an undeletable file?

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

Elite Baiter Joined: 02 Jul 2006 Posts: 1702

Heres one for the techies.

A friend running windows xp suspected a virus, so i said ok send me the drive and ill sort it out for you.

Drive arrives sure enough 2 stubburn files "access denied" so i think to myself - well a root user in linux a few seconds and them 2 files are historically dead - Not so - in root i got an "access denied"

Anyone know how to delete a file that even linux cannot?

The file isnt corrupt it sends the virus scanner crazy - its certainly new and in windows we cant even see the folder, in linux i can at least get near it.

Posted: Sat Jan 05, 2008 9:05 pm

Code:

format c:

Elite Baiter Joined: 02 Jul 2006 Posts: 1702

Cant format it, the data is unique and too valuable.

Chuck Norris Joined: 11 Jun 2007 Posts: 1369

But if the data is unique and valuable then it is backed up, yes?

Posted: Sat Jan 05, 2008 9:13 pm

http://www.theeldergeek.com/delete_undeletable_file.htm ????

Has to be worth a go.

Posted: Sat Jan 05, 2008 9:19 pm

@D1

I was joking.

However, data should never be unique.

Posted: Sat Jan 05, 2008 9:33 pm

I guess you tried 'safe mode' booting?

Try booting from a win98 cd or a dos disk - just enough os for IO but not enough for file protection.

Or Format C:\ (actually after any infection I suggest format c:\ every time - it's like a cheating spouse, sure maybe you'll go on together but the trust is completely blown...)

Elite Baiter Joined: 02 Jul 2006 Posts: 1702

@kd i know lol im just stressed .

Sadly im working on his backup - both are infected.

I thought to do it via linux hoping it wont make the infection worse, and so mounted the drive as an external

media:/sda1

Quote:

root@******* whoami
root
rm update.exe.mui
access denied.

So then i think to myself - must be corrupted or somethings broken the file itself so i check - nope the files intact

Scratching me head next ive tried manually via root to change all perms on the file to everyone, every action 777 - wide open ive managed to rename it to update5939.exe.mui but thats about it - it still refuses to move, especially to the trash can. It cant possibly run under linux, yet its managing to hold on tight.

Edit: im now moving the files to a larger drive in linux and going to redo the drive, give it a new partition and clear out the mbr and set it all go again should fix it (i hope)

Posted: Sat Jan 05, 2008 10:07 pm

I've seen files that couldn't be deleted because they used characters in the file name that weren't recognized by the OS during processing of the dir elements.

e.g. / | etc.

In the old DOS days we used to protect directories from some users by typing an ASCII 255 at the end of the directory name.

Elite Baiter Joined: 02 Jul 2006 Posts: 1702

Yea ive seen those, or when people name stuff like lpt1 lol,

ive double checked the attributes - its not showing as locked in linux, and the file can be opened etc - ive given up im going to copy whats good and not showing via fprot as infected - the first 2 do, and then re-partition it and format whats left.

Posted: Sat Jan 05, 2008 11:21 pm

I had a similar problem with a file once and was given this modality:

I managed to get the file on its own in a folder I didn't need. Then used

rd<space>/S<space>"\\?\C:\directory\folder"

where C:\directory\folder is the root folder that needs deleting

Worked like a charm in XP Pro - folder went and took file with it. Apparently it forces a delete. I can't remember whether I ran it in "run" or from a command prompt - I guess you could try run first.

The other thing you could try, if you have one, is to use a secure shredder on the file. There's plenty to download free (there's one as part of Spybot, for example, although I use simplefileshredder)

Posted: Sun Jan 06, 2008 4:35 am

Is the drive formatted with NTFS? Do you just mount it or do you use the NTFSProgs or NTFS-3g together with FUSE to access it?

If you just mount it, and thus use the kernel-driver, you won't be able to write on the drive. If you use either the NTFSProgs or NTFS-3g, you might want to try using the one you're currently not using.

I've experienced a couple of times that I couldn't delete a file in Windows, but never have seen a file resist Linux...

Posted: Sun Jan 06, 2008 11:05 am

I used to try overwriting the file with one of the same name - e.g.

Change undeletable filename to 'trash.txt'
Save a txt file into the same folder as 'trash.txt'
confirm that you want to overwrite it, then delete trash.txt.

Might work for you if you can do that through Linux or sommat.

Posted: Sun Jan 06, 2008 12:47 pm

This seems far too simple to be the cause, but it's all I can think of:
Is the device an NTFS volume, and if so, do you have the NTFS-3g filesystem driver installed? Otherwise, Linux won't be able to write changes (and therefore delete files) on the volume.

Edit: Damn, didn't read rootuser's post Razz

Elite Baiter Joined: 02 Jul 2006 Posts: 1702

Yup its definately using the right ntfs tools, it can edit write and delete all the other files on the mount only those 2 refused to budge.

In the end what i did was use linux to cut the 200+gigs onto a 3rd drive which it did, as it wouldnt move any infected files it was quite cool.

i then called in another mate to sort out the final bit, in years ive never seen a file that linux as root cant take ownership of and delete, ive had corrupt files broken ntfs the lot and linux has always sorted it, this time it wouldnt budge.

As a side note this issue is now solved had to flatten the drive (repartition it etc) but having a linux live cd is a good idea for everyone even if they only use windows - when things go wrong at least linux can get in deep and help move the other stuff. Also linux copies files faster than windows in windows im not sure ive never had to copy 200+ gigs before - but linux suse live 10.2 took 4 hours 8 minutes - dont think windows can do it that quick Wink

Posted: Sun Jan 06, 2008 6:19 pm

I've just experienced a similar problem with several txt files in a folder in winblows, access denied, copied the folder to a usb key using puppylinux, rebooted to winblows, an empty folder, back we go copied the files 1 by 1, rebooted tried to copy them into the necessary folder and overwrite, access denied, deleted the whole folder (in windows) then created the new one then they copied across fine.

Elite Baiter Joined: 02 Jul 2006 Posts: 1702

@mark linux normally can shift even the most stubborn files, or at least crush them to bits and reset them. The two on that drive simply refused to be moved, deleted (in windows you could not even see them and access to the folder is also denied)

As they were windows mui extension linux certainly would not have had them in use. That was me thinking as linux couldnt run them the virus couldnt continue on its course - that bit i got right but deletion proved a nightmare.

@miss behaving because of the access denied on the file in entirety rename could only be done by sheer brute force using linux I also used linux to kill the partition.

My best guess as to how it was done is in the disk something nasty got low level into the 512k and locked itself from there, thus linux was forced to see the same permissions windows did - because when i tried a simple reformat i got the same - access denied. So i just ran linux's best command -

Code:

fdisk /dev/sda1 << windows stole that lol
then the P to see the partitions then the D to delete em which is sda1 so we select 1 as thats correct and kaboom problem gone now its just a case of clicking n and then p and then 1 then let it do it default- you really want the primary partiton to begin at cylinder 63 then your asked where to end again just click return - linux will being at the start - cylinder 63 sector 1
next you need to know the filesystem code NTFS is listed if you press L as are others such as 83 for the standard linux ext2 system. but i chose windows one, anyhow then i just has to fsck it up (Thats not a swear word lol its a command to format it :twisted: )

A few notes if you follow that little tutorial above to use linux to partiton and format a drive - i didnt mention mkfs or any prep work that needs doing its accurate but incomplete so dont blindly follow that.