Can't delete kqbmsupb.dat from my temp directory


DaveF

I have a file named "kqbmsupb.dat" in my temp directory that I am unable to
delete. It doesn't appear to be locked by any program but I keep getting an
Access Denied error. When I open the properties on the file there is no
Security tab. I am an admin on the machine which is running Windows XP SP3
and is part of a domain.

Here are some of the things I tried to delete the file and they all failed.

1) Signed in as Administrator
2) Tried Safe Mode
3) Used Unlocker
4) Used recovery console
5) Used Sysinternals Process Explorer but file does not show up
6) Used Sysinternals Handle but file does not show up
7) Tried to quarantine it with my AV software
8) Tried to delete it with Anti-malware software

Any suggestions would be welcome.

Dave
 
From: "DaveF" <[email protected]>

| I have a file named "kqbmsupb.dat" in my temp directory that I am unable to
| delete. It doesn't appear to be locked by any program but I keep getting an
| Access Denied error. When I open the properties on the file there is no
| Security tab. I am an admin on the machine which is running Windows XP SP3
| and is part of a domain.

| Here are some of the things I tried to delete the file and they all failed.

| 1) Signed in as Administrator
| 2) Tried Safe Mode
| 3) Used Unlocker
| 4) Used recovery console
| 5) Used Sysinternals Process Explorer but file does not show up
| 6) Used Sysinternals Handle but file does not show up
| 7) Tried to quarantine it with my AV software
| 8) Tried to delete it with Anti-malware software

| Any suggestions would be welcome.

| Dave



Use Process Explorer to find what process is keeping that file handle held open.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
 
David H. Lipman said:
From: "DaveF" <[email protected]>

| I have a file named "kqbmsupb.dat" in my temp directory that I am unable to
| delete. It doesn't appear to be locked by any program but I keep getting an
| Access Denied error. When I open the properties on the file there is no
| Security tab. I am an admin on the machine which is running Windows XP SP3
| and is part of a domain.

| Here are some of the things I tried to delete the file and they all failed.

| 1) Signed in as Administrator
| 2) Tried Safe Mode
| 3) Used Unlocker
| 4) Used recovery console
| 5) Used Sysinternals Process Explorer but file does not show up
| 6) Used Sysinternals Handle but file does not show up
| 7) Tried to quarantine it with my AV software
| 8) Tried to delete it with Anti-malware software

| Any suggestions would be welcome.

| Dave



Use Process Explorer to find what process is keeping that file handle held
open.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

#5 on my list.
 
David H. Lipman said:
From: "DaveF" <[email protected]>


| #5 on my list.

Sorry...

Have you tried "find" (find handle or DLL) from the pulldown menu ?

Yes sir! That is what leads me to state that there is no lock on the file. It
appears to simply be a permission issue but I can't find a way to change the
permissions.
 
DaveF said:
I have a file named "kqbmsupb.dat" in my temp directory that I am
unable to delete. It doesn't appear to be locked by any program but I
keep getting an Access Denied error. When I open the properties on
the file there is no Security tab. I am an admin on the machine which
is running Windows XP SP3 and is part of a domain.

Here are some of the things I tried to delete the file and they all
failed.
1) Signed in as Administrator
2) Tried Safe Mode
3) Used Unlocker
4) Used recovery console
5) Used Sysinternals Process Explorer but file does not show up
6) Used Sysinternals Handle but file does not show up
7) Tried to quarantine it with my AV software
8) Tried to delete it with Anti-malware software

Any suggestions would be welcome.

Dave

Have you tried taking ownership of the file? If Home version, you need
Safe Mode to do so. Then you should be able to control it.
You didn't mention TaskManager or msconfig?

HTH

Twayne
 
From: "DaveF" <[email protected]>


| Yes sir! That is what leads me to state that there is no lock on the file. It
| appears to simply be a permission issue but I can't find a way to change the
| permissions.


Hmmm...

Could be a RootKit.

Did you search the Registry for; kqbmsupb.dat ?

Go to Device Manager.
Go to View --> show hidden devices.

Look for anything called TDSSxxx and/or loading a file such as TDSsxxx.sys
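
The registry search suggested above, as an added example that is not part of the original post: a plain text search of a regedit export can miss a driver's ImagePath, because a REG_EXPAND_SZ value is exported as hex(2) UTF-16LE bytes, so this sketch decodes those values before matching. The sample export and the names ExampleSvc and TDSSexample.sys are constructed placeholders.

```python
import re

# Names from the thread: TDSSxxx drivers and the undeletable temp file.
SUSPECT = re.compile(r"tdss\w*|kqbmsupb\.dat", re.I)

def as_hex2(s, width=8):
    """Encode s the way regedit exports REG_EXPAND_SZ (UTF-16LE hex, wrapped)."""
    b = [f"{x:02x}" for x in (s + "\0").encode("utf-16-le")]
    rows = [",".join(b[i:i + width]) for i in range(0, len(b), width)]
    return "hex(2):" + ",\\\n  ".join(rows)

# Constructed sample export; key and driver names are placeholders.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]",
    '"ImagePath"=' + as_hex2(r"System32\Drivers\Beep.sys"), "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]",
    '"Type"=dword:00000001',
    '"ImagePath"=' + as_hex2(r"\systemroot\system32\drivers\TDSSexample.sys"),
    '"Data"="C:\\\\WINDOWS\\\\Temp\\\\kqbmsupb.dat"',
])

def decode_value(raw):
    """Return the text of a .reg value; hex(1/2/7) data is UTF-16LE bytes."""
    m = re.match(r"hex\([127]\):(.*)", raw, re.S)
    if m:
        data = bytes.fromhex(re.sub(r"[\\\s,]", "", m.group(1)))
        return data.decode("utf-16-le", "replace").replace("\0", " ").strip()
    return raw.strip('"').replace("\\\\", "\\")

def scan_reg_export(text):
    """List (key, value name, decoded data) entries that match SUSPECT."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join wrapped hex lines
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if SUSPECT.search(key.rsplit("\\", 1)[-1]):
                hits.append((key, "(key name)", ""))
        elif key and line.startswith('"') and '"=' in line:
            name, _, raw = line.partition('"=')
            value = decode_value(raw)
            if SUSPECT.search(value):
                hits.append((key, name.strip('"'), value))
    return hits

if __name__ == "__main__":
    for key, name, value in scan_reg_export(SAMPLE):
        print(f"{key}\n    {name} = {value}")
```

A version 5.00 export written by regedit is a UTF-16 file, so read it with `open(path, encoding="utf-16")` before passing the text to `scan_reg_export`.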
 
David H. Lipman said:
From: "DaveF" <[email protected]>


| Yes sir! That is what leads me to state that there is no lock on the file. It
| appears to simply be a permission issue but I can't find a way to change the
| permissions.


Hmmm...

Could be a RootKit.

Did you search the Registry for; kqbmsupb.dat ?

Go to Device Manager.
Go to View --> show hidden devices.

Look for anything called TDSSxxx and/or loading a file such as
TDSsxxx.sys

The anti-malware software did identify it as a rootkit and claimed it needed
a reboot to remove it but the file is still there after rebooting.
 
Twayne said:
Have you tried taking ownership of the file? If Home version, you need
Safe Mode to do so. Then you should be able to control it.
You didn't mention TaskManager or msconfig?

HTH

Twayne
It is the Pro version. Nothing out of the ordinary appears in either task
manager or msconfig. There is no security tab in properties to change the
permissions. Is there another way to take ownership?
 
From: "DaveF" <[email protected]>


| The anti-malware software did identify it as a rootkit and claimed it needed
| a reboot to remove it but the file is still there after rebooting.

Bingo !

It is still there because it is protected.

What anti malware software declared this and what was it identified as ?
 
David H. Lipman said:
From: "DaveF" <[email protected]>


| The anti-malware software did identify it as a rootkit and claimed it needed
| a reboot to remove it but the file is still there after rebooting.

Bingo !

It is still there because it is protected.

What anti malware software declared this and what was it identified as ?
Software was Malwarebytes and it was identified as "kqbmsupb.dat
(Rootkit.Agent)"
 
David H. Lipman said:
From: "DaveF" <[email protected]>


| Software was Malwarebytes and it was identified as "kqbmsupb.dat
| (Rootkit.Agent)"

Please use the Gmer utilities like I requested.

Dave,

I was able to delete the file with GMER. Thank you very much.

Dave
 
DaveF said:
It is the Pro version. Nothing out of the ordinary appears in either
task manager or msconfig. There is no security tab in properties to
change the permissions. Is there another way to take ownership?

You probably have fast user switching turned on? I think that prevents
you from getting the security tab.

Twayne
 
From: "Twayne" <[email protected]>


| You probably have fast user switching turned on? I think that prevents
| you from getting the security tab.

| Twayne

Since this was a RootKit, it wouldn't have helped. The file is protected and hidden.
That's why it couldn't be seen in Process Explorer.
 
David said:
Since this was a RootKit, it wouldn't have helped. The file is
protected and hidden. That's why it couldn't be seen in Process
Explorer.

Yup; posted that before the other showed up.

Twayne
 