A Windows 98 & ME forum. Win98banter


c:\windows\temp\rarsfx0\nero\ can't delete the temp folder,subfolders or contents??? AV says it's infected, Help!



 
 
  #1  
Old August 18th 04, 06:30 AM
niteowl

hi all,

I am booted up in "real" dos mode...

I was running a dos AV program, F-Protdos, and it identified a lot of
files in the C:\windows\temp folder as being "a security risk",
and so just to save some time, I manually deleted all the subfolders
using the deltree command and it took all out with the exception of the
last 4 and it won't let me delete them.

they are RARSFX0, RARSFX1, RARSFX2, and RARSFX3, all contain a
"Nero" subfolder with 2 nero files, a .cfg and a .dll, and it will not
let me delete, tells me "Access is denied".

How do I force this to let me delete it. Is there a way to
"unprotect" these folders? or simply unprotect the Temp folder and
delete them all at once with the "deltree" command??

thanks,
niteowl
  #2  
Old August 18th 04, 11:46 AM
Don Phillipson

DOS ignores Windows restrictions that prevent
your deleting a file currently loaded. You ought to be
able to REName or DELTREE anything after a DOS boot.

Nero is commonly CD RW control software, best
handled by uninstalling (in Safe Mode) and reinstalling.
It would be anomalous for Nero to leave anything in
c:\windows\temp
which is temporary free parking for instal processes,
that ought to delete themselves on completion. But
Nero software started as a hacker venture in the
public domain sector, and does not necessarily
behave as Bill Gates might like.

--
Don Phillipson
Carlsbad Springs
(Ottawa, Canada)


  #3  
Old August 18th 04, 02:30 PM
niteowl

On Wed, 18 Aug 2004 06:46:05 -0400, "Don Phillipson"
wrote:

> DOS ignores Windows restrictions that prevent
> your deleting a file currently loaded. You ought to be
> able to REName or DELTREE anything after a DOS boot.


so what could be keeping me from deleting these folders/files in DOS?
I am booting up from a custom made startup disk, loading CDRom drivers
so I have CD access. Nothing about Nero on this startup disk.. ????

How can I determine what is protecting those folders?

A complete scan of C, D, and E drives shows only infections on C:
plus there are still 2 other files that the AV program couldn't
delete, c:\windows\msgcen~1.exe -(UPX) identified as
W32/Otwar.A@adw and c:\windows\applic~1\downlo~1.exe-(UPX) also
identified as W32/Otwar.A@adw.






  #4  
Old August 18th 04, 02:52 PM
WoofWoof

Perhaps the files/folders have read-only or system attributes set. Try
running ATTRIB on them (in dos) and see what it says (or look at the
properties in Windows).


  #5  
Old August 18th 04, 05:11 PM
niteowl

On Wed, 18 Aug 2004 09:52:19 -0400, WoofWoof
wrote:

> Perhaps the files/folders have read-only or system attributes set. Try
> running ATTRIB on them (in dos) and see what it says (or look at the
> properties in Windows).


okay, I did that... the files don't even show, but the AV program
still says they are there... ?? What's up with that?

I'm not sure what's hanging up the bootup to normal windows.. how
would I check that?

What I did so far.
booted up from win98 startup disk, I manually deleted all the
c:\windows\Temporary Internet Files folder, and all the contents of
the c:\windows\temp folder except those 4 I mentioned.
Ran Fprotdos and it removed 3 of the 5 virus files it identified.. the
other 2 don't appear to be there.

booted up in Safe Mode, removed Norton's cause it wouldn't startup,
Ran scandisk with the auto fix feature checked.. it did so, and am now
in the process of defragging the 3 drives I have partitioned.

So far I've been unable to bootup normally, I get the wallpaper, then
the hourglass just sits there..

I was planning to reinstall Norton's and just wondering if I should do
that in Safe Mode or if it has to be in normal windows before it will
install correctly.. ??

Any suggestions are welcome... When it gets done defragging, I'll try
to bootup again and see if I can get into normal windows.

thanks,
niteowl



  #6  
Old August 18th 04, 10:23 PM
WoofWoof



niteowl wrote:

> On Wed, 18 Aug 2004 09:52:19 -0400, WoofWoof
> wrote:
>
>> Perhaps the files/folders have read-only or system attributes set. Try
>> running ATTRIB on them (in dos) and see what it says (or look at the
>> properties in Windows).
>
> okay, I did that... the files don't even show, but the AV program
> still says they are there... ?? What's up with that?



How did you use attrib ? Did you just do a generic "attrib" (to get a
list)? Don't know whether it will show hidden/system files like that.
Can you try something like attrib -h -s -r RARSFX0

Also, it seems you can boot in safe mode. Can you see these files in
windows? (You'll need to turn on "show hidden files and folders" in
folder options (or whatever the win98 equivalent is .... I'm using
win2K here and I'm working from memory). Can you then left click and
get the properties for each file/folder and change them?




> I'm not sure what's hanging up the bootup to normal windows.. how
> would I check that?
>
> What I did so far.
> booted up from win98 startup disk, I manually deleted all the
> c:\windows\Temporary Internet Files folder, and all the contents of
> the c:\windows\temp folder except those 4 I mentioned.
> Ran Fprotdos and it removed 3 of the 5 virus files it identified.. the
> other 2 don't appear to be there.
>
> booted up in Safe Mode, removed Norton's cause it wouldn't startup,
> Ran scandisk with the auto fix feature checked.. it did so, and am now
> in the process of defragging the 3 drives I have partitioned.
>
> So far I've been unable to bootup normally, I get the wallpaper, then
> the hourglass just sits there..


Can you start/run msconfig in safe mode and uncheck as many of the
startup items as possible (be careful some are needed). Then try a
normal boot. If you can do that you can add back the startup items one
at a time until you find the offender.

Failing that, what were you doing before this happened? Can you undo
something in safe mode to reverse it?

Do you have a registry backup from before the time the problem
started? Use a Win98 Startup disk to boot to a DOS prompt, then
type: scanreg /restore

Scanreg should now display 5 backups by date to select from. Take the
latest one (if any) that pre-dates the problem. Bear in mind you'll
lose any installations/changes you made after that date/time.



> I was planning to reinstall Norton's and just wondering if I should do
> that in Safe Mode or if it has to be in normal windows before it will
> install correctly.. ??



I'm a bit biased, actually, since I'm no great fan of Norton's (too
many problems in the past). However, simple prudence would suggest
that it shouldn't be re-installed until you get your machine running
normally ... why complicate things?



> Any suggestions are welcome... When it gets done defragging, I'll try
> to bootup again and see if I can get into normal windows.
>
> thanks,
> niteowl


  #7  
Old August 19th 04, 10:27 AM
niteowl

Hi,

was able to see those files in safe mode, and after uninstalling the
version of Nero, was able to delete them just fine.

not really sure if that did it, or what, was doing too many things at
once I guess to really narrow it down. At any rate, after cleaning
everything up with fprotdos, and getting everything as clean as
possible, on first boot to normal windows only had 16 colors, and
640x480 resolution, when I changed to 800x600 at high color, the
bootup process stalled again after the wallpaper.. so must have been
something with the video stuff, hard to say, ....

I just decided to format and reinstall windows... This is a friend's
computer, and when I set it up, only installed windows to C: ALL
other progs went to D: and E:, so it went fairly quickly.. and is
now working perfectly once again...

I've done all the critical updates and the win98 updates that I
wanted, and installed adaware and spybot and Norton's and ran a
complete system scan and all is clean again.. so will finish
installing the last couple of progs for them and let their 15 yr. old
have another stab at it... I keep telling her not to click on
anything unless she's absolutely sure of what it is... but .......
she's 15 and the parents aren't that savvy so.. I get to do this every
so often. ;-) I was just hoping to be able to clean it but there was
obviously too much damage...

Spent 24 hours trying to fix it, and about 4 hours just starting
fresh.

Thanks for your help and suggestions.

niteowl





  #8  
Old August 19th 04, 02:37 PM
WoofWoof

Hi Niteowl,

Glad to see you got going again

niteowl wrote:

> Hi,
>
> was able to see those files in safe mode, and after uninstalling the
> version of Nero, was able to delete them just fine.
>
> I just decided to format and reinstall windows... This is a friend's
> computer, and when I set it up, only installed windows to C: ALL
> other progs went to D: and E:, so it went fairly quickly.. and is
> now working perfectly once again...


I tried that route once ... installing apps on a different partition
than the boot drive ... on the mistaken impression that it would
preserve them if the OS crashed and I had to re-install it. Of course,
that isn't the case and you still have to re-install the apps (though
in some cases, you can re-install over the original and preserve
settings/data).

Nowadays I don't worry too much about the apps but I do try to locate
data off the boot partition (in a single directory structure so that
it's easy to back up).
  #9  
Old August 19th 04, 06:59 PM
niteowl

On Thu, 19 Aug 2004 09:37:01 -0400, WoofWoof
wrote:

> Nowadays I don't worry too much about the apps but I do try to locate
> data off the boot partition (in a single directory structure so that
> it's easy to back up).



yep, I move the "My Documents" folder to the D: drive so 'most' things
are automatically diverted there, and there is always those apps to be
reinstalled - those that write to the windows\system folder.. but
some work just fine without any other correction than to copy a
shortcut back to the start menu. ;-)

thanks for your help

niteowl
 



