Cannot delete a file

Discussion in 'adware, spyware & hijack cleaning' started by jastec, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. jastec

    jastec Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    10
    Hello, I performed the following from a previous post and am now unable to delete the file "go away.reg" I created. "Unable to delete, there has been a sharing violation" is what I get when a delete is attempted. I copied the following.


    These will remove the startup for the file which is putting this back in place.

    Windows 2000 and XP

    Copy the contents of the Quote Box to Notepad. Name the file go away.reg
    Save as all files.
    Double click on go away.reg to enter into the registry.

    Quote:
    ***
    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA 23B61E40F}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{3F143C3A-1457-6CCA-03A7-7AA 23B61E40F}"=-



    Restart the Computer
    Once back in Windows.
    Delete these two files from system32.
    mtwirl32.dll and mtwcnl32.dll

    Can anyone help please
     
  2. jastec

    jastec Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    10
    how do I delete a .reg file

    I have created a .reg file from notepad and put it on my desktop. I now cannot delete it. When I try I get the prompt" Cannot delete There has been a sharing violation. The source or destination file may be in use.

    Can someone please help.
    Thanks
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: how do I delete a .reg file

    Hi jastec,

    I am not sure if I can help, but more information would definitely help to know what happened. What kind of .reg file did you create, and did you merge it to the registry?

    Also, if this is an XP computer, are you logged in as Administrator?

    Regards,

    snap


    I just noticed the other post you made and merged it with this since it gives more information
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Now that we have a little more information, did you reboot your computer?

    Do you remember the link you got those instructions from?

    ok, I found the link where you got the instructions. It's for the smartsearch removal: https://www.wilderssecurity.com/showthread.php?t=19769

    Humm...maybe you better post a hijackthis log here in this thread so we can have a look.

    Regards,

    snap
     
    Last edited: Jun 27, 2004
  5. jastec

    jastec Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    10
    thanks snap, that was mighty quick. I'm using win 2000. Heres my highjackthis scan result
    Logfile of HijackThis v1.97.7
    Scan saved at 9:05:35 PM, on 27/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\Keyboard\Ikeymain.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jas.JASCO-QJA8MEQC7\Desktop\HijackThis.exe

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
    O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{71127C7F-F10B-4D16-BEAA-1AC844DF9343}: NameServer = 203.194.27.57 203.194.56.150
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi jastec,

    I am not seeing anything bad in your log.

    Can you tell me the steps you took when following the instructions in the link?
    Did the reg file merge ok, and were you able to delete the mtwirl32.dll and mtwcnl32.dll files in the C:\WINNT\System32 folder? Reboot, etc.,?

    Did you run CWShredder at all?

    If the .reg file merged ok, you should be able to right-click on it and delete it, but I'm not sure why you are getting an access violation error. *correction, you were getting a sharing violation error.

    I may have to ask one of our Experts to look at your thread, so the more information you can give us, the better.

    Regards,

    snap
     
  7. jastec

    jastec Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    10
    Hi Snap, mtwirl32.dll and mtwcnl32.dll files were not present. The registery keys that were part of the file "Go away.reg" did not go into the registery. I also ran cw shredder. In Highjack this i removed 2 items from line 02 and 018 that were said to be part of the oribinal problem of smartseach browser highjack. Everything on the system is back to normal including int explorer. I also run and update ad-aware 6.0 build 181 often. I dont think the file is actually doing anything but I just cannot delete it from the desktop after many re-starts. Do you think I should just leave it there?

    Thanks
    Jastec
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  9. jastec

    jastec Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    10
    Hi Pieter_Arntz, I get the same message. "Cannot rename go away:There has been a sharing violation. The source or destination file may be in use."
    I'll try that link now.

    Thanks all
     
  10. jastec

    jastec Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    10
    Still no good. I downloaded Process Explorer and it finds the file attached or handled to explorer.exe. After cancelling all exixtances of the file I still cannot delete it.Following are the steps that led me to this problem



    Windows 2000 and XP

    Copy the contents of the Quote Box to Notepad. Name the file go away.reg
    Save as all files.
    Double click on go away.reg to enter into the registry.

    Quote:
    ***
    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA 23B61E40F}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{3F143C3A-1457-6CCA-03A7-7AA 23B61E40F}"=-



    Restart the Computer
    Once back in Windows.
    Delete these two files from system32.
    mtwirl32.dll and mtwcnl32.dll


    Any Ideas anyone?
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  12. jastec

    jastec Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    10
    That worked a treat. Thankyou all so much. There is a wealth of knowledge here. :) Do I have to close this now? Not sure how to use this yet
     
Thread Status:
Not open for further replies.