I can't delete a trojan


ducksnbeavers
August 26th, 2001, 03:58 PM
OS: Win ME, virus software: McAfee, problem: I have a trojan that I can't delete. The file is _restore\temp\a0127475.cpy. When I go to DOS and try to delete it I get "access denied". When I try attrib, I get "file not found". This sucks. I'm not very computer literate, I had to break out my DOS for Dummies book to try to figure it out. My son (age 19) turned me on to this site. I hope I can get some help. Thanks a lot, Sam

ghost_bear323
August 26th, 2001, 06:24 PM
Go to DOS and try typing the filename followed by -h -r. Then try deleting it.

ivan37
August 26th, 2001, 06:52 PM
Moosoft has a program called "the cleaner" which is made specifically to remove trojans.
http://www.moosoft.com/download.php

ducksnbeavers
August 27th, 2001, 12:23 AM
I really appreciate the help, it's cool of you both. Thank you

JP
August 27th, 2001, 01:02 AM
Greetings:

Did this take care of your problem?

Negative
August 27th, 2001, 04:24 AM
Go to DOS and try typing the filename followed by -h -r. Then try deleting it.

The command actually is: ATTRIB -h -r filename

This won't help, though. Files in the _RESTORE directory are in use by the OS. That's why access to those files is denied. (It's like your son preventing you from sawing off a branch you're actually sitting on: not a good idea).

The only solution - besides the good old format command - is disinfection. If you could name the trojan, that would actually help.

root2600
August 27th, 2001, 07:59 PM
Check out this link from microsoft about the _restore folder:

http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP

Hope this helps.

Quad
August 27th, 2001, 08:37 PM
Hey try this out:

Format c: /a /s will rid you of most virs. :)

Negative
August 28th, 2001, 05:11 AM
Format c: /a /s will rid you of most virs.

I bet format is the only DOS-command you know, Mr. know-it-all.
What's with the /a parameter anyway? And why should you use the /s parameter? Won't help if your system source is infected.

Being very constructive again, Mr. NoNecktoHoldmySuperBrain.

ivan37
August 28th, 2001, 08:16 PM
Good grief. This is a computer security site - We are supposed to be dispelling crap like "format C:" and "rm -rf /". Thank goodness DOS gives you a warning unlike *nix, but it is still bad that stuff like that is mentioned.

And don't even start on that "if they did it, then they deserve it" crap.

Quad
August 30th, 2001, 03:21 AM
Negative - You and Ivan can each take one of my nutz in your mouth and hum the US national Anthem...

P.S. Negative....I have more "know-it-all" under my fingernails than your bitch ass. Now what fool?

-Quad

Negative
August 30th, 2001, 05:07 AM
Negative - You and Ivan can each take one of my nutz in your mouth and hum the US national Anthem...
Would you trust me with one of your nutz in my mouth? You must be as dumb as you sound...
And as for the US national anthem: will the Belgian national anthem do? That's all me and my bitch ass know...
P.S. Negative....I have more "know-it-all" under my fingernails than your bitch ass. Now what fool?
What I don't see won't break my heart.
-Quad
Been playing too much Quake, I bet.

Quad
August 30th, 2001, 11:38 PM
Huh? Quake? I don't play games on the PC.

As for Format c: /a /s

You say that is the only dos command I know....I obviously know more than yourself because you had to ask what the /a switch was. HAHAHAHA.....moron.

Terr
August 31st, 2001, 01:56 AM
Originally posted by ducksnbeavers
OS: Win ME, virus software: McAfee, problem: I have a trojan that I can't delete. The file is _restore\temp\a0127475.cpy. When I go to DOS and try to delete it I get "access denied". When I try attrib, I get "file not found". This sucks. I'm not very computer literate, I had to break out my DOS for Dummies book to try to figure it out. My son (age 19) turned me on to this site. I hope I can get some help. Thanks a lot, Sam

Just in case it isn't fixed yet...

Okay, I've got a hunch. Let's look at the path/filename. It is:

c:\......\_restore\temp\a0127475.cpy , correct?

Now, I'd direct everyone's attention to the apparent underscore. In DOS, ASCII character #255 appears as a blank space; in Windows it appears as an underscore. But when Windows tries to do something to a file with that character in its name, it makes weird errors.

I would suggest opening a dos window, and trying to go:

cd <alt-255>restore


To get into the directory. By '<alt-255>', I mean, Hold down alt, hit 2, hit 5, hit 5, release ALT.

Now, if the underscore really IS the #255 character, I don't see how you could have browsed the directory in windows, but oh well, you never know.

Negative
August 31st, 2001, 05:16 AM
Now, I'd direct everyone's attention to the apparent underscore. In DOS, ASCII character #255 appears as a blank space; in Windows it appears as an underscore. But when Windows tries to do something to a file with that character in its name, it makes weird errors.


The underscore character is the same in DOS and in Windows, so what you suggested wouldn't work. The alt-255 character appears both in Windows and DOS as a hidden character (it's no underscore in Windows). His problem was to get access to the file, not the directory.

Good thinking, though.


NoNeckJoe, you can't just tell me what the /a parameter is supposed to do, can you?
Anyone else? I know the /v, /f, /q, /s, /t, /n, but not the /a, no.

Quad
August 31st, 2001, 05:28 AM
/A overwrites the default allocation unit. Dumbass....Enough said.

Terr
August 31st, 2001, 06:39 AM
Originally posted by Negative



The underscore character is the same in DOS and in Windows, so what you suggested wouldn't work. The alt-255 character appears both in Windows and DOS as a hidden character (it's no underscore in Windows). His problem was to get access to the file, not the directory.


Uhm... I beg to differ. Just now, 30 seconds ago, I opened a DOS box and made a directory on my desktop, containing ASCII char #255. And I look on my desktop, and LO AND BEHOLD the blank space (in DOS) is shown as an underscore. (I am not saying that it IS an underscore, merely that that is how Windows displays it).

Are you talking about Windows 98, or some other version? I'm talking about 98.

Edit: Just BTW FYI...

And if I try to delete the directory with #255 in its name (on my desktop), I get a dialog,
titled: "Error Deleting File",
text: "Cannot delete file: File system error (1026)"

Double clicking shows a message twice, both times saying: "The Folder 'c:\windows\desktop\blah_test' does not exist."
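Terr's experiment above, reproduced as an added example (this is not code from the thread, and not Terr's or Negative's own test). It assumes that Alt-255 types byte 0xFF, which code page 437 decodes to U+00A0 (no-break space), and it builds a constructed stand-in for the `_restore\temp\A0127475.CPY` path in a temporary directory rather than on a Win9x box. Whether Windows 98 Explorer actually draws that character as an underscore, the point Terr and Negative disagree on, is not something this script settles; what it does show is the symptom the original poster hit: the name you type from what you see on screen does not exist, while the real name does, and a byte-level dump of the directory listing is the check that exposes the difference.

```python
"""Show how a lookalike character in a directory name yields 'file not found'
for the name you can read off the screen.

Added example, not from the forum thread. Assumptions (labelled):
  - Alt-255 types byte 0xFF; in CP437 that byte is U+00A0 (no-break space).
  - A temporary directory stands in for C:\ and the file name merely mimics
    the A0127475.CPY pattern; its contents are a constructed placeholder.
"""
import os
import tempfile
import unicodedata

# Assumption: Alt-255 -> byte 0xFF -> U+00A0 under code page 437.
ALT_255 = b"\xff".decode("cp437")   # "\xa0"


def make_lookalike_tree(base):
    """Create <base>/<NBSP>restore/temp/A0127475.CPY and return the real dir name."""
    real_dir = ALT_255 + "restore"          # looks like "_restore" or " restore"
    temp_dir = os.path.join(base, real_dir, "temp")
    os.makedirs(temp_dir)
    with open(os.path.join(temp_dir, "A0127475.CPY"), "wb") as fh:
        fh.write(b"constructed sample file, not malware\n")
    return real_dir


def path_exists(base, *parts):
    """True if <base>/<parts...> exists, using exactly the name given."""
    return os.path.exists(os.path.join(base, *parts))


def reveal(name):
    """Render a file name with every non-plain-ASCII character spelled out.

    Plain printable ASCII (minus the space) is passed through; anything
    else becomes <U+XXXX NAME>, so a no-break space can no longer hide
    behind an underscore or a blank.
    """
    out = []
    for ch in name:
        if ch.isascii() and ch.isprintable() and ch != " ":
            out.append(ch)
        else:
            out.append("<U+%04X %s>" % (ord(ch), unicodedata.name(ch, "?")))
    return "".join(out)


def suspicious_names(names):
    """Return the directory entries whose names contain confusable characters."""
    return [n for n in names if reveal(n) != n]


def demo():
    """Build the tree, then probe it with the typed name and the real name."""
    with tempfile.TemporaryDirectory() as base:
        real_dir = make_lookalike_tree(base)
        typed = path_exists(base, "_restore", "temp", "A0127475.CPY")   # what Sam typed
        actual = path_exists(base, real_dir, "temp", "A0127475.CPY")    # what is on disk
        flagged = [reveal(n) for n in suspicious_names(os.listdir(base))]
        return typed, actual, flagged


if __name__ == "__main__":
    typed, actual, flagged = demo()
    print("typed '_restore' path exists:", typed)     # False
    print("real path exists:", actual)                # True
    print("entries with confusable characters:", flagged)
```

Run it as a script and the "typed" probe fails while the "real" one succeeds, which is exactly the `file not found` Sam got from `attrib`. The same `reveal` pass over a `dir` listing is the practical check: if an entry you can see on screen refuses to match when typed, dump its code points before assuming the file is locked.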

Neophyte
August 31st, 2001, 07:33 PM
Originally posted by NoNeckJoe
/A overwrites the default allocation unit. Dumbass....Enough said.

A good answer but not done in the style of Ms. Manners.

And I don't believe that 255 is the only ascii code where _ is written as default.

As for me...I am just going to have a drink.

:drink:

Anyone wish to join me?

Negative
August 31st, 2001, 08:44 PM
Are you talking about Windows 98, or some other version? I'm talking about 98.

Tried it again in a Dosbox in WinMe... I did the same things you did: No problems. No underscore, just a blank character. No problem deleting the file.

Must have been 'fixed' in Me edition.

What I said before, still stands: I don't think the OP had a problem opening the _restore-directory, he did have a problem accessing the files in that directory.

Have done some testing on OP's problem, too: I infected 20 of my files with the Win32/Magistr worm, then cleaned them using AVG. Then I did an online scan (Trend), and guess what: Trend PC-cillin reported 20 Win32/Magistr infections, all located in the _Restore directory. The file names are A0032xxx.CPY. I tried to disinfect those, but that's where the OP's problem arose: access to those files is denied (as I stated before, as Trend confirmed, and as seen on http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP (thx for the link, root2600)) because those files are in use by the system...

I've done the test with other numbers of infected files, and every time I got the same result: as many 'infected' files in the _Restore directory as were cleaned...

Quad
September 3rd, 2002, 07:05 PM
post deleted by user.

nebulus200
September 3rd, 2002, 08:50 PM
A little bit nervous to interject an idea after watching that exchange, but is booting off of a write protected system floppy an option? If the file is in use by the OS on the hdd, wouldn't booting off of a write protected floppy render this no longer a problem ?

Neb