Saturday, February 9, 2008

Deleting Virus Files That Are in Use by Windows

Sometimes it is necessary to delete a file that refuses to be deleted. Frequently this happens on a virus-infected computer where the resident antivirus software is unable to remove the infected files because a running process still has them open.

This page is aimed primarily at manual removal of virus-infected files that resist deletion. Whether you want to delete stubborn files for that reason or another, the following approach is recommended and should prove helpful. In following these tips, please understand that stubborn file deletion is often as much art as science. To some extent you have to develop your own technique, and in the case of deeply-rooted infections it will probably involve some going back and forth, because a component you have not yet removed may recreate files you have already deleted.

PRELIMINARIES


  1. Print out, or otherwise have at hand, the list of infected files to delete.

  2. Be sure that Windows is set to show hidden and system files and folders. In Windows Explorer or My Computer, at Tools | Folder Options | View, set Hidden files and folders to “Show hidden files and folders,” and uncheck “Hide protected operating system files.” Infected files are frequently given the Hidden or System attribute precisely so that they do not appear in a default listing.

  3. Download HijackThis, IBProcMan, Advanced Process Manipulation, and Killbox. Have these at hand (say, on your desktop) before you start.

  4. Boot to Safe Mode. (Do all remaining work on this problem in Safe Mode.) Do not start any programs other than the tools listed above. To boot your computer in Safe Mode you need to restart the computer and bring up the Boot Menu. How to do this varies slightly with different versions of Windows.

    • Windows 95: Wait until the moment the first (memory check) screen blinks away and the notice of loading Windows appears. At that moment, press and hold F8 until the Boot Menu appears. (A blank diskette in the floppy drive will halt the computer at this point if you have difficulty finding the right moment.)

    • Windows 98 or ME: Press and hold the Ctrl key anytime during the memory check or other preliminary self-test. (F8 still works as before on most systems, but not on all; and the Ctrl key system is much simpler.)

    • Windows 2000 or XP: It’s back to F8. For Windows 2000, you must press F8 just as the row of dancing white rectangles appears at the bottom of the screen. For Windows XP (where the white rectangles don’t appear except when bringing the computer back up from hibernation), it’s easier: start tapping F8 as soon as the BIOS self-test finishes, before the Windows logo appears, and wait for the boot menu. (Tap the key repeatedly rather than holding it down through the memory test; some BIOSes report a keyboard error if a key is held during the self-test.) Another convenient way to get to Safe Mode in Windows XP is to launch MSCONFIG from a Run box, select the BOOT.INI tab, check the /SAFEBOOT box, and reboot. (Remember to clear this box later, or the computer will keep starting in Safe Mode.)

    • Windows NT4 and earlier: There is no Safe Mode option. You will have to do your best with the steps below, logged on as local administrator.
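The two Explorer settings in preliminary step 2 are stored in the registry, so they can be set and verified without clicking through Folder Options. The following script is an added example, not part of the original page; it assumes an NT-based Windows with PowerShell available and uses the value names the Folder Options dialog itself writes for the current user (Hidden and ShowSuperHidden under Explorer\Advanced). It then lists the Hidden or System files in a folder, which is a useful cross-check on the printed list of infected files because Get-ChildItem -Force shows those entries whatever Explorer is set to.

```powershell
# Added example (not from the original page). Makes Explorer show hidden and
# protected operating-system files, then reports the files in a folder that a
# default Explorer view would conceal. Assumes an NT-based Windows with
# PowerShell; the registry value names are the ones Folder Options writes.

$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Hidden = 1          -> "Show hidden files and folders" selected
# ShowSuperHidden = 1 -> "Hide protected operating system files" unchecked
Set-ItemProperty -Path $adv -Name 'Hidden'          -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name 'ShowSuperHidden' -Value 1 -Type DWord

# Confirm what was written.
Get-ItemProperty -Path $adv | Select-Object Hidden, ShowSuperHidden

# Files carrying the Hidden or System attribute in a folder. -Force makes
# Get-ChildItem include them regardless of the Explorer setting, so this
# works even before Explorer has been restarted.
function Get-ConcealedFile {
    param([string]$Folder)
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -Path $Folder -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band $mask) } |
        Select-Object FullName, Attributes, Length, LastWriteTime
}

# Example: everything hidden from a default view in System32.
Get-ConcealedFile -Folder "$env:SystemRoot\System32" | Format-Table -AutoSize
```

Explorer reads these values when a window is opened, so open a new Explorer window (or log off and on) after running the script; the Get-ConcealedFile listing does not depend on Explorer at all, which makes it the more reliable check when a file on your list seems to be missing.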




DELETION

  1. In Safe Mode, using My Computer, go to the relevant folder(s) and just try deleting each infected file. If you can’t delete one, go on to the next until you’ve deleted everything you can this way.

    NOTE: When deleting a file from the System32 folder, check first whether a copy of it exists in System32\dllcache. If it does, delete the dllcache copy first; otherwise Windows File Protection will put the file straight back into System32 from dllcache the moment you delete it. If Windows asks whether it should restore the file, confirm that you do not want it restored.



  2. If a file cannot be deleted, something running in the background has it open or loaded: either the infected file is itself a running program, or it is a DLL loaded into some running process. You have to catch the file when it is not in use before you can delete it. The two main ways are to End Process on the program holding the file while Windows is running, or to delete the file at a time when Windows isn’t running. (On Windows 9x, or on NT-based versions using FAT32, this can be done simply by booting from a startup floppy and deleting the file; on Windows 2000, XP, etc. using NTFS, a DOS startup floppy cannot read the disk, so that isn’t possible.) Each of the suggestions below attempts one or the other of these approaches.

    • End Process approach

      1. To End Process on the file while Windows is running, you have a couple of primary tools available. One is the Windows Task Manager (Ctrl+Alt+Del | Task Manager): on the Processes tab, select the process that is running or holding the infected file, then click End Process. The other tool is the stronger process manager built into HijackThis at Config | Misc Tools, which can also show the DLLs each process has loaded, so you can find which process is holding an infected DLL.

      2. If you need even more powerful tools, use IBProcMan (the same process manager that is in HijackThis, rewritten so that it is harder for malware to resist) and/or Advanced Process Manipulation.

      3. End Process and delete everything you can without rebooting. Hopefully you will have gotten everything, or at least all but a small list.


    • Delete on reboot approach

      1. If any infected files are left, use another tool in HijackThis Config | Misc Tools — the utility to delete a single file on next reboot. Select one of the files remaining and mark it to remove. Don’t close HijackThis (leave it running). Then reboot (back to Safe Mode).

      2. If this doesn’t work, try Killbox, another tool that can mark a file for deletion on the next reboot.



  3. Here’s where it can get tricky: if the wrong file is left undeleted, the infected files may be recreated at the next startup by a component you haven’t removed yet (a dropper that is still started from an autostart entry, for example). Do your best and keep plugging away: after each reboot, check your list again and repeat the steps for anything that has come back.
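The whole deletion procedure above (dllcache check, plain delete, end the process holding the file, then delete on reboot) can be scripted. The script below is an added example, not code from the original page or from any of the tools it names; it assumes a current PowerShell run as administrator in Safe Mode. The delete-on-reboot step uses the Win32 call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the path under PendingFileRenameOperations so the Session Manager deletes it at the next boot before anything can lock it; this is the mechanism the page's "delete on next reboot" approach relies on. The file names in the list are constructed placeholders.

```powershell
# Added example (not from the original page): the deletion procedure as a
# script. For each listed file it (1) removes any copy in System32\dllcache so
# Windows File Protection cannot restore the file, (2) tries a plain delete,
# (3) on failure ends every process that is the file or has it loaded as a
# module and retries, and (4) if the file still will not go, asks Windows to
# delete it at the next reboot via MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT).
# Run as administrator, in Safe Mode. Review the list before running: step 3
# ends any process holding the file, Explorer included.

$InfectedFiles = @(                                   # constructed placeholder names
    "$env:SystemRoot\System32\example-bad.dll",
    "$env:SystemRoot\System32\example-bad.exe"
)

$System32 = Join-Path $env:SystemRoot 'System32'
$DllCache = Join-Path $System32 'dllcache'

# P/Invoke for kernel32!MoveFileExW. A null destination plus the delay flag
# writes the path to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
# \PendingFileRenameOperations; smss.exe performs the delete at next boot.
$Kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Remove-FileNow([string]$Path) {
    try { Remove-Item -LiteralPath $Path -Force -ErrorAction Stop; return $true }
    catch { return $false }
}

# End every process that is the file itself or has it loaded as a module.
function Stop-ProcessUsingFile([string]$Path) {
    foreach ($p in Get-Process) {
        $hit = $false
        try {
            if ($p.Path -and ($p.Path -ieq $Path)) { $hit = $true }
            elseif ($p.Modules | Where-Object { $_.FileName -ieq $Path }) { $hit = $true }
        } catch { }   # access denied or 32/64-bit mismatch: cannot inspect, skip
        if ($hit) {
            Write-Host "Ending $($p.ProcessName) (PID $($p.Id)) because it holds $Path"
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        }
    }
}

function Remove-StubbornFile([string]$Path) {
    # Step 1: a copy in dllcache would be restored by Windows File Protection.
    if ((Split-Path $Path -Parent) -ieq $System32) {
        $cached = Join-Path $DllCache (Split-Path $Path -Leaf)
        if (Test-Path -LiteralPath $cached) {
            Write-Host "Removing dllcache copy $cached first"
            Remove-FileNow $cached | Out-Null
        }
    }
    if (-not (Test-Path -LiteralPath $Path)) { return 'absent' }

    # Step 2: plain delete.
    if (Remove-FileNow $Path) { return 'deleted' }

    # Step 3: end whatever holds it and retry.
    Stop-ProcessUsingFile $Path
    Start-Sleep -Seconds 1
    if (Remove-FileNow $Path) { return 'deleted after ending process' }

    # Step 4: delete on next reboot.
    if ($Kernel32::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        return 'scheduled for deletion at reboot'
    }
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    return "failed (Win32 error $err)"
}

foreach ($f in $InfectedFiles) {
    '{0,-50} {1}' -f $f, (Remove-StubbornFile $f)
}

# Show what has been queued for the next boot, if anything.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations
```

After any file reports "scheduled for deletion at reboot", reboot straight back into Safe Mode and run the script again on the same list: the last lines print the PendingFileRenameOperations value so you can confirm the entry was written, and because that value is an ordinary registry value, malware that is still running could remove it before the reboot, which is one more reason to do all of this in Safe Mode. A file that keeps reporting "deleted" on every run is being recreated, so go back to the HijackThis scan and look for the autostart entry that launches the component dropping it.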