Forcing removal of folders?

rd

Distinguished
Apr 6, 2004
43
0
18,530
Archived from groups: microsoft.public.win2000.general (More info?)

I have a W2k Pro Sp4 computer on which files seem to have been maliciously
written under c:\inetpub\ftproot (the IIS server is running, as is the FTP
service, and folder access is limited to authenticated users). The folders
show up in Explorer; there are 9 of them, some with a name, some showing
just the folder icon (the name is either a space or some invisible
character). Each of these folders has multiple levels of subfolders, each
with a garbage name, some like hehehe, which leads me to believe some bastard
has gotten access to the computer and written trash to it, yet the latest
Symantec antivirus corp. edition with the latest definitions did not find
any viruses on the machine. I can't delete any of these folders. When I try,
I get a message: "Cannot delete file, cannot read from source file or
disk."

Anyone had any similar problems and found a way around it? I want to try to
avoid reformatting the drive; it's a production machine and I have several
programs running on it. Recreating it would be a very last resort.


Any help would be greatly appreciated.

RD.
 
Guest

I'm a bit old fashioned. From /fastdetect, /sos, or Safe Mode, bring up a
console and try DELTREE /Y <drive and path> .

From the Recovery Console, use DEL on every object in the directory (ATTRIB
as necessary), then use DEL on the directory itself.
 
Guest

Try this:
1. Click Start / Run
2. Type cmd /f:on {ok}
3. Navigate to the parent of your problem folder.
4. Type this: rd /s
5. Instead of pressing {Enter}, press Ctrl+F until the
name of the problem folder appears, then press Enter.

If this does not work, repeat the above process in Safe Mode.

If this does not work either, modify Step 4 like so:

rd /s "\\?\c:\SomeFolder\SomeSubFolder
then press Ctrl+F until the bad name comes up.
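
An added example, not part of the original posts: a Python check for folder names like the ones in this thread (a lone space, an invisible character, a trailing space as in "R 6058 ") that a normal Win32 path cannot address, together with the extended-length `\\?\` form of the path, which Win32 passes to the filesystem without normalising. The reserved device name check goes beyond what the thread reports, and the function names and the sample listing are constructed for illustration.

```python
import ntpath
import unicodedata

# Names Win32 path parsing reserves for devices (with or without an extension).
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)}

def why_unaddressable(name):
    """Reasons one path component cannot be reached through a normal Win32 path."""
    reasons = []
    # Win32 normalisation drops trailing spaces and dots, so the name never matches.
    if name not in (".", "..") and name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    # Control, format (zero-width) and non-ASCII whitespace characters render as nothing.
    if any(unicodedata.category(c) in ("Cc", "Cf") or (c.isspace() and c != " ")
           for c in name):
        reasons.append("control or invisible character")
    if name.split(".")[0].strip().upper() in RESERVED:
        reasons.append("reserved device name")
    return reasons

def extended_path(path):
    r"""Return the \\?\ form of an absolute drive path; it skips Win32 normalisation."""
    if path.startswith("\\\\?\\"):
        return path
    drive, rest = ntpath.splitdrive(path)
    if len(drive) != 2 or not rest.startswith("\\"):
        raise ValueError("need an absolute drive-letter path such as c:\\dir")
    return "\\\\?\\" + drive + rest

def scan(paths):
    r"""Map each flagged absolute Windows path to (reasons, \\?\ form of the path)."""
    findings = {}
    for p in paths:
        reasons = []
        for part in p.split("\\")[1:]:          # skip the drive component
            reasons += [r for r in why_unaddressable(part) if r not in reasons]
        if reasons:
            findings[p] = (reasons, extended_path(p))
    return findings

# Constructed listing (not from the thread's machine); "\u00a0" is a no-break space.
SAMPLE = [
    "c:\\inetpub\\ftproot\\hehehe",
    "c:\\inetpub\\ftproot\\R 6058 ",
    "c:\\inetpub\\ftproot\\ ",
    "c:\\inetpub\\ftproot\\\u00a0\\com1",
]

if __name__ == "__main__":
    for path, (reasons, ext) in scan(SAMPLE).items():
        print(repr(path), reasons, repr(ext))
```

The extended form is what goes, in double quotes, after `rd /s` for each flagged folder.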
 

rd


Thanks a lot for your quick reply.

I tried it in normal mode. When I get to press Ctrl-F, the first name
that comes up is a double quote, a space and another double quote, which is
the folder I want to delete (it shows up as a folder with no name in
Explorer). I press Enter, it asks me are you sure, I reply Y, then it says
the system cannot find the folder specified.

Since I'm doing this remotely on the machine I can't reboot it in safe mode,
so I guess I'll have to go to the customer site and try safe mode there,
but I suspect because the folder name is a space that I will have the same
results. I'll try to schedule that for Wednesday.

In the meantime, do you have any other ideas I might try remotely?

Again, thanks a lot

RD

"Pegasus (MVP)" <I.can@fly.com> wrote in message
news:u4U2gUGcFHA.580@TK2MSFTNGP15.phx.gbl...
> Try this:
> 1. Click Start / Run
> 2. Type cmd /f:on {ok}
> 3. Navigate to the parent of your problem folder.
> 4. Type this: rd /s
> 5. Instead of pressing {Enter}, press Ctrl+F until the
> name of the problem folder appears, then press Enter.
>
> If this does not work, repeat the above process in Safe Mode.
>
> If this does not work either, modify Step 4 like so:
>
> rd /s "\\?\c:\SomeFolder\SomeSubFolder
> then press Ctrl+F until the bad name comes up.
 

rd


I also tried it on one of the folders that had a name, "R 6058 "; that folder
did not get deleted either.

I also tried a removal tool, moveonboot; that did not work.

I'd like to have the SOB who did this standing in front of me, he'd have to
be AWFULLY big to walk away.

Thanks for your help.
RD
 
Guest

Sorry, no other ideas for remote deletion. You can lend
your commands more punch by dealing with the disk in
an off-line mode, either by running it temporarily as a slave
disk in some other Win2000/XP PC, or by booting the
machine with a Bart PE boot CD (www.bootdisk.com).
If you have access to a Linux boot disk then you should
be able to delete the file under that OS.

How is your firewall?
 

rd


Thanks for the ideas. I thought the firewall was OK. We are running a
WatchGuard router with all the non-essential ports closed. But obviously it
looks like that's not really enough.

Going over tomorrow to run the computer in safe mode and try to get rid of
the stuff (it's about 100 clicks away from here). We'll see what that gives.

RD