Re: deleting undeletable files
From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 01/22/05
- Next message: RA: "Re: Where are the Jan 21st post for this newsgroup?"
- Previous message: Jupiter Jones [MVP]: "Re: License with Windows XP"
- In reply to: Sid9: "Re: deleting undeletable files"
- Next in thread: Kelly: "Re: deleting undeletable files"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 22 Jan 2005 21:20:28 +0200
On Fri, 21 Jan 2005 21:13:36 -0500, "Sid9" <sid9@bellsouth.net> wrote:
>I had an executable file that kept opening every time I deleted it from the
>Task Manager.
That can be due to a respawning problem. I saw one of those; a
commercial malware (ads thing, I think) that played the Tweedle-Dee,
Tweedle-Dum game. There was AdMilli, and AdMilliKeep in Task Manager;
close one, then when you close the second, the first pops up again.
Because you can't highlight multiple tasks and terminate them
atomically (in the native Task Manager, that is), it wasn't easy
killing this malware while it was running. Which is not a surprise,
really; it's just a case of the malware actually making use of the
opportunities that are available.
>I don't believe XP will let you delete an open file.
True. Even if the malware does nothing to defend itself, the fact
that the file is "in use" means the OS won't let you delete or rename
the file. Installers face this problem by setting up an item in the
next startup that will kill the file on next boot - but an active
malware can simply clear such entries before that boot.
Malware uses this "in use" thing as well, as one way to render tools
such as MSConfig and Regedit unavailable during any runtime during
which the malware is active. If it patches itself into the shell,
that's all normal and Safe Mode runtimes; if it pushes a little bit
harder, Safe Mode Command Only is affected too. As those are all the
OS modes available to the user, that's all runtimes it's grabbed.
>The malware program didn't start up in safe mode.
That's where you got lucky, as one still so often does.
>I was able to delete the executable.
>That stopped the continual startups of the malware.
>That then allowed me to get on with the cleanup
Yes.
>Anyway that's how I saw my problem and it worked.
>If I'm wrong, please tell me
You weren't wrong for that particular malware; it could have set
itself up to run in Safe, but mercifully didn't.
Presuming on the mercy of malware is not a good long-term OS
development strategy; this is why I call for both a stronger "Safe"
mode that really is safe...
http://cquirke.mvps.org/nomos.htm
...as well as a proper maintenance OS:
http://cquirke.mvps.org/whatmos.htm
Some folks have mis-interpreted this as a call for a completely
different OS for maintenance. That's one way of doing it, but I'd
prefer the same OS, just in a form that is able to operate formally -
i.e. that can boot with no references to the HD or without running
code there, and can then run without automatically picking up things
from the HD and putting them in its mouth.
Only if the current OS is too far gone - i.e. so hopelessly designed
that it's no longer possible to amputate risky bits that create
opportunities for malware to autorun - that one would *have* to create
a whole new OS for maintenance.
I don't like that because once you have two different code streams,
you may have exploitable differences between them, e.g. a file system
object that's valid when handled by one set of code but crashes the
other set of code, thus allowing one code set to be DoS'd.
So as I say; you aren't wrong, for the malware that you had. You'd
only be wrong if you extrapolated from this experience to assert that
*all* malware could be safely and effectively handled in this way.
That's not your problem, unless you are the vendor that designs and
codes the OS. If you are that vendor, and you make that assertion,
then it becomes a problem for *all* of us :-(
>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -
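The post above mentions that installers deal with "in use" files by queueing a deletion for the next boot, and that active malware can clear that entry before the reboot happens. The following is an added example (not from cquirke's post or any tool it references) that reads that queue so a defender can verify a scheduled deletion is still in place; it assumes the documented REG_MULTI_SZ layout of PendingFileRenameOperations (source/target pairs, empty target meaning delete, paths in \??\ form), and the file path in the usage comment is a hypothetical placeholder.

```powershell
# Added example: inspect the delete-on-reboot queue that installers use for "in use"
# files. Windows keeps it in the REG_MULTI_SZ value PendingFileRenameOperations as
# source/target pairs; an empty target means "delete". Paths carry a \??\ prefix.
function Get-PendingFileRenameOperation {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    $raw = $item.PendingFileRenameOperations
    if (-not $raw) { return @() }          # nothing queued

    $ops = @()
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $source = $raw[$i]
        $target = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] } else { '' }
        $op = if ([string]::IsNullOrEmpty($target)) { 'Delete' } else { 'Rename' }
        $ops += [pscustomobject]@{
            Source    = $source -replace '^\\\?\?\\', ''   # strip the \??\ NT prefix
            Target    = $target -replace '^\\\?\?\\', ''
            Operation = $op
        }
    }
    return $ops
}

# Returns $true if the given file is still queued for deletion at next boot.
# As the post notes, running malware can remove this entry, so re-check this
# right before restarting rather than assuming the earlier request survived.
function Test-PendingDelete {
    param([Parameter(Mandatory)][string]$Path)
    $full = [System.IO.Path]::GetFullPath($Path)
    $hit = Get-PendingFileRenameOperation | Where-Object {
        $_.Operation -eq 'Delete' -and $_.Source -ieq $full
    }
    return [bool]$hit
}

# Usage (hypothetical path, not from the post):
# Get-PendingFileRenameOperation | Format-Table -AutoSize
# Test-PendingDelete -Path 'C:\Windows\Temp\suspect.exe'
```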