|
Junior Member
Join Date: Apr 2005
Posts: 3
|
Thanks ALL, for your input.
I'd like to take a few steps back and explain a few more things about this
problem.
...BTW I did send a zipped dir to mouton, however now that I have taken a closer look at the dir myself I don't see an .exe in it.
Using a program called Sec Task Man, which gives more detail than the built in task manager, infact the builtin task manager doesnt even show an entry for this running process, I see that ioFTPD.exe is categorized as a hidden program.
It also shows the program starts from khmer.exe. I did a search for "khmer" and "ioftp" in the sys registry and have found several entries for both. However, aside from the dir I found and sent to mouton, I havent found any .exe files with either of these names. Im not quite sure what this all means but I know either of these apps should not be on this system. Im not sure if you will be able to see these, but I have attached screen shots of the sec task man which shows details of ioftpd.exe as a hidden process, another that shows a registry key that points to "khmer.exe", and below I have the registry entry I found for "khmer.exe". Notice how SYSTEM32 and MANAGER are incorrectly spelt.
***************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\s ystems32]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,52,00,45,00,4 3,00,59,00,43,00,4c,00,45,00,
\
52,00,5c,00,52,00,65,00,63,00,79,00,63,00,6c,00,65 ,00,64,00,2e,00,7b,00,36,\ 00,34,00,35,00,46,00,46,00,30,00,34,00,30,00,2d,00 ,35,00,30,00,38,00,31,00,\
2d,00,31,00,30,00,31,00,42,00,2d,00,39,00,46,00,30 ,00,38,00,2d,00,30,00,30,\ 00,41,00,41,00,30,00,30,00,32,00,46,00,39,00,35,00 ,34,00,45,00,7d,00,5c,00,\
64,00,6c,00,6c,00,5c,00,63,00,6f,00,6d,00,31,00,5c ,00,62,00,6f,00,6e,00,67,\
00,74,00,68,00,6f,00,6d,00,5c,00,6b,00,68,00,6d,00 ,65,00,72,00,2e,00,65,00,\
78,00,65,00,00,00
"DisplayName"="System32 Manger"
"ObjectName"="LocalSystem"
"Description"="powerful System"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\s ystems32\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00 ,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01 ,00,00,00,00,00,01,00,00,\
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02 ,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00 ,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,3f,d1,64,02,00,00,18,00,8d ,01,02,00,01,01,00,00,00,\
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01 ,02,00,01,02,00,00,00,00,\
00,05,20,00,00,00,23,02,00,00,3f,d1,64,02,01,01,00 ,00,00,00,00,05,12,00,00,\
00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\s ystems32\Enum]
"0"="Root\\LEGACY_SYSTEMS32\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
*************************************
Once again thanks in advance, infact just going through the motions within this forum has helped. I now see clearly what I need to do.
HyperX
|