and buggerising about with this stuff is a big-time pain in the ... er ... elbow. Likewise plugging the drive into another machine and doing it from there.

I have a utility that works just fine, it's called MoveOnBoot but the silly bugger that wrote it made one big mistake: it needs the Windows Installer to install it! This means that you can't install it in safe mode!

An ideal utility for this task would not need installing at all and could simply be run from CD-ROM.

Anyone know of one?
 

Tea

Thank you Buck. Yes, some good stuff in that thread. Groltz provided a link to a thing called Unlocker, which wasn't quite what I was after, but the nice people at that site kindly provide a list of other programs in the same general sort of department. This is an excellent idea which I wish other people would do more readily: it's really helpful.

The one that looks just right to me is the very simple DelLater. I'll try it out when I get back to work in the morning.

Thanks for the hint, Buck!
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
Tea:
MoveOnBoot allows you to Move, Copy or Delete files before Windows can lock or alter the files. The changes are made to your hard drive before Windows starts (it requires a restart of your system after you give MoveOnBoot its instructions). There are no messy boot or DOS commands, just a simple 3-step process. For more information about how this tool can help you, see the Can't delete files tutorial.
As the name implies, the utility works on the next boot, at boot time. If it moves the file to a different place, whatever locks it shouldn't be able to find it, so it wouldn't be locked.

Am I stating the obvious and yet completely missing your point?
 

Tea

Now I'm confused. Stating the obvious? Um, yes, maybe. At least that's how it's supposed to work. Missing my point? I'm not sure about that. I wasn't making a point, just looking for a suitable utility. Seem to have found it now, though that will have to wait for proper testing.

Assume a virus or other nasty which I can't get rid of in the ordinary ways. Essentially I don't care which of three possible things happen:

* Delete the file. (Then it can't hurt me because it doesn't exist.)
* Delete the registry entry that loads the file. (Then it can't hurt me because it isn't getting loaded when I restart.)
* Move or rename the file. (Then it can't hurt me because the registry entry can't find the file.)

Any one of those three is pretty much as good as any other, isn't it? Once you can boot with the nasty no longer active in memory, you can delete, repair, inoculate, whatever is required.
 

mubs

Tea said:
Now I'm confused.

<snip>

Assume a virus or other nasty which I can't get rid of in the ordinary ways. Essentially I don't care which of three possible things happen:

* Delete the file. (Then it can't hurt me because it doesn't exist.)
* Delete the registry entry that loads the file. (Then it can't hurt me because it isn't getting loaded when I restart.)
* Move or rename the file. (Then it can't hurt me because the registry entry can't find the file.)

So am I!

MoveOnBoot does #3, does it not? In normal Windows mode, use MoveOnBoot to mark the bad file. Reboot, and before Windows "starts", MoveOnBoot moves the marked file so the bad file can't cause any trouble. At this point, since the file is not in use, it should be possible to delete it.

At least that's my understanding of how the utility is supposed to work. Maybe it actually doesn't work that way?
 

i

Wannabe Storage Freak
Joined
Feb 10, 2002
Messages
1,080
RE: Tea's multiple, "then it can't hurt me," quotes

I came across one spyware package that acted as a shim, of sorts. I can't remember many details now because it was a one-time thing and more than a year ago. Using a randomly generated string, it renamed a critical system file that's necessary to allow a user to log on, and then named itself as that critical system file. Consequently, when the user entered their credentials and hit "OK", Windows would diligently pass things off to the spyware application, instead of the critical system file. The spyware then launched the original, now-renamed critical system file hidden somewhere on the system. To the user, the log-on process seemed perfectly normal. They had no idea they were launching -- and likely passing their credentials to -- a spyware application every time they logged on.

Delete the spyware file? Kiss your ability to log on to the system goodbye. Kill the registry entry that activates the spyware file? Kiss your ability to log on to the system goodbye. You would need to find the original system file -- located somewhere on the system, and with some randomly generated name -- to shore-up either approach.

But it became even harder than that, as the spyware was active as soon as someone logged on, and was "watching" what files and registry entries were being manipulated.

I wound up telling the person to reinstall XP.

Windows is a piece of garbage.
 

i

I read somewhere that if you use the "at" command to start a shell in an interactive mode, the resulting shell will have "system" level privileges or some such thing, and you'll be more able to kill things at will from within that command line shell.

I have no idea if that's true. I don't touch Windows any more than I absolutely have to these days.
 

Tea

As mentioned above, MoveOnBoot can move or delete. It did what I needed last night anyway - i.e., remove a nasty set of viruses on a customer's machine that I couldn't touch any other way. The tricky bit was getting it to install, as you had to boot in normal mode and even after extensive work with HijackThis, Ad-Aware, Spybot, Regedit, SpywareBlaster, Housecall, and TMIS it was still riddled with nasties. Not to mention pop-up "you have a virus" warnings from TMIS that were almost as bad as the viruses themselves. This was one seriously infected machine.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,302
Location
I am omnipresent
Er, why not just boot up in Safe Mode (Command Prompt) and do it?
SMCP let me do funny things like move \Documents and Settings off the C: drive. I imagine it'll let you kill whatever other file you happen to want dead.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
Some virus/malware apps still load, even in safe mode, Merc. Not too many, but when you strike one, it's a real bastard to get rid of. Tea tried the SMCP on the machine that was giving her trouble the other day: no dice. But a couple of the utilities mentioned above did the trick. (Used two or three different ones, haven't decided which is the best of them yet.)
 

Tannin

Just to update: we have been using MoveOnBoot now and again since whenever Tea started this thread and while it's not perfect (you seem to need to delete bad apps one at a time, with a reboot in-between) it's simple and practical and very powerful. There might be an even more useful tool out there, but MoveOnBoot is all the tool I need. Recommended.
 

Sol

Storage is cool
Joined
Feb 10, 2002
Messages
960
Location
Cardiff (Wales)
Possibly irrelevant so long after the last post but killbox seems a fairly handy app for these situations. It can delete stuff on next boot or try a couple of other tricks to get rid of files right away. It can also kill some processes which task-manager will have trouble with (presumably by starting with debug privileges or something).
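
What "delete on next boot" looks like on disk, as an added example that is not part of the thread or of any tool named in it: Windows records boot-time moves requested through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and this Python decodes a raw export of that value so you can confirm what is queued before rebooting. That MoveOnBoot, DelLater or killbox rely on this mechanism is an assumption; the sample bytes, file names and function names are constructed.

```python
"""Decode a raw PendingFileRenameOperations value (REG_MULTI_SZ, UTF-16LE)."""
from typing import List, NamedTuple

NT_PREFIX = "\\??\\"  # NT object-namespace prefix Windows stores before each path


class PendingOp(NamedTuple):
    action: str    # "delete" or "move"
    source: str
    target: str    # "" for a delete
    replace: bool  # True when the target was stored with a leading "!"


def _strip(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(raw: bytes) -> List[PendingOp]:
    """Entries are (source, target) string pairs; an empty target means delete."""
    if len(raw) % 2:
        raise ValueError("not UTF-16LE: odd byte count")
    strings = raw.decode("utf-16-le").split("\0")
    ops = []
    for i in range(0, len(strings) - 1, 2):
        source, target = strings[i], strings[i + 1]
        if not source:  # list terminator reached
            break
        replace = target.startswith("!")
        if replace:
            target = target[1:]
        ops.append(PendingOp("move" if target else "delete",
                             _strip(source), _strip(target), replace))
    return ops


def flag_unexpected(ops, expected_sources):
    """Return queued operations whose source the operator did not queue."""
    wanted = {p.lower() for p in expected_sources}
    return [op for op in ops if op.source.lower() not in wanted]


# Constructed sample value: one delete, one move-with-replace, then terminator.
SAMPLE = (
    "\\??\\C:\\WINDOWS\\system32\\nasty.dll\0\0"
    "\\??\\C:\\WINDOWS\\Temp\\upd.tmp\0!\\??\\C:\\WINDOWS\\system32\\drivers\\etc\\hosts\0"
    "\0"
).encode("utf-16-le")

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE):
        print(op)
```

Anything `flag_unexpected` returns was queued by something other than you, which on an infected machine is worth checking before the reboot carries it out.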
 