#1
c:\windows\temp\rarsfx0\nero\ can't delete the temp folder,subfolders or contents??? AV says it's infected, Help!
hi all,

I am booted up in "real" dos mode... I was running a dos AV program, F-Protdos, and it identified a lot of files in the C:\windows\temp folder as being "a security risk", and so just to save some time, I manually deleted all the subfolders using the deltree command and it took all out with the exception of the last 4 and it won't let me delete them. They are RARSFX0, RARSFX1, RARSFX2, and RARSFX3, all contain a "Nero" subfolder with 2 nero files, a .cfg and a .dll, and it will not let me delete, tells me "Access is denied". How do I force this to let me delete it? Is there a way to "unprotect" these folders? Or simply unprotect the Temp folder and delete them all at once with the "deltree" command??

thanks,
niteowl
#2
"niteowl" wrote in message ...

> How do I force this to let me delete it. Is there a way to

DOS ignores Windows restrictions that prevent your deleting a file currently loaded. You ought to be able to REName or DELTREE anything after a DOS boot.

Nero is commonly CD RW control software, best handled by uninstalling (in Safe Mode) and reinstalling. It would be anomalous for Nero to leave anything in c:\windows\temp which is temporary free parking for instal processes, that ought to delete themselves on completion. But Nero software started as a hacker venture in the public domain sector, and does not necessarily behave as Bill Gates might like.

--
Don Phillipson
Carlsbad Springs (Ottawa, Canada)
#3
On Wed, 18 Aug 2004 06:46:05 -0400, "Don Phillipson" wrote:

> DOS ignores Windows restrictions that prevent your deleting a file currently loaded. You ought to be able to REName or DELTREE anything after a DOS boot.

so what could be keeping me from deleting these folders/files in DOS? I am booting up from a custom made startup disk, loading CDRom drivers so I have CD access. Nothing about Nero on this startup disk.. ???? How can I determine what is protecting those folders?

A complete scan of C, D, and E drives shows only infections on C: plus there are still 2 other files that the AV program couldn't delete, c:\windows\msgcen~1.exe -(UPX) identified as W32/Otwar.A@adw and c:\windows\applic~1\downlo~1.exe-(UPX) also identified as W32/Otwar.A@adw.
#4
Perhaps the files/folders have read-only or system attributes set. Try running ATTRIB on them (in dos) and see what it says (or look at the properties in Windows).
#5
On Wed, 18 Aug 2004 09:52:19 -0400, WoofWoof wrote:

> Perhaps the files/folders have read-only or system attributes set. Try running ATTRIB on them (in dos) and see what it says (or look at the properties in Windows).

okay, I did that... the files don't even show, but the AV program still says they are there... ?? What's up with that?

I'm not sure what's hanging up the bootup to normal windows.. how would I check that?

What I did so far. booted up from win98 startup disk, I manually deleted all the c:\windows\Temporary Internet Files folder, and all the contents of the c:\windows\temp folder except those 4 I mentioned. Ran Fprotdos and it removed 3 of the 5 virus files it identified.. the other 2 don't appear to be there. booted up in Safe Mode, removed Norton's cause it wouldn't startup, Ran scandisk with the auto fix feature checked.. it did so, and am now in the process of defragging the 3 drives I have partitioned. So far I've been unable to bootup normally, I get the wallpaper, then the hourglass just sits there..

I was planning to reinstall Norton's and just wondering if I should do that in Safe Mode or if it has to be in normal windows before it will install correctly.. ??

Any suggestions are welcome... When it gets done defragging, I'll try to bootup again and see if I can get into normal windows.

thanks,
niteowl
#6
niteowl wrote:

> okay, I did that... the files don't even show, but the AV program still says they are there... ?? What's up with that?

How did you use attrib ? Did you just do a generic "attrib" (to get a list)? Don't know whether it will show hidden/system files like that. Can you try something like

    attrib -h -s -r RARSFX0

Also, it seems you can boot in safe mode. Can you see these files in windows? (You'll need to turn on "show hidden files and folders" in folder options (or whatever the win98 equivalent is .... I'm using win2K here and I'm working from memory)). Can you then left click and get the properties for each file/folder and change them?

> I'm not sure what's hanging up the bootup to normal windows.. how would I check that?

> So far I've been unable to bootup normally, I get the wallpaper, then the hourglass just sits there..

Can you start/run msconfig in safe mode and uncheck as many of the startup items as possible (be careful some are needed). Then try a normal boot. If you can do that you can add back the startup items one at a time until you find the offender.

Failing that, what were you doing before this happened? Can you undo something in safe mode to reverse it?

Do you have a registry backup from before the time the problem started? Use a Win98 Startup disk to boot to a DOS prompt, then type:

    scanreg /restore

Scanreg should now display 5 backups by date to select from. Take the latest one (if any) that pre-dates the problem. Bear in mind you'll lose any installations/changes you made after that date/time.

> I was planning to reinstall Norton's and just wondering if I should do that in Safe Mode or if it has to be in normal windows before it will install correctly.. ??

I'm a bit biased, actually, since I'm no great fan of Norton's (too many problems in the past). However, simple prudence would suggest that it shouldn't be re-installed until you get your machine running normally ... why complicate things?
#7
Hi,

was able to see those files in safe mode, and after uninstalling the version of Nero, was able to delete them just fine. not really sure if that did it, or what, was doing too many things at once I guess to really narrow it down.

At any rate, after cleaning everything up with fprotdos, and getting everything as clean as possible, on first boot to normal windows only had 16 colors, and 640x480 resolution, when I changed to 800x600 at high color, the bootup process stalled again after the wallpaper.. so must have been something with the video stuff, hard to say, ....

I just decided to format and reinstall windows... This is a friend's computer, and when I set it up, only installed windows to C: ALL other progs went to D: and E:, so it went fairly quickly.. and is now working perfectly once again... I've done all the critical updates and the win98 updates that I wanted, and installed adaware and spybot and Norton's and ran a complete system scan and all is clean again.. so will finish installing the last couple of progs for them and let their 15 yr. old have another stab at it... I keep telling her not to click on anything unless she's absolutely sure of what it is... but ....... she's 15 and the parents aren't that savvy so.. I get to do this every so often. ;-)

I was just hoping to be able to clean it but there was obviously too much damage... Spent 24 hours trying to fix it, and about 4 hours just starting fresh.

Thanks for your help and suggestions.

niteowl
#8
Hi Niteowl,

Glad to see you got going again

niteowl wrote:

> Hi, was able to see those files in safe mode, and after uninstalling the version of Nero, was able to delete them just fine.

> I just decided to format and reinstall windows... This is a friend's computer, and when I set it up, only installed windows to C: ALL other progs went to D: and E:, so it went fairly quickly.. and is now working perfectly once again...

I tried that route once ... installing apps on a different partition than the boot drive ... on the mistaken impression that it would preserve them if the OS crashed and I had to re-install it. Of course, that isn't the case and you still have to re-install the apps (though in some cases, you can re-install over the original and preserve settings/data).

Nowadays I don't worry too much about the apps but I do try to locate data off the boot partition (in a single directory structure so that it's easy to back up).
#9
On Thu, 19 Aug 2004 09:37:01 -0400, WoofWoof wrote:

> Nowadays I don't worry too much about the apps but I do try to locate data off the boot partition (in a single directory structure so that it's easy to back up).

yep, I move the "My Documents" folder to the D: drive so 'most' things are automatically diverted there, and there is always those apps to be reinstalled - those that write to the windows\system folder.. but some work just fine without any other correction than to copy a shortcut back to the start menu. ;-)

thanks for your help
niteowl