System is a Dell optiplex 160L running WinXpProSP2.
One of the boys was gaming and got tricked into downloading and running a hack.
Now there is a file called new.exe in the "my documents" folder.
I can not delete it because it says it is in use. Same if I try to rename or move it.
I booted to a Knoppix liveCD and tried to delete the file, but it would not allow me to delete it. No reason was given.
Don't see anything in the list of processes that looks out of place.
Any ideas, other than the format route? I am going to end up doing that, but would like to figure out how to kill this first.
This is my home system, I have full admin rights, as well as full physical access.
Thanks,
jd
Answers (12)
0
Votes
This may help
I haven't tried it but it may work.
http://www.snapfiles.com/get/removereboot.html
If the file reappears again, check its creation date to ensure it is being recreated. If you can't make it budge, you may have trouble with spyware or a virus on your system. In this case you should get a good spyware removal program to scan your system.
Updated - 22nd Apr 2008
Replies
suggestion doesn't work try this.
From another PC download and install these two programs and copy the installed folders to a USB Stick.
Restart the PC in Safe Mode, turn off System Restore and run Sophos. When you have completed the 4 steps, run Spybot.
Download Sophos and the latest IDE Files. Install it and extract the IDE files to the SAV32CLI folder. I normally create batch Files for the 4 runs.
EG: Sav1.bat
cd\SAV32CLI
SAV32CLI -P=C:\SCANLOG.TXT
http://www.sophos.com/support/knowledgebase/article/13251.html
Download Spybot - Search & Destroy 1.5.2 and install it. Update it. http://www.safer-networking.org/en/download/index.html
Take note of anything that can't be removed and check this link.
http://forum.worldstart.com/showthread.php?t=43513
If everything is OK and you think that you are clean, re-enable System Restore.
<Format>
Jacky Howe
22nd Apr 2008
and have never been able to remove it in the first place.
will give your link a shot (but probably not until tomorrow night).
Thanks.
jd
jdclyde
23rd Apr 2008
if it is Sophos should remove it.
new.exe (beagle.eg worm) - Details
If the new.exe process is running on your computer, your PC may be infected with a variant of the beagle.eg worm.
new.exe is considered to be a security risk, not only because antivirus programs flag beagle.eg worm as a virus, but also because a number of users have complained about its performance.
beagle.eg worm is likely a virus and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of new.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information to websites.
Jacky Howe
23rd Apr 2008
As there is nothing on this system of concern.
I AM going to wipe and reload, but as said earlier, I never like to pass up a chance to learn something new.
I will run the Sophos and see what I can find. Will report back, probably Thursday night.
Thanks Blue!
jdclyde
23rd Apr 2008
area of IT that gives me the irrits. I hate viruses. I can get them cleaned off the system but I always have a lingering doubt about their presence. You can run an AV program and it will come up clean, then run another AV and it will find something else. I like to get the system as clean as possible before backing up data and then it's Darik's Boot and Nuke. It is so bloody time consuming, but I won't copy data until I am sure that it is not infected. Did I mention that I hate viruses?
Jacky Howe
23rd Apr 2008
thanks.
will wipe and reload this weekend.
jdclyde
24th Apr 2008
a fully qualified tester.
I will add that to my Toolbox.
Jacky Howe
24th Apr 2008
0
Votes
Turn off system restore, run Ad-Aware 2007 and Spybot S&D
in safe mode. 99.9% sure it's a virus, haven't seen new.exe for years.
If there are any files that can't be deleted boot to command line safe mode and do it that way.
Had the same problem with a virus the other day and Spybot couldn't delete it.
Jeff
22nd Apr 2008
Replies
and never found anything. Spent a few days when this first happened a few months back and found nothing.
Thought I was clean until I just happened upon that file the other day.
I think it is either a root kit or a keylogger, because he got it from someone in a game, and they are notorious for getting your password and then cleaning out your characters. I saw it happen because I was sitting next to him and reached over and unplugged the system, so it might not have finished the install.
jdclyde
23rd Apr 2008
0
Votes
This may help you out
I haven't faced this problem, but I hope you would find this helpful:
http://softwarepatch.com/tips/howto-delete-xp.html
22nd Apr 2008
Replies
and get back to you.
(home system, so can't try right now)
Thanks for the idea.
jd
jdclyde
23rd Apr 2008
0
Votes
Safe Mode could help you out
Turn off the system and restart in safe mode. Now try deleting the file. This should work.
22nd Apr 2008
Replies
and booting to the liveCD is taking that idea one step further out.
Still didn't budge.
jdclyde
23rd Apr 2008
0
Votes
Have you checked the Registry?
See if anything is trying to run it. I can't find much about it in Google. Might be a version of the Beagle worm.
Good luck and I'll keep poking around. Slap your lad around the ear, by the way, so he doesn't do it again!
Neil
23rd Apr 2008
Replies
went into regedit and searched for new.exe and found nothing.
It was a good lesson for the boy, as it is primarily a system only he and his brother use for games and downloading xbox hacks.
Getting him involved in the cleanup, so he is going to be learning this as we go.
He is VERY embarrassed about the whole thing.
No one likes to get fooled.
jdclyde
23rd Apr 2008
0
Votes
CHMOD the file while ROOT
Use your live disk, switch to Root, use the terminal to CHMOD 777 the file. This should allow you to then delete. One big problem with many files created by Windows as system files (which this virus file has done) is they slap on a permissions level so that only the creator can change it or do anything but run it. The Windows ROOT creator ID assigned is NOT always the same that Linux Root has, thus often the permissions aren't able to do anything with it. I've had this problem a few times on infected Windows machines of friends and some files they created while logged in as Admin. I use a MepisLinux 6.5 live disc to access the system and CHMOD the permissions, then delete the file using Linux.
Also run a search pattern for all other files created at the same time as this virus will often have a file set to run at boot to recreate it and it often has a different name just to make it hard to find.
If this doesn't work, you already know what's next. Use the live disk to copy important data and run the old standby repair command 'Format C:' then reload, lock, and beat him about the head for loading the hack. Better yet, load Linux and the latest version of WINE or VM ware for him to run his games in.
Have fun JD.
23rd Apr 2008
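Two of the suggestions above (Neil's "see if anything in the Registry is trying to run it" and Deadly Ernest's "search for all other files created at the same time") can be done in one pass. The following PowerShell is an added triage example, not code from the thread; the suspect path, the search root and the ten-minute window are assumptions, and it needs PowerShell 3 or later run from an elevated prompt.

```powershell
# Added example: correlate a suspect file's creation time with other files on the
# volume, then check the common autostart Run keys for anything referencing it.
# Assumed values: path of the suspect file, search root and the time window.
param(
    [string]$Suspect       = "$env:USERPROFILE\My Documents\new.exe",  # assumed path
    [string]$Root          = 'C:\',
    [int]   $WindowMinutes = 10
)

function Get-FilesCreatedNear {
    param([string]$Path, [string]$SearchRoot, [int]$Minutes)
    $created = (Get-Item -LiteralPath $Path -Force).CreationTime
    $from = $created.AddMinutes(-$Minutes)
    $to   = $created.AddMinutes($Minutes)
    # -Force includes hidden and system files, which droppers commonly use to hide a companion
    Get-ChildItem -LiteralPath $SearchRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -le $to } |
        Select-Object FullName, CreationTime, Length, Attributes
}

function Find-AutostartReferences {
    param([string]$FileName)
    # Per-machine and per-user autostart locations that survive a reboot
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell / Userinit values
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if ("$($p.Value)" -match [regex]::Escape($FileName)) {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

$leaf = Split-Path $Suspect -Leaf
Write-Host "Files created within $WindowMinutes min of $Suspect :"
Get-FilesCreatedNear -Path $Suspect -SearchRoot $Root -Minutes $WindowMinutes | Format-Table -AutoSize
Write-Host "Autostart entries referencing $leaf :"
Find-AutostartReferences -FileName $leaf | Format-Table -AutoSize
```

A companion file that re-creates the dropped executable at boot will usually show up in the first list with a creation time seconds away from the suspect, even when its name gives nothing away.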
Replies
I used the GUI to try to delete it.
Will do that when I get home and check the file permissions while I am at it.
He followed a link from someone that had been pretending to be "a friend". We did have a long talk about this afterwards, both about not trusting people over the net, and about running something you don't know ABSOLUTELY what it is.
The only thing on that system are some mp3's, as it is just there so the boys can chat and play games. I have copies of the mp3's elsewhere, so there is NOTHING I will lose on it.
I just wanted to accidentally learn something before I wipe it. System is home, so will check after darts tonight if I am almost sober. Odds are, won't get a chance until Thursday night though. Last night of league, and the chances of staying sober are somewhere between slim and none.... :P
I DID show him (ThingTwo) the linux live cd, and he thought it was the coolest thing. We will be loading a few linux systems very soon. Just got to get Diablo2 running on linux!
jdclyde
23rd Apr 2008
I've settled on Kubuntu and like the latest version - it has a very Win98 feel to it. WINE, Crossover, and Cedega all allow you to play Windows games in Linux. I was using Cedega to play Diablo 2 - Lord of Destruction on MepisLinux on a 32-bit system but dropped Cedega as they flatly refused to look at a 64-bit version. I haven't yet got around to loading D2 onto my 64-bit system.
Deadly Ernest
29th Apr 2008
jdclyde
29th Apr 2008
if the map hacks for d2 will run on this?
Got a GODLY paladin right now (hdin), and the hack is killer for runs.
jdclyde
29th Apr 2008
0
Votes
Have you tried
taking ownership of the file?
23rd Apr 2008
Replies
I am not a Windows guy, I just play one when I am not doing my real job, networking.
How do I take ownership?
jdclyde
23rd Apr 2008
Right click on file, properties, security, advanced, Owner, choose new owner, ok.
If you are running XP Home, you may need to turn off simple file sharing. From explorer, tools, folder options, view, uncheck "use simple file sharing (recommended)". I don't remember if you need to reboot after this though...
cmiller5400
23rd Apr 2008
Right-click the file, choose properties, go to the security tab
First check to make sure nobody has checked "deny" on the write permissions. Check each user in the pane. If it's checked, try to uncheck it.
If you click apply and don't get a warning, you should then be able to delete the file. If you get a warning, clear it, then click 'advanced' then the owner tab.
Make yourself the owner, click OK, and retry unchecking the deny checkbox.
TonytheTiger
23rd Apr 2008
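The steps cmiller5400 and TonytheTiger describe (check for a Deny on write, take ownership, retry the delete) can be scripted, and the fallback that actually solved jd's problem, the "remove on reboot" approach, is just the MoveFileEx API with the MOVEFILE_DELAY_UNTIL_REBOOT flag. This PowerShell is an added example, not code from the thread or from any of the tools mentioned; the file path is an assumption and it must run from an elevated session.

```powershell
# Added example: report Deny ACEs that block Delete/Write, take ownership, strip
# those ACEs, delete the file, and if it is still held open by a process schedule
# removal at next boot via MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT). Path is assumed.
$path = "$env:USERPROFILE\My Documents\new.exe"

function Get-BlockingDenyAces {
    param([string]$FilePath)
    $acl   = Get-Acl -LiteralPath $FilePath
    $block = [System.Security.AccessControl.FileSystemRights]'Delete, Write'
    # Any Deny ACE overlapping Delete or Write is enough to make the delete fail
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and (($_.FileSystemRights -band $block) -ne 0)
    }
}

function Remove-LockedFile {
    param([string]$FilePath)
    $acl = Get-Acl -LiteralPath $FilePath
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl.SetOwner($me)                                  # take ownership (admin rights needed)
    foreach ($ace in (Get-BlockingDenyAces $FilePath)) {
        Write-Host "Removing Deny ACE for $($ace.IdentityReference): $($ace.FileSystemRights)"
        [void]$acl.RemoveAccessRule($ace)               # explicit (non-inherited) ACEs only
    }
    Set-Acl -LiteralPath $FilePath -AclObject $acl
    try {
        Remove-Item -LiteralPath $FilePath -Force -ErrorAction Stop
        return 'deleted'
    } catch [System.IO.IOException] {
        # "in use by another process": ask the kernel to delete it before anything starts
        if (-not ('Win32.Kernel32' -as [type])) {
            $sig = '[DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)]' +
                   'public static extern bool MoveFileEx(string src, string dst, int flags);'
            Add-Type -MemberDefinition $sig -Name Kernel32 -Namespace Win32 | Out-Null
        }
        $MOVEFILE_DELAY_UNTIL_REBOOT = 4
        if ([Win32.Kernel32]::MoveFileEx($FilePath, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            return 'scheduled for deletion at next reboot'
        }
        throw "MoveFileEx failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

Remove-LockedFile -FilePath $path
```

The scheduled delete is recorded under the PendingFileRenameOperations value in the Session Manager key, so the file is removed by the Session Manager early in boot, before the process that holds it open can start; this is why the liveCD and safe-mode attempts in the thread are the alternatives when a file is only locked while Windows is running.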
0
Votes
Try Unlocker. I've used it several times and keep it handy.
23rd Apr 2008
Replies
sure, it caused a core dump when I tried to kill the process with this after unlock didn't work, but was still cool....
jdclyde
24th Apr 2008
0
Votes
Process Explorer
Use it to explore what is actually running in the background, what it depends on, etc.
In addition, you can kill processes as well as change permissions, ownership, etc.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
23rd Apr 2008
0
Votes
HOME EDITION! (how did I miss that?)
Right-clicked the file, but no "security" tab.
NOW WHAT?
I am shutting down sys restore right now.
24th Apr 2008
Replies
have to be in Safe Mode to access the Tab.
Jacky Howe
24th Apr 2008
got the solution though, used the reboot delete utility and it took it away.
jdclyde
24th Apr 2008
.
Jacky Howe
25th Apr 2008
0
Votes
Problem resolved - file deleted
http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=261539&messageID=2482042
removereboot got it.
rebooted a few times and searched for the file, but it "seems" to be long gone.
Thanks all.
jd
24th Apr 2008
0
Votes
try this
have not tried it personally, but the reviews are good.
Unlocker
http://www.download.com/Unlocker/3000-2248_4-10493998.html
29th Apr 2008