Undeleteable hidden files created by SecuROM 7.xx


  • Undeleteable hidden files created by SecuROM 7.xx

    Could someone help me to get rid of these hidden files that SecuROM7 created? As you can see from the log, not even del *.* could touch them..
    OS: XP Pro, NTFS

    Filenames that really have question marks in them, what a nice gift from Macrovision.

    I tried this software to remove them, no luck.


    Short filenames are disabled on this volume and the UNC path trick didn't work either. Impossible to rename.

    Directory of C:\Documents and Settings\Administrator\Application Data\SecuROM\UserData

    2005/09/17 01:05 <DIR> .
    2005/09/17 01:05 <DIR> ..
    2005/08/13 22:39 444 ???????????π????????
    2005/08/13 22:39 16 ???????????π???????????
    2 File(s) 460 bytes
    2 Dir(s) 630.139.651.072 bytes free

    C:\Documents and Settings\Administrator\Application Data\SecuROM\UserData>del *.*

    Could Not Find C:\Documents and Settings\Administrator\Application Data\SecuROM\UserData\*.*
    Win2k3 & OSX Intel, 2GB DDR400 P4 2.6@3.55 H2O, 7800 GTX @480/1250 H2O, 1x74GB Raptor, 8x400GB RAID5

  • #2
    Solution

    Here's a solution on how to remove the SecuROM infection but it costs $75:

    1. Buy WinHex professional edition (somebody with personal edition please try this since it's $35 cheaper!)

    2. Open your logical hard drive (i.e. drive C)

    3. From the directory browser, browse to Application Data\SecuROM

    4. Right-click "SecuROM" and choose "Position -> go to FILE record"

    5. Make sure that you are in $MFT (on the left panel)

    6. Enable edit mode

    7. Fill the entire SECTOR (NOT cluster!!) with "00"

    8. Save changes on disk, make sure the sector number is correct!

    9. Run cmd.exe, type "chkdsk c: /v /f", choose to run on next restart

    10. Reboot. Chkdsk will come up and your computer will reboot again.

    11. Yes, the undeleteable files are gone now! Remove directory c:\found.000 if it exists.

    12. Remove cmdline*.dll from your %windir%\system32 and %temp%

    13. Remove everything SecuROM related from registry like references to cmdline*.dll etc.

    14. Download cracks for all your SecuROM protected games you wish to play. Save the original executables for future patches.

    15. Never again install SecuROM protected games and demos(!) or you will get re-infected, only use cracked releases or software that uses another protection or no protection at all. You can buy the original CD/DVD if you wish to support the makers, but don't ever put the discs in your drive.

    16. If you must use original media or a demo, use only an account WITHOUT any administrative privileges. You CAN run most games as an ordinary user if you use cracked executables, it's the bloody protections that need to have Administrator level access in order to fuck up your system.

    17. Enjoy your games with faster start-up times and without any hidden data stored on YOUR drives.


    I e-mailed SecuROM support asking how to remove their crap from my system, they answered "There is no need to worry about these files, they are normal". I DIDN'T ASK THAT, I asked in plain English how to remove their crap!

    Since they don't seem to care about me, I sure as hell won't care about them. From this day forward, I will download every single SecuROM protected title I'd like to have, seed them for at least 24 hours after download AND write the authors (not publishers) explaining my decision. Once again, only legitimate customers are punished as the pirate versions are actually better than the originals.


    I'd like to thank my friends in Russia and East Europe, this guide is published also on eMule network as "Get rid of SecuROM7 hidden files vX.X.zip".



    • #3
      Use Unlocker, it's free and great: http://ccollomb.free.fr/unlocker/



      • #4
        Jarik got owned xD Free unlocker versus 75 dollars (how the heck did you get 75 anyway? it's just 35 for winhex pro...)



        • #5
          Re: Undeleteable hidden files created by SecuROM 7.xx

          Originally Posted by JariK-Tietomedia
          As you can see from the log, not even del *.* could touch them..
          <snip>
          Directory of C:\Documents and Settings\Administrator\Application Data\SecuROM\UserData

          2005/09/17 01:05 <DIR> .
          2005/09/17 01:05 <DIR> ..
          2005/08/13 22:39 444 ???????????π????????
          2005/08/13 22:39 16 ???????????π???????????
          2 File(s) 460 bytes
          2 Dir(s) 630.139.651.072 bytes free

          C:\Documents and Settings\Administrator\Application Data\SecuROM\UserData>del *.*

          Could Not Find C:\Documents and Settings\Administrator\Application Data\SecuROM\UserData\*.*
          "del *.*" doesn't work because the filenames don't have any dots. Try "del *". Also, if you're a programmer, you could try writing an application with hardcoded file identifier strings, as the blocking of specific characters from file identifier is sometimes implemented on application level, not by the actual filesystem or operating system. An example of this is the character ":", which is banned from file identifiers by Explorer, and most of all commands and tools used in/from cmd.exe (and probably applications using the standard Windows API for handling files), but is readily available otherwise (however the effects of putting ":" in a file identifier are quite different from what one might expect).



          • #6
            Pocket Killbox is your friend here - This was created for Spyware removal, and can even go as far as killing the explorer shell before delete, and should get rid of anything
            Nothing stands in the way of it, simply enter the path (Doesn't care at all, I'd probably try deleting the directory as opposed to the files themselves)

            Edit: If you're feeling really adventurous, a decent Linux install & Captive NTFS also works very nicely. (Albeit with a little more 'risk'; NTFS is closed source )

            Cheers

            -Leezer-

            Your friendly forum lurker



            • #7
              1. Use sysinternals' process explorer to see if anything has a handle on the files in question. If something does have a handle (although Securom doesn't use device drivers like Starforce I think), then try and kill that process. If you can't kill the process then some more work is needed to find out when that process is started. For starters check Services, non-pnp drivers (hidden by default) in the Device Manager, and System Drivers (System Info)
              2. if there's no handle open then try and delete it through cygwin (unix environment) if you have a copy to hand
              3. if you still can't then boot your machine with a linux live cd e.g. knoppix, and delete it with that!



              • #8
                Re: Undeleteable hidden files created by SecuROM 7.xx

                Originally Posted by JariK-Tietomedia
                Could someone help me to get rid of these hidden files that SecuROM7 created? As you can see from the log, not even del *.* could touch them..
                Which version of SecuROM? None of the SecuROM protected games I have created any such directory or files.

                But in order to try to answer your question:

                1) Reboot in the WindowsXP rescue console.
                2) Enter the directory in question and do a DEL *
                3) If that won't work, try to use autocompletion:

                Type DEL and then press TAB (maybe multiple times).
                See what the shell suggests for these filenames.
                To contact me privately, pray. I might answer.



                • #9
                  I also had this same problem - unprintable characters.

                  It looks a lot like NTFS file corruption, and I'm fairly sure it's deliberate.

                  However, I did find a solution to this without requiring Cygwin, Linux or another piece of software.

                  You can use the inbuilt "\\?\C:\Documents and Settings\<user profile>\Application Data\SecuROM\UserData\*" format to unattrib and delete the files.

                  So, something like so:

                  Code:
                  ATTRIB -R -S -A -H "\\?\C:\Documents and Settings\<user profile>\Application Data\SecuROM\UserData\*"
                  
                  then
                  
                  DEL "\\?\C:\Documents and Settings\<user profile>\Application Data\SecuROM\UserData\*"
                  Worked for me.

                  Microsoft page for this info:
                  http://support.microsoft.com/Default.aspx?kbid=320081 (See Section 6)

                  EF
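
The `\\?\` approach from post #9 as a script, added here as an example (it is not code from any poster in this thread or from Microsoft). The prefix makes Windows skip Win32 path normalisation, so names ending in a space or dot, or matching a reserved device name, stay reachable; the script also prints each name as code points, because a console listing shows `?` for any character the active code page cannot display. All function names are hypothetical, and nothing is deleted unless `dry_run=False` is passed.

```python
import ntpath
import os
import unicodedata

# Names the Win32 layer maps to devices instead of files.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)}

def extended_path(path):
    """Return the extended-length form of an absolute Windows path."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):  # UNC share: prefix becomes \\?\UNC\
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path

def describe(name):
    """Show a name as code points, so characters printed as '?' become visible."""
    return " ".join(f"U+{ord(c):04X}" for c in name)

def why_win32_rejects(name):
    """Reasons an ordinary (unprefixed) Win32 path would not reach this name."""
    reasons = []
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    if name.split(".")[0].rstrip(" ").upper() in RESERVED:
        reasons.append("reserved device name")
    if any(ord(c) < 32 or c in '<>:"/\\|?*' for c in name):
        reasons.append("character invalid in Win32 names")
    if any(unicodedata.category(c) in ("Cf", "Co", "Cn") for c in name):
        reasons.append("format/private-use/unassigned code point")
    return reasons

def purge(directory, dry_run=True):
    """Report every entry in directory; delete the files unless dry_run."""
    root = directory
    if os.name == "nt":  # the prefix only has meaning on Windows
        root = extended_path(ntpath.abspath(directory))
    report = []
    for entry in list(os.scandir(root)):
        report.append((describe(entry.name), why_win32_rejects(entry.name)))
        if not dry_run and entry.is_file(follow_symlinks=False):
            os.chmod(entry.path, 0o600)  # drop read-only, which blocks deletion
            os.remove(entry.path)
    return report
```

Call `purge(directory)` first and read the report; an entry with an empty reason list has a name the ordinary tools can already handle, so the obstacle is more likely attributes or an open handle.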



                  • #10
                    start windows in safemode and delete all the files...... 8)

                    Comment


                    • #11
                      MS KB, you cannot delete a file or a folder on an NTFS file system volume

                      Nice post Earlyflash.
                      the modern world:
                      net helpmsg 4006



                      • #12
                        Another method that often works on hidden or oddly named files is to remove the directory:
                        Code:
                        C:\Documents and Settings\LodeRunner>dir
                         Volume in drive C is Basroil 01 Root (40)
                         Volume Serial Number is 60A4-6D79
                        
                         Directory of C:\Documents and Settings\LodeRunner
                        
                        10/22/2005  06:16 PM    <DIR>          .
                        10/22/2005  06:16 PM    <DIR>          ..
                        <...>
                        10/22/2005  06:16 PM    <DIR>          funky
                        <...>
                                       2 File(s)      5,787,648 bytes
                                      14 Dir(s)  22,050,852,864 bytes free
                        OK, I made a folder called 'funky'. Then I copied the boot.ini file from the root into the 'funky' folder and made it read only.
                        Code:
                        C:\Documents and Settings\LodeRunner>cd funky
                        
                        C:\Documents and Settings\LodeRunner\funky>del boot.ini
                        C:\Documents and Settings\LodeRunner\funky\boot.ini
                        Access is denied.
                        As you can see, deleting the file was unsuccessful. So, we use the rd command.
                        Code:
                        C:\Documents and Settings\LodeRunner\funky>cd ..
                        
                        C:\Documents and Settings\LodeRunner>rd /s /q funky
                        'rd' alone will remove an empty directory. To delete a folder and all its files, you use 'rd /s /q' where '/s' indicates that rd should remove all subfolders and files and '/q' indicates that it will not ask for confirmation.

                        Code:
                        C:\Documents and Settings\LodeRunner>dir
                         Volume in drive C is Basroil 01 Root (40)
                         Volume Serial Number is 60A4-6D79
                        
                         Directory of C:\Documents and Settings\LodeRunner
                        
                        10/22/2005  06:17 PM    <DIR>          .
                        10/22/2005  06:17 PM    <DIR>          ..
                        10/22/2005  04:38 PM    <DIR>          Application Data
                        10/20/2005  11:48 AM    <DIR>          Desktop
                        10/12/2005  12:49 AM    <DIR>          Favorites
                        10/21/2005  01:50 PM    <DIR>          Local Settings
                        10/20/2005  12:32 PM    <DIR>          My Documents
                        10/09/2005  03:58 AM    <DIR>          NetHood
                        10/22/2005  12:05 AM         5,767,168 NTUSER.DAT
                        10/22/2005  06:16 PM             1,024 ntuser.dat.LOG
                        10/09/2005  03:58 AM    <DIR>          PrintHood
                        10/22/2005  05:14 PM    <DIR>          Recent
                        10/15/2005  01:02 AM    <DIR>          SendTo
                        10/15/2005  01:02 AM    <DIR>          Start Menu
                        10/09/2005  12:59 PM    <DIR>          Templates
                                       2 File(s)      5,768,192 bytes
                                      13 Dir(s)  22,050,865,152 bytes free
                        
                        C:\Documents and Settings\LodeRunner>
                        And the folder, along with the file, is gone. This method generally works.



                        • #13
                          the Unlocker tool works perfect. I didn't even know I had these files in my pc until I tried to clear up my second hd



                          • #14
                            Thanks LodeRunner! That walkthrough works perfectly!



                            • #15
                              I think a soft named unlocker can do it
