Acmlm's Board - I3 Archive - Hardware / Software - Undeletable files

theclaw
Posted on 12-20-06 08:36 PM
It appears I have a bunch of files which show up in Windows Explorer, but the MFT doesn't contain their entries or something. A quick scan with RootkitRevealer shows them. I've attached the log for advice on removal. Simple as that!

Attachment: RootkitReveal.txt (115931b)

neotransotaku
Posted on 12-20-06 10:21 PM
Those look like shortcuts...which I guess are not really files...

||bass
Posted on 12-20-06 10:22 PM
I'm assuming this is Windows. Have you tried booting into safe mode command prompt and logging in as administrator and deleting them that way?

theclaw
Posted on 12-20-06 11:56 PM
Like one of them has the name SQLPRSE.DLL which contains invalid characters. I get "cannot read from the source file or disk" even though the file has been there for months. According to that log there is a similar file in the same directory named SQLPARSE.DLL that does not appear in the Windows Explorer.

Unfortunately RootkitRevealer mainly finds problems, it doesn't repair most itself. The weirdest one is at the very bottom. There's a CABIULRB. file which has no similar file elsewhere and as you can see its name is invalid since names can't end with a dot. It also says "cannot read from the source file or disk".

About the shortcuts... I was moving items around in the Start Menu. They appear and work correctly at their new locations, so that means Windows XP doesn't clean up changes to the file system 100%. I should also mention my hard drives are formatted NTFS.

Edit: My computer indeed does not allow dots on the end of file names. If I attempt to say, make a file called "Taxes.......", it will come out as "Taxes". This occurs whether or not there are dots elsewhere in the name. It also doesn't allow me to save or create a file whose name is nothing but dots.
(edited by theclaw on 12-22-06 04:07 AM)

FreeDOS +
Posted on 12-21-06 03:04 AM
neo: Shortcuts in Windows *are* files, a binary format actually. The unfortunate thing though, they're not nearly as useful as symlinks are (I've heard rumor that Windows Vista supports some form of symlink, anyone to give more information?).

theclaw: The last file doesn't have an invalid name (where the hell did you hear that dots can't be at the end?), and the colon is likely an alternate data stream (though, colons *are* valid in NTFS as well).

This seems odd though. See if you can make Ubcd4Win, boot it, and try to scan for viruses/malware there. Either that, or try to find the objectionable files from the live environment and possibly remove them.

niteice
Posted on 12-21-06 11:43 PM
Originally posted by FreeDOS +
neo: Shortcuts in Windows *are* files, a binary format actually. The unfortunate thing though, they're not nearly as useful as symlinks are (I've heard rumor that Windows Vista supports some form of symlink, anyone to give more information?).

NTFS has supported a form of symlinks (not quite in the Unix sense) for a while but there hasn't been an easy way to create one.

FreeDOS +
Posted on 12-22-06 12:16 AM
If you mean hardlinks, then yes it supports those, and you can use fsutil to make them. You could use symlinks from Interix, though the usefulness is lessened because only Interix apps can follow them.

HyperHacker
Posted on 12-22-06 08:55 PM
These results are quite inconsistent (some files visible but missing from MFT, others hidden from API), and why shortcuts like these would be faked or hidden is beyond me. Seems like either a very strange virus or some sort of disk corruption, possibly memory failure.
Originally posted by FreeDOS +
theclaw: The last file doesn't have an invalid name (where the hell did you hear that dots can't be at the end?)

Explorer enforces some arbitrary restrictions, such as not allowing a filename to begin or end with a period, even though other programs can create such files and it'll have no problems working with them.
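
Added example (not part of any poster's message): the trailing-dot behaviour discussed in this thread comes from Win32 path normalization, which a path prefixed with `\\?\` bypasses. This Python code reports why a name such as CABIULRB. is not addressable as written and builds the prefixed form; the function names and the directory in the sample path are constructed for the example.

```python
import re

PREFIX = '\\\\?\\'  # the four characters \\?\ : tells Win32 to skip path normalization
RESERVED = set('<>"/\\|?*')  # rejected by Win32 in a name (colon is handled separately)
DEVICE = re.compile(r'^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$', re.IGNORECASE)

def win32_name_issues(name):
    """Return the reasons the Win32 layer will not address this file name as written."""
    issues = []
    base, colon, stream = name.partition(':')
    if colon:
        issues.append('colon: %r is read as a stream name on %r' % (stream, base))
    trimmed = base.rstrip('. ')
    if trimmed != base:
        issues.append('trailing dots/spaces are stripped, leaving %r' % trimmed)
    if any(c in RESERVED or ord(c) < 32 for c in base):
        issues.append('reserved or control character')
    if DEVICE.match(trimmed):
        issues.append('reserved DOS device name')
    return issues

def literal_path(path):
    """Return the prefixed form of an absolute path so the name reaches NTFS unchanged."""
    if path.startswith(PREFIX):
        return path
    path = path.replace('/', '\\')  # prefixed paths do not accept forward slashes
    if path.startswith('\\\\') and not path.startswith('\\\\.\\'):
        return PREFIX + 'UNC\\' + path[2:]
    if not re.match(r'^[A-Za-z]:\\', path):
        raise ValueError('expected a drive-letter or UNC path')
    return PREFIX + path

if __name__ == '__main__':
    # File names are from the thread; the directory is constructed for the example.
    for name in ['SQLPARSE.DLL', 'CABIULRB.', 'Taxes.......', '....']:
        print(repr(name), win32_name_issues(name) or 'ok')
    print(literal_path('C:\\example\\CABIULRB.'))
```

On Windows, the string returned by `literal_path` can be passed to `os.remove` or to `del` at a command prompt to act on the file under its exact on-disk name.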