MANUALLY DELETING STUBBORN FILES
Last Updated May 7, 2007 (Version 2.0)
Sometimes it is necessary to delete a file that doesn’t want to be deleted. Frequently, this is the case in a virus-laden computer where the resident antivirus software is incapable of removing the afflicting files.
This page is aimed primarily at manual removal of virus-infected files that resist deletion. Whether you want to delete stubborn files for that reason or others, the following approach is recommended and should prove helpful. In following these tips, please understand that stubborn file deletion often is as much art as science. To some extent, you have to develop your own technique and, in the case of deeply-rooted viruses, it probably will involve some going back and forth because as you remove some files they may be replaced by others you haven’t yet removed.
PRELIMINARIES
- Print out, or otherwise have at hand, the list of infected files to delete.
- Be sure that Windows is set to show Hidden and System files and folders. In Windows Explorer or My Computer, at Tools | Folder Options | View, set Hidden files and folders to “Show,” and uncheck Hide protected operating system files. (Beginning with Windows Vista, My Computer is called Computer, and you need to press Alt before you will see the Tools menu.)
- Download HijackThis, IBProcMan, Advanced Process Manipulation, and Killbox. Have these at hand (say, on your desktop) before you start.
- Boot to Safe Mode. (Do all remaining work on this problem in Safe Mode.) Make sure nothing is running. To boot your computer in Safe Mode you need to restart the computer and bring up the Boot Menu. How to do this varies slightly with different versions of Windows.
- Windows 95: Wait until the moment the first (memory check) screen blinks away and the notice of loading Windows appears. At that moment, press and hold F8 until the Boot Menu appears. (A blank diskette in the floppy drive will halt the computer at this point if you have difficulty finding the right moment.)
- Windows 98 or ME: Press and hold the Ctrl key anytime during the memory check or other preliminary self-test. (F8 still works as before on most systems, but not on all; and the Ctrl key system is much simpler.)
- Windows 2000, XP, or Vista: It’s back to F8. For Windows 2000, you must press and hold this just as the row of dancing white rectangles appears at the bottom of the screen. For Windows XP or Vista (where the white rectangles don’t appear except when bringing the computer back up from hibernation), it’s easier: Press and hold F8 during the initial memory test, and wait for the boot menu. Another convenient way to get to Safe Mode in Windows XP or Vista is to launch MSCONFIG from a Run box, select the BOOT.INI (in XP) or BOOT (in Vista) tab, and check the /SAFEBOOT box, then reboot. (Remember to change this back later when you want to return to Normal Mode startups!)
- Windows NT4 and earlier: There is no Safe Mode option. You will have to do your best with the steps below, logged on as local administrator.
DELETION
- In Safe Mode, using My Computer, go to the relevant folder(s) and just try deleting each infected file. If you can’t delete one, go on to the next until you’ve deleted everything you can this way.
NOTE: When deleting a file from the System32 folder, check first to see if it is in the System32\dllcache folder. If it is, then delete it from there first — otherwise, Windows will restore the file from dllcache when you delete it from System32. Confirm (when asked) that you do not want Windows to restore it!
- For those you haven’t been able to remove, something is running in the background. You have to catch it when it isn’t running before you can delete it. The two main ways are to End Process on the file while Windows is running, or to delete the file at a time that Windows isn’t running. (On Windows 9x, or on NT-based versions using FAT32, this can be done simply by booting from a startup floppy and deleting the file; but on Windows 2000, XP, etc. using NTFS, that isn’t possible.) Each of the suggestions below attempts one or the other of these approaches.
- End Process approach
- To End Process on the file while Windows is running, you have a couple of primary tools available. One is the Windows Task Manager (Ctrl+Alt+Del | Task Manager): on the Processes tab, click the process you wish to end, then click End Process. The other tool is the stronger process manager built into HijackThis at Config | Misc Tools.
- If you need even more powerful tools, use IBProcMan (which is the same process manager that is in HijackThis, but rewritten so it is tougher for malware to resist it) and/or Advanced Process Manipulation.
- End Process and delete everything you can without rebooting. Hopefully you will have gotten everything, or at least all but a small list.
- Delete on reboot approach
- If any infected files are left, use another tool in HijackThis Config | Misc Tools — the utility to delete a single file on next reboot. Select one of the files remaining and mark it to remove. Don’t close HijackThis (leave it running). Then reboot (back to Safe Mode).
- If this doesn’t work, try Killbox, another tool that provides the opportunity to delete a file on next reboot.
- Here’s where it can get tricky: If the wrong file is left undeleted, new infected files may be recreated on next startup. Do your best and keep plugging away.
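The checks behind the dllcache NOTE and the two approaches above, as an added read-only PowerShell example (not part of the original page or of any tool it names): for each file on your list it reports whether a dllcache copy exists, which running processes have the file loaded, and whether it is already queued for deletion at next boot. It assumes PowerShell is available and that the delete-on-reboot tools use the standard Windows `PendingFileRenameOperations` registry value; the paths in `$Targets` are constructed placeholders.

```powershell
# Added example: read-only checks for each file on the infected list.
# Run elevated; the paths in $Targets are constructed placeholders.
$Targets = @(
    "$env:windir\System32\example-bad.dll",
    "$env:windir\System32\example-bad.exe"
)

function Get-PendingDelete {
    # Delayed operations are stored as (source, destination) string pairs;
    # an empty or missing destination means "delete source at next boot".
    param([string[]]$Ops)
    for ($i = 0; $i -lt $Ops.Count; $i += 2) {
        $dst = if ($i + 1 -lt $Ops.Count) { $Ops[$i + 1] } else { '' }
        if ($dst -eq '') { $Ops[$i] -replace '^\\\?\?\\', '' }
    }
}

# Assumption: the reboot-delete tools use this standard Session Manager value.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ops = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
$pending = @(Get-PendingDelete $ops)
$cache = Join-Path $env:windir 'System32\dllcache'

foreach ($path in $Targets) {
    # Processes with the file loaded must be ended before a normal delete works.
    $holders = @(Get-Process | Where-Object {
        try { $_.Modules | Where-Object { $_.FileName -eq $path } } catch { $false }
    } | ForEach-Object { "$($_.ProcessName) ($($_.Id))" })

    [pscustomobject]@{
        File            = $path
        Exists          = Test-Path -LiteralPath $path
        InDllCache      = Test-Path -LiteralPath (Join-Path $cache (Split-Path $path -Leaf))
        LoadedBy        = $holders -join ', '
        QueuedForReboot = $pending -contains $path
    }
}
```

Re-run it after each pass: a file that reappears in `Exists` or `LoadedBy` after a reboot points to a component you have not yet removed.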
OTHER IDEAS, RESOURCES & PARTICULARS
When I asked the brightest and most experienced pool of Desktop Support MVPs I know, several of them (no surprise!) had some further suggestions on how to delete stubborn files. These included the following:
- Jim Byrd recommended Noel Danjou’s freeware utility Locked Files Wizard, “a small program that allows replacing, moving, renaming or deleting one or many files which are currently in use (e.g. system files like comctl32.dll, or virus/trojan files.)”
- For a somewhat different form of the problem — deleting files and folders with invalid names — Jim Byrd recommended, with high praise, Delinvfile.
- Patty MacDuffie passed along a link to Cedrick Collomb’s freeware tool Unlocker. If a file or folder is in use, and therefore cannot be deleted, Unlocker will, well, unlock it — so you can delete it at will. As Jim Byrd has observed, this tool “is particularly helpful in identifying malware components which are 'protecting' each other.”
- Harry Ohrn recommended MoveOnBoot, which “allows you to copy, move or delete files on the next system boot.” In addition to its reliability, he particularly likes that it integrates right into the Windows shell.