You're pretty much stuck re-installing the whole thing. The whole problem is that your client has had a wide open back door into the server where any manner of *other* backdoors could have been installed. You can remove the worm and it's backdoors (that's more than just that root.exe file) but unless your client has had something like tripwire running you won't have any way of knowing whether there are other backdoors into the system. The only way you can be certain of what's on that machine is by taking it offline, backing up the *data*, erasing all the media and start again. I suppose you could pose that as a business decision to your client. They can opt to take the risk that nothing else has happened or they can have the server re-imaged. It's their call. Joshua Jore Minneapolis Ward 3, precinct 10 "The irony of this man being imprisoned in the United States and longing to return to once-Communist Russia so he can regain his right to free speach is simply staggering." On Fri, 10 Aug 2001, Nate Carlson wrote: > What do you need to do to get rid of Code Red v2 (the one that installs > /scripts/root.exe?) > > One of my clients has it, installed the patch from MS, but > /scripts/root.exe still works.. does he just need to delete the file? > > -- > Nate Carlson <natecars at real-time.com> | Phone : (952)943-8700 > http://www.real-time.com | Fax : (952)943-8500 > > > _______________________________________________ > tclug-list mailing list > tclug-list at mn-linux.org > https://mailman.mn-linux.org/mailman/listinfo/tclug-list >