Unreadable file cannot be deleted

Discussion in 'malware problems & news' started by cgstrange, Sep 26, 2005.

Thread Status:
Not open for further replies.
  1. cgstrange

    cgstrange Registered Member

    Joined:
    Sep 26, 2005
    Posts:
    3
    Since early August my clean, very well maintained Win98 system has been held hostage by a baffling, powerful malware which has effectively disabled ALL of my most cherished (and crutial) system maintainance tools, both Windows-native and third-party, while at the same time "allowing" me complete use and control of of all my non-system related programs and files (word prossessors, HTML editors, graphic and audio editors and files, games, etc.). The affected files include such trusted on-board favorites as Microsoft's Scandisk, RegClean, Scanreg, and Defrag, as well as reknowned heavy-hitters like Adaware, AVG, Spybot, Easy Cleaner, JV16 Power Tools, Reg Supreme, What's On My Computer, fileAlert!, and Fred Langa's clean9x.bat. Since all programs dealing with this file have crashed, no helpful reference logs had been saved other than a vague 'Failed to open file' comment from Eraser 5.7, which subsequently froze. Even a TrendMicro Online Scan was stopped dead in its tracks by this pest. The invader also has remarkable control over the behavior of such system utilities as Find -- the engine quickly locates anything non-specific to the OS, but freezes solid if the search terms involve any system files or folders, or even the DATE the thing first made its appearance -- as well as the Properties Dialog Box from the context menu -- again turning my computer to stone (ONLY if a SYSTEM file's properties are requested).

    My system was in perfect health (I ran most of the above clean-up utilities on a DAILY basis). I do not have OE installed (nor any other mail client, for that matter, other than QM, a tiny send-only client configured to handle any send-to protocols), so no email has ever been downloaded to or opened in Explorer, nor have I installed any new programs lately, and I don't do any file sharing, etc., so there's really no telling where this malware originated. But there it sat one day following a particularly sluggish reboot: a FOLDER within the Windows\Temp folder mysteriously bearing a FILE-like name: 6230.tmp. I later found and deleted a suspicious IP address (213.159.117.202 -- HistHost Biz-Net RU) in my 'Trusted Sites' zone, though I'm not positive the two are related.

    Absolutely nothing has been able pry/trick this thing out of my system. I felt slightly encouraged when a utility I ran to back up my Windows long filenames performed without a hitch, but the subsequent running of XCLONE.EXE crashed miserably... a program can't copy what it can't read/write. Booting into DOS, I was absolutely amazed to watch the file thwart my every effort even in that simple environment: each of the commands - DEL, COPY, MOVE, DELTREE and REN - flowed along smoothly in typical DOS fashion until it reached that infernal ".tmp folder", whereupon DOS itself (YES, DOS!!) would freeze solid. Not even ctrl-alt-del could coax it back to life. Even the harmless DIR command paralyzed my machine at the point of C:\WINDOWS\TEMP\6230.tmp, so I still have no idea what's hiding in there. (Hell, in Windows just HOVERING the cursor over the folder in Explorer is enough to crash my machine!?)

    One day, on a hunch, I opened as many of my most resource-hungry apps as possible 'till my system resources dropped below 33% (ouch!), and, with the word 'crap' already copied to the Clipboard, I was able to "sneak up" on the folder, rename it, move it out of the TEMP folder, and hit a shut down/restart link all at once, before the bogged-down system had a chance to crash and forget the new settings. Yet, despite its new name and location (C:\WINDOWS\pest\crap\), I cannot delete or overwrite it (not even on startup or shutdown or in DOS mode), ergo I can't run any system utilities, scans, or defrag anymore. Get this: I can't even format the disk; everything simply freezes when it reaches that folder (0 KB, supposedly). I am no longer able to rename the 'mother directory', and as for 'Drag and Drop', well, don't make me laugh!!

    I have a few spare disks with which to start over, that's no problem. But I've become obsessed with this thing! I DO NOT want to see what's inside of it; I simply want it gone. Is there any utility or command that can blindly delete (eradicate) a file without trying to read it first? I need something that will suck this pest off my drive and out of my life forever. It's driving me crazy...

    Thanks to anyone who can help,
    cgstrange
     
  2. cgstrange

    cgstrange Registered Member

    Joined:
    Sep 26, 2005
    Posts:
    3
    Okay, I must confess I was not entirely honest when I stated:

    The truth is I would love to have a peek at the folder's mysterious contents (i.e. the file's name or perhaps even its properties). But scanning the folder has now crashed every conceivable major scanning engine, command, device and/or utility, so I doubt there is a way for any program to safely view the contents. It seems too dangerous.

    Meanwhile, a recent run of HijackThis revealed that the suspicious IP address (213.159.117.202) that I thought I had successfully removed from the Trusted Sites list is still there. There has to be a connection.

    I have NEVER added a site to the 'Trusted Sites Zone' list, but an unknown IP address -- 213.159.117.202 (belonging to HistHost Biz-Net RU, I think) -- planted itself there sometime last month and will not go away. After physically removing the suspect IP address via the Internet Options dialog box (Internet Options\Security\Trusted sites\Sites), the dialog panel insists that there are no sites left in that zone, yet HijackThis reports that it is still present (O15 - Trusted IP range: 213.159.117.202 (HKLM)) but is unable to delete/fix it.

    The LOCAL_MACHINE entry (HKLM\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1) is the only reference to that particular IP address that I could find in the registry:


    Name ~ ~ ~ ~ ~ ~ ~ ~ Data

    (Default) ~ ~ ~ ~ ~ ~ (value not set)

    * ~ ~ ~ ~ ~ ~ ~ ~ ~ 0x00000002 (2)

    :Range ~ ~ ~ ~ ~ ~ "213.159.117.202"


    (Sorry about the lousy column representation above, but you get the idea.)


    Though the simultaneous appearance of this "Trusted" address in the Zone list and the exasperating unreadable, undeletable .tmp folder/file(s) in my C:\WINDOWS directory (which is causing my sytem maintenance utilities so much grief) might conceivably be merely coincidental (yeah, right...!), I'm pretty sure the two are partners in crime. Since HijackThis couldn't fix the Trusted IP, and subsequently crashed when attempting to delete the .temp folder, I assume they need to be killed simultaneously, right? Perhaps I could create a .BAT file that will delete them both at bootup. Please advise how I should edit the 'Range1' key, or should I simply delete it?

    Thanks again,
    cgstrange
     
  3. Get

    Get Guest

    Maybe you haven't tried this , this (choose "delete on reboot) or this .
     
  4. cgstrange

    cgstrange Registered Member

    Joined:
    Sep 26, 2005
    Posts:
    3
    Hi Get!

    Yup, I've tried KillBox... It crashed within seconds.

    And, even though the WinXP-specific methods described by the The Elder Geek and the DelLater websites can be configured for use in my Win9X environment, they need to know the FILEname to delete, and thus far nothing has been able to read past the second folder (pest\crap\). So the name of the file remains unknown, thus rendering these methods useless in my situation.

    Also, dozens of previous attempts to delete at startup have failed. And, whether running from the boot, a DOS prompt, or a bootable floppy, the DEL, COPY, MOVE, DELTREE, ATTRIB and REN commands (to name a few) and any applicable switches have all failed and left the system frozen. Very peculiar.

    Thanks so much for trying, Get, I really appreciate it.

    The answer is out there,
    cgstrange
     
  5. Get

    Get Guest

    Too bad. Well I don't think it will be of much use, but here's another link just for the heck of it. Good luck.
     
  6. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    bring up task manager on the desktop with ctrl+alt+delete then stop explorer.exe next goto start then goto run type in explorer.exe and hit enter. basically what you just did was tell all them process running to exit and restarted a new plain jane explorer. next navigate to the folder where the .tmp file is and delete it. should work. then close all open windows and reboot computer. let us know how it goes.
     
  7. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hi cgstrange,

    Challenging proposition you've got there! I'm wondering if your inability to deal with that file has anything to do with a reserved word or name space hidden somewhere in the path, as described in this security patch ....

    xxxx://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4C6FD7E5-A66E-4A08-B782-2A64C77B95B6

    I've also read such a file may have been created by a program other than DOS, possibly on a POSIX subsystem.
    The following article (though not 98) should offer some ideas to help *fuel* your obsession, maybe ....

    xxxx://support.microsoft.com/default.aspx?scid=kb;en-us;120716

    Use this link below to see if there's any obsfucated information hiding in that IP address you mentioned or in the *source* of your browser,
    it may lead to a cloaked dll in the registry. More useful resources on the page ....

    xxxx://www.simplelogic.com/Developer/URLDecode.asp

    Please deal with the http's.

    BTW .... good link's Get.


    GF
     
    Last edited: Sep 28, 2005
Loading...
Thread Status:
Not open for further replies.