Undeletable damaged ifmon.dll file

The ifmon.dll file in my \windows\system32 folder contains 0 bytes, and won't
let me delete or rename it in order to use a freshly-downloaded copy. I'm
using XP Home/SP2, with all relevant updates; has anyone any ideas, please?
 
Use Sysinternals Process Explorer (freeware) to find out what process is
locking the file and end that process, then replace the file. In the case
that the process is explorer.exe, you will need to use the task manager to
start cmd.exe after killing explorer and replace the file from the command
line.
Louis

 
Jobsworth said:
The ifmon.dll file in my \windows\system32 folder contains 0 bytes, and won't
let me delete or rename it in order to use a freshly-downloaded copy. I'm
using XP Home/SP2, with all relevant updates; has anyone any ideas, please?

Click Start, Run, type SFC /SCANNOW, click OK. If any files are damaged
or missing, they'll be replaced. You may need to reboot afterwards so
damaged files will be replaced.
 
Try this, Windows File Protection will probably replace the file, ifmon.dll.

Start | Run | Type: system32 | Click OK |

WINDOWS\system32 should open.
Size the window so you can also see your Desktop.
Scroll down to ifmon.dll.
Left click and drag ifmon.dll to your Desktop.
Wait just a minute.
Now scroll down clear to the bottom of system32.
Is there a new ifmon.dll there?

If there is a new ifmon.dll delete the one on your Desktop.
Close system32.

If there is NOT a new ifmon.dll drag the one on your Desktop back into
system32.
Close system32.

If there is a new ifmon.dll in system32, you'll see something similar to
this in the Event Viewer under System, listed as Information; Windows File
Protection:

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 09-May-07
Time: 7:10:56 PM
User: N/A
Computer: GT5404
Description:
File replacement was attempted on the protected system file
c:\windows\system32\ifmon.dll. This file was restored to the original
version to maintain system stability. The file version of the system file is
5.1.2600.2180.

To open the Event Viewer...
Start | Run | Type: eventvwr | Click OK

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
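
The Event Viewer check described in the post above can be scripted once the event text has been copied out of the System log. This is an added example, not part of the original post: it parses records in the layout quoted above and reports whether Windows File Protection restored a given file. The function names and the second sample record are constructed for illustration.

```python
import re

# Constructed input: the first record is the event text quoted in the post
# above; the second is a made-up unrelated record for contrast.
SAMPLE = r"""Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 09-May-07
Time: 7:10:56 PM
User: N/A
Computer: GT5404
Description:
File replacement was attempted on the protected system file
c:\windows\system32\ifmon.dll. This file was restored to the original
version to maintain system stability. The file version of the system file is
5.1.2600.2180.

Event Type: Information
Event Source: Service Control Manager
Event ID: 7036
Date: 09-May-07
Time: 7:12:03 PM
Description:
The Example service entered the running state.
"""

RESTORED = re.compile(  # wording of the description as quoted in the post
    r"protected system file\s+(?P<path>\S+?)\.\s+This file was restored"
    r".*?file version of the system file is\s+(?P<version>[\d.]+?)\.?$",
    re.IGNORECASE)

def parse_records(text):
    """Split pasted event text into dicts of header fields plus Description."""
    records = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        head, _, desc = chunk.partition("Description:")
        fields = dict(re.findall(r"(?m)^([^:\n]+):[ \t]*(.*)$", head))
        if fields:
            fields["Description"] = " ".join(desc.split())  # undo line wrapping
            records.append(fields)
    return records

def wfp_restores(records, filename):
    """Return the WFP 'restored' events (ID 64002, as quoted) for filename."""
    hits = []
    for rec in records:
        if rec.get("Event Source") != "Windows File Protection" or rec.get("Event ID") != "64002":
            continue
        m = RESTORED.search(rec["Description"])
        if m and m.group("path").lower().endswith("\\" + filename.lower()):
            hits.append({"date": rec.get("Date"), "path": m.group("path"),
                         "version": m.group("version")})
    return hits
```

An empty result for `ifmon.dll` means no restore was logged, so the file in system32 is not a fresh copy from Windows File Protection.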

 
Thanks for the very prompt and detailed responses. However, no dice so far.
I've:
Used SFC /SCANNOW, as suggested by Elmo - although something was definitely
happening, my damaged file remained in place;
Downloaded and run the Sysinternals Process Explorer (3c273's solution), but
have been through every process shown and can't see ifmon.dll being used by
any of them;
Tried Wesley's File Protection route, but dragging the file to the desktop
produces a "Cannot move ifmon: The file or directory is corrupted and
unreadable." error.
Does any of this shed any light on my stubborn little problem?
 
Hi Jobsworth - From my Blog, Defending Your Machine, addy below in my
Signature:


"Sometimes the tools below will find files which they are unable to delete
because they are in use.

- A program called Locked Files Wizard (LFW), formerly CopyLock, here,
http://noeld.com/programs.asp?cat=misc "is a simple assistant that allows
you to either replace, move, delete or rename one or more files or folders
which are in use by the system or any running process. Additionally, you can
display and possibly stop the processes or services that lock a file, and
manage files flagged to be processed by the system on next reboot (e.g.
after an installation or an uninstallation.) The Locked Files Wizard can
also help to select some worms and trojans from the Registry and to quickly
remove them from the system." Copylock2 (now Locked Files Wizard) does
request a $12 registration fee in order to activate some additional _new
functions_ in the new version and/or for installation on multiple computers
or commercial usage. However, that version is available for download at the
link on that page without registration and with full utility of the original
capabilities of Copylock after installation without registration. If you
prefer, you can alternatively download the older v. 1.09 version which
involves no registration at all (but, of course doesn't include the
possibility of upgrade to the paid version) here:
http://copylock.noel-danjou.qarchive.org/_download2.html

- Another is Killbox by Option Explicit, Beta version available here:
http://www.killbox.net/downloads/beta/KillBox.exe
Overview directions are available here:
http://www.killbox.net/help.html#Top
Read carefully - this tool is quite powerful. A Beta version is also
available.

- A third which is a bit different but often very useful is Delete Invalid
File, here:
http://www.purgeie.com/delinv.htm
which handles invalid/UNC file/folder name deleting, rather than the in use
problem. The situation with Delete Invalid Files is similar to that with
Copylock. The latest version adds additional capabilities which are aimed at
the commercial marketplace (but would be useful to an individual user also.)
However, all of the _original file removal functions_ are still freely
available in the download version without registration or payment.

From http://www.purgeie.com/delinv/index.htm:

"As the "Free" version of DelinvFile had become so popular and has been
referenced on many download sites, web forums and newsgroups as being
"Free", the current version does not require a fee to access the original
program functions. The commercial version of DelinvFile makes available
additional functions which require licensing (registration) for them to
work. The additional functions include "Open With..", Renaming Files,
Renaming Folders, and Deleting Files and Folders at Boot."

- A fourth useful program is Unlocker, here:
http://ccollomb.free.fr/unlocker/
" Simply right click the folder or file and select Unlocker. If the folder
or file is locked, a window listing of lockers will appear. Simply select
the lockers and click Unlock and you are done!" Works as advertised and is
particularly helpful in identifying malware components which are
'protecting' each other.

- A fifth is FileASSASSIN, here:
http://www.malwarebytes.org/fileassassin.php
"FileASSASSIN can delete locked malware files on your system. It uses
advanced techniques to unload modules, close remote handles, and terminate
processes to allow the removal of the file." "



--
Regards, Jim Byrd,
My Blog, Defending Your Machine,
http://defendingyourmachine2.blogspot.com/



In Jobsworth <[email protected]> typed:
|| Thanks for the very prompt and detailed responses. However, no dice
|| so far. I've:
|| Used SFC /SCANNOW, as suggested by Elmo - although something was
|| definitely happening, my damaged file remained in place;
|| Downloaded and run the Sysinternals Process Explorer (3c273's
|| solution), but have been through every process shown and can't see
|| ifmon.dll being used by any of them;
|| Tried Wesley's File Protection route, but dragging the file to the
|| desktop produces a "Cannot move ifmon: The file or directory is
|| corrupted and unreadable." error.
|| Does any of this shed any light on my stubborn little problem?
 
Jim - many thanks for a huge amount of advice. I can't quite believe it, but
I've tried all those solutions - except KillBox - and the damn file is still
there!
Some programs say the file doesn't exist - e.g., the message from
LockedFilesWizard was: " The source file or folder does not exist. Please
correct." Unlocker looked more hopeful, reporting: "No locking handle found.
However Unlocker can help you with this object. Choose action you want to
perform on the object." A combo-type box offered several selections,
including 'delete' (which I chose), and something seemed to happen - except
the file was still listed in Windows Explorer afterwards. Similarly,
FileAssassin claimed to have processed the file (unlocked, then deleted in
two operations)... but there it is still!
I did wonder if it was just explorer playing games, but I had a look using
dir from the command prompt, and it's listed with 0 bytes.
Is this something I can ignore, maybe? What does ifmon.dll do anyway, and
what processes use it? All a bit strange!
 
...other possibly relevant piece of info is that chkdsk runs every time the
machine is booted, and Spybot Search & Destroy produces a balloon in the
system tray about the corrupt .dll whenever a scan is run.
 
Hi Jobsworth - Usually DeleteInvalidFile will handle these extreme cases.
Did you explicitly try that from my previous post?

--
Regards, Jim Byrd,
My Blog, Defending Your Machine,
http://defendingyourmachine2.blogspot.com/



In Jobsworth <[email protected]> typed:
|| ...other possibly relevant piece of info is that chkdsk runs every
|| time the machine is booted, and Spybot Search & Destroy produces a
|| balloon in the system tray about the corrupt .dll whenever a scan is
|| run.
 
Hi, Jim - yeah, I tried both ways of deleting through DIF. Both produced a
balloon message in the system tray - first said "Click to delete the file
selected above using its Short FileNam. The file or directory
c:\windows\system32\ifmon.dll is corrupt and unreadable. Please run the
Chkdsk utility.". Using the UNC option produced a similar error: "Click
folder name to navigate to it:DelinvFile.EXE - Corrupt F".
Did seem a bit odd - for example, where to click? Also, the second message
looks somewhat incomplete. Forgive me - I'm an OK user, but very green when I
get under the hood.
 
Hi Jobsworth - Well, not sure it will solve it given what you've already
done, but you might want to try these utilities again after doing a "Clean
Boot". Again from my Blog:


#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or preferably a "Clean Boot" when possible (which will let you use the
Windows Installer, access the Internet safely, etc., while still avoiding
interfering programs or malware), logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF) (including offline content.) Reboot and test if the
malware is fixed after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
How to boot to Safe mode
http://spyware-free.us/tutorials/safemode/ and
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (The procedure does differ by OS, so be sure to check for yours. The
following is for XP or Win2k w/msconfig - you can obtain msconfig for Win2k
here: http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):

1. Start | Run, enter msconfig.
2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.
4. Click OK and then reboot.

For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP,
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/ (Procedure not using
msconfig)
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/

(BTW, it's not pertinent to the 'Clean Boot' operation, but FYI you can add
a very useful 'Tools' tab to msconfig if you wish. See here:
http://support.microsoft.com/?kbid=906569)
#########IMPORTANT#########






--
Regards, Jim Byrd,
My Blog, Defending Your Machine,
http://defendingyourmachine2.blogspot.com/



In Jobsworth <[email protected]> typed:
|| Hi, Jim - yeah, I tried both ways of deleting through DIF. Both
|| produced a balloon message in the system tray - first said "Click to
|| delete the file selected above using its Short FileNam. The file or
|| directory c:\windows\system32\ifmon.dll is corrupt and unreadable.
|| Please run the Chkdsk utility.". Using the UNC option produced a
|| similar error: "Click folder name to navigate to it:DelinvFile.EXE -
|| Corrupt F".
|| Did seem a bit odd - for example, where to click? Also, the second
|| message looks somewhat incomplete. Forgive me - I'm an OK user, but
|| very green when I get under the hood.
 
Hi, Jim
Sorry for the delay - been at work and not long read your new post. Nobody'd
mentioned the 'clean boot' requirement before, so I'll get onto that later or
tomorrow, and be in touch again if that's OK.
 
Hi again, Jim
Renewed thanks for your detailed input! I've run each of those utilities
again after a clean boot - and having deleted the temp and TI files as you
suggested - and still the empty file is there! I tried killbox too, to no
avail.
I took note of the feedback from Chkdsk; while verifying files it reports:
"Truncating badly linked attribute records from file record segment 24338.".
Later it reports: "inserting data attribute into file 24338.". Don't know if
this is in any way significant or helpful.
I've responded to the request for errors in running FileASSASSIN to be
reported to the support team at malwarebytes.org. I hesitate to ask you for
further help, on account of the time you've spent already - but if you do
have any further inspiration and fancy getting in touch, that would be great!
I'm away for a few days and out of Internet range, but will check for
messages again later in the week.
Best regards.
 
Hi Jobsworth - YW. FWIW, this begins to sound more and more to me like a
hardware disk issue, and I suspect that your chkdsk msgs may, indeed, be
significant. I would at least get a SMART readout, and I think I might take
a look on my HD manufacturer's site to see if there are any standalone disk
diagnostic utilities available for download (most have such, usually as
self-booting CD .iso images - I assume you know how to burn an .iso to CD?),
and institute a thorough check of the disk in question. FAIR WARNING - It's
almost always a good idea to do as complete a backup as you can given the
resources available to you of critical data BEFORE running such diagnostics.
While such utilities are normally non-destructive and quite safe, they are
often designed to also fix errors as well, and unhappy things have been
known to happen in that step upon occasion.

--
Regards, Jim Byrd,
My Blog, Defending Your Machine,
http://defendingyourmachine2.blogspot.com/



In Jobsworth <[email protected]> typed:
|| Hi again, Jim
|| Renewed thanks for your detailed input! I've run each of those
|| utilities again after a clean boot - and having deleted the temp and
|| TI files as you suggested - and still the empty file is there! I
|| tried killbox too, to no avail.
|| I took note of the feedback from Chkdsk; while verifying files it
|| reports: "Truncating badly linked attribute records from file record
|| segment 24338.". Later it reports: "inserting data attribute into
|| file 24338.". Don't know if this is in any way significant or
|| helpful.
|| I've responded to the request for errors in running FileASSASSIN to
|| be reported to the support team at malwarebytes.org. I hesitate to
|| ask you for further help, on account of the time you've spent
|| already - but if you do have any further inspiration and fancy
|| getting in touch, that would be great! I'm away for a few days and
|| out of Internet range, but will check for messages again later in
|| the week.
|| Best regards.
 
Hi again, Jim.
Sorry for the long delay - I've been working away from the poorly machine,
and without regular Internet access.
I was wondering about scrapping the HD partitions and doing a clean install
from CDs and a data backup, but maybe I'll give your suggestion a go first.
I've downloaded the .iso diagnostics file for my drive series from Western
Digital, and will run it after I've refreshed my backup. I'll let you know
what happens!
All the best,
Jobsworth
 
Update since yesterday's post... run the WD diagnostics off a bootable CD,
100% clear.
Do you think this is something I can safely ignore, and clear it up when I
reformat or replace the HDD sometime?
 
Hi Jobsworth - Are you still seeing errors when you run chkdsk? Are you
running a network that you need to manage?

--
Regards, Jim Byrd,
My Blog, Defending Your Machine,
http://defendingyourmachine2.blogspot.com/



In Jobsworth <[email protected]> typed:
|| Update since yesterday's post... run the WD diagnostics off a
|| bootable CD, 100% clear.
|| Do you think this is something I can safely ignore, and clear it up
|| when I reformat or replace the HDD sometime?
 