viewing and deleting hacker created dirs

From: Agustin Chernitsky (agustinchernitskyNOSPAM_at_hotmail.com)
Date: 01/31/04


Date: Sat, 31 Jan 2004 15:21:06 -0300

Hi guys,

I found a service, which was created by a hacker, pointing to an exe file
with this path: c:\WINNT\system32\vxd\poissonbulle\here\nbthlp.exe

Now, I can browse up to c:\winnt\system32\vxd\, but if I do a "dir", I get
nothing:

<<<<
 Directory of C:\WINNT\system32\vxd

20/01/2004 08:12a <DIR> .
20/01/2004 08:12a <DIR> ..
               0 File(s) 0 bytes
               2 Dir(s) 37.210.169.344 bytes free
>>>>

Still, if I do a cd \WINNT\system32\vxd\poissonbulle\here\ I can access
that directory:

<<<<
C:\>cd \WINNT\system32\vxd\poissonbulle\here
C:\WINNT\system32\vxd\poissonbulle\here>dir

 Directory of C:\WINNT\system32\vxd\poissonbulle\here

31/01/2004 01:37p <DIR> .
31/01/2004 01:37p <DIR> ..
20/01/2004 08:48a <DIR> dmp
31/01/2004 01:37p 1.024 nbthlp.sys
31/01/2004 01:37p 49 ServUStartUpLog.txt
               2 File(s) 1.073 bytes
               3 Dir(s) 37.209.870.336 bytes free
>>>>

The funny thing is that doing a "cd .." I get:

<<<<
C:\WINNT\system32\vxd\poissonbulle\here>cd ..
The system cannot find the file specified.
>>>>

As you can see, I can't see the .exe file either...

My question is, is there a way I can see this kind of directory? I would
like to see if there are more directories hidden in my system like this...

I tried doing a dir /ad from C:\WINNT\system32\vxd\, but nothing...

I know I can remove the directory using rmdir \\.\c:\winnt\system32\vxd /s

By the way, since the directory is invalid, this service's PID doesn't show in
any process viewer or Task Manager (good trick).

Thanks!

Agustin.
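
The manual comparison made in the post (a path that can be entered directly while the parent's "dir" does not list it) can be automated for any path a service points to. This is an added example, not part of the original post; the function name and the sample data, constructed from the listings above, are assumptions.

```python
import ntpath
import os


def unlisted_components(path, listdir=os.listdir, exists=os.path.exists):
    """For a reachable path, return (parent, name, reason) for every
    component that the parent's directory listing does not show."""
    if not exists(path):
        return []
    drive, rest = ntpath.splitdrive(path)
    parent, findings = drive + "\\", []
    for name in filter(None, rest.split("\\")):
        try:
            listed = {entry.lower() for entry in listdir(parent)}
            if name.lower() not in listed:
                findings.append((parent, name, "not in parent listing"))
        except OSError:
            findings.append((parent, name, "parent cannot be enumerated"))
        parent = ntpath.join(parent, name)
    return findings


# Constructed sample modelled on the post: vxd lists as empty, yet
# vxd\poissonbulle\here can be entered. Treating poissonbulle as not
# enumerable is an assumption made for this illustration.
SAMPLE_LISTINGS = {
    "c:\\": ["WINNT"],
    "c:\\winnt": ["system32"],
    "c:\\winnt\\system32": ["vxd"],
    "c:\\winnt\\system32\\vxd": [],
}
SAMPLE_REACHABLE = {
    "c:\\winnt\\system32\\vxd",
    "c:\\winnt\\system32\\vxd\\poissonbulle\\here",
}


def sample_listdir(path):
    if path.lower() not in SAMPLE_LISTINGS:
        raise FileNotFoundError(path)
    return SAMPLE_LISTINGS[path.lower()]


def sample_exists(path):
    return path.lower() in SAMPLE_REACHABLE


if __name__ == "__main__":
    target = r"C:\WINNT\system32\vxd\poissonbulle\here"
    for parent, name, reason in unlisted_components(
            target, sample_listdir, sample_exists):
        print(f"{parent} -> {name}: {reason}")
```

On a live Windows host, call unlisted_components() with the defaults on each service's binary path; any finding is a path that resolves but is absent from its parent's enumeration.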


