Folders not able to be deleted

Status
Not open for further replies.

utbigred

Posts: 19   +0
I'm not able to delete folders for some reason. First of all I have two drives. The folders I'm trying to delete are on a hard drive separate from my hard drive with system files.
With that said, I'm trying to delete these folders with the titles: movie maker, microsoft frontpage, msn gaming zone, netmeeting, outlook express, windows media player, internet explorer, windows nt, xerox.
For some reason, these folders appeared out of nowhere. There are no files in it and the size on disk for each one is 0 bytes. I tried deleting it but it keeps bringing up the message: Cannot delete accessories: it is being used by another person or program. I got a little worried after that and started doing what I could. I did spyware scan, ccleaner, avg virus scan, went to safety mode and deleted the folders. When I restarted again, the files appeared again. I don't see any irregular process in the task manager. Any way to get rid of this without reformatting?

Here's a list of the processes I have.
 
  1. Curious. The message you say you are getting. The Windows message would be "Cannot delete <file>: It is being used by another person or program" where file is the name of the file or folder you are trying to delete. Does it really say accessories?
  2. Have you tried rebooting? Or rebooting into safe mode? Are all these files/folders still opened at startup?
  3. Use OpenedFilesView to see what is opened and which process has them open. Might help in understanding the mystery (or at least see what has them open)
 
1.) That's the message I got when I tried deleting windows nt. The other files stick to their name like outlook express will say outlook express.
2.) I've rebooted twice. Both into safe mode and both into different users (administrator and my user name). Deleted all those files and restarted, and somehow those files pop.
3. I'm using that right now, but not quite sure what to look for.

Does this have anything to do with registry? What I mean is that sometimes when I download stuff, it can only be installed in my main hard drive (c:\). I changed it so that it can be installed into a different drive (my g:\), because my main hard drive is relatively small and doesn't have a lot of space.
 
  1. If you scroll right in OpenedFilesView it will tell you which process has the file opened. It tells you process id, process name, and process path
  2. If you look at the files, who is listed as owner (am curious)
  3. This post, Viruses/Spyware/Malware, preliminary removal instructions, gives instructions to prepare for removing spyware etc. It includes instructions to install, run and post HijackThis (HJT). You've done some preliminary scans already. Why don't you run/post HJT as it indicates to see what, if anything, it shows at this point in time.
  4. Could you also post the OpenedFilesView output? Would like to see that info too... might show something
  5. I don't think the registry or what you described should be causing these files to reappear.
  6. What operating system are you running?
 
I will have to post it later, I'm in a hurry to attend to a wedding. So far nothing seems to be a problem. It's just that it is really annoying to see random files pop up like that.
 
What exactly do you want to look for in the OpenedFilesView. Er what I mean is what general area do you want me to screenshot since it's a pretty big file. Ok I attached an htg file as well.



the one I highlighted are the folders I want to delete.
 
1. Your HJT log looks innocent to me. One entry raised an eyebrow, at first, O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) but looking further shows it's related to Windows Live and a missing htc.dll. Coincidentally, I saw the exact same entry on a friend's machine. In that case, I ran HJT only out of curiosity. He wasn't showing any signs of any problem.

2. That said, I don't know if you saw mention in that 15 step guide I referred to earlier (I should have mentioned it myself) that you should set folder options to show hidden files before running HJT? Was this done also? If not, from any file Explorer window, click Tools->Folder Options. Click View tab. If you look through advanced settings,
  • Set the radio button to Show hidden files and folders.
  • Clear Hide protected operating system files
  • Clear Hide extensions for known file types
Now run and post HJT again please.

3. OpenedFilesView will reveal which processes have which files/folders open which may be a clue to why they're open and being restored after being deleted.

Start OFV. Under options
  • Show Open Directories, Show Open Files, Show Network Files
  • Hide files in Windows Folders should be cleared.
Under View, Choose All Columns

Now run OFV. If you think the file is too big or don't want to post it all, find the line entries for the files/folders you say are recreated and open so can't delete (some or all of which you listed in a prior post). Create a log file of these entries only (if easier, it allows you to create an html file of all entries and you can delete items not needed from the report). Hopefully, a look at the process opening it will reveal something.

Based on above, we might want to look and verify all the startups on your machine but will save that as a next step after we see what might be revealed by above.
 
First, kritius, one of the resident HJT experts, pointed out your IE Trusted Zone includes http://holic.netgame.com. Is this a game you use? Something you've approved?

OpenedFilesView indicates all the folders are opened by winlogon.exe. This is a Windows program which runs when you logon and often the target (or after effect) of malware. It's also possible you have old startup that's going to these folders. I would suggest the following
  1. Do you have your XP install disk? System File Checker will validate all the system files haven't been touched but it may ask you to insert your XP disk. Start->Run->cmd. Then in the command window type sfc /scannow. Wait for it to complete and see if it reports any bad files
  2. We can check all your startups and validate winlogon.exe (regardless if you ran sfc or not). Install and run Autoruns.
    • Wait for the status displayed in the lower left of the screen says "Ready"
    • Click Options and check Verify Code Signatures
    • Other options should not be checked.
    • Then click Files-Refresh
    • Wait for Ready status again
    • Click File and save as a text file and post it here
 
Hmm well Holic is a game that I used to play. Apparently it had problems with AVG thinking it's a malware or a Trojan. A lot of users in that game have the same problem. Not sure if it's AVG's side or Holic's but that isn't what is causing the folders to not be deleted. The folder situation started recently actually if you take a look at the 2nd screenshot. The hard drive g:\ that I'm using is by itself. I'm currently using two, one being c: and d: together and g: being the other. The g:\ is completely empty and never installed windows on it.
I'll try and do what you suggested, probably won't have time today. I'll try and post it by tomorrow. Busy busy busy.
 
Looks like the System File Checker (and XP disk) may not be required. Will start with this reply post for you as I'll need to write down the instructions for what will follow. Btw, do you know how to create a System Restore point? If no, I'll include that as well.

Some observations
  1. At first look, the Autorun entries which don’t verify aren’t unusual.
  2. Going back to an earlier question you asked about the registry: I see you do, in fact, have a number of stale registry startup entries. I also see some references to G:\Program Files\Outlook Express (I’ll be telling you how to clean all those out) but I don’t see entries for the other problem folders
  3. But…. We’re only seeing the Autoruns for the current userid and I wonder if they might be started/opened under a different user id. Look at the menu at the top of Autoruns. Click User. Do you see multiple userids listed? The current user id will have a check mark. Could you select each other userid, refresh, wait for status to say Ready and generate the output file? I can then look for the other folders and I can see if other folders referenced.
We’ll be using Autoruns to remove all the stale entries (I’ll put some instructions together). I'd like to find the start references for your other folders. As an alternative, it’s possible to just force them closed, but I'd prefer (and I think it's safer) to not open them in the first place, if possible, in order to do your deletes.

Do you know how to create a system restore point?
 
Very interesting....

I checked the other output file you created and couldn't find references to the other folders. Trying to figure out what-the-heck was going on, I started digging deeper for other explanations (now knowing they're all related to winlogon) and discovered these folders have been annoying XP users for years. Seems the references are within winlogon itself! (I just looked and I have the same folders opened by winlogon.exe on my own computer but on my C: drive, of course)

I'll follow up (probably tomorrow). We will still remove all those stale entries sitting in your registry and will see what I can find about removing the other folders (to remove them from my computer as well!)

Do the same folders exist on your C: drive? When did you do the split between C: and G:? When you said they "just showed up" are you certain? I'm kinda surprised I never noticed "Pinball" or "xerox" on my own system before. In any case, will follow up with you.
 
They exist in my c:\ since that's where I installed windows xp. As for the ones in g:\, they appeared recently like on Saturday.
 
1. Can start off by removing all those stale registry entries. But first create a System Restore point for “just in case”
Run HijackThis
  • Find entry O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  • Check the box next to it
  • Click Fix Checked
AutoRuns
  • Start Autoruns, wait for status showing Ready in lower left
  • I’m going to have you go through and delete each entry which points to a File not found except for one that refers to About:Home. It will look like: 0 File not Found:About:Home
  • To start, the cursor position should already be at the first display entry
    • Press CTRL-f to open a Find window. Type in not found then click Find Next button
    • You’ll see an entry indicating File not found. If it’s not for About:Home, right click and select delete to remove the entry.
    • Press F3 key to Find Next and repeat till you’ve found/removed each "not found" entry except for About:Home.
    • Close Autoruns and reboot just to see you do in fact reboot.
2. Provide a list of all file/directories currently open by winlogon
Right after rebooting I would like to see which files on which disks winlogon has open and when they were created (to see what winlogon opens on C: and/or on open G: etc. to hopefully provide clues as to what's up)
  • Open an empty text file (e.g. run Notepad.exe) so we can paste the info into it shortly. Then run OpenedFilesView
  • Click Options. Both Show Open Directories and Show Open Files must be checked.
  • Click View->Choose Columns. All column names should be checked. Scroll down to Process Name (this is the name of process that has the file open) and click the Move Up button to move it to the first in the list. Click OK.
  • Click on the column header Process Name to sort by Process Name ascending order.
  • Scroll down to the first entry for Winlogon.exe. Left click to select.
  • Scroll down to the last entry for Winlogon.exe. Hold SHIFT while you left click to select everything from the first to the last winlogon entry.
  • Click Edit->Copy Selected Items and then paste it into the empty text file window you created earlier.
  • Save the file and post it please
3. Provide a closer look at your winlogon
Let’s also verify, check the version and look at the environment variables of your winlogon.exe (in part, want to see what, if any, of the environment points to G:)
  • Install Process Explorer (it provides all the functions of Task Manager and a whole lot more) and run it.
  • Select winlogon.exe and right click and select Properties.
  • Look at the Image Tab. Towards the top it’ll say “(Unverified) Microsoft Windows Publisher”. Click the Verify button (is downward and right). It should now say Verified. Just tell me the version number listed and for the command line listed, it should be simply winlogon.exe with no arguments, right?
    • For the last set of data, you can screen capture the info I want or install SysExporter. It’s pretty handy and allows you to capture certain types of data displayed in windows that you can’t otherwise copy.
    • Now, click on the Environment tab. When it’s displayed, screen capture the info or try SysExporter. Scroll the SysExporter top window looking for winlogon (i.e. the window name). Some of the Winlogon entries in SysExporter will be of type Listview. Hit the SysExporter entry in top window to see its data in bottom window and I think the tab Environment data would be of Listview type. Copy/Paste the environment data from SysExporter into a text file and post.
 
"Look at the Image Tab. Towards the top it’ll say “(Unverified) Microsoft Windows Publisher”. Click the Verify button (is downward and right). It should now say Verified. Just tell me the version number listed and for the command line listed, it should be simply winlogon.exe with no arguments, right?"

Ya, there were no arguments. I tried using Sysexporter, but for some reason couldn't copy the listing. Instead, I'm posting the one from Process Explorer.

 
"First of all I have two drives. The folders I'm trying to delete are on a hard drive separate from my hard drive with system files."

At some point, I'll look at removing those odd pesky folders I found that winlogon creates (like xerox and pinball). But that's for my computer. You have a bigger issue to address.

The quote above was from your first post. What you said is true about system files. But, you’ve split your Windows Program Files folder across your two hard drives!
The Problem
  • A process uses its environment variables to locate things. %ProgramFiles% indicates where the process will find the Windows Program Files folder. The info you gathered at last request indicates winlogon’s ProgramFiles variable points to G:\Program Files not C:\Program Files!
  • Looking back at an earlier post, it appears you installed some games and must have created a G:\Program Files to install in. I searched online and see people installing games on different hard drives (because of the space) but create something like G:\Games for the install not G:\Program Files (you’ll have to check with your game’s tech support on how to/what is needed for you to install your game on a different drive). My guess is one of those installs has confused windows and now winlogon thinks program files are located on G:. The Program Files folder should be fully contained in a single partition.
  • So, it's Winlogon and the Windows File Protection feature that's preventing deletion and replacement of the "protected" files/folders it has open on G. But not being able to delete the pesky folders should be occurring on C: (like my machine) and not G: like your machine!
  • The Windows registry saves the value of %ProgramFiles% in registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion. I don’t know if you changed this value yourself or it was changed as a result of one of your game installs on G:. But regardless of how it happened, it happened. And I happened to find a Microsoft KB on the topic: Microsoft does not support changing the location of the Program Files folder by modifying the ProgramFilesDir registry value.
A Solution?
This is my best guess for a solution but, of course, I think it should work but can’t guarantee it will provide the desired result. So take whatever additional cautions you feel needed and other opinions as you decide what you want to do
  • First, create a full backup. Preferably use a backup tool that can create a disk image backup in addition to file backup capability. (Just fyi… I like Acronis True Image Home, which you can download and use as a free trial for the first 15 days.)
  • Uninstall all the game programs (and anything else) you had installed under G:\Program Files
  • Follow the steps in the Microsoft KB titled “Steps to change the ProgramFilesDir registry value to use the default location for the Program Files folder”
  • Reboot your machine into safe mode (why safe vs. normal? Just me being cautious, as there will be fewer things starting and possibly going wrong)
  • See if things look ok.
    • I’d expect the winlogon environment variable to point to C: now
    • I’d expect you could delete those folders on G: now. But before deleting them…. Are you sure they are all empty? Including internet explorer? Unless you're 100% certain, copy all of it over to something like G:\ProgramBkup. Hang on to it for a week or two of no trouble then delete
And now delete G:\Program Files
Now reboot. You should be back to normal, hopefully. Please post back when you're all done as I would like to know if the solution worked or if you still had other issues. Oh, and I can still address why you had a problem with SysExporter as it is a handy tool to have available.
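
Added example, not part of the original post or of any tool named in the thread: a PowerShell check that compares the ProgramFilesDir value under the registry key named above with the default location on the system drive and with the %ProgramFiles% the current process inherited. The function name Compare-ProgramFilesDir is hypothetical, and the script assumes a shell of the same bitness as the OS (as on the 32-bit XP machine discussed here).

```powershell
# Added example: read-only check of where Windows thinks Program Files lives.
# Key and value name are the ones cited in the post above.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'

# Hypothetical helper: compares the registry value, the value inherited by a
# process, and the default "<SystemDrive>\Program Files".
function Compare-ProgramFilesDir {
    param(
        [string]$RegistryValue,
        [string]$ProcessValue,
        [string]$SystemDrive
    )
    $default  = "$SystemDrive\Program Files"
    $registry = $RegistryValue.TrimEnd('\')
    $process  = $ProcessValue.TrimEnd('\')

    # -eq on strings is case-insensitive, which matches Windows path rules.
    New-Object PSObject -Property @{
        Default                = $default
        Registry               = $registry
        Process                = $process
        RegistryIsDefault      = ($registry -eq $default)
        ProcessMatchesRegistry = ($process -eq $registry)
    }
}

# Live check on the local machine.
$reg    = (Get-ItemProperty -Path $key -Name ProgramFilesDir).ProgramFilesDir
$result = Compare-ProgramFilesDir -RegistryValue $reg `
                                  -ProcessValue $env:ProgramFiles `
                                  -SystemDrive $env:SystemDrive
$result | Format-List

if (-not $result.RegistryIsDefault) {
    Write-Warning "ProgramFilesDir is '$($result.Registry)', expected '$($result.Default)'."
}
if (-not $result.ProcessMatchesRegistry) {
    # Processes started before a registry change keep the old value until reboot.
    Write-Warning "This process still sees '$($result.Process)'; a reboot may be pending."
}

# Constructed input reproducing the situation in this thread: the registry
# value and the process environment both point at G:, Windows is on C:.
Compare-ProgramFilesDir -RegistryValue 'G:\Program Files' `
                        -ProcessValue 'G:\Program Files' `
                        -SystemDrive 'C:' | Format-List
```

The script only reads the value; changing it back is covered by the Microsoft KB steps referenced in the post.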
 
I had a feeling that changing the registry was the issue. My c:\ doesn't have a lot of space since I partitioned it so that it only contains mainly system files. Some games for some reason don't have the option to change it to a different directory. I found out how to change it by changing the registry. I'll do everything I can today and I'll post the results tomorrow. As for SysExporter, please explain. It seems like a useful tool that I can use for future use. I want to thank you so much for the effort and time you spent on this. I hope other people will see this topic as a way to help out if there are others like me. Again, thank you very much!!
 
And you're most welcome! Glad was able to find something and help...

Here's some more info on SysExporter. I'm guessing you probably didn’t change the cursor focus between its upper/lower windows before the copy. In any case, why don’t you try again using Process Explorer, select winlogon, right click properties and then click the Environment tab. Now run SysExporter. (Note if SysExporter is already running you can click Options->Refresh to capture the current screen data.)
  • SysExporter has an upper and lower window and you must change the cursor focus (by clicking in the upper or lower window) to work in the upper vs. the lower window
  • With cursor focus in upper window you can scroll through the entries looking for the window name (in this example, the name of the window we want begins with winlogon)
  • You’ll see a number of line items for the winlogon window. Each of the lines represents a data structure which is part of the actual winlogon window you see on the screen
  • You can use the column labeled “item” to help find which entry might be the one you want if you have an idea of how large or small the number of items you’re expecting. (Though I have on rare occasion seen the item count showing zero when, in fact, there is data displayed in lower window)
  • When you select a line in the upper window you’ll see its associated data in the lower window. When you see what you want in lower window you must change cursor focus by clicking an item in the lower window. Now you can select the lines you want, copy, or you can right click to get a menu of things you can do with lines you select in lower window
  • Once familiar with the basics listed above, also take a look at what you can do with the Options and Filter menu items
Think you’ll find this tool as useful as I do.
 
Internet Explorer, Outlook Express & Windows Media Player are part of or bundled with the operating system. Leave them alone. Just don't use them.

Windows NT is the basic building tool for your operating system.
Xerox and Net Meeting are included in the OS.
MST Software has several downloadable programs for computer performance and security.
The Movie Maker and MSN Gaming Zone were downloads.

FrontPage is an installed download and should be removed through Add/Remove Programs in the Control Panel. This is a fairly pricey program so think twice before removing it.

Why are you trying to "delete" these programs? Leave the bundled programs alone and don't touch the system folder! If you want to "uninstall"-not delete, the others, go ahead.
 
These are (mostly) empty folders that appeared on his G drive for other reasons...

Btw... are you running XP Pro? (Might be true of XP Home as well, not certain.) Look and tell me if you have a C:\Program Files\Xerox folder on your system?
 