How do you delete a hacked directory that is hidden in Explorer but viewable in the Command prompt because it is not empty?

I have a folder on Windows 2003 that is only visible from the command prompt and cannot be seen in Windows Explorer. I cannot delete the folder using any avenue I have looked at. Each time I try, I get "the directory is not empty". The directory is completely hidden in Explorer, and the only reason I know it's there in the command prompt is because I'm tracking attempts to load viruses into that directory from the Event Viewer and Symantec AntiVirus. I have tried KB 120716, and have also tried to download RM and RMD.exe, but they do not seem to be compatible with Windows 2K3. None of these attempts have worked. If you attempt to create a directory with the same name, even in Explorer, it says the directory already exists even though you cannot actually see it. How do I delete this folder or make it visible such that GUI tools to manage this file become active?
pgm554 commented:
Well, if there are files that are hidden, I would run RootkitRevealer from Sysinternals to get a better idea of what is out there.

Files that are loaded up during a boot can be locked open and cannot be deleted.

If that is the case, you will have no choice but to boot into safe mode to a command prompt.

I would then create a .bat file that would remove the hidden stuff and have a user run it.

How did somebody get elevated privileges to install a rootkit on a 2003 server?

What does this server do?

Server 2003 is pretty locked down right out of the box, so somebody has misconfigured or missed something that allowed for an attack like this to happen.
Hi comcityllc,
Have you tried safe mode?

comcityllc (Author) commented:
Can't go into Safe Mode because this is a remote server. My guess is there is a file in the directory neither I nor the operating system can see because of Alt-characters. Either that or there is some other way or attribute you can set on a directory that makes it act like this. I don't believe I would be able to see the file in Safe Mode either. Safe Mode typically only disables the loading of services that might lock the file or folder. No files are "locked"; they just are not visible.

Try using a Windows Explorer alternative that will make those hidden characters visible -- I think may do it, although I don't have a handy file to test it on right now.  But I had a similar problem a while back and I was able to rename the folder to normal characters using an alternative file manager (might have been the A43 tool in BartPE... can't remember... sorry!).  Then I still couldn't delete it because of a permission issue (nasty virus writers!) but I could then take ownership in Windows and finally got rid of it.
There are a few things you could try.

1.  Start - Run - type cmd and hit OK - change the directory to the one before the hidden one (if it's C:\windows\system32\thisone then go to C:\windows\system32) - then type in "attrib -r -a -s -h thisone" (without the quotes, and "thisone" should be the name of the file you have trouble with) to remove extra permissions from the drive. Then type "del thisone" (no quotes) to delete the directory.
2.  Open my computer - tools - folder options - View tab - Under Hidden files and folders ensure Show hidden files and folders is selected - hit ok to save changes.  See if you can see it now.  Then delete.
3.  Try
comcityllc (Author) commented:
Ok, I'm experienced; I've done all the easy stuff already. I've run Attrib -A -S -H -R over a thousand times now. Ok, I've already used "takeowner", and that's how I was able to delete the files and folder that were in the folder originally.

My explorer's hidden files and OS files properties are set.

I've also tried "unlocker -h" as well as SubInACL.

I've looked at KB after KB...and article after article on this.  I don't understand how hackers can do this but we can't fix it.  Seems like a hole in the OS big enough to drive a truck through, park it and then blow it up.

I'll try the alternative Explorer and Killbox...
comcityllc (Author) commented:
Ok, the directory is not visible in xplorer lite, and there are no processes running in this folder, so there are no processes to kill. The problem is not that the directory is locked due to running processes. The problem is that a file is hidden (other than by attrib) inside an already hidden folder (hidden some other way than attrib). Or the folder is "malformed" in some way that only part of the OS recognizes.

I have already tried rmdir \\?\c:\windows\hacker_folder, del and erase, everything using this command structure, including with quotes: rmdir "\\?\c:\windows\hacker_folder" and rmdir \\?\"c:\windows\hacker_folder"
comcityllc (Author) commented:
I just shared my c:\windows and, using my remote personal computer, I mapped to this share; now I can see files in this directory on my remote computer. Very bizarre. I can see two files there I was not able to see on the computer. However, I cannot delete the files for some reason. In addition, I found a .ini file that is basically the hacker's "cheat sheet" in text format, which shows what they have done. It looks like a "root type exploit". But with the cheat sheet, I know what to back out; I just don't know how to accomplish it. It's like the hacker has better tools than me.

So, anybody know how I can proceed, given that now I know the files in the directory are somehow "completely hidden" by the native OS but can be seen with XP? I found other hidden directories that I didn't even know were there, which I was able to delete based upon the cheat sheet.
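The cross-view check described in this post (local listing versus the listing seen through the share, the same principle RootkitRevealer relies on), written as an added example that is not code from the thread or from any tool named in it. The two listings are constructed sample names, not files from the compromised server, and the name checks cover the trailing-space/dot and odd-character cases the asker suspects.

```python
import unicodedata

# Constructed listings (not from the post): what the directory shows on the
# server itself versus what it shows when browsed over the share from another PC.
LOCAL_VIEW = ["hacker_folder", "f-secure.exe", "notes.ini"]
REMOTE_VIEW = ["hacker_folder", "f-secure.exe", "notes.ini",
               "update.exe ", "config.ini", "c\u00adtl.dll"]


def suspicious_name(name):
    """Return reasons a name may defeat ordinary Explorer/cmd handling."""
    reasons = []
    if name != name.rstrip(" ."):
        # Win32 path handling strips trailing spaces/dots, so such names
        # are only reachable through the \\?\ prefix form
        reasons.append("trailing space or dot (needs \\\\?\\ prefix)")
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        reasons.append("control or format character in name")
    if any(ord(ch) > 127 for ch in name):
        reasons.append("non-ASCII character in name")
    return reasons


def cross_view_diff(local, remote):
    """Names present in the remote view but absent locally (NTFS is case-insensitive)."""
    seen = {n.lower() for n in local}
    return [n for n in remote if n.lower() not in seen]


def report(local, remote):
    """Map each name hidden from the local view to the oddities found in it."""
    return {n: suspicious_name(n) for n in cross_view_diff(local, remote)}


if __name__ == "__main__":
    for name, reasons in report(LOCAL_VIEW, REMOTE_VIEW).items():
        # repr() exposes invisible characters such as the soft hyphen
        print(repr(name), "->", reasons or ["no name tricks; hidden by other means"])
```

A name that turns up in the diff with no reasons attached is hidden by something other than its spelling, which on this thread turned out to be a kernel-level rootkit rather than an attribute.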
comcityllc (Author) commented:
If you get access to a machine, it still runs as the logged-in user, typically Administrator. The problem is not running services. The problem is that I can go to File Manager, turn off a folder's "read-only" attribute and apply it to the folders, and when I come back, it's right back at read-only. It's like attributes are not working.

I'm trying to download a new antivirus program called F-Secure, but every time I download the file it immediately is hidden within any particular folder. The only way I can see it is with a file explorer of a different computer.
comcityllc (Author) commented:
Ok, yes, it appears I was rootkit'd with backdoor.hackdefender. I loaded up a beta program called F-Secure; incredible is what that program is. It was able to unhide and rename all the files, and they're off now. There was also a bunch of warez stuff it found and deleted as well. It was like magic. However, I had to trick the OS to load the F-Secure software. It appears the hackers must have already heard about F-Secure, because they had a copy of F-Secure already loaded onto the server as a "hidden" file. So that's why I could not load it and it immediately became hidden. I had to rename the F-Secure executable something else like somefile.exe and then zip that up in a file called on a separate computer and transport it on to the server.

I have a cheat sheet of other stuff that was done, because it was all in an ini file that I looked at previously. It doesn't look like F-Secure found the other stuff, probably because the other stuff is not hidden but disguised as other "normal" files.
The question is, how did they get access?

You can try to fix what is broken now, but how did they get in?

As for a decent virus/malware scan, try Trend Micro HouseCall.

Works completely through a web browser.
No exe needed.
comcityllc (Author) commented:
I don't know....
SQL Server was at KB1; there is a KB4, and I uploaded that. It doesn't automatically "update" like most of the other programs. There's now a couple of ways to get in that way.

I'm concerned that there are a bunch of anonymous logins in the event viewer that are being accepted but from what I have read this is ok.  These are about the time of the exploit which occurred on 11/16 at roughly 10:30 am.

Successful Network Logon:
       User Name:      
       Logon ID:            (0x0,0x641C85F)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      CLOUD
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:
       Source Port:      0

For more information, see Help and Support Center at

And this one around the same time but a different type.

Logon attempt using explicit credentials:
 Logged on user:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon GUID:      -
 User whose credentials were used:
       Target User Name:      IUSR_COMPUTERNAME
       Target Domain:      THESERVERNAME
       Target Logon GUID: -

 Target Server Name:      localhost
 Target Server Info:      localhost
 Caller Process ID:      3936
 Source Network Address:      -
 Source Port:      -

For more information, see Help and Support Center at
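Triage logic for the two Security-log entries pasted above, as an added example that is not the asker's or any tool from the thread: it parses log text in the pasted layout and labels the blank-user NTLM type-3 network logon and the NETWORK SERVICE to IUSR_ explicit-credential logon (the IIS anonymous-account pattern the asker read as acceptable), so the two can be counted around the 11/16 window rather than eyeballed. The sample text is constructed from the fields shown in the post, with the post's placeholder names.

```python
import re

# Constructed sample modelled on the two Security-log entries quoted in the post
# (host names are placeholders; this is not real log data).
SAMPLE_EVENTS = """Successful Network Logon:
       User Name:
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      CLOUD

Logon attempt using explicit credentials:
 Logged on user:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
 User whose credentials were used:
       Target User Name:      IUSR_COMPUTERNAME
       Target Domain:      THESERVERNAME
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split pasted log text into events, each a dict of field -> value."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        ev = {"Title": lines[0].strip().rstrip(":")}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                ev[m.group(1).strip()] = m.group(2)
        events.append(ev)
    return events

def classify(ev):
    """Label one event by the two patterns the post asks about."""
    if (ev.get("Logon Type") == "3" and ev.get("Authentication Package") == "NTLM"
            and ev.get("User Name", "") == ""):
        return "anonymous-network-logon"   # blank user, NTLM, type 3: null session
    if (ev["Title"].startswith("Logon attempt using explicit credentials")
            and ev.get("User Name") == "NETWORK SERVICE"
            and ev.get("Target User Name", "").startswith("IUSR_")):
        return "iis-anonymous-impersonation"  # IIS worker using the anonymous web account
    return "other"

def triage(text):
    """Return (title, verdict) for every event in the pasted text."""
    return [(ev["Title"], classify(ev)) for ev in parse_events(text)]
```

The IUSR_ impersonation by NETWORK SERVICE is normal IIS 6 behaviour for anonymous web requests; the blank-user type-3 logons are the ones worth correlating by Workstation Name and time against the 11/16 10:30 window.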