This is just the beginning of this discussion, feel free to expand:
First, if you have an in use EXE or DLL, even a virus, the unlock extension is "cfg." Go into folder options and select show file extensions. Then you will see the file extension. Once you do this try to rename a file like file.exe or file.dll to file.cfg. Then reboot. If you have a virus, and that is the reason you need to reboot, pull the power cord instead of rebooting. Yes, it is a dirty shutdown, but since NTFS5 from Windows 2000 days corruption of the file system is highly unlikely and usually worth the benefit of removing the virus. If you try to rename it and it doesn't allow you, you will need to use something like ERD Commander 2005, WinPE, or a Linux CD/DVD to boot to, to delete the file, UNLESS you are savvy enough to remove the reference in the registry or unregister the DLL via CMD prompt. Yes I say CMD prompt because there is a huge difference between CMD.exe from NT based computers and Command.com from Dos/WinME/98 boxes. Yes Command.com does come with NT based boxes as well, just not the other way around. The benefit of command.com is simple. Its extension is a .com instead of a .exe. What does this mean? Well, while not as robust, not as fast and not as nice to use, it has one benefit. Malware/viruses like AntiVirus 2008 through 2010 sometimes automatically kill any new EXE process. What this means is you click on something, it starts and the Malware kills it, so you can't open a CMD.exe prompt for that reason. Well, open command.com instead and get rid of the virus by doing start/run command.com. ALSO, as you will notice since the EXEs are closed, you won't be able to open Windows Explorer. Now, there is a distinct difference by double clicking "My Computer" as it is not affected by these processes, so you will be successful if you use My Computer instead. Now when it comes to rootkits, they essentially stop you from "seeing" files or registry entries by masking them at the kernel level. What to do if you don't want to take the drive out?
Well, if you have a network, share out the drive and map a drive to it from another computer. More than likely they didn't cover the network stack with their rootkit low level driver, so you can almost always see the virus from another computer. What to do? Use the virus scanner from the other computer to scan the mapped drive. If it can't delete it, you will at least have an idea of what is going on. Then try to unlock it with the .cfg method listed above, then cold power off by pulling the cord. The absolute best way is to remove the drive and put it in another machine so you can scan it, because there will be no file that you cannot delete normally, but that solution works as well.
Please make note that you should try numerous methods to delete a file that won't let you the first time. You will need to know the commands, but you can use CMD.exe or command.com to delete a file that Windows Explorer or My Computer will not delete, as they use different methods. If you find that a file cannot be deleted via these methods and you know it is not a virus, run CHKDSK on your computer on the volume that houses the file. So if the file resides on the C:\ drive and it's called file., yet won't delete correctly because it is zero bytes in size and has no valid extension, do a start/run cmd. Then type "chkdsk c: /f" without quotes and hit enter. If it is a system drive, it will say that the drive cannot be locked and will need to be rebooted to do this operation. Select yes when it asks and reboot. After it is booted back up you may be able to delete the file. If you are not able, and it is evident that it is not a virus, try moving the file to a folder with no spaces in its name like C:\Temp\file.. Then try to delete the whole folder. NOW, if you are able to move it, yet not delete it with the folder, then it is probably not a virus and it is probably a problem with the file itself. I have found a simple remedy to this, and there are others out there on the net, but this works 99% of the time. Use robocopy.exe, which is part of the free Resource Kit tools from Microsoft. You can download here:
http://www.microsoft.com/downloads/...69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
Once you have this, you will use the mirror switch to delete the 'undeletable' file. How do you do this? Move ONLY the file to a new folder like C:\Temp1. Then create another folder called C:\Temp2. Open a CMD prompt. Type the following:
robocopy temp2 temp1 /mir /r:0
Then hit enter. The procedures and program code for robocopy are much different than "del", "rd" and right clicking in Explorer. I think once you issue this command, the file will be gone.
As I mentioned, I am willing to expand on this discussion as needed, so feel free to ask or add.
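The whole robocopy procedure from the post (move only the stubborn file into a folder with no spaces in the path, mirror an empty folder over it, then confirm the file is actually gone), as an added cmd.exe script that is not from the original post. It assumes robocopy.exe is on the PATH (the Resource Kit download on XP, built in since Windows Vista), that C:\Temp1 and C:\Temp2 are free to use as scratch folders, and the script name rmmirror.cmd is made up.

```batch
@echo off
REM Added example, not from the original post: a cmd.exe script around the
REM robocopy /MIR trick described above. Assumes NT-based Windows with
REM robocopy.exe in PATH (Resource Kit download on XP, built in since Vista).
REM Usage: rmmirror.cmd C:\path\to\stubborn_file
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<file^>
    exit /b 1
)
if not exist "%~1" (
    echo File not found: %~1
    exit /b 1
)
REM Scratch folders without spaces in the path, as the post recommends.
set "DST=C:\Temp1"
set "SRC=C:\Temp2"
if not exist "%DST%" mkdir "%DST%"
if not exist "%SRC%" mkdir "%SRC%"
REM Move ONLY the stubborn file into Temp1, then verify the move worked.
move /y "%~1" "%DST%\" >nul
if not exist "%DST%\%~nx1" (
    echo Could not move the file; it may still be locked by a running process.
    exit /b 1
)
REM Mirror the empty Temp2 onto Temp1: /MIR purges anything in the
REM destination that is absent from the source, /R:0 disables retries.
robocopy "%SRC%" "%DST%" /MIR /R:0 /NJH /NJS
REM Robocopy exit codes are a bitmask; 8 and above mean something failed.
if %errorlevel% geq 8 echo robocopy reported failures ^(exit code %errorlevel%^)
REM Check the folder itself rather than trusting the exit code.
if exist "%DST%\%~nx1" (
    echo File still present: %DST%\%~nx1
    exit /b 1
)
echo Removed: %~nx1
rmdir "%DST%" 2>nul
rmdir "%SRC%" 2>nul
endlocal
exit /b 0
```

If the move itself fails, the file is still held open by a process, so the post's earlier steps (rename to .cfg and cold power off, or boot from WinPE or a Linux CD) apply before this script can help.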