Forcing removal of folders?

RD

I have a W2k Pro Sp4 computer on which files seem to have been maliciously
written under c:\inetpub\ftproot (the IIS server is running, as is the FTP
service, and folder access is limited to authenticated users). The folders
show up in the explorer, there are 9 of them, some with a name, some show
just the folder icon but the name is either a space or some invisible
character), each of these folders has multiple levels of subfolders each
with garbage names, some like hehehe, which leads me to believe some bastard
has gotten access to the computer and written trash to it, yet the latest
Symantec antivirus corp. edition with the latest definitions did not find
any viruses on the machine. I can't delete any of these folders. When I try
I get a message, Cannot delete file, cannot read from source file or
disk.

Anyone had any similar problems and found a way around it? I want to try to
avoid reformatting the drive, it's a production machine and I have several
programs running on it. Recreating it would be a very last resort.


Any help would be greatly appreciated.

RD.
 
Pegasus \(MVP\)

Try this:
1. Click Start / Run
2. Type cmd /f:on {ok}
3. Navigate to the parent of your problem folder.
4. Type this: rd /s
5. Instead of pressing {Enter}, press Ctrl+F until the
name of the problem folder appears, then press Enter.

If this does not work, repeat the above process in Safe Mode.

If this does not work either, modify Step 4 like so:

rd /s "\\?\c:\SomeFolder\SomeSubFolder
then press Ctrl+F until the bad name comes up.
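The same approach scripted for the whole FTP root, as an added example that is not part of the thread: the `\\?\` prefix bypasses the Win32 name rules (trailing spaces, reserved names, overlong paths) that make Explorer's delete fail, and the `dir /b` loop passes whitespace-only names through unchanged. The root path is an assumption; the loop removes every subdirectory under it, so review the listing from the dry run before letting it run.

```batch
@echo off
rem Added example, not from the thread. Assumed location of the
rem affected share; adjust before running.
set "ROOT=C:\inetpub\ftproot"

rem Dry run: show long and short (8.3) names so blank or
rem invisible-character directory names become visible.
dir /x /a:d "%ROOT%"

rem Remove each subdirectory via the \\?\ extended-path prefix.
rem "delims=" keeps the whole line, including trailing spaces,
rem so a folder named " " is addressed exactly as it exists on disk.
for /f "delims=" %%D in ('dir /b /a:d "%ROOT%"') do (
    echo Removing "%ROOT%\%%D"
    rd /s /q "\\?\%ROOT%\%%D"
)
```

Run it from an elevated cmd on the machine itself (or against the disk mounted offline, as suggested later in the thread); it only needs the FTP service stopped if a handle on the directories is still open.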
 
RD

Thanks a lot for your quick reply.

I tried it in normal mode, when I get to press the Ctrl-F the first name
that comes up is a double quote a space and another double quote which is
the folder I want to delete. (it shows up as a folder with no name in
explorer). I press Enter, it ask me are you sure, I reply Y, then it says
the system can not find the folder specified.

Since I'm doing this remotely on the machine I can't reboot it in safe mode
so I guess I'll have to go to the customer site and try the safe mode there,
but I suspect because the folder name is a space that I will have the same
results. I'll try to schedule that for Wednesday.

In the mean time do you have any other ideas I might try remotely?

Again, thanks a lot

RD
 
RD

I also tried it on one of the folders that had a name "R 6058 " that folder
did not get deleted either.

I also tried a removal tool moveonboot, that did not work.

I'd like to have the SOB who did this standing in front of me, he'd have to
be AWFULLY big to walk away.

Thanks for your help.
RD
 
j9

I'm a bit old fashioned. From /fastdetect, /sos, or Safe Mode, bring up a
console and try DELTREE /Y <drive and path> .

From the Recovery Console, use DEL on every object in the directory (ATTRIB
as necessary), then use DEL on the directory itself.
 
Pegasus \(MVP\)

Sorry, no other ideas for remote deletion. You can lend
your commands more punch by dealing with the disk in
an off-line mode, either by running it temporarily as a slave
disk in some other Win2000/XP PC, or by booting the
machine with a Bart PE boot CD (www.bootdisk.com).
If you have access to a Linux boot disk then you should
be able to delete the file under that OS.

How is your firewall?
 
RD

Thanks for the ideas. I thought the firewall was OK. We are running a
Watchguard router with all the non-essential ports closed. But obviously it
looks like that's not really enough.

Going over tomorrow to run the computer in safe mode and try to get rid of
the stuff (its about 100 clicks away from here). We'll see what that gives.

RD