
Need help with revealing a hidden Windows folder.

Status
Not open for further replies.

Embracefate (New Member, joined Aug 29, 2021)
Apologies if this is the wrong section for this; I assumed it would be the right one since it's hard-drive based. I think someone got remote access to my server PC and dropped something on it. A new user was created called "adminololo" with administrator privileges, but nothing was on that user as far as I could tell, and no recently accessed files/folders or browser history on my profile or the newly created one. The only thing Malwarebytes detected was a registry entry hidden as a Microsoft update file with the flags attrib +h +s on a folder called "documents and settings" dropped in C:\, but when I tried viewing the file normally it wasn't there. I tried checking "show hidden folders" and it's already turned on, checked the security settings of the C:\ drive and I had access to everything, tried opening cmd as administrator, cd into C:\ and then do attrib -h -s "documents and settings" and a few other iterations of that same command with extra arguments, and to no avail: the file is still hidden and can't be accessed by cding into the folder (doing a dir list shows nothing), by manually typing the file path into File Explorer, or by any other means I've tried. Any help finding a way to view and access the folder to see what its contents are would be greatly appreciated! (I'm pretty sure if I dual-booted a Linux OS I could manually navigate to the location and see the file and possibly its contents, but I'm far too lazy to install and dual-boot an entirely separate OS to see the contents of this folder.)

(edit) I know the folder exists but I can't access it. I'm able to add items to the folder and view them through Recent Items, but not by directly accessing them through typing out the file path in File Explorer or cding into the folder and dir listing them through cmd (it returns that the file doesn't exist), which is very strange. I made a new folder on C:\ with an empty text document named test, renamed the new folder to "documents and settings", and it asked if I wanted to merge the folders with the currently existing invisible one. I hit yes, the folder disappears, but I can still open the text document ONLY through the Recent Files section on the Quick Access tab.
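The behaviour described above (attrib reports nothing, dir shows nothing, yet files "merged" into the folder still open) is exactly what a hidden, system junction with a deny-list ACL produces, and Windows ships C:\Documents and Settings as such a junction to C:\Users. The following PowerShell is an added example, not from the thread, that tells a stock junction apart from a genuinely planted directory; the path is an assumed default and the script expects an elevated prompt.

```powershell
# Added example (not from the thread): inspect a path that attrib and dir refuse to show.
# Windows Vista and later create C:\Documents and Settings as a Hidden+System junction
# to C:\Users with an ACE denying Everyone "List folder", so listing fails even as
# administrator while files written through it land in C:\Users. Run elevated.
param([string]$Path = 'C:\Documents and Settings')   # assumed default; change as needed

# -Force is required to return hidden/system items at all.
$item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

[pscustomobject]@{
    Path       = $item.FullName
    Attributes = $item.Attributes        # expect Hidden, System, Directory, ReparsePoint on the stock junction
    LinkType   = $item.LinkType          # 'Junction', 'SymbolicLink', or empty for a real directory
    Target     = $item.Target            # where the reparse point actually points
    Created    = $item.CreationTimeUtc   # a planted folder has a recent timestamp; the stock one dates from install
}

# A Deny ACE on ListDirectory is what makes dir/attrib come back empty; reading the
# security descriptor itself is still permitted, so Get-Acl works here.
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# For a reparse point, enumerate the target rather than the junction, which is where
# anything "dropped" into the folder really lives. A non-reparse directory that still
# cannot be listed is the case worth preserving for analysis before touching it.
if ($item.LinkType) {
    Get-ChildItem -LiteralPath $item.Target -Force | Select-Object Mode, Name, LastWriteTime
} else {
    "Not a reparse point: treat '$Path' as a real directory and check its ACL above."
}
```

The Deny entry on the stock junction names Everyone with the ListDirectory right only; a planted folder carrying broader deny entries, or one whose Target is not C:\Users, is the anomaly.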
 
Run a malware and virus scan.

Trend Micro HouseCall too
 
> Run a malware and virus scan. Trend Micro HouseCall too

Running an ESET scan right now; already ran a full Malwarebytes scan + rootkit detection, and that's how I found the registry entries for the hidden folder, which was detected as a backdoor. Will try HouseCall as well and see if that finds anything; will update with results.

Ran 3 different antivirus scans and no results on any of them, but someone remote-connected to that computer while I was awake and tried connecting to my main computer through AnyDesk. I just randomly received a request at 5 am from the server PC, quickly connected over to the server PC and turned it off, since it's stored across the house from me in a room somebody is still sleeping in. Not sure how they got access to the computer and how it's undetected by 3 separate antiviruses, but I really don't wanna have to reformat the server PC to prevent them from connecting again. Any ideas on how to isolate where the breach they're using to connect to it is? Will check the AnyDesk logs while the computer is disconnected from the internet to see if they're somehow bypassing the 16-digit randomly generated password I used for AnyDesk with unattended access on that computer. But besides that, the server PC only runs a modded Minecraft server (for me and 2 other friends, and it's using a DNS server to obscure our real IP anyway), a Discord music bot and a Plex media server; nothing else is installed on it besides Java, ESET, Malwarebytes and Trend Micro HouseCall, and nobody has access to it besides me and the person who is currently asleep in the room it's stored in.
 
(update) Ended up just formatting all my drives and reinstalling Windows, since it was a pretty much barebones install anyway besides a few items I was hosting that I can easily just set up again within a day, and a couple hundred gigs of backed-up movie discs and stuff for our Plex server. Found out how they were getting in and the IP addresses of all the people/webcrawlers who connected: they exploited the Remote Desktop feature (it was disabled; no clue how they did it or what vulnerability they exploited to do it), but they managed to exploit Remote Desktop, then remotely drop an undetected RAT, and kept messing with me by adding new user accounts and changing the passwords for the user accounts. I had to boot into Linux on a USB to swap cmd with Utilman so I could get access to cmd as admin on the user login page to change the passwords back and check the log files. Originally thought that it was a 0-day exploit in AnyDesk, since that was the only application I could think of that could be exploited to get remote access to the system (not sure why someone would want to blow a 0-day on me, but it was the first thing that came to mind), but either I'm dumb and left something turned on/open that I shouldn't have and they used some old known vulnerability to exploit my system with Windows' built-in Remote Desktop (it was disabled; still unsure how they did it), or there is some new exploit people are using and they set up webcrawlers to find vulnerable machines to exploit and I was just unfortunately one of them. Not really too technically savvy to figure out what they were specifically exploiting in Windows Remote Desktop to gain access; just checked Event Viewer logs and stumbled upon the exploit they were using to gain access. Fingers crossed it doesn't happen again. Have all the Event Viewer logs and the file I couldn't access backed up (turns out it was just a copy of the user files from C:\Users but showing up as an entirely hidden separate folder in C:\Documents and Settings that could only be accessed through a different operating system that doesn't care about Windows security settings). Willing to provide the logs to somebody that's a bit more technically savvy than me if they wanna snoop around and see if they can sniff out the vulnerability that was used from the files I managed to upload before wiping the system.
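The update above found the intrusion by reading Event Viewer by hand. The PowerShell below is an added example, not from the thread, that does the same triage against the Security log: remote logons grouped by source address, account-creation and group-membership events, and a check of whether Remote Desktop is actually accepting connections. It assumes an elevated prompt and a 14-day window.

```powershell
# Added example (not from the thread): triage the Security log for remote logons and
# new local accounts, then confirm whether Remote Desktop is really accepting connections.
# Run elevated; the 14-day window is an assumption, adjust as needed.
$since = (Get-Date).AddDays(-14)

# Pull named EventData fields out of an event's XML; more reliable than parsing Message text.
function Get-EventFields($Record) {
    $fields = @{ Time = $Record.TimeCreated; Id = $Record.Id }
    foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$n.Name] = $n.'#text' }
    [pscustomobject]$fields
}

# 4624 = successful logon. LogonType 10 = RemoteInteractive (RDP), 3 = network (SMB etc.).
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_.LogonType -in '10', '3' -and $_.IpAddress -notin '-', '127.0.0.1', '::1' }

# One row per remote source address; addresses you do not recognise are the lead.
$logons | Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.TargetUserName | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 4720 = user account created, 4732 = member added to a local group (e.g. Administrators).
# Together they are the trail left by an attacker-created admin account like the one in this thread.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Select-Object Time, Id, TargetUserName, MemberName, SubjectUserName |
    Format-Table -AutoSize

# fDenyTSConnections = 0 means RDP accepts connections regardless of what the Settings
# app last showed; the firewall rule group shows whether TCP 3389 is reachable at all.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
"Remote Desktop connections allowed: $($rdp.fDenyTSConnections -eq 0)"
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled, Direction
```

Export the raw log with `wevtutil epl Security C:\triage\Security.evtx` before rebuilding the machine; the script reads the live log and will have nothing to look at once the drive is formatted.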
 
Look for a command to purge it. You must have something a hacker wanted; don't use warez/Supernova, Morpheus, LimeWire/torrents etc...
 

Maybe make a backup this time.
 
I usually have backups on machines I care about keeping the data on, but there was really nothing worth saving on our server PC besides some DVDs we ripped and had saved for our Plex server and some Minecraft maps; everything else I could set up within an hour or two, and we already have most of the ripped DVDs saved on various other computers on the network that I can just send over to the local storage drive in the server PC. So just gonna take it as a lesson and learn more about how to secure our server better in the future to prevent this happening again, have backups on anything we plan on saving longer term, and not have any remote desktop software on it anymore, just do everything physically.

> Look for a command to purge it. You must have something a hacker wanted; don't use warez/Supernova, Morpheus, LimeWire/torrents etc...

Already formatted all the drives and reinstalled Windows. Not sure it had anything a hacker would want on it, since it was literally only hosting a few Minecraft servers for us and a few friends, a Plex media server for digital DVD backups, and an open-source Discord music bot. Assuming people were exploiting some known vulnerability that I didn't know about in the Windows Remote Desktop feature and got remote access and dropped an undetected RAT stub, and probably tried to make it a part of a botnet, since it was more than one person who connected to it; but only one person kept consistently connecting to it, based on the IPs it had logged from the same subnet range and general location through geo-IP, and that was the person messing with us, I guess for the shits and giggles of messing with somebody, but not really doing anything malicious besides changing local user passwords (super easy to fix with an old trick that Windows never fixed) and downloading a password history ripper that did nothing, since no accounts were ever signed into for anything on that PC and I'm super uptight about never saving password history in browsers regardless. And none of us really use any torrenting software; pretty confident it was just a webcrawler that found the vulnerability available for exploitation on our machine and someone manually used that exploit to gain remote access. Changed from installing Windows 10 Pro to Windows 10 Home when I reinstalled as well and just got a cheap OEM key, which should entirely stop that exploit since Home doesn't have access to the Remote Desktop feature, and I've been checking logs a couple times a day and nothing so far, so I'm assuming whatever vulnerability they used can't be used anymore.

Also, is there a way I can set this post to solved and lock it so people don't have to waste their time reading it, since the issue is no longer an issue? I feel bad making people read all this and wasting their time.
 
Thanks for the info and updates, OP. On a side note, I had a similar issue with one of my other clients. Could you toss me the log files in a PM? Thanks!

Thread locked per OP request
 