uninstall recovery console problem

Hello,

I am trying to uninstall the recovery console in Win XP, sp-3. The program would not allow me to slave hard drives other than the one that was slaved when I installed RC.

The Microsoft Knowledge Base says to delete the cmdcons folder on the root drive. I tried this and got the following error:

"Cannot delete 1394bus.sy_: access is denied

Make sure the disk is not full or write protected
and that the file is not currently in use. "

Therefore, i used the command line prompt, msconfig to delete the entry under the boot.ini tab. I then edited the command out of the boot.ini file itself and set back to deleting the cmdcons folder, only to get the same error.

Does anyone have any insight on this issue? I thought that perhaps there was a process using the files in the folder, but I do not know much about killing processes.

At this point I can slave any compatible drive that I want to my hard drive, but Recovery Console adds the restore files to the slaved drives the instant i restart with a new slave.

I believe that RC was a good idea that was completely underthought and I would love to get it completely off of my system.

Thank you in advance

 

Are you sure you're not confusing System Restore with the Recovery Console?

The recovery console shouldn't be doing anything with your hard drives, and it certainly isn't involved with restore files.

 

absotively

Yes wildfire, this is RC, I know it sounds weird, believe it or not.

I just did some searching in the MS knowledge base and I think I may have the solution. Administrative ownership of the files in the cmdcons folder.

 

Yep, that'll allow you to remove it but there must be something else going on here...

The recovery console won't start unless you choose it from the boot menu, otherwise it's benign. I'm still confused how/why it's creating these files if you haven't even started it.

 

not sure either

That is my understanding of RC as well, I'm not sure how this would happen either. Is it possible that this is due to a telnet attack or some other type?

 

You may think about asking for malware assistance, if you do link to this thread in your initial post.

Please read this and post requested logs in the Malware and virus removal board.
NOTE:

Be aware that only Malware analysts will advise and they are often busy. Your post will be taken on a first come first served basis but it may take a while before you receive a reply.

 

we'll do

OK wildfire,

I will go ahead and remove RC and go to the malware forum in a bit. I have to run my wife to work here shortly. I will close this thread after I successfully complete the removal and I'll remember to link to this thread.

Thanks so much for your help.

 

bare with me

OK, I’ve uninstalled Recovery Console using the administrative technique outlined by the MS Knowledge Base. While using the admin. security settings I found that there were several administrative groups with inherited permissions, one in particular scares me, entitled "unknown userâ€, and it had an alpha-numeric ID in parentheses behind it.

Now, as I am studying web development, I have an interest in ethical hacking. I recall reading an article on how to get rid of a hacker. In this article a gentleman definitely had a hacker that he could not get rid of to save his life. He employed the help of a "geekâ€, who gave him instructions on how to alleviate his problem, involving the use of admin. security settings. The instructions are as follows:

1.) Take ownership of all files and folders, including the hard drive itself, using your own administrative account.

2.) Set all permissions to your own account.

3.) Delete all other administrative accounts or groups.

4.) Change your administrative password to a strong one that has never been used on your computer or the internet.

5.) Reboot. (windows will not boot at this point because it does not have read/write permissions)

6.) Change your modem or do what is necessary to change your IP address .

7.) Use your windows installation disk to repair windows. (do not reinstall) This will give windows back all of its necessary permissions.

8.) Use a boot sector scanner to find and repair any problems on the boot sector of your hard drive.

9.) Reinstall all Security programs and choose a strong, never before used passwords for them.

10.) Your done, happy surfing!

I am currently beginning step seven of this process, hopefully the guys in malware and viruses will have something better than Avast Free Edition for step eight.

I will post back to let you know that everything went well with the repair of windows.

 

oops

It has been quite some time since I read the article, I must have forgotten some steps. I will have to reinstall windows and go from there.

Windows repair would not load a bunch of files. Upon completion of the repair the NTLDR file was missing

 

install complete

OK wildfire,

I have reinstalled windows, now I would think that the next step before putting the computer back online would be to get a clear picture of what administrative groups are installed by windows, SP1. I will be searching the MS Knowledge Base to find this out. If you have knowledge of this or can find it easily, please post back. I will keep my email open in a separate tab and check it often.

 

Sorry, I'm not a malware analyst, hence the reason for my previous post.

I'll leave you too it for now but if you have further issues lket us know.