Solved

rmdir command issued during Windows 98SE boot sequence

Posted on 2004-03-25
Last Modified: 2013-12-28
Unfortunately, I am sharing a single user Windows 98SE PC with others who always swear they never did anything when things go wrong.  After removing i.exe, a Trojan Horse downloader, successfully with AVG 6.0 free edition, build 639 (3/22/04), suddenly the message:

C:\rmdir C:\WINDOWS\TEMP\_ISTMP5.DIR\_ISTMP0.DIR
Invalid path, not directory,
or directory not empty

C:\>

which occurs after Windows 98 loads and right before the desktop is loaded and displays.  I did a step-by-step boot by holding F8 down and saw nothing out of the ordinary.  I do not know what issues the rmdir command described above, only that it is being issued after all the drivers have been loaded.  But then, going to the C:\WINDOWS\TEMP directory, I find 5 of these strange subdirectories:

_istmp0.dir
_istmp1.dir
_istmp2.dir
_istmp4.dir
_istmp5.dir  which contains the following files:
_ins5576._mp      544 KB     _MP File
_wutl951.dll           46KB      Application
ZDatal51.dll            52KB      Application

None of this exists on a parallel Windows 98SE PC and my attention to these folders and files was only drawn to it by the above mentioned failing rmdir command, the failure of which is prominently echoed at each boot, because there apparently is no _ISTMP0.DIR subdirectory inside of the _ISTMP5.DIR directory.  The only other weird files I could not find by comparison on my parallel Windows 98SE PC are strange .exe files in the root directory, which also worry me:  There is link.exe, gd.exe and best.exe and they have just the DOS executable program logo, no information whatsoever and recent dates.  Then there is HXDLAZWM.exe with a weird yellow spiral logo and ss_IGN7_setup.exe with a logo with a tiny PC, a tiny white horse on a black background, a CD shown in front with a tiny open box to the right.  My suspicion is that these files should for starters not be in the root directory at all and that they are probably left-overs from previous clean-ups, viruses, Trojan Horses, installed crap or the like. I have not re-installed Windows 98SE on this PC since 9/03/03, hence there could be a lot of trash.

1)  What issues the above rmdir command?
2)  How can I stop it?
3)  Are these _istmpx.dir directories and these strange files of any importance, or can they be deleted?  Is there a risk in deleting them?
4)  Are the unidentified .exe files in the root directory valid, invalid, or even a risk, so that they should be removed?

Thank you very much in advance.

Sincerely,
Bernard
0
Question by:brnbrg
33 Comments
 
LVL 67

Assisted Solution

by:sirbounty
sirbounty earned 75 total points
ID: 10679249
Click Start->Run->SYSEDIT to edit the autoexec.bat (if you don't know how).
Place a double-colon in front of the RMDIR line
::RMDIR blah blah
to prevent it from loading...

You may want to do a thorough scan as well:

Check for Spyware:
  Ad-Aware --> http://www.netsecurity.about.com/library/blfreespyware.htm
  HijackThis --> http://www.spychecker.com/program/hijackthis.html
  Spybot-S&D --> http://www.safer-networking.org/
  Web Shredder --> http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

Check for Viruses with online scanners:
  Symantec --> http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
  Trend Micro --> http://housecall.antivirus.com/housecall/start_corp.asp
  Panda ActiveScan --> http://www.pandasoftware.com/activescan/
0
 
LVL 29

Accepted Solution

by:
blue_zee earned 75 total points
ID: 10679382

The rmdir command removes each requested directory.
Each directory must be empty for rmdir to be successful.

Have you checked autoexec.bat, msconfig?

Anyway you do have loads of adware/spyware cleanup to do.

BEFORE anything else:

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. Update and run this regularly to get rid of most "spyware/hijackware" on your machine. If it has to fix things, be sure to re-boot and rerun AdAware again and repeat this cycle until you get a clean scan. The reason is that it may have to remove things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy available here:
http://security.kolla.de/
I recommend using both normally.
After fixing things with SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until you get a clean "no red" scan. The reason is that SpyBot sometimes has to remove things which are currently "in use" before it can then clean up others.

Once you get this cleaned up, you might want to consider installing the SpywareBlaster and SpywareGuard here to help prevent this kind of thing from happening in the future:

http://www.wilderssecurity.com/spywareblaster.html
Prevents malware Active X installs.
SpyWare Blaster is not memory resident ... no CPU or memory load - but keep it updated.
The latest version as of this writing will prevent installation or prevent the malware from running if it is already installed, and it provides information and fixit-links for a variety of parasites.

http://www.wilderssecurity.net/spywareguard.html
Monitors for attempts to install malware.

Both very highly recommended.

Zee

0
 
LVL 29

Expert Comment

by:blue_zee
ID: 10679408

Sorry sirbounty, took me too long typing my message...

Poster please disregard my answer.

It is adware/spyware.

Zee
0
 

Author Comment

by:brnbrg
ID: 10679861
Unfortunately, I did most of this...  I have AdAware and SpyBot installed, as well as AVG and meticulously keep them at the latest build (I check daily for updates and install them).  This is the only line in my autoexec.bat file:

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe

and I therefore suspect that I interrupted AVG during the removal of some of that crap I listed in my original question, hence, the rmdir command may be passed as an argument to that bootup.exe file.  But I am not sure, the rmdir command may be issued later - is the autoexec.bat file the absolute last thing being executed before the desktop is displayed?

Also, AVG, AdAware & SpyBot all finish clean, meaning that the few questionable TEMP subdirectories as well as those questionable .exe files in the root directories are now still there after I ran everything 3 times after fresh boots - what is your opinion about removing all that manually?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10679994
Your temp stuff can be removed manually - sure.
You might just try sliding .0 under .5 so that maybe this cleanup script will be able to complete successfully.

Otherwise, try Start->Run->MSCONFIG and see if you can find anything there.
You might also try Start->Run->Regedit
and navigate to
HKEY_Local_Machine\Software\Microsoft\Windows\Currentversion\Run
and
HKEY_Current_User\Software\Microsoft\Windows\Currentversion\Run
(possible check other variations of Run as well (Run-, RunOnce, etc)).
If you find the item there, you can either delete it or export it first (from the file menu) and then delete it...
0
 

Author Comment

by:brnbrg
ID: 10681447
That clean-up script somehow got stuck - I suspect, either I or one of those Einsteinian room mates of mine interrupted AVG in a panic, then rebooted, and the subdirectory was deleted, yet the script did not get to complete the first time.  I think this because autoexec.bat has only this one line to execute AVG, and I suspect the clean-up script is passed to it as an argument.  I also religiously run msconfig, followed by regedit and clean all RUN- keys out after deleting them from Startup.  On a second boot, AdAware and SpyBot always get all the remaining keys, hence, the crap that's laying around must be from incomplete or poorly executed clean-up procedures.

What is your opinion about link.exe, gd.exe, best.exe,  HXDLAZWM.exe with a weird yellow spiral logo and ss_IGN7_setup.exe as described above, which in my opinion should not be in the root directory, even if they were valid files - should I simply delete them?  The TEMP directory is one thing, but I sure would not like to screw something up in the root directory...
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 10682112
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10682134
Link.exe (C++ compiler?)
gd.exe - possibly General Dialer - read: http://www.pestpatrol.com/pest_info/de/g/general_dialer_1_00a.asp
HXDLAZWM.exe -Possibly remnant from Adware (not Ad-Aware)- read: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=adw_ruledor.c
 (note the section for Deleting Adware Files and Folder)
ss_IGN7_setup.exe makes me a bit nervous...
Could you perhaps post the results from Hijackthis (first post)?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10682140
Sorry blue_zee, took me too long typing my message...

Poster please disregard my answer.

It is adware/spyware.

~sirbounty (tee hee) LOL
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 10682181

ROFL...

hehehe
0
 

Author Comment

by:brnbrg
ID: 10691987
I thank you very much for your tips.  It seems, however, that you guys are a little bit in each other's hair, which means I'll have to split the points.  Now, I'm not in your league with this subject matter, because I am from another discipline, where quantitative analysis does not leave me all that much time to be up to snuff on everything else, so I apologize for being a little naive here.

                                SUMMARY

The bottom line is, what you both said, was quite accurate, I just finished extensive tests of the many software packages on this PC and they all did not need any of these .exe files.   A program called best.exe without any properties information, sitting in the root directory, would make me nervous in any case - I renamed and moved all of this garbage to another location and so far, no program is missing it.  In my book, it all goes down as leftover spyware garbage and I thank you particularly for the tip to install SpywareBlaster, which makes a real difference and works well with the free ZoneAlarm.  As discussed, I'm using this along with the latest builds of the free AVG 6.0 anti-virus, AdAware 6 and SpyBot.

Sincerely,
Bernard
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 10692074

Bernard,

Thank you for your comprehensive comments and I'm really glad you found the answers useful.

I'm sorry the dialogue between me and sirbounty led you to a misinterpretation of the situation. Please believe me there were no bad intentions or hard feelings towards sirbounty in my comments and I'm sure he feels the same.

One of the reasons EE works so well is exactly the competition between experts that usually ends with answers that do help askers solve their problems.

And you are another good example of that.

Cheers,

Zee
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10692090
No way jose'!
Mr. Zee is one of the many experts that I admire on this site and am honored to work alongside him in many posts.

Glad you got it working though - thanx!
0
 

Author Comment

by:brnbrg
ID: 10718749
            SUMMARY UPDATE:

After reinstalling AVG 6.0 free edition, build 642 (3/28/04), the above discussed message:

C:\rmdir C:\WINDOWS\TEMP\_ISTMP5.DIR\_ISTMP0.DIR
Invalid path, not directory,
or directory not empty

C:\>

still appears, despite a clean uninstall with removal of the entire grisoft directory & subdirectory tree, empty autoexec.bat and empty config.sys file.  It is a complete riddle to me, from where the rmdir command is issued, but the only executable statement is the new one and only line in my autoexec.bat file:

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe

and I have no idea, what or how the rmdir command is still being passed to boot.exe and would appreciate what else I could do besides this complete re-install - thanks.
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 10719176

Did the message disappear when you uninstalled AVG?

0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10719392
Post the log from my first post of Hijackthis...we should find it...
0

Author Comment

by:brnbrg
ID: 10721373
Re:  "Did the message disappear when you uninstalled AVG?"

Well, I'm no expert, so I worry and do things thoroughly - there was nothing in the autoexec.bat file at all while I rebooted before the clean re-install of AVG and I did not see the message.  But once I installed the latest build of AVG 6.0 free edition, the line

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe

was placed once more into the normally empty autoexec.bat file.  I was stunned to see the rmdir command reappear - from where?  The uninstall was ultra-clean - there were none of the usual leftovers like an empty Grisoft directory tree in Program Files - all references to Grisoft were gone, and so was the above line in the autoexec.bat file.  I saw nothing in the Run- keys in the registry either, nor any reference to AVG or Grisoft in Startup or the file system in general.  Where could that script have come from?  Or is it possible that there is a switch set from a leftover cleanup problem that causes even the newly installed AVG 6.0 to think it has to issue that rmdir command?  I would do another clean uninstall and then check again by hand if there is any reference to anything left over, but I have done that already and it would only make sense if there is a clue what else I could remove.  Maybe I should do the complete uninstall again, but this time run in between AdAware and SpyBot in succession 3 times after 3 fresh boots and see if there may have been some spyware remains that cause the new AVG to think it has to reissue that rmdir command.  This is really weird, especially because I removed all these _istempx.dir files long ago AND they never reappeared - what do you think?
0
 

Author Comment

by:brnbrg
ID: 10721383
By the way, how do I find your first post of Hijackthis - am I authorized to get it?
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 10721447

Probably, and I'm guessing, that command is intended to clean the temp folder created during the install of AVG.

Edit the autoexec.bat file and insert REM before the command line. Make it look like this:

REM @C:\PROGRA~1\GRISOFT\AVG6\bootup.exe

Reboot and check if you see the error message again.

Post back.

Zee
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10724249
>>By the way, how do I find your first post of Hijackthis - am I authorized to get it? <<

http://www.spychecker.com/program/hijackthis.html

Download and install (it's free).
0
 

Author Comment

by:brnbrg
ID: 10729117
Ah - looky here  - seems like I did not pay attention...  rem-ed out the autoexec.bat line and STILL got the rmdir command - therefore, what is running after autoexec.bat is executed and just before the desktop is being displayed?  My conclusion is that I did not pay attention and got that message even during the one-time boot while uninstalling AVG, and before and after continued to attribute it incorrectly to AVG.  But it may be something else - I can clearly see the rem-ed out statement echoed by the execution of autoexec.bat, then there is a pause and, of course, no boot virus check, and then that rmdir message appears just before the desktop does - hence, we're still in DOS under Windows 98SE - so, what else could be issuing that command?

Re your suspicion:  "Probably, and I'm guessing, that command is intended to clean the temp folder created during the install of AVG."  - I have to disagree, because the rmdir message started after a cleanup a few days ago (around 3/17/04) and I had NOT reinstalled AVG since September 22, 2003 at this time.  I only subsequently reinstalled AVG with a build of 3/22/04, but by then we were already trying to solve for what caused that rmdir message.

0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10729130
Check for a Start.bat in C:\windows (or perform a file search for it)
If found, right click and click edit - see if your friend is there... :D
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 10730323

You may want to try a step-by-step or a logged startup.

Press CTRL or F8 during startup until you see the start menu.

If you go for step-by-step, you need to confirm every startup command. Doing it carefully and reading each command may lead you to find the culprit. A trial and error startup test will also help (saying no to the "suspicious" commands and checking if the error message persists).

A logged startup will create a bootlog.txt file in C:\ that you can read and analyse.

Zee
0
 

Author Comment

by:brnbrg
ID: 10731006
This thing is turning into a bitch...  First, there is no start.bat in the entire file system.  Secondly, step-by-step booting does NOT reveal who or what is issuing the rmdir command - it is just being issued in a DOS prompt environment - and there is not a single reference to the string "rmdir" in bootlog.txt - so, it's a command from HELL!

On a calmer note, I'm beginning to wonder what else could execute so close to the desktop being displayed - maybe that is a clue for specialists like you - the rmdir command appears to come a little late, kind of like long after autoexec.bat finishes executing, and only a second before the desktop displays...

Since Spyware Blaster is always on, I totally uninstalled and re-installed that, too, but that didn't help.  I also didn't change anything, the same programs are in startup as before the rmdir message began, and I run AdAware and SpyBot on demand only. Could the free version ZoneAlarm 4.5.x issue a rmdir command at boot?

Could something sit in the registry, or a key be set to issue that command?

Confused Bernard (turning into Krazzy Eddie)
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10735875
Well, if it's in the registry - then you can perform a search for rmdir - shouldn't be too many instances of it, if any - hopefully just one. ;)
Do a search of your hard drive for all .BAT files...
One other BAT file is lingering in the back of my mind that might run at that point, but I don't recall the name...
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 10739111

Maybe you could do a search for:

*.bat

But make sure you can see all files: My Computer > View > Folder Options > View tab: select "Show all files"

If you post back the files you find maybe sirbounty can help you there.

Zee
0
 

Author Comment

by:brnbrg
ID: 10746968
Congratulations - you have a much better nose to sniff this stuff out than I do - there are even 3 .bat files in C:\WINDOWS with recent dates and here are their contents and how they are linked:

winstart.bat contains the following (surprise, surprise):

rmdir C:\WINDOWS\TEMP\_ISTMP5.DIR\_ISTMP0.DIR

tmpdelis.bat contains the following:

@if exist C:\WINDOWS\tmpcpyis.bat del C:\WINDOWS\tmpcpyis.bat
@if exist C:\WINDOWS\winstart.bat C:\WINDOWS\winstart.bat

Given the above del command, I do not understand why tmpcpyis.bat exists, BUT IT DOES, and tmpcpyis.bat contains the following:

@rd C:\WINDOWS\TEMP\_ISTMP2.DIR\_ISTMP0.DIR
@rd C:\WINDOWS\TEMP\_ISTMP2.DIR
@rd C:\WINDOWS\TEMP\_ISTMP3.DIR
@rd C:\WINDOWS\TEMP\_ISTMP2.DIR
@if exist C:\WINDOWS\winstart.bat del C:\WINDOWS\winstart.bat
@if exist C:\WINDOWS\winstart.isk ren C:\WINDOWS\winstart.isk winstart.bat
@C:\WINDOWS\tmpdelis.bat

The winstart.isk file referenced above is not on the file system, as this command seems to force it to be renamed to winstart.bat anyway, which it is.

Since the date coincides with my build 639 of AVG 6.0 free Edition, it looks as if AVG is the source of this.  Other than these 3 there is only dosstart.bat with an old date to run my Logitech mouse and autoexec.bat with that 1 line to run AVG as stated before.  The only other .bat files are those 3 and they all have the date of 3/24/04, a day after the build of the new AVG.  Can I simply delete all 3 of them?  I am just somewhat confused why these conditional delete commands do not seem to execute and why all 3 of these files sit around.  The only thing that is for sure is that winstart.bat still executes every time I boot.  What should I do - should I leave it there empty, or can it be removed?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10747289
WIN-Start!  Of course... :D Don't know why I was thinking start.bat....

You can certainly delete them, but if you feel more comfortable - either rename them, or simply precede each line with a double-colon (::)
::rmdir blah blah...

Then save it - those lines won't run...

Glad you found it.  Hooray!
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 10747878

:)
0
 

Author Comment

by:brnbrg
ID: 10749795
I first removed all 3, but then saw on my vanilla copy/backup PC that the 3/22/04 build 639 of AVG 6.0 Free Edition left in that C:\WINDOWS directory the conditional tmpdelis.bat without me having ever had a virus or any istmpX.dir directories on that machine - because I keep it disconnected and use it only locally to print long jobs or for long calculations, or for emergencies to compare PCs.  The reason I think AVG put these .bat files there is because I have only AVG running on the second PC - no AdAware, SpyBot, SpywareBlaster etc., because it stays disconnected, and that file appeared the day I updated AVG, before contacting you.

How do you read the logic starting with tmpdelis.bat - should tmpdelis.bat maybe ALWAYS stay in C:\WINDOWS, or would tmpdelis.bat again be recreated if AVG encountered an istmpX.dir subdirectory structure?

Obviously, one cannot see the AVG source code and whether they thought of one or more of such permanent prophylactic .bat files, but I tend more toward leaving tmpdelis.bat there than removing it - also, I could leave all 3 there and merely empty winstart.bat - what do you think?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10750449
I'm fairly certain that the tmpcpyis.bat can be deleted...
Winstart can either be deleted or just remarked out as noted above.

to read tmpdelis...

if tmpcpyis.bat is stored under the windows folder, then delete it.
if winstart.bat is stored under the windows folder - then run it...

0
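The reading of tmpdelis.bat above, and the three files the poster quoted a few comments earlier, are the kind of thing a small script can check mechanically rather than by eye. What follows is an added example in Python, not code from this thread, from Experts Exchange or from AVG. It writes constructed copies of the batch files the poster described to a scratch directory (the dosstart.bat mouse line is hypothetical, the rest mirrors what was posted), reports every rmdir/rd a batch file would issue, and builds a who-runs-whom graph that distinguishes a script that is merely deleted or renamed from one that is actually invoked, which is the distinction a plain text search for "winstart" cannot make. The chain it reports, tmpcpyis.bat runs tmpdelis.bat, which runs winstart.bat, is the one the posted files describe; winstart.bat itself is run by Windows 9x when the GUI starts, after autoexec.bat, which is where the poster sees the message.

```python
"""Trace which startup batch file issues a directory-removal command and how it is reached."""
import os
import re
import tempfile

# Constructed samples mirroring the batch files quoted in the thread, plus the two
# benign ones the poster mentions. They are not real files from any AVG build;
# the dosstart.bat mouse line is hypothetical.
SAMPLE_FILES = {
    "autoexec.bat": "@C:\\PROGRA~1\\GRISOFT\\AVG6\\bootup.exe\n",
    "dosstart.bat": "C:\\MOUSE\\MOUSE.EXE\n",
    "winstart.bat": "rmdir C:\\WINDOWS\\TEMP\\_ISTMP5.DIR\\_ISTMP0.DIR\n",
    "tmpdelis.bat": (
        "@if exist C:\\WINDOWS\\tmpcpyis.bat del C:\\WINDOWS\\tmpcpyis.bat\n"
        "@if exist C:\\WINDOWS\\winstart.bat C:\\WINDOWS\\winstart.bat\n"
    ),
    "tmpcpyis.bat": (
        "@rd C:\\WINDOWS\\TEMP\\_ISTMP2.DIR\\_ISTMP0.DIR\n"
        "@rd C:\\WINDOWS\\TEMP\\_ISTMP2.DIR\n"
        "@rd C:\\WINDOWS\\TEMP\\_ISTMP3.DIR\n"
        "@rd C:\\WINDOWS\\TEMP\\_ISTMP2.DIR\n"
        "@if exist C:\\WINDOWS\\winstart.bat del C:\\WINDOWS\\winstart.bat\n"
        "@if exist C:\\WINDOWS\\winstart.isk ren C:\\WINDOWS\\winstart.isk winstart.bat\n"
        "@C:\\WINDOWS\\tmpdelis.bat\n"
    ),
}

IF_EXIST = re.compile(r"^if\s+exist\s+\S+\s+", re.IGNORECASE)
DIR_REMOVE = re.compile(r"^(?:rmdir|rd)\b", re.IGNORECASE)
# Built-ins that take a file name as an argument without running it.
NON_INVOKING = {"del", "erase", "ren", "rename", "rd", "rmdir", "copy", "echo", "rem"}


def write_samples(directory):
    """Create the constructed batch files in `directory`."""
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(body)


def effective_command(line):
    """Strip the '@' echo suppressor and any 'if exist X' guard, leaving what would run."""
    cmd = line.strip()
    if cmd.startswith("@"):
        cmd = cmd[1:].lstrip()
    return IF_EXIST.sub("", cmd)


def list_batch_files(directory):
    return sorted(f for f in os.listdir(directory) if f.lower().endswith(".bat"))


def find_directory_removals(directory):
    """Return (file, line_no, command) for every rmdir/rd a batch file would issue."""
    hits = []
    for name in list_batch_files(directory):
        with open(os.path.join(directory, name)) as fh:
            for no, line in enumerate(fh, 1):
                cmd = effective_command(line)
                if DIR_REMOVE.match(cmd):
                    hits.append((name, no, cmd))
    return hits


def invocation_graph(directory):
    """Map each batch file to the set of batch files it runs (not ones it only deletes or renames)."""
    graph = {}
    for name in list_batch_files(directory):
        graph[name] = set()
        with open(os.path.join(directory, name)) as fh:
            for line in fh:
                tokens = effective_command(line).split()
                if not tokens:
                    continue
                first = tokens[0].lower()
                if first == "call" and len(tokens) > 1:
                    first = tokens[1].lower()
                if first in NON_INVOKING or not first.endswith(".bat"):
                    continue
                graph[name].add(os.path.basename(first.replace("\\", "/")))
    return graph


def callers_of(graph, target):
    """Walk the graph backwards: which scripts lead, directly or indirectly, to `target` running?"""
    chain, frontier = [], [target.lower()]
    while frontier:
        current = frontier.pop()
        for script, invoked in graph.items():
            if current in invoked and script not in chain:
                chain.append(script)
                frontier.append(script)
    return chain


def analyse_samples():
    """Write the samples to a scratch directory and run both analyses over them."""
    workdir = tempfile.mkdtemp()
    write_samples(workdir)
    hits = find_directory_removals(workdir)
    graph = invocation_graph(workdir)
    return hits, graph, callers_of(graph, "winstart.bat")


if __name__ == "__main__":
    hits, graph, chain = analyse_samples()
    for name, no, cmd in hits:
        print(f"{name}:{no}: {cmd}")
    print("winstart.bat is reached via:", " <- ".join(chain))
```

Run against a real C:\WINDOWS copy (point the two analysis functions at that directory instead of the scratch one), the first report answers "who issues rmdir" directly, and the graph shows whether a script you are about to delete is still referenced as something another script runs, which is the question the poster asks about tmpdelis.bat.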
 

Author Comment

by:brnbrg
ID: 10751662
I read tmpdelis the same way as you do, therefore, I find no answer why tmpcpyis does even exist (remember, all 3 .bat files were neatly in the C:\WINDOWS directory, hence, there is no way that they did not see each other...).

For the last 2 days, I have removed all 3 of them, and will now re-install tmpdelis the same way as AVG seems to have done it on PC#2 (with the same commands, by the way), because I suspect this to be what that later build of AVG 6.0 intended.  I see no harm in tmpdelis being there and since this is the free version of AVG, I cannot ask questions.  So, you will hear only from me again, if this causes something dramatic to happen.  If this causes me to miss a virus or spyware within the next 2-3 weeks, I will post accordingly here.

This was weird stuff and I thank you very much for your patience and help!

Sincerely,
Bernard, now Krazzy Eddie
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10751773
Rock on Krazzy Eddie!
0
