How do you delete an undeletable Windows file?
August 27, 2005 7:53 PM

I found a hidden, read-only file called windows.pif in my c:\winnt\system32 directory that won't respond to del or attrib commands. How can I delete this file?

If I hook up a network cable, tcpview shows me windows.pif is trying to make dozens of connections, but all the anti-virus and spyware programs I've tried tell me my system's clean. Short of downloading a Knoppix CD, how do I get this off the Win2k machine I've unhooked from my network?
posted by bobo123 to Computers & Internet (9 answers total)
 
Are your programs scanning all files? Sometimes you have to get into the advanced settings and make sure it's checking hidden/system files.

To get rid of it yourself, either restart the computer in safe mode (F8) and delete it or run MSConfig (from the Run line), uncheck the reference to it, restart and delete it. Then run HijackThis to get rid of the references to it in the registry.

This Symantec page talks about how to remove it in more detail.
posted by strikhedonia at 8:28 PM on August 27, 2005


Attrib is for the ancient FAT-style attributes ("R/H/S/A") whereas you probably need to edit the NTFS ACL, which is much more involved than a simple "read only" flag. You do this through the "Security" tab of the Properties page. Give yourself Full Control and then delete the file. If you can't change the ACL, then you'll have to take ownership first, and then edit the ACL. ('Take ownership' requires administrator privilege.)

If this is actually an executable that is running (which it sounds like it from what you've said) you will not be able to delete it until you terminate the process. Use process explorer to do this.
posted by Rhomboid at 8:29 PM on August 27, 2005


Response by poster: Yeah, from safe mode I did right-click -> properties -> unchecked "read-only" -> OK, then I deleted it. I had tried that before, but Explorer crashed when I clicked any other tabs, so I was trying to delete it from the command line; second time around I just left the other tabs alone.

So I hooked the network cable back up and nothing unusual. Before I was seeing a whole bunch of traffic all over the place. I think I got infected with something when I unhooked my old router (I was having slowdowns and I thought it might be overheating) and hooked my computer straight into my DSL modem (to see if it wasn't the modem that was the problem). So I deleted 3 files in my system32 directory that were popping up in TCPView: trapper.exe, windowsnfo.exe and windows.pif... can't find useful references to these files and my anti-virus didn't find anything.
posted by bobo123 at 10:02 PM on August 27, 2005


Deleting it is good, but you've still got the residual effects of this infection, including registry settings to start it up every time you reboot.

There are viruses that create windows.pif (i.e. W32.Spacemark)... I'd be more concerned that your anti-virus proggies aren't finding this than you apparently are. That's a pretty big thing.

It may be worth a quick email to Symantec or McAfee or whoever to see what they think.
posted by Kickstart70 at 10:12 PM on August 27, 2005


Response by poster: I had tried EZ Antivirus, McAfee Stinger and Microsoft's Antispyware. Win2k installation had been regularly updated and Firefox 1.0.6 is the default browser, hadn't had any problems before. I'm at a loss as to how this stuff got on my system, like I would be surprised that simply hooking my PC directly to my DSL instead of a router could compromise it, though that could just be a coincidence and there was some other cause.

Deleted about a dozen entries in the registry for each file (File Mapping Services - trapper.exe, Win32 Info - windowsnfo.exe, Windows Security Service - windows.pif). Still a little suspicious that deleting a few files could clear everything up but I have to consider whether I want to do a brand new install and migrate over all my crap and patch everything again.
posted by bobo123 at 11:24 PM on August 27, 2005
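
Added example, not part of the thread: a Python check that a regedit export (`.reg` text) no longer contains values pointing at the three deleted files, since, as noted above, leftover registry entries are what restart such a program at boot. The sample export, its key and value names, and the function names are constructed for illustration.

```python
import re

# File names the poster deleted, per the thread; compared case-insensitively.
LEFTOVERS = {"trapper.exe", "windowsnfo.exe", "windows.pif"}
# Keys that start programs at boot or logon (standard Windows locations).
AUTOSTART = re.compile(r"\\(CurrentVersion\\Run\w*|Services\\[^\\]+)$", re.I)
VALUE_LINE = re.compile(r'("(?:[^"\\]|\\.)*"|@)=(.*)')

# Constructed sample of a regedit export; key and value names are made up.
# A real export is UTF-16: read it with open(path, encoding="utf-16").
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCPView"="C:\\Tools\\tcpview.exe"
"Windows Security Service"="C:\\WINNT\\system32\\WINDOWS.PIF /q"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FileMap]
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,72,00,61,00,70,00,70,\
  00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"""

def decode_value(raw):
    """Decode REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...); None for other types."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])      # undo \\ and \" escaping
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\0")
    return None  # dword/binary values cannot name a program

def find_leftovers(reg_text, names=LEFTOVERS):
    """Return (key, value name, data, is_autostart) for values naming a leftover file."""
    hits, key = [], None
    text = re.sub(r"\\\r?\n\s*", "", reg_text)         # join hex continuation lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        data = decode_value(m.group(2)) if m and key else None
        # Split the command line into path components and arguments, then compare.
        if data and names & set(re.split(r'[\\/\s",]+', data.lower())):
            hits.append((key, m.group(1).strip('"'), data, bool(AUTOSTART.search(key))))
    return hits

if __name__ == "__main__":
    for hit in find_leftovers(SAMPLE):
        print(hit)
```

Hits with `is_autostart` set are the ones that would relaunch the file on reboot; the `hex(2)` branch matters because service `ImagePath` values are usually exported in that form and a plain text search of the export misses them.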


Try running Trend Micro's online scans... they have ones for both virus and spyware. ActiveX, so run them in IE. Also, AdAware and Spybot.

Not sure if it's a problem in 2000, but in XP nasties like to hide in the temp folder... [username]\local settings\temp (a hidden folder), as well as other places. If you're in safe mode, you should be able to dump everything except one or two tmp files.

It's fairly common to catch something by just having it sitting out in the open. Viruses float around on the network and constantly try to find unpatched loopholes. (I work at a college computer help desk [with all the fuckwittiness that implies], so YMMV.)
posted by strikhedonia at 11:56 PM on August 27, 2005


I'm assuming you're running NTFS and not FAT32, and that you can't simply boot to a raw (unsecured, non-NTFS) MS-DOS prompt before loading Win2k and delete it.

You should have a Knoppix CD anyway. I'm not a Linux fiend, but it's an awesome bootable tool to have for getting at the drive and files and getting network access going when NT/2K/XP and/or NTFS dumps a load in your lap.

Have you tried NOD32 antivirus?
posted by loquacious at 1:26 AM on August 28, 2005


For any undeletable file, I recommend the Gipo@Utilities suite available here (http://www.freedownloadscenter.com/Utilities/File_Maintenance_and_Repair_Utilities/GiPo_FileUtilities.html)
Gipo@MoveonBoot will let you flag any file and, when you next reboot, it will delete/move/copy that file, according to your instructions. Every PC should have one. And it's free.
posted by TheRaven at 5:40 AM on August 28, 2005


Along the lines of Knoppix, there's also the Ultimate Boot CD, which is a Windows environment. It works well, and you can usually fix most problems with one or the other.
posted by strikhedonia at 6:27 AM on August 28, 2005

