Can't delete Recycler file from NTFS partition

#1 superba (New Member, 1 posts)
I have got a W2000 server with just two NTFS partitions that was attacked by a variant of (I think) fu rootkit. The only thing (I think!) I haven't been able to get rid of is a [temp] directory in d:\recycler ('access denied'). I can't even see what is in there.

Safe mode w/command prompt doesn't work. I've messed around with the permissions a bit--no soap there, either.

Since it's an NTFS system with RAID, I can't boot from Knoppix. Is there a safe way to boot to raw DOS in this system, without messing up the RAID and NTFS? Would you recommend--should I even worry about this? No other part of the infection was on that drive. It's quite possible that I have just bollocksed up the info2 file and that's why I can't empty the directory ...

A final question--do rootkits like fu rootkit commonly make use of alternate data streams, cloaked registry entries or any of this other freakish-sounding stuff that I have not detected? The registry is clean, TDS-3 is now clean, etc.

Basically, how paranoid should I be?

Thanks in advance (very much!) for your thoughts,

Maria.
#2 gerryf (Retired Staff, 11,365 posts)
too many questions....

yes, rootkits commonly make use of all of those....


you can boot to command line by choosing that option on the startup menu (tapping f8)

then delete the info2...refresh my memory....anyone...windows 2000 is c:\recycled or c:\recycler.....brain block at the moment and I don't have a win2000 machine around.

#3 Murray S. (Trusted Tech, MVP, 4,513 posts)
Howdy:

Took me a minute to recognize it again as well, Gerry..

The "Recycler" folder is the Recycle Bin folder.. Access is normally denied to that folder..

Murray
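A cmd session showing how an administrator can inspect and reclaim the stuck Recycle Bin subfolder that posts #2 and #3 talk about. This is an added example, not from the thread; it assumes the partition is D: and uses a labelled placeholder in place of the real per-user SID folder name.

```cmd
rem Added example (not from the thread): inspect and reclaim a Recycle Bin
rem subfolder on Windows 2000 from an Administrator command prompt.
rem Assumption: the partition is D: and the stuck entry is the per-user
rem subfolder named after a SID. Replace the placeholder with the real name
rem shown by the first dir command.
set RB=D:\RECYCLER\S-1-5-21-PLACEHOLDER-1001

rem 1. List everything in RECYCLER, including hidden/system entries, with
rem    the owner of each entry (/Q). A subfolder owned by an unexpected
rem    account, or a name that is not a SID, is what to look at first.
dir /a /q D:\RECYCLER

rem 2. Show the current ACL of the stuck subfolder.
cacls "%RB%"

rem 3. Grant Administrators full control on the folder and its contents
rem    (/E edits the existing ACL instead of replacing it, /T recurses).
rem    If this is refused, take ownership first via Explorer
rem    (Properties > Security > Advanced > Owner) and run it again.
cacls "%RB%" /T /E /G Administrators:F

rem 4. Clear the system/hidden/read-only attributes so dir and del can act
rem    on the entries, then list what the subfolder actually contains.
attrib -s -h -r "%RB%\*" /s
dir /a "%RB%"

rem 5. Delete only the INFO2 index; Windows rebuilds it the next time the
rem    Recycle Bin is used. Removing the whole subfolder is also safe, as
rem    the shell recreates it on demand.
del /a "%RB%\INFO2"
```

Every file this deletes is only Recycle Bin bookkeeping, so nothing outside D:\RECYCLER is touched.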