BAckdoor and hacked ftp files in invisible folders

Hi Folks

My webserver was hacked and although I have cleaned all the ftp files vaious antispyware software has revealed Wiback and mroot.sys. These are located in hidden directories. By locating some of the hackers log and ini files Ihave managed to remove some of these by typing in the path in dos and FTP software. But there are still hidden folders and files in some locations and without knowing their names its seems impossible to see them.

Can any one help me make these folder visible? (btw I have tried Explorer show all files etc, attrib from DOS, Ztree etc - Security task manager tells me mroot.exe is running but it cannot close it due to the fact the location seems not to exist.

 

Hi,

Searching for hidden files can be very difficult, but fortunately there are a number of solutions to help.

F-Secure BlackLight Rootkit Elimination Technology Free - http://www.f-secure.com/blacklight/

RootkitRevealer an advanced rootkit detection utility Free - http://www.sysinternals.com/Utilities/RootkitRevealer.html

IceSword the Highly acclaimed RK Detector - IceSword 1.12 English version Free - http://xfocus.net/tools/200509/1085.html

Also you might some of the Find Hidden files/process Apps in this thread useful - http://www.sysinternals.com/Forum/forum_posts.asp?TID=962&PN=0&TPN=2 - Most of them are Free too !


StevieO

 

Two other programs I would add are Process Explorer and Autoruns by
Sysinternals. In Autoruns look at drivers and you may see some with no discription. Also look at the services.

http://www.sysinternals.com/Forum/default.asp

controler