How to examine "aux" directory inside c:\recycler on Win-2K system

Discussion in 'Anti-Virus' started by Virus Guy, Apr 6, 2006.

  1. Virus Guy

    Virus Guy Guest

    Does the presence of a directory named "aux" (located in each of 2
    subdirectory trees in c:\recycler) indicate a potential fingerprint
    for a current (or past) malware infection event?

    The name "aux" is reserved by the OS and theoretically it is
    impossible to create a subdirectory with that name (I think). I
    certainly can't navigate to that directory or examine its contents
    from the command line.

    I'm unable to delete the contents of the recycle bin due to the
    presence of these aux directories.

    Thought I'd ask here before I post this to specific NT/2K forums...
     
    Virus Guy, Apr 6, 2006
    #1

  2. Virus Guy

    jen Guest

    Try this: RD \\.\c:\path\path2\aux

    HTH,
    -jen
     
    jen, Apr 6, 2006
    #2
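
    Added example, not part of any post in this thread: a small Python checker that flags path components matching the reserved DOS device names (such as the "aux" directories described in the first post) and builds the \\.\-prefixed form used in the RD suggestion above. The reserved-name list is the classic Win32 set, and the sample listing is constructed for illustration.

```python
import re

# Classic Win32 reserved device names (compared case-insensitively).
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def is_reserved(component: str) -> bool:
    """True if Win32 path parsing would map this name to a DOS device.

    Only the part before the first dot counts ("aux.txt" still resolves to
    AUX on Windows 2000-era systems), and trailing spaces are ignored.
    """
    base = component.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED


def find_reserved(paths):
    """Return each path cut off at its first reserved component, deduplicated."""
    hits = []
    for p in paths:
        parts = re.split(r"[\\/]", p)
        for i, part in enumerate(parts):
            if is_reserved(part):
                hit = "\\".join(parts[: i + 1])
                if hit not in hits:
                    hits.append(hit)
                break
    return hits


def device_namespace_path(path: str) -> str:
    r"""Prefix an absolute drive path with \\.\ so the name is not parsed as a device."""
    if path.startswith("\\\\.\\") or path.startswith("\\\\?\\"):
        return path
    if not re.match(r"^[A-Za-z]:\\", path):
        raise ValueError("need an absolute drive path such as c:\\dir\\aux")
    return "\\\\.\\" + path


# Constructed sample listing (e.g. captured from a file-server export), not real data.
SAMPLE = [
    r"c:\recycler\S-1-5-21-CONSTRUCTED-1000\Dc1.txt",
    r"c:\recycler\S-1-5-21-CONSTRUCTED-1000\tree\aux",
    r"c:\recycler\S-1-5-21-CONSTRUCTED-1001\tree\AUX\readme.txt",
    r"c:\recycler\S-1-5-21-CONSTRUCTED-1001\auxiliary",
    r"c:\data\com1.log",
]

if __name__ == "__main__":
    for hit in find_reserved(SAMPLE):
        print(device_namespace_path(hit))
```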

  3. Virus Guy

    Art Guest

    Not clear to me exactly how it comes about, but it seems that
    a Unix ftp directory structure can somehow get copied to the drive
    file system, even when some directories are named with reserved
    words. Here's how MS suggests getting rid of such subdirectories:

    http://support.microsoft.com/?id=811176

    It's really screwy though that reserved word subdirs were created
    under \recycler.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Apr 6, 2006
    #3
  4. Virus Guy

    jen Guest

    Also see here:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q120716
     
    jen, Apr 6, 2006
    #4
  5. Virus Guy

    James Egan Guest

    I had a similar problem a while back in that a file called aux got
    created.

    It turned out that it was created on FreeBSD and backed up over the
    network (using Samba on the FreeBSD box) to a Windows hard disk where
    it resided quite happily until I tried to access it from Windows.
    Robocopy on Windows was used to do the backup.

    Removing it was a matter of renaming it on the BSD box and robocopy
    (/mirror) zapped it next time it was run. So it got deleted the same
    way it was (somehow) created.


    Jim.
     
    James Egan, Apr 7, 2006
    #5