Can't delete file. Let the flaming begin!

[TimeCode]

Ok so I was working on a computer that had a few viruses on it and most came off easily. But then there was "msñonfig.exe"... It was supposedly located in c:\Program Files\Windows Media Player\msñonfig.exe

1. Avira crashed whenever I tried to quarantine it from within that PC.
2. File Assassin couldn't kill it.
3. Removed the HD and put it in my Windows 7 laptop. Where I couldn't see the file at all. (Yes, see hidden files was turned on)
4. Avira found it but couldn't delete it.
5. Avira tried unlocking it but failed.
6. Avira tried setting it to be deleted upon next reboot, that failed too.
7. Rebooted in Knoppix, couldn't find the file there either.

Please tell me what else I could do since I can't find this file to remove it. And if you feel the need to call me an idiot, I'll accept it, as long as the condescension is accompanied by a decent suggestion. Its sad that I like an idiot for admitting I have a problem and don't know everything.

 

[angry_geek]

@ idiot

That sounds nasty. You said you tried knoppix; did you try booting off of UBCD or Hiren to see if you can see the file in there? It sounds almost like the MFT may be acting silly. I would try running chkdsk /r to see if that fixes the issue. It's a long shot, but it may work. You could also try using TestDisk.

 

[TimeCode]

Thank you.

I tried running UBCD but it was taking WAY too long so I took it out and attached it to my laptop instead.

Chkdsk is a great idea that I didn't think of. Thanks!

 

[TimeCode]

Just curios, in Knoppix, did you do the whole mount with RW perms, and then ls -arl on the directory that is said to have the file in there?

Ummm, you're speaking greek. Or is that Geek? No, I didn't and wouldn't have known to do it. I'll try googling specific directions for that.

I don't think anyone will call you an idiot Tim, lol.

Are you sure? It must be because I have a huge post count.

 

[MHCG]

Perhaps try renaming its parent folder and rebooting the machine. Are you able to view the security/ownership attributes of the file?

 

[Methical]

@ACG

Get your daily dose of terminal? Feel better now?? lol

@TimeCode

Yeah, your not an idiot because you have a huge post count lol
Anyone else askin' that question with less than posts would of got flamed hard lol

It's weird that your boot CD didn't find the file; nor when you connected it to your laptop.

I would try ACG's suggestion; he seems quite profound in his Linux. He has a terminal addiction; and there is nothin' you can't do via terminal

Did you try 'UnLocker'? I'm sure its listed in our 'Repair Tools of the Week'. I've never had a problem with it, and never been able to not 'unlock' a process/application etc

 

[iptech]

Then rm -rf filename

Go easy with recursive deletes, I've seen whole systems wiped out. The process cannot be stopped once it's started. It will delete everything in that directory and below, including sub-directories. There's no recycle bin with Unix filesystems!

I would just use rm filename.ext

 

[eggy53]

Maybe you should try the Malwarebyte FileAssasin feature.

 

[PatrickB]

But then there was "msñonfig.exe"... It was supposedly located in c:\Program Files\Windows Media Player\msñonfig.exe

So if it is really located there, open a Cmd prompt and try renaming it to a name without the high ASCII character.

Rename ms*.exe msbad.exe

That should rename the file to msbad.exe and then you may be able to delete it normally.

-- Patrick B.

 

[purple_minion]

No problem. I can help ya.

Make sure your root.

then..

mkdir /mnt/somedir
chmod 777 /mnt/somedir


Then mount -t vfat /dev/hdaX /mnt/somedir(what ever the win32 drive is listed as in fdisk -l)

now as root you should have full RW permissions to that drive (or should) another way to do it would be to mount it with umask, like;

mount -t vfat -o umask=0 /dev/hdaX /mnt/somedir

Then you can dig down by doing cd / mnt/somedir/where_ever_the_file_is_located/

Then ls -arl (lists everything, hidden or not)

Then rm -rf filename

and bingo, you should be good to go.

Why are you mounting as fat? I'd go with ntfs-3g, unless I really missed something? I don't claim to be a linux guru.

 

[abe]

@ACG

WE do not appreciate so called "TECHS" coming on and giving code that can harm others computers, so go get training and you shouldn't be working on other peoples computers and...........

 

[purple_minion]

Wow.. good catch, I totally missed that, I was typing in an extreme hurry. Sorry about that Tim, substitute vfat for NTFS.

/me smacks self on head, don't type in a hurry.

I can't believe I did that, now everyone can call me stupid lol.

Geez, and here I thought tim was bad! A real loose cannon here folks. I also think you mean substitute ntfs for vfat

God I'm on a roll!

Time for bed for me before I look like a fool too.

 

[TimeCode]

Thanks for all the help. I can't get to the PC today, but I should be able to get there tomorrow morning.

 

[MM PC Solutions]

Kaspersky removal tool via safe mode, or Unlocker (as someone else mentioned).

Also, check it's not classified itself as a protected operating system file by unchecking within the view settings and then see if you can view it!

 

[usacvlr]

Erm.. I think you mean pizzas.

I Know ... I am going to back to delivering news papers...

 

[TimeCode]

Well, I booted into knoppix on the PC (last time I used knoppix from my laptop) and it couldn't mount the drive at all. So I decided to boot into Windows and do as MM PC Solutions suggested.

Also, check it's not classified itself as a protected operating system file by unchecking within the view settings and then see if you can view it!

That worked (I should have thought of it) then it was File Assassin FTW. Rebooted and did another scan of that folder to be certain that it hadn't repopulated itself there under another name. All clear!

Thanks to everyone for all the help!

**EDIT**
Shoot! I had intended to get a copy of it to send to Avira and tell them what was happening.