PC Review



can't view directory created by hacker...

 
 
Agustin Chernitsky
 
      31st Jan 2004
Hi guys,

I found a service, which was created by a hacker, pointing to an exe file
with this path: c:\WINNT\system32\vxd\poissonbulle\here\nbthlp.exe

Now, I can browse up to c:\winnt\system32\vxd\, but if I do a "dir", I get
nothing:

<<<<
Directory of C:\WINNT\system32\vxd

20/01/2004 08:12a <DIR> .
20/01/2004 08:12a <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 37.210.169.344 bytes free
>>>>


Still, if I do a cd \WINNT\system32\vxd\poissonbulle\here\ I can access
that directory:

<<<<
C:\>cd \WINNT\system32\vxd\poissonbulle\here
C:\WINNT\system32\vxd\poissonbulle\here>dir

Directory of C:\WINNT\system32\vxd\poissonbulle\here

31/01/2004 01:37p <DIR> .
31/01/2004 01:37p <DIR> ..
20/01/2004 08:48a <DIR> dmp
31/01/2004 01:37p 1.024 nbthlp.sys
31/01/2004 01:37p 49 ServUStartUpLog.txt
2 File(s) 1.073 bytes
3 Dir(s) 37.209.870.336 bytes free
>>>>


The funny thing, is that doing a "cd .." I get:

<<<<
C:\WINNT\system32\vxd\poissonbulle\here>cd ..
The system cannot find the file specified.
>>>>


As you can see, I can't see the .exe file either...

My question is, is there a way I can see these kinds of directories? I would
like to see if there are more directories hidden in my system like this...

I tried doing a dir /ad from C:\WINNT\system32\vxd\, but nothing...

I know I can remove the directory using rmdir \\.\c:\winnt\system32\vxd /s

By the way, since the directory is invalid, this service PID doesn't show in
any process viewer or taskmanager (good trick).

Thanks!

Agustin

Note: x-posted from microsoft.public.win2000.security


 
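What the post describes is the classic footprint of a user-mode rootkit that filters directory enumeration but not opens by name: "dir" of vxd comes back empty, yet "cd" straight into the full path succeeds. That inconsistency is itself a detector. The following is an added example (it is not code from the thread or from any of the posters): it reads every service's ImagePath from HKLM\SYSTEM\CurrentControlSet\Services, normalises the value to a file path, then tests each component of that path for "opens by name but is missing from its parent's listing". The registry layout, the winreg calls and the ImagePath forms handled are standard Windows; the simulated directory view and the three sample ImagePath values inside the block are constructed to mirror the listings quoted above, so the script also runs offline where there is no registry.

```python
"""Cross-view check: service binaries that open by name but are missing from
their parent directory's listing (added example, not from the thread)."""
import ntpath
import os
import re

try:
    import winreg  # Windows only; without it the live registry walk is skipped
except ImportError:
    winreg = None

DEFAULT_ROOT = os.environ.get("SystemRoot", r"C:\WINNT")


def image_path_to_file(image_path, system_root=DEFAULT_ROOT):
    """Reduce a service ImagePath value to the binary's absolute path: strip
    quotes and arguments, expand %SystemRoot%, \\SystemRoot\\ and \\??\\, and
    anchor the bare 'system32\\drivers\\x.sys' form that drivers use."""
    value = re.sub(r"%systemroot%", lambda m: system_root, image_path.strip(), flags=re.I)
    if not value:
        return None
    if value.startswith('"'):
        end = value.find('"', 1)
        path = value[1:end] if end > 0 else value[1:]
    else:  # unquoted: the binary ends at the first .exe/.sys/.dll token, else at a space
        m = re.match(r"(.*?\.(?:exe|sys|dll))(?:\s|$)", value, re.I)
        path = m.group(1) if m else value.split(" ", 1)[0]
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.lower().startswith("\\systemroot"):
        path = system_root + path[len("\\systemroot"):]
    elif not re.match(r"[A-Za-z]:\\", path) and not path.startswith("\\\\"):
        path = system_root.rstrip("\\") + "\\" + path.lstrip("\\")
    return path


def find_hidden(paths, exists=os.path.exists, listdir=os.listdir):
    """Walk each path and all its ancestors; flag a node that opens but whose
    name is absent from its parent's enumeration (or whose parent cannot be
    enumerated at all). NTFS names compare case-insensitively."""
    hidden, seen = [], set()
    for p in paths:
        node = p
        while True:
            parent, leaf = ntpath.split(node)
            if not leaf or node.lower() in seen:
                break
            seen.add(node.lower())
            if exists(node):
                try:
                    names = {n.lower() for n in listdir(parent)}
                except OSError:
                    names = set()
                if leaf.lower() not in names:
                    hidden.append(node)
            node = parent
    return hidden


def service_image_paths():
    """Yield (service, ImagePath) from HKLM\\SYSTEM\\CurrentControlSet\\Services (Windows only)."""
    if winreg is None:
        return
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services")
    for i in range(winreg.QueryInfoKey(key)[0]):  # [0] is the subkey count
        name = winreg.EnumKey(key, i)
        try:
            yield name, winreg.QueryValueEx(winreg.OpenKey(key, name), "ImagePath")[0]
        except OSError:  # service key without an ImagePath value
            pass


# Constructed stand-in for the infected box so the detector runs offline: 'vxd'
# enumerates empty, 'poissonbulle' cannot even be opened (the failing "cd ..")
# and nbthlp.exe is absent from the 'here' listing although it opens.
_SIM_LISTING = {
    "c:\\": ["WINNT"],
    r"c:\winnt": ["system32"],
    r"c:\winnt\system32": ["cmd.exe", "drivers", "vxd"],
    r"c:\winnt\system32\vxd": [],
    r"c:\winnt\system32\vxd\poissonbulle\here": ["dmp", "nbthlp.sys", "ServUStartUpLog.txt"],
    r"c:\winnt\system32\drivers": ["afd.sys"],
}
_SIM_OPENABLE = set(_SIM_LISTING) | {r"c:\winnt\system32\vxd\poissonbulle\here\nbthlp.exe",
                                     r"c:\winnt\system32\cmd.exe", r"c:\winnt\system32\drivers\afd.sys"}


def _sim_listdir(p):
    if p.lower() not in _SIM_LISTING:
        raise OSError(p)
    return _SIM_LISTING[p.lower()]


def simulated_scan():
    """Run the detector over three constructed ImagePath values (one of them the
    service from the post) against the simulated view."""
    values = [r"c:\WINNT\system32\vxd\poissonbulle\here\nbthlp.exe",
              r"C:\WINNT\system32\cmd.exe /c echo hypothetical",
              r"\SystemRoot\System32\drivers\afd.sys"]
    files = [image_path_to_file(v, system_root=r"C:\WINNT") for v in values]
    return find_hidden(files, exists=lambda p: p.lower() in _SIM_OPENABLE, listdir=_sim_listdir)


if __name__ == "__main__":
    live = [image_path_to_file(v) for _, v in service_image_paths()]
    print(find_hidden([f for f in live if f]) if live else simulated_scan())
```

Run it as an administrator on the suspect machine while the rootkit is active. Against the simulated view it flags nbthlp.exe and the "here" directory and stays silent about "poissonbulle", which is not openable at all; on a real box, a flagged path that the registry says a service runs from is the hiding layer showing through. The caveat is that the check relies on the rootkit leaving opens alone, as the one in this thread did. A hook that also fails opens by name for hidden paths, or a kernel driver that filters both, can only be caught by comparing against an offline view (the volume mounted under another OS, or the raw MFT). It also says nothing about the hidden service process that Agustin mentions; that needs a separate cross-view over process IDs.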
 
 
 
 
Joe Griffin [MSFT]
 
      2nd Feb 2004
Hello,
There may be some easier ways of doing this, such as using posix commands and maybe even the MS-DOS RD command. However, you should be able to
use diskprobe and search for the file name using a UNICODE search. You can speed the search up if you knew the offset to be looking for and don't forget
about the short filename. I don't remember the offsets for the file name. It may be 0F2 for long filenames and 016A for short filenames. Oh, also select ignore
case while doing the search.

When you find the file name, change it or remove some of the name so that it has white spaces. Or even better, remove most of the information in that sector.
Quit diskprobe and run chkdsk. Chkdsk should fix the file and then you should be able to delete it.

Joe Griffin [MS]
Windows 2000 Server Setup Team

--
This posting is provided "AS IS" with no warranties, and confers no rights.


 
 
Agustin Chernitsky
 
      2nd Feb 2004
Hi Joe,

I ran the POSIX tools from the reskit, but no way... Look:

C:\WINNT\system32>rm -d "//C/WINNT/system32/v"
rm: //C/WINNT/system32/v: File exists.

I even tried this:

C:\WINNT\system32>rm -r "//C/WINNT/system32/v/poissonbulle/here/"
rm: //C/WINNT/system32/v/poissonbulle/here/: File exists.

so.. I'm stuck here....

Any ideas?? Or will I have to live with this directory forever?

Cheers!

Joe Griffin [MSFT]
 
      2nd Feb 2004
Use diskprobe as I suggested. I have successfully removed files this way in the past.
Joe Griffin
Windows 2000 Server Setup Team
--
This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
R. C. White
 
      5th Feb 2004
Hi, Agustin.

The old DOS tricks might work. Open a "DOS" window and navigate to the
..\vxd folder. Then type: dir /a /x

This should give you the usual Directory listing, but the /a will show ALL
files and folders, including those with attributes (system, hidden,
read-only) set. And the /x will add a column showing Short File Names (also
known as SFN or 8.3 filenames).

If you are sure that you want to wipe out EVERYTHING in the poissonbulle
folder, then get its SFN and type at the command prompt: rd <SFN> /s. When
it asks "are you sure", say Yes.

This should Remove the Directory, including all subdirectories and files.

If you need (or want) to be more selective, then use the Dir command - with
switches - to find SFNs for your various files and folders and navigate
through them.

RC
--
R. C. White, CPA
San Marcos, TX
(E-Mail Removed)
Microsoft Windows MVP

Agustin Chernitsky
 
      7th Feb 2004
Hi R. C.,

The DOS trick doesn't work... I can't get a list of any files... and the RD
<SFN> /s gives "directory not empty" error.

I will need to use diskprobe....

Thanks anyway!

Agustin
 
      9th Mar 2004
Hi Joe,

Sorry I am following up on this so late. I have time now to experiment on this.
I am using dskprobe on a test server... I am trying to rename a file, but I
can't seem to make it work.

I created a "test file.txt", and using dskprobe, I found 2 strings matching
in sectors 19646 & 36714. Both begin with the FILE attribute.

I tried renaming the file in both sectors (instead of "test file.txt" to
"ttst file.txt"), wrote the sector, quit dskprobe and ran chkdsk. Still, I
can see the original directory name, like nothing changed.

Am I missing something? Looks like I am....

Any help would really be appreciated!

Cheers!

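Joe's diskprobe recipe and Agustin's two "FILE" hits both come down to the layout of an NTFS MFT record: the record starts with the signature "FILE", the header's offset at 0x14 points to the first attribute, and each name lives in a resident $FILE_NAME attribute (type 0x30) whose value holds the name length at 0x40, the namespace (Win32, DOS, POSIX or both) at 0x41 and the UTF-16LE name from 0x42 on. The following is an added example, not code from the thread or from Microsoft: it builds a synthetic 1024-byte record for a directory, parses it, and rewrites a name in place the way a sector editor would. The synthetic record assumes the first attribute starts at 0x38 and $STANDARD_INFORMATION has a 0x48-byte value; with that layout, a 0x18-byte attribute header and the name at 0x42 of the value, the first name lands at 0x38 + 0x60 + 0x18 + 0x42 = 0xF2 and, for a 12-character long name, the second at 0x16A, which are the two offsets Joe half-remembered. The name "poissonbulle" comes from the thread; the record bytes around it are constructed. Everything here operates on a byte string, never on the disk.

```python
"""Minimal NTFS MFT FILE-record parser plus an in-place name rewrite, run on a
synthetic record (added example; not code from the thread or from Microsoft)."""
import struct

NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32+DOS"}
SECTOR = 512


def _attr(atype, body):
    """Resident, unnamed attribute: 0x18-byte header, value at 0x18, 8-aligned."""
    padded = body + b"\0" * (-len(body) % 8)
    hdr = struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(padded), 0, 0, 0, 0, 0,
                      len(body), 0x18, 0, 0)
    return hdr + padded


def _file_name_body(name, namespace, parent_ref=5, directory=True):
    """$FILE_NAME value: parent ref, 4 timestamps, 2 sizes, flags, reparse,
    name length (chars) at 0x40, namespace at 0x41, UTF-16LE name at 0x42."""
    flags = 0x10000000 if directory else 0  # directory bit in $FILE_NAME flags
    return struct.pack("<Q4Q2QIIBB", parent_ref, 0, 0, 0, 0, 0, 0, flags, 0,
                       len(name), namespace) + name.encode("utf-16-le")


def _fixup(rec, usn=None):
    """Stamp the update sequence number over the last 2 bytes of every sector,
    saving the real bytes in the update sequence array (in place)."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    if usn is not None:
        rec[usa_off:usa_off + 2] = usn
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn


def _unfixup(raw):
    """Reverse _fixup; a USN mismatch means a torn write or not a record at all."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError("update sequence mismatch at offset %d" % end)
        rec[end:end + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return rec


def build_record(long_name, short_name, size=1024):
    """Synthetic in-use directory record: 0x38-byte header (USA at 0x30),
    $STANDARD_INFORMATION with a 0x48-byte value, a Win32 and a DOS $FILE_NAME."""
    attrs = (_attr(0x10, b"\0" * 0x48) + _attr(0x30, _file_name_body(long_name, 1))
             + _attr(0x30, _file_name_body(short_name, 2)) + b"\xff\xff\xff\xff\0\0\0\0")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 0x03,
                      0x38 + len(attrs), size, 0, 4, 0, 0)
    rec = bytearray(hdr + b"\0" * 8 + attrs)
    rec += b"\0" * (size - len(rec))
    _fixup(rec, b"\x07\x00")
    return bytes(rec)


def parse_file_record(raw):
    """Return in-use/directory flags and every resident $FILE_NAME as
    (namespace, name, offset of the name's first byte within the record)."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = _unfixup(raw)
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    names = []
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x30 and rec[off + 8] == 0:  # resident $FILE_NAME
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            nlen, ns = rec[body + 0x40], rec[body + 0x41]
            name = rec[body + 0x42:body + 0x42 + 2 * nlen].decode("utf-16-le")
            names.append((NAMESPACES.get(ns, "?"), name, body + 0x42))
        off += alen
    return {"in_use": bool(flags & 1), "is_directory": bool(flags & 2), "names": names}


def rewrite_name(raw, old, new):
    """Overwrite every $FILE_NAME equal to `old` with `new` of the same length,
    as a sector editor would, and re-stamp the fixup so the record stays valid."""
    if len(new) != len(old):
        raise ValueError("in-place edit must keep the length")
    rec = _unfixup(raw)
    for _, name, off in parse_file_record(raw)["names"]:
        if name == old:
            rec[off:off + 2 * len(old)] = new.encode("utf-16-le")
    _fixup(rec)
    return bytes(rec)


if __name__ == "__main__":
    record = build_record("poissonbulle", "POISSO~1")
    for ns, name, off in parse_file_record(record)["names"]:
        print("%-9s %-14r at record offset 0x%03X" % (ns, name, off))
```

Two things the parser makes visible that matter for Joe's procedure. First, the last two bytes of every 512-byte sector of a record are not data but the update sequence number; a search hit or an edit that touches those bytes, or an edit written without re-stamping them, produces a record NTFS will reject, which is one reason chkdsk is part of the recipe. Second, the MFT record is not the only copy of the name: the parent directory's index entries ($INDEX_ROOT and the INDX blocks of $INDEX_ALLOCATION) carry their own $FILE_NAME copies, and those are what a directory listing is served from. Editing only the MFT copy therefore leaves "dir" unchanged until chkdsk reconciles the two, which is consistent with what Agustin saw after his rename.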
 
Agustin
 
      11th Mar 2004
Forget it...

I had a Rootkit installed. I rebooted the server, and since I renamed a
directory, the rootkit never started up... I could remove the dirs with no
probs.

