Deleting files that don't exist (bear with me...)

[DAS]

I was recently attacked by a virus that clearly enjoys pornography and bizarre sex games, and then enforcing that love upon your internet browser.

Now it's taken me about three days to get rid of that sodding trojan thing, and my PC is just about back to normal.

Apart from one thing:



There is a non-existant favourite in the favourites folder. It has 0 bytes or any file information but is just, well, there. When you try to delete it, it says "Cannot delete file: cannot read from the source file or disk."

Any ideas on how to get rid of this last reminder of a terrible sexual experience?

[Big Brother]

Oh my goodness tell me how you got rid of it. I think I've got some similar. Constantly changes my homepage. Always pops up windows. Opens new browser windows when your not doing anything on the PC. (Just out of the blue)

It doesn't show up on a virus scan. I've uninstalled all visable spyware. I've run spyware tools to get rid of it. Somehow it always re-appears, and normally twice as worse as before!

[DAS]

Well I'm saying I got rid of it with caution because there's no guarantee that it won't reappear.

I think I got more than one virus at the same time - Winshow, Iefeats, Bytesomethingorother. Sometimes they showed up, sometimes they didn't. Sometimes they would get deleted, sometimes they wouldn't. But they would ALWAYS reappear when I rebooted. Then I followed some instructions on a website involving CWS Shredder, Search and Destroy and Adaware (all of which hadn't worked before) and it seems to have worked for once.

Touch wood.

[Chris]

Have you tried deleting the file manually from the favourites folder?

I.e. - going to x:\documents and settings\yourusername\favourites and deleting the offending file there, where X represents the letter of the drive.

Alternatively you could try backing up the favourites folder minus the offending file, nuking the whole lot and restoring the contents of your favourites folder from the backup.

[Neil Jones]

Two things:

1) http://www.grisoft.com - free antivirus software. No excuses.

2) http://www.lavasoft.de - Adaware 6. Free. Download, install, update and scan and remove all spyware it finds. May cause some programs, especially Kazza, to stop working if you remove the spyware.

Adaware will probably be able to get rid of your stuck bookmarky type thing.

[DAS]

Have you tried deleting the file manually from the favourites folder?

I.e. - going to x:\documents and settings\yourusername\favourites and deleting the offending file there, where X represents the letter of the drive.

Alternatively you could try backing up the favourites folder minus the offending file, nuking the whole lot and restoring the contents of your favourites folder from the backup.

Thanks for that advice, but it's already been done. Manual deletion of the file in question comes up with the same message box saying "hang on mate, this isn't real". Deleting the folder also does the same thing because it won't allow deletion of that one bugger.

[DAS]

Two things:

1) http://www.grisoft.com - free antivirus software. No excuses.

Well indeed. That's just one of the virus scanners I'm using that keeps warning me about the virus, goes through the process of deleting the offending files - but the virus crops/cropped up again when the PC is rebooted. Hence why this is a particularly nasty virus.

2) http://www.lavasoft.de - Adaware 6. Free. Download, install, update and scan and remove all spyware it finds. May cause some programs, especially Kazza, to stop working if you remove the spyware.

As above - although I think that was the program that finally got rid of the virus on its sixth run or something. But sadly it won't get rid of the bookmark.

Thanks for the advice though, appreciated.

[Neil Jones]

Two things:

1) http://www.grisoft.com - free antivirus software. No excuses.

Well indeed. That's just one of the virus scanners I'm using that keeps warning me about the virus, goes through the process of deleting the offending files - but the virus crops/cropped up again when the PC is rebooted. Hence why this is a particularly nasty virus.

Fire up Msconfig (Start --> Run, type in msconfig and press enter). On startup tab, look for anything with some obscure name. If this "thing" returns after a reboot, it must be being loaded at startup and locking this unremovable bookmark, so Windows can't remove it as it's probably in use.

Decent proggies will at least have some ounce of familiarity to their startup names and paths when looking through msconfig. For example, AVG fires up avgcc32.exe but, assuming default folder installation, it's obvious where it is and what it's for (unless you deliberately like to be awkward ). Take note of anything that loads from Windows or Windows\System (or Windows\System32), especially if it's not an executable file.

You don't state your OS but from your brower buttons, I'm assuming XP? In which case expect to see "dumprep" in the startup list and, if Nero Express is installed, Nerocheck, from system32, to be loaded as well.

[DAS]

Thanks Neil.

I've had a look at the Startup thing, and they all appear to be legitimate. Apart from the glaringly obvious - and I mean GLARINGLY obvious - entry that reads as follows:

Startup Item: Free_Sex_Download
Command: C:\Free_Sex_Download.exe

Now the recurring problem I have here is that Free_Sex_Download.exe doesn't actually appear to exist!

In addition, I'm unsure about this one...

Startup Item: MSZTCE
Command: C:\WINDOWS\System32\MSZTCE.EXE

(I am running Windows XP by the way)

Back to the undeleteable "favourite", it's as though it's already been deleted but the icon has remained if you see what I mean. I sometimes do it with normal files if I'm trigger happy with the delete button - the Yes or No to delete box will appear more than once, and if you click both Yes es, the second will produce an error saying that it cannot be read from the source disk.

[Pete]

this is odd, DJGM hasn't been along and told you if you got Mozilla you wouldn't have all these problems, he's slipping up.

For future reference: Service Pack 2 - from what I've used of it - fixes a hell of a lot of problems like this in IE so hopefully annoyances like this will be a thing of the past.

[Chris]

I've had a look at the Startup thing, and they all appear to be legitimate. Apart from the glaringly obvious - and I mean GLARINGLY obvious - entry that reads as follows:

Startup Item: Free_Sex_Download
Command: C:\Free_Sex_Download.exe

Now the recurring problem I have here is that Free_Sex_Download.exe doesn't actually appear to exist!

In addition, I'm unsure about this one...

Startup Item: MSZTCE
Command: C:\WINDOWS\System32\MSZTCE.EXE

(I am running Windows XP by the way)

Doing a quick Google reveals that "MSZTCE.EXE" is part of a browser ad toolbar component. Have you had any new toolbars appear recently in your IE?

Also to nuke the rather embarassing entry off your startup list you will need to download this utility which is the much more uselful equivalent of MS Config - it allows you to rename and delete stuff rather than just disable it. Use of it should be self explanatory from the screenshot on the page.

Another thing, bring up task manager and kill the processes which appear to have suspicious names (e.g. free_sex_download.exe or MSTZCVD.exe). That should allow you to unlock the file and delete it. Do not go just killing random processes - you may end up crashing/rebooting your computer or exposing it to virusses and other undesirable items.