MS-DOS Application files always in-use

[Livingston Dell]

Operating system: WindowsXP SP2 RC1
Problem originally occured while I had WindowsXP SP1 installed but I updated to SP2 RC1 recently.

Hey, hope someone can help me with this! Some few months ago I got a virus by viewing a page locally in IE. The virus itself is indentified as "Download.Trojan" by Norton AV, but I'm not sure if it is as the characteristics of the virus don't seem exactly the same.

This virus is more an example of exploits in IE; when opened it replaces notepad.exe with, if I remember rightly, an OpenGL demo when you opened the page (locally). I suppose it's fair to say curiosity got the better of me, so I tested the page on my own computer to see what would happen, more or less.

It did what was described ... but something I hadn't counted on, nor was mentioned, is that the virus would put up some resistance against being deleted/renamed/moved (at least, I think it's related, more on that later)- "Cannot delete [filename]: It is being used by another person or program. Close any programs that might be using the file and try again".

In the end, it wasn't all that hard to remove, booting into safe mode, scanning for viruses, and I'd taken a backup of notepad.exe previously (as stated by the warning) to ensure I wouldn't have any difficulties getting everything back to the same state it was in before.

However, coming back to what I just mentioned above, I now seem unable to delete/move/rename any MS-DOS application file (I think that's the correct name but I've attached a screenshot just to be sure on the file-type) I always get an error saying the file is in use. This only happens if I try to delete the file of this type directly, by which I mean clicking and pressing delete. If I boot up the system fresh, click the folder the file is contained within and delete the folder entirely, it's removed okay.


Also, I know of the command prompt workaround where you have a cmd window open, end all explorer.exe processes, delete the file in question, then start a new explorer.exe process. But it's just that; a workaround rather than a permanent fix, which is more what I'm looking for

One problem diagnosing this is that I don't know for sure if this problem start only after the 'virus' was executed on my system (including the replaced notepad.exe file)- I can't say I remember any problems previous to this.

I've uploaded the supposed virus file as well demonstrating the security exploit... To keep myself covered: I will not be held responsible for any damage to your system if you decide to execute it on your own system.
url removed

Steps I've tried to sort things... Ran Norton AntiVirus, in normal and safe mode. It removed the files; SystemRestore; running Spybot S&D; running AdAware; checked the website it was from originally for more details but couldn't find anything; checked for any strange processes, etc.


Thanks for any help you can give me with this one. I know it's a long shot and all

_{URL removed by moderator}

[Statica]

Moderator note: Please do not upload or attach a link to a virus file. That is just not right. I understand you have a question that needs to be answered, but putting a malicious piece of code for download is not the answer.

---

The zip you had seems to contain at least one virus: VBS_INOR.L The virus characterisitics and cleaning details are available here: http://www.trendmicro.com/vinfo/viru...ame=VBS_INOR.L

You may also scan your system with http://housecall.antivirus.com/

[Livingston Dell]

My apologies for the linking to the file;

Thank you for more accurate information on the virus. I followed the removal instructions and scanned my system using the link provided. My system was definitely clean; I guess that can only mean the problem most likely existed before the virus executed on my system, I just hadn't noticed it.

On further examination it turns out the exact problems I mentioned were slightly inaccurate- the problem only kicks in after 1) trying to delete a file by selecting it and pressing delete or 2) right clicking the file bring up the context menu (whether I do anything or not is irrelevant). Thereafter the file is 'locked' and I can't delete/move/rename it until system restart or I end any explorer.exe processes and create a new.

I know it may sound like a trivial problem, and I guess it is, but it's one of these problems that just really get to you eventually