1

Topic: Not deleted file

Good afternoon! I have ended up with a file that I cannot delete. The permissions on it are Full Access. Just in case, I removed all permissions on it and gave myself Full Access and nobody else anything. Unlocker says it cannot find a locking handle. LockHunter (http://lockhunter.com/downloadnow.htm) says the same: the file is not locked. And yet I cannot delete it: Access Denied. Here is what Process Monitor shows when I try to delete it from FAR. FAR is, of course, run with administrator rights. What could this mean? I don't like this file. It has an MZ header, which makes me wonder whether I have picked up a virus.

2

Re: Not deleted file

Hello, Pavel Dvorkin, you wrote:

PD> I have ended up with a file that I cannot delete.

Run a disk check. Try deleting it from safe mode. It could be a virus; you can scan with an antivirus Live CD/USB (available on the Kaspersky, ESET and Dr.Web sites).

3

Re: Not deleted file

Hello, Pavel Dvorkin, you wrote:

PD> I don't like this file. It has an MZ header, which makes me wonder whether I have picked up a virus.

You can upload it here: https://virustotal.com/

4

Re: Not deleted file

Hello, Pavel Dvorkin, you wrote:

PD> I have ended up with a file that I cannot delete.

Two suggestions:
1. Reboot into safe mode and try to delete it.
2. MoveFileEx(szDstFile, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

5

Re: Not deleted file

Hello, VladFein, you wrote:

VF> 1. Reboot into safe mode and try to delete it.
VF> 2. MoveFileEx(szDstFile, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);

Thanks for the ideas. The first, alas, doesn't work yet: I am working over RDP. The second, I think, works; in fact that is exactly what Unlocker offers to do. But I am not so much interested in the file as in what it means. The file is not locked, the rights are there, and still it cannot be deleted. What is it?

6

Re: Not deleted file

I searched the registry for the folder name (GUID) and found this in PendingFileRenameOperations:

\??\C:\Users\dvorkin\AppData\Local\Temp\784F.tmp
\??\C:\Program Files (x86)\Google\Chrome
\Device\HarddiskVolume3\Users\dvorkin\AppData\Local\Temp\236F7CD06.sys
\??\C:\Users\dvorkin\AppData\Local\Temp\DEL3CAD.tmp
\??\C:\Users\dvorkin\AppData\Local\Temp\DEL3CBD.tmp
\??\C:\Users\dvorkin\AppData\Local\Temp\DEL3CCE.tmp
\??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\0NRlaJJDui
\??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\1gRWdOrr0GxEN
\??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\1p5n9V5EszfnrF1
\??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\235a32338.sys.4b3d5a
\??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\2Uq5EOgv32
\??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\3ca2shyi2Ui3aCh
\??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\4J4883T5Znhk4u
\??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\6zIibcz7yEkKmFg
\??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\7eQXEHXjPi2H
\??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\9KM71ev6Z2zTMQ

and some tens more of the same lines.

And then I found this under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Doctor Web\Dr. Web Engine:

EventMessageFile C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\X9f4STf2bD5ho.exe

It seems to be the doing of DrWeb CureIt, which I ran. Though it is still not entirely clear.

7

Re: Not deleted file

Hello, Evgeny Panasyuk, you wrote:

EP> You can upload it here: https://virustotal.com/

Yes, thanks, I checked. Clean.

8

Re: Not deleted file

Hello, Pavel Dvorkin, you wrote:

PD> Unlocker says it cannot find a locking handle.

And what does Process Hacker say?

9

Re: Not deleted file

Hello, Pavel Dvorkin, you wrote:

PD> It seems to be the doing of DrWeb CureIt, which I ran. Though it is still not entirely clear.

It loads a driver, temporarily. Probably that's it.

10

Re: Not deleted file

Hello, Vain, you wrote:

V> And what does Process Hacker say?

Didn't try.

11

Re: Not deleted file

PD> \??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\0NRlaJJDui
PD> \??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\1gRWdOrr0GxEN
PD> \??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\1p5n9V5EszfnrF1
PD> \??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\235a32338.sys.4b3d5a

Whose signature is on this file?

PD> \??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\2Uq5EOgv32
PD> \??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\3ca2shyi2Ui3aCh
PD> \??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\4J4883T5Znhk4u
PD> \??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\6zIibcz7yEkKmFg
PD> \??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\7eQXEHXjPi2H
PD> \??\C:\Users\dvorkin\AppData\Local\Temp\5A5B1556-3F9D380-474EFCDD-FED2EEE3\9KM71ev6Z2zTMQ
PD> and some tens more of the same lines

Somewhat sketchy. A sane vendor would not start loading a driver from Temp. Post a few of them (I suppose they are right here) and the driver; when there is time I'll look in IDA at what it resembles.
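The PendingFileRenameOperations dump in post 6 and the "whose signature" question in post 11 can both be answered from one script; the PowerShell below is an added example, not code from any participant in the thread, that parses the value as the source/destination pairs the registry stores and reports the Authenticode signer of any driver or executable still on disk. It assumes the value lives under CurrentControlSet\Control\Session Manager, as on a standard Windows install.

```powershell
# Added example (not from the thread): enumerate PendingFileRenameOperations
# and check the Authenticode signature of any .sys/.exe/.dll source that still exists.
function Get-PendingFileOperations {
    # Assumed location: the live control set rather than ControlSet001 as in post 6.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -LiteralPath $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if (-not $prop) { return }   # nothing scheduled for the next boot

    # REG_MULTI_SZ entries come in pairs: source, destination. An empty destination
    # means "delete source at next boot" (what MOVEFILE_DELAY_UNTIL_REBOOT with a
    # NULL target records). The \??\ prefix is the NT object-manager path form.
    $entries = @($prop.PendingFileRenameOperations)
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $src = $entries[$i]
        $dst = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }
        $win32Src = $src -replace '^\\\?\?\\', ''   # strip \??\ to get a Win32 path

        $status = 'n/a'; $signer = ''
        # \Device\HarddiskVolumeN\... entries are not usable as Win32 paths;
        # they are reported but the signature check is skipped for them.
        if ($win32Src -notmatch '^\\Device\\' -and
            $win32Src -match '\.(sys|exe|dll)$' -and
            (Test-Path -LiteralPath $win32Src)) {
            $sig    = Get-AuthenticodeSignature -FilePath $win32Src
            $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, ...
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }

        [pscustomobject]@{
            Operation   = if ([string]::IsNullOrEmpty($dst)) { 'Delete' } else { 'Rename' }
            Source      = $win32Src
            Destination = $dst -replace '^\\\?\?\\', ''
            SigStatus   = $status
            Signer      = $signer
        }
    }
}

Get-PendingFileOperations | Format-Table -AutoSize
```

A temporary driver dropped by a scanner such as CureIt should show a valid signature from that vendor; an unsigned or mismatched driver in Temp is the case worth escalating.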

12

Re: Not deleted file

Hello, ononim, you wrote:

O> Somewhat sketchy. A sane vendor would not start loading a driver from Temp.

And launching an EXE from Temp? That is what we have now. VirusTotal gives 0/56 on it: https://social.technet.microsoft.com/Fo … ows7ru

O> Post a few of them (I suppose they are right here) and the driver; when there is time I'll look in IDA at what it resembles.

Alas, they are no longer there. CureIt deleted them.