
Deleting a folder that it says isn't there but is?

Discussion in 'Windows 7' started by machv, Apr 30, 2010.

Thread Status:
Not open for further replies.
  1. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    349
    i had a hacker so i reinstalled my OS. win7 created a folder called windows.old. after installing from scratch a folder called nexon was created i used to have a nexon game. also a folder that among other things had nircmd utility in it. i deleted folders nexon, windows.old, and folder that contained nircmd. as i did not want hacker to come back. i have nircmd folder in recycle bin can i get rid of it? i get conflicting research regarding this nircmd thing. Also windows.old was deleted completely except for a few folders and files basically folder path leading from c: to securerom and two files called ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ and ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ i can't read them they have no extension and notepad doesn't open it either it just does nothing. when i try to delete the windows.old folder i am told that it does not exist. i tried to encrypt the thing which i thought would stop any hacker access to whatever it does that didn't work but now the folder is in green text and all folders contained in it except files that are still black text. how can i get rid of them? I also tried using cmd.exe as administrator and tried del and del /f to no avail. what can i do?
     
  2. BillVB

    BillVB

    Joined:
    Apr 30, 2010
    Messages:
    37
    Try doing the same thing on CMD, but try these extensions:
    del /f /q

    Alternatively, try deleting the folder with a 3rd-party shredder.
     
  3. antech

    antech Banned

    Joined:
    Feb 23, 2010
    Messages:
    1,427
  4. BillVB

    BillVB

    Joined:
    Apr 30, 2010
    Messages:
    37
    The files themselves do appear to be the remains of some kind of malicious activity or a temp file. As antech said above, Unlocker should be able to do the trick, and the above link also.

    Otherwise, try scanning it with your AV; if there is any dodginess then it should pick it up.
     
  5. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    349
    i just tried a couple shredders to no avail they either crash from trying to delete it or can't do it either way i can't get rid of them
     
  6. antech

    antech Banned

    Joined:
    Feb 23, 2010
    Messages:
    1,427
    Have you tried the link provided by me?
     
  7. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    349
    no i'll give them a shot and get back to you.
     
  8. aka Brett

    aka Brett Banned

    Joined:
    Nov 25, 2008
    Messages:
    16,918
    If one has had an infection etc., they need to reformat...being you have a windows old folder you merely put on another copy of Windows.
    I would start over and format the drive then install windows.
     
  9. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    349
    ok. this sucks
     
  10. antech

    antech Banned

    Joined:
    Feb 23, 2010
    Messages:
    1,427
    What sucks?
     
  11. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    349
    that is what sucks. that i have to reinstall everything. I did just that yesterday and made sure to format the drive before the install.

    I never did manage to remove that folder and files. i tried everything that was suggested to no avail. On another note. I noticed that the nmap tcp scans and fin scans i was getting numerous times a day have stopped since this install. they were still happening last install. but i have just started seeing something else happening this address 89.241.78.17 has tried to send a possible fragmentation attack by sending a suspiciously small fragment.
    this is what http://www.whois.domaintools.com has to say about them.

    inetnum: 89.241.0.0 - 89.243.255.255
    netname: OPAL-DSL
    descr: Opal Telecom DSL
    country: GB
    admin-c: PM58-RIPE
    admin-c: GD1052-RIPE
    tech-c: PM58-RIPE
    tech-c: GD1052-RIPE
    status: ASSIGNED PA
    mnt-by: OPAL-MNT
    source: RIPE # Filtered

    person: Phill Magill
    address: Opal Telecommunications Plc
    address: Northbank Industrial Estate
    address: Irlam
    address: Manchester
    address: M44 5BL
    address: United Kingdom
    phone: +44 161 222-2000
    fax-no: +44 161 222-2008
     
  12. Pookie

    Pookie

    Joined:
    Dec 31, 2004
    Messages:
    198
    Boot up to your Windows CD, choose repair, go to recovery console, then when in recovery console use the attrib command to remove the flags if needed: -a is archive, -s is system, -r is read only, -h is hidden. Once it is unhidden and deletable, delete your file or folder that is not shown in normal mode. When done, exit recovery console and boot normally. Short tutorial on attrib: -r removes the read-only flag and +r adds it; same with all the other flags, + adds it and - removes it.
    Best of luck.
     
  13. jiml8

    jiml8 Guest

    Joined:
    Jul 2, 2005
    Messages:
    2,634
    I guess at this point I am not clear about whether you did manage to eliminate the files through a reformat and reload, or whether you are still wrestling with it.

    Regardless, there is a way which positively will work when every Windows method fails.

    Obtain a Linux Live CD and boot with it. A Linux Live CD is a complete Linux distribution on a CD or DVD, that is bootable. It will run completely off of the CD and out of RAM, and won't touch your hard disk.

    After booting into Linux, use any of the many available Linux tools to delete the files off of your Windows drive. It won't fail because Windows won't be running and any mechanisms employed to prevent Windows from changing or removing the files will be totally bypassed.

    As for the fact that you are again seeing evidence of external attacks, you need to make sure your system is secured. A software firewall installed and running on your system is a BIG help, but the hands-down best way to do it is to set up a router between your Windows machine and the internet.

    Personally, I believe that NO Windows computer should be allowed on the internet without a keeper, and a router is the best form of keeper. You can purchase one in any electronics or computer store and in many department stores, starting at about USD 30.
     
  14. antech

    antech Banned

    Joined:
    Feb 23, 2010
    Messages:
    1,427
    Follow the below Instructions Carefully:

    1. Download Hijack this from the link.

    (Choose the installer of HJT—Hijack This)

    2. Run a Scan.

    DO NOT FIX ANYTHING BY YOURSELF.

    (Doing so when NOT Instructed Might cause Unwanted System Instability, BSOD's and Even Render your System Unusable)

    3. Save a Log file (On your Desktop)

    4. Copy and Paste all the contents.

    5. Paste them in the Reply Window.

    I am NOT an Authorized Malware Remover.

    The Log is requested by me only for Optimization Purposes, troubleshooting and removing applications that are causing various problems such as Crashing, BSOD’s and Freezing and helping the poster remove any incompatible application/program and driver.

    I will therefore NOT help if anything related to Malware is found in your log.

    The thread will then be moved to the Malware Removal Forums for expert assistance.
     
  15. machv

    machv Thread Starter

    Joined:
    May 23, 2009
    Messages:
    349
    here is the hijack log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:37:30 AM, on 5/4/2010
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Shaw Secure\Common\FSM32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\shaw\bin\shawsupport.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\siuloader.exe /notify
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - Global Startup: Shaw Support.lnk = C:\Program Files\shaw\bin\shawsupport.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

    --
    End of file - 6067 bytes
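
An added example, not part of the original posts and not HijackThis's own code: a short Python triage pass over a log like the one posted above. It groups entries by section code and lists the ones carrying HijackThis's own unresolved markers ("(no file)", "(no name)", "Unknown owner", "Unknown file") for manual review; a marker is a prompt to look, not a verdict. The sample lines are a subset copied from the posted log, and the function and constant names are this example's own.

```python
import re
from collections import defaultdict

# HijackThis section codes; only the ones that occur in the log above.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "Autostart entry", "O8": "IE context-menu item",
    "O9": "IE button/menu item", "O10": "Winsock LSP",
    "O23": "Service",
}
# Annotations HijackThis itself prints when it cannot resolve an entry.
MARKERS = ("(no file)", "(no name)", "Unknown owner", "Unknown file")
ENTRY = re.compile(r"^\s*([RO]\d{1,2}) - (.+?)\s*$")

# Lines copied from the log posted above (a subset, for illustration).
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

def parse(log):
    """Return (code, body) for every R*/O* entry; headers and process list are skipped."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def triage(log):
    """Group entries by section and list the ones that carry a HijackThis marker."""
    by_section, review, seen = defaultdict(list), [], set()
    for code, body in parse(log):
        by_section[code].append(body)
        hits = [mk for mk in MARKERS if mk in body]
        if hits and (code, body) not in seen:   # report duplicated lines once
            seen.add((code, body))
            review.append((code, SECTIONS.get(code, "unknown section"), hits, body))
    return dict(by_section), review

if __name__ == "__main__":
    sections, review = triage(SAMPLE)
    for code, label, hits, body in review:
        print(f"[review] {code} ({label}): {', '.join(hits)}\n         {body}")
```
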
     

Short URL to this thread: https://techguy.org/920308