viewing and deleting hacker created dirs

Agustin Chernitsky

Hi guys,

I found a service, which was created by a hacker, pointing to an exe file
with this path: c:\WINNT\system32\vxd\poissonbulle\here\nbthlp.exe

Now, I can browse up to c:\winnt\system32\vxd\, but if I do a "dir", I get
nothing:

<<<<
Directory of C:\WINNT\system32\vxd

20/01/2004 08:12a <DIR> .
20/01/2004 08:12a <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 37.210.169.344 bytes free

Still, if I do a cd \WINNT\system32\vxd\poissonbulle\here\ I can access
that directory:

<<<<
C:\>cd \WINNT\system32\vxd\poissonbulle\here
C:\WINNT\system32\vxd\poissonbulle\here>dir

Directory of C:\WINNT\system32\vxd\poissonbulle\here

31/01/2004 01:37p <DIR> .
31/01/2004 01:37p <DIR> ..
20/01/2004 08:48a <DIR> dmp
31/01/2004 01:37p 1.024 nbthlp.sys
31/01/2004 01:37p 49 ServUStartUpLog.txt
2 File(s) 1.073 bytes
3 Dir(s) 37.209.870.336 bytes free

The funny thing is that doing a "cd .." I get:

<<<<
C:\WINNT\system32\vxd\poissonbulle\here>cd ..
The system cannot find the file specified.

As you can see, I can't see the .exe file either...

My question is, is there a way I can see these kinds of directories? I would
like to see if there are more directories hidden in my system like this...

I tried doing a dir /ad from C:\WINNT\system32\vxd\, but nothing...

I know I can remove the directory using rmdir \\.\c:\winnt\system32\vxd /s

By the way, since the directory is invalid, this service PID doesn't show in
any process viewer or taskmanager (good trick).

Thanks!

Agustin.
 
Robert Moir

I'd try installing a shell such as cygwin and use the 'ls' command from
there to see what that finds.

I assume you've checked that the folder isn't simply marked as hidden or as
a protected operating system object?

From the looks of what's been going on, I'd also suggest a full rebuild of
the problem machine, by the way.

--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
Agustin Chernitsky

Hi Robert,

yes, I checked that out. Still nothing.

Regarding the rebuild, I did a good forensics job, and I think I can avoid
that. I will do an sfc to check the system files in case there were
modifications.

Thanks for the help!
 
Robert Moir

Cool. Did you try cygwin? Or Services For Unix? These use a different
"shell" which looks at the disk in a slightly different way and can show up
odd things like this.
 
Karl Levinson [x y] mvp

Since the process isn't showing up in Task Manager, it could be that a Windows
rootkit was used... in which case your forensics job could be flawed
[especially if you did it all with the compromised version of Windows
running]. Windows rootkits, as you may know, hide certain files, registry
values, processes, etc. from local access by hooking the API, even if you
are using trusted versions of your Windows tools. Generally you can see
these things by connecting remotely across the network using Windows
networking, booting to an alternate OS, boot disk, Knoppix CD, slaving the
hard drive in another Windows computer, etc.

If this is the case, www.rootkit.com and www.securityfocus.com have some
information on rootkits.
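An added example, not posted by anyone in this thread: the pattern Agustin describes (a "dir" of vxd\ comes back empty, yet he can cd straight into poissonbulle\here) and the hooked-API behaviour Karl describes are the same symptom, and it can be checked mechanically. The script below walks the path a suspicious service points at, one component at a time, and flags every component that can be opened directly but is missing from its parent's listing. The two probes (listdir and exists) are passed in as functions, so the demo runs offline against a constructed in-memory tree that mimics the listings Agustin pasted; the tree contents, the extra filler names in it, and the check_real_path wrapper are all assumptions of this example. On a real Windows box you would pass os.listdir and os.path.exists, and compare the result with a listing taken from a boot CD or across the network, as Karl suggests.

```python
"""Cross-view consistency check for a suspicious service path.

Added example (not code from the thread). A directory that lists as empty
but whose children can still be opened is what a hooked enumeration API
looks like. Walk the referenced path and report each child that is
reachable but absent from its parent's listing.
"""
import ntpath
import os
from typing import Callable, Iterator, List, Tuple

ListDir = Callable[[str], List[str]]
Exists = Callable[[str], bool]


def walk_components(path: str) -> Iterator[Tuple[str, str]]:
    """Yield (parent, child) pairs from the drive root down to the leaf."""
    drive, rest = ntpath.splitdrive(path)
    current = drive + "\\"
    for part in rest.split("\\"):
        if not part:
            continue
        yield current, part
        current = ntpath.join(current, part)


def find_unlisted_components(path: str, listdir: ListDir,
                             exists: Exists) -> List[Tuple[str, str]]:
    """Return (parent, child) pairs where child exists but is not enumerated.

    The walk stops at the first component that does not exist at all: a
    dangling service path is a stale entry, a different finding from a
    hidden one.
    """
    anomalies: List[Tuple[str, str]] = []
    for parent, child in walk_components(path):
        if not exists(ntpath.join(parent, child)):
            break
        try:
            listed = {name.lower() for name in listdir(parent)}
        except OSError:
            listed = set()  # a listing that errors out is as good as empty
        if child.lower() not in listed:
            anomalies.append((parent, child))
    return anomalies


# --- constructed in-memory tree modelling the listings from the thread ---
# Listing view: what "dir" reports for each directory (keys lower-cased).
_LISTING = {k.lower(): v for k, v in {
    "c:\\": ["WINNT", "Program Files"],
    "c:\\WINNT": ["system32"],
    "c:\\WINNT\\system32": ["vxd", "ntoskrnl.exe"],
    "c:\\WINNT\\system32\\vxd": [],  # reported empty, as in the thread
    "c:\\WINNT\\system32\\vxd\\poissonbulle": ["here"],
    "c:\\WINNT\\system32\\vxd\\poissonbulle\\here":
        ["dmp", "nbthlp.sys", "ServUStartUpLog.txt"],  # no nbthlp.exe
}.items()}

# Direct-access view: paths that open fine although no listing shows them.
_REACHABLE_UNLISTED = {
    "c:\\winnt\\system32\\vxd\\poissonbulle",
    "c:\\winnt\\system32\\vxd\\poissonbulle\\here\\nbthlp.exe",
}


def fake_listdir(path: str) -> List[str]:
    """Constructed stand-in for os.listdir over the tree above."""
    return list(_LISTING.get(path.lower(), []))


def fake_exists(path: str) -> bool:
    """Constructed stand-in for os.path.exists: listed or directly reachable."""
    key = path.lower()
    if key in _LISTING or key in _REACHABLE_UNLISTED:
        return True
    parent, name = ntpath.split(key)
    return name in (n.lower() for n in _LISTING.get(parent, []))


# The service ImagePath quoted in the thread.
SUSPECT_PATH = r"c:\WINNT\system32\vxd\poissonbulle\here\nbthlp.exe"


def check_real_path(path: str) -> List[Tuple[str, str]]:
    """Same check against the live filesystem (meaningful on Windows only)."""
    return find_unlisted_components(path, os.listdir, os.path.exists)


if __name__ == "__main__":
    for parent, child in find_unlisted_components(SUSPECT_PATH,
                                                  fake_listdir, fake_exists):
        print(f"reachable but not listed: {child!r} under {parent}")
```

Run against the constructed tree it reports two anomalies, poissonbulle under vxd and nbthlp.exe under here, which is exactly what the pasted listings show by hand. A hit from this check does not tell you how the entry is being hidden (ACLs, an odd name, or a kernel hook); it tells you which vantage point to stop trusting.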
 
news.microsoft.com

try this:
dir c:\winnt\system32\vxd /AH

Shai.

Agustin Chernitsky

Hi Robert,

I'm trying to use the POSIX tools in the reskit, but no way...

C:\WINNT\system32>rm -d "//C/WINNT/system32/v"
rm: //C/WINNT/system32/v: File exists.

I think I can't remove this directory....
 
Agustin Chernitsky

Hi Karl,

I found the hacker installed a service under the name "NetBIOS Helper"...
Since I removed that, no more strange "processes running", including the
hidden process (which exited as soon as I stopped that service).


Karl Levinson [x y] mvp said:
Since the process isn't showing up in task manager, it could be a windows
root kit was used... in which case your forensics job could be flawed
[especially if you did it all with the compromised version of Windows
running]. Windows root kits, as you may know, hide certain files, registry
values, processes, etc. from local access by hooking the API, even if you
are using trusted versions of your windows tools. Generally you can see
these things by connecting remotely across the network using Windows
networking, booting to an alternate OS, boot disk, Knoppix CD, slaving the
hard drive in another windows computer, etc.

If this is the case, www.rootkit.com and www.securityfocus.com have some
information on root kits.


Hi guys,

I found a service, which was created by a hacker, pointing to an exe file
with this path: c:\WINNT\system32\vxd\poissonbulle\here\nbthlp.exe

Now, I can browse up to c:\winnt\system32\vxd\, but if I do a "dir", I get
nothing:

<<<<
Directory of C:\WINNT\system32\vxd

20/01/2004 08:12a <DIR> .
20/01/2004 08:12a <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 37.210.169.344 bytes free

Still, if I do a cd \WINNT\system32\vxd\poissonbulle\here\ I can access
that directory:

<<<<
C:\>cd \WINNT\system32\vxd\poissonbulle\here
C:\WINNT\system32\vxd\poissonbulle\here>dir

Directory of C:\WINNT\system32\vxd\poissonbulle\here

31/01/2004 01:37p <DIR> .
31/01/2004 01:37p <DIR> ..
20/01/2004 08:48a <DIR> dmp
31/01/2004 01:37p 1.024 nbthlp.sys
31/01/2004 01:37p 49 ServUStartUpLog.txt
2 File(s) 1.073 bytes
3 Dir(s) 37.209.870.336 bytes free

The funny thing, is that doing a "cd .." I get:

<<<<
C:\WINNT\system32\vxd\poissonbulle\here>cd ..
The system cannot find the file specified.

As you can see, I can't see the .exe file also...

My question is, is there a way I can see these kind of directories?? I would
like to see if there are more directories hidden in my system like this...

I tried doing a dir /ad from C:\WINNT\system32\vxd\, but nothing...

I know I can remove the directory using rmdir \\.\c:\winnt\system32\vxd /s

By the way, since the directory is invalid, this service PID doesn't
show
in
any process viewer or taskmanager (good trick).

Thanks!

Agustin.
 
Z

zeljko

The main problem is that you don't have permission to do anything with this
folder!

Here is the procedure that worked for me:

Select drive C
Properties
Security
Owner
Choose "Replace owner on subcontainers and objects"

(It takes a while, but when it comes to c:\system volume information it
asks if you are really sure that you want to change the permission - YES
:) )

And after that you can freely write c:\system volume information in
Explorer and you are in!
With the use of shortcuts and their properties I also managed to get it in
the Explorer tree and successfully deleted it!!!

Hope it will work for the rest of you.

zeljko