Deleting Files Already in Use Remotely…

I had a bit of a frustrating day the other week, a machine was infected with an IRC bot that AV couldn’t detect or remove, beyond the relatively minor host file modifications. The machine was re-imaged and then even replaced, but kept getting reinfected a few hours later.  Of course 99% of the time that means a PEBCAK (google it).  It turned out to be a user’s personal infected thumb drive that was spreading the bad stuff.  Anyway since we were getting a large amount of email alerts from the IPS on outgoing IRC NICK registration to IPs in Asia, I RPDed to the machine and copied TCPview from a share to see what exe was creating the process sending the IRC traffic.  The malware was able to hide the process from taskmgr but not the sysinternals tool. It turned out to be the file run64dll.exe so I tried to stop the process and it immediately started back up, not surprising.  I tried the delete the exe but Windows complained about it being in use.  This is usually where safe mode comes into play but I was sitting miles away, so I employed a trick that is the reason I’m writing this blog entry.  Of course you will most likely have to be local Admin or have those rights on the target folder/file, but when you need to kill a file in use try changing the permissions on the file to DENY ALL (Right click file and go to permissions tab in WinExplorer).  This will then quickly stop the process you couldn’t from accessing the file and probably will allow you to delete the file.  Worked for me and hopefully it will for you.  After that I highly recommend a full re-image, you have proof that malicious software successfully ran on that machine and there is no way to know for sure how deep the infection went, don’t risk it just wipe it.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s