Solved

How do you delete a hacked directory that is hidden in Explorer but viewable in the Command prompt because it is not empty?

Posted on 2006-11-13
Last Modified: 2010-04-03
I have a folder in Windows 2003 that is only visible from the command prompt and cannot be seen in Windows Explorer. I cannot delete the folder using any avenue I have looked at. Each time I try, I get "the directory is not empty". The directory is completely hidden in Explorer and the only reason I know it's there in the command prompt is because I'm tracking attempts to load viruses into that directory from the Event Viewer and Symantec AntiVirus. I have tried KB 120716, http://support.microsoft.com/kb/120716/EN-US/. I have also tried to download RM and RMD.exe but they do not seem to be compatible with Windows 2K3. None of these attempts have worked. If you attempt to create a directory with the same name, even in Explorer, it says the directory already exists even though you cannot actually see it. How do I delete this folder or make it visible such that GUI tools to manage this file become active?
Question by:comcityllc
13 Comments
 
Expert Comment

by:JamesTX10
ID: 17931521
Hi comcityllc,
Have you tried safe mode?

JamesTX10

Author Comment

by:comcityllc
ID: 17931621
Can't go into Safe Mode because this is a remote server. My guess is there is a file in the directory neither I nor the operating system can see because of Alt-characters. Either that or there is some other way or attribute you can set on a directory that makes it act like this. I don't believe I would be able to see the file in Safe Mode either. Safe Mode typically only disables the loading of services that might lock the file or folder. No files are "locked"... they just are not visible.

Expert Comment

by:yessirnosir
ID: 17931851
Try using a Windows Explorer alternative that will make those hidden characters visible -- I think http://zabkat.com/x2lite.htm may do it, although I don't have a handy file to test it on right now.  But I had a similar problem a while back and I was able to rename the folder to normal characters using an alternative file manager (might have been the A43 tool in BartPE... can't remember... sorry!).  Then I still couldn't delete it because of a permission issue (nasty virus writers!) but I could then take ownership in Windows and finally got rid of it.

Expert Comment

by:Smacky311
ID: 17932249
There are a few things you could try.

1.  Start - Run - type cmd and hit OK - change the directory to the one before the hidden one (if it's C:\windows\system32\thisone then go to C:\windows\system32) - then type in "attrib -r -a -s -h thisone" (without the quotes, and "thisone" should be the name of the file you have trouble with) to remove extra permissions from the drive. Then type "del thisone" (no quotes) to delete the directory.
AND
2.  Open my computer - tools - folder options - View tab - Under Hidden files and folders ensure Show hidden files and folders is selected - hit ok to save changes.  See if you can see it now.  Then delete.
AND
3.  Try http://www.killbox.net

Author Comment

by:comcityllc
ID: 17932349
Ok, I'm an experienced admin... so I've done all the easy stuff already. I've run Attrib -A -S -H -R over a thousand times now. Ok, I've already used "takeowner" and that's how I was able to delete the files and folders that were in the folder originally.

My explorer's hidden files and OS files properties are set.

I've also tried "unlocker -h" as well as SubInACL.

I've looked at KB after KB...and article after article on this.  I don't understand how hackers can do this but we can't fix it.  Seems like a hole in the OS big enough to drive a truck through, park it and then blow it up.

I'll try the alternative Explorer and Killbox...

Author Comment

by:comcityllc
ID: 17932431
Ok, the directory is not visible in xplorer lite... and there are no processes running in this folder so there are no processes to kill. The problem is not that the directory is locked due to running processes. The problem is that a file is hidden (other than by attrib) inside an already hidden folder (hidden some other way than attrib). Or the folder is "malformed" in some way that only part of the OS recognizes it.

I have already tried rmdir \\?\c:\windows\hacker_folder, del, and erase, everything using this command structure, including quotes: rmdir "\\?\c:\windows\hacker_folder" and rmdir \\?\"c:\windows\hacker_folder".

Author Comment

by:comcityllc
ID: 17934915
Ok....
I just shared my c:\windows and, using my remote personal computer, I mapped to this share; now I can see files in this directory on my remote computer. Very bizarre... I can see two files there I was not able to see on the computer. However, I cannot delete the files for some reason. In addition, I found a .ini file that is basically the hacker's "cheat sheet" in text format which shows what they have done. It looks like a "root type exploit". But with the cheat sheet, I know what to back out... just don't know how to accomplish it. It's like the hacker has better tools than me.

So... anybody know how I can proceed, given that now I know the files in the directory are somehow "completely hidden" by the native OS but can be seen with XP? I found other hidden directories that I didn't even know were there, that I was able to delete based upon the cheat sheet.

Accepted Solution

by:pgm554 (earned 2000 total points)
ID: 17935248
Well, if there are files that are hidden, I would run RootkitRevealer from Sysinternals to get a better idea of what is out there.


http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

Files that are loaded up during a boot can be locked open and cannot be deleted.

If that is the case, you will have no choice but to boot into safe mode to a command prompt.

I would then create a .bat file that would remove the hidden stuff and have a user run it.

How did somebody get elevated privileges to install a rootkit on a 2003 server?

What does this server do?

Server 2003 is pretty locked down right out of the box, so somebody has misconfigured or missed something that allowed for an attack like this to happen.

Author Comment

by:comcityllc
ID: 17935470
If you get access to a machine, it still runs as the logged-in user, typically Administrator. The problem is not running services. The problem is that I can go to File Manager, turn off a folder's "read-only" attribute and apply it to the folders, and when I come back, it's right back at read-only. It's like attributes are not working.

I'm trying to download a new antivirus program called F-Secure... but every time I download the file it immediately is hidden within any particular folder. The only way I can see it is with a file explorer on a different computer.

Author Comment

by:comcityllc
ID: 17935689
Ok yes, it appears I was rootkit'd with backdoor.hackdefender. I loaded up a beta program called F-Secure... incredible is what that program is. It was able to unhide and rename all the files and they're off now. There was also a bunch of warez stuff it found and deleted as well. It was like magic. However, I had to trick the OS to load the F-Secure software. It appears the hackers must have already heard about F-Secure because they had a copy of F-Secure already loaded onto the server as a "hidden" file. So that's why I could not load it and it immediately became hidden. I had to rename the F-Secure executable something else like somefile.exe and then zip that up in a file called somefile.zip on a separate computer and transport it on to the server.

I have a cheat sheet of other stuff that was done because it was all in an ini file that I looked at previously. It doesn't look like F-Secure found the other stuff... probably because the other stuff is not hidden but disguised as other "normal" files.

Expert Comment

by:pgm554
ID: 17936005
The question is, how did they get access?

You can try to fix what is broken now, but how did they get in?

As for a decent virus/malware scan, try Trend Micro HouseCall.

Works completely through a web browser.
No exe needed.

Author Comment

by:comcityllc
ID: 17936053
I don't know....
SQL Server was at KB1, there is a KB4 now... so I uploaded that. It doesn't automatically "update" like most of the other programs. There's now a couple of ways to get in that way.

I'm concerned that there are a bunch of anonymous logins in the Event Viewer that are being accepted, but from what I have read this is ok. These are about the time of the exploit, which occurred on 11/16 at roughly 10:30 am.

Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x641C85F)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      CLOUD
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      70.17.43.139
       Source Port:      0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And this one around the same time but a different type.

Logon attempt using explicit credentials:
 Logged on user:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon GUID:      -
 User whose credentials were used:
       Target User Name:      IUSR_COMPUTERNAME
       Target Domain:      THESERVERNAME
       Target Logon GUID: -

 Target Server Name:      localhost
 Target Server Info:      localhost
 Caller Process ID:      3936
 Source Network Address:      -
 Source Port:      -


For more information, see Help and Support Center at
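The thread ends on whether the anonymous Type 3 NTLM logon and the explicit-credential IUSR logon above deserve attention. As an added example (not from the thread or from Experts Exchange), this Python script parses security-log text in the same format and flags the fields a defender would check first; the event text, workstation name and source address are constructed samples, not values from a real host.

```python
import re

# Constructed sample in the Server 2003 security-log text format quoted in the thread;
# the workstation name and source address are made-up values.
SAMPLE_EVENTS = """Successful Network Logon:
       User Name:
       Logon Type:      3
       Authentication Package:      NTLM
       Workstation Name:      WKS-EXAMPLE
       Source Network Address:      203.0.113.7

Logon attempt using explicit credentials:
 Logged on user:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
 User whose credentials were used:
       Target User Name:      IUSR_WEBSRV
 Caller Process ID:      3936
 Source Network Address:      -
"""

# "Field name:   value" lines; a value of "-" means the field was not supplied.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split blank-line-separated events; map each field to its value ('' if empty or '-')."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        event = {"event": lines[0].strip().rstrip(":")}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                event[m.group(1)] = "" if m.group(2) == "-" else m.group(2)
        events.append(event)
    return events

def triage(event):
    """Return reasons a defender should look at this event; an empty list means unremarkable."""
    reasons = []
    if event["event"] == "Successful Network Logon":
        src = event.get("Source Network Address", "")
        if event.get("User Name", "") == "":
            reasons.append("network logon with empty user name (anonymous/null session)")
        if event.get("Authentication Package") == "NTLM" and src not in ("", "127.0.0.1"):
            reasons.append("NTLM network logon from remote address " + src)
    elif event["event"] == "Logon attempt using explicit credentials":
        if event.get("User Name") == "NETWORK SERVICE" and event.get("Target User Name", "").startswith("IUSR_"):
            reasons.append("IIS anonymous account used by NETWORK SERVICE: normal for IIS, confirm the caller process")
    return reasons
```

Null-session network logons from an outside address around the time of the compromise are the ones worth correlating with firewall and IIS logs; the IUSR logon by NETWORK SERVICE is how IIS anonymous authentication normally shows up.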