How to remove or uninstall


HyperX
04-12-2005, 03:39 PM
I recently found a copy of ioftpd running on my server. It shouldn't be there because I didn't install it. I am having trouble removing it. I have deleted the dir and removed it from the registry, but it still shows up as a running service in the task manager and is still blocking my default ftp application. I have tried stopping the service within Services but get an error that basically says that it cannot stop the service. I am running MS Win 2k. Any help would be greatly appreciated.

mr_F_2
04-12-2005, 04:33 PM
mouton or inicom or someone working here will want a copy of that exe before you delete it (they can find out who owns it).
beyond that i can't help, but just so you can read this before you somehow figure out how to delete it in the meantime...

deo
04-12-2005, 06:14 PM
are you killing the exe or doing 'net stop <service>'? cos if you're just killing the exe, chances are it's installed with firedaemon, try 'net start' to see if there are any suspect service names :/

my ten cents worth...

HyperX
04-12-2005, 08:25 PM
Thanks ALL, for your input.
I'd like to take a few steps back and explain a few more things about this problem.
...BTW I did send a zipped dir to mouton, however now that I have taken a closer look at the dir myself I don't see an .exe in it.
Using a program called Sec Task Man, which gives more detail than the built-in task manager (in fact the built-in task manager doesn't even show an entry for this running process), I see that ioFTPD.exe is categorized as a hidden program.
It also shows the program starts from khmer.exe. I did a search for "khmer" and "ioftp" in the sys registry and have found several entries for both. However, aside from the dir I found and sent to mouton, I haven't found any .exe files with either of these names. I'm not quite sure what this all means but I know neither of these apps should be on this system. I'm not sure if you will be able to see these, but I have attached screen shots of the sec task man which shows details of ioftpd.exe as a hidden process, another that shows a registry key that points to "khmer.exe", and below I have the registry entry I found for "khmer.exe". Notice how SYSTEM32 and MANAGER are incorrectly spelt.
***************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systems32]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,52,00,45,00,43,00,59,00,43,00,4c,00,45,00,\
  52,00,5c,00,52,00,65,00,63,00,79,00,63,00,6c,00,65,00,64,00,2e,00,7b,00,36,\
  00,34,00,35,00,46,00,46,00,30,00,34,00,30,00,2d,00,35,00,30,00,38,00,31,00,\
  2d,00,31,00,30,00,31,00,42,00,2d,00,39,00,46,00,30,00,38,00,2d,00,30,00,30,\
  00,41,00,41,00,30,00,30,00,32,00,46,00,39,00,35,00,34,00,45,00,7d,00,5c,00,\
  64,00,6c,00,6c,00,5c,00,63,00,6f,00,6d,00,31,00,5c,00,62,00,6f,00,6e,00,67,\
  00,74,00,68,00,6f,00,6d,00,5c,00,6b,00,68,00,6d,00,65,00,72,00,2e,00,65,00,\
  78,00,65,00,00,00
"DisplayName"="System32 Manger"
"ObjectName"="LocalSystem"
"Description"="powerful System"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systems32\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,3f,d1,64,02,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,3f,d1,64,02,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systems32\Enum]
"0"="Root\\LEGACY_SYSTEMS32\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
*************************************
Once again thanks in advance; in fact just going through the motions within this forum has helped. I now see clearly what I need to do.
HyperX

Harm
04-13-2005, 01:01 AM
Your second screenshot shows a possible path for khmer.exe. Have you found this .exe yet? If you haven't, I suggest browsing dirs near this one; the ioFTPD.exe might be there.
The most interesting file for us is "ioFTPD.exe" because it is watermarked and can help us to find who put it on your server.
I hope you'll be able to clean your server soon; good luck :)

Pu$u
04-13-2005, 03:52 AM
I think there is a rootkit on your system.
First you have to uninstall this one.
To do this you can use RKDetector 0.62 (http://www.haxorcitos.com/ficheros/RKDetectorv0.62.zip)
I hope I could help you.


Sorry for my bad English.

deo
04-13-2005, 07:36 AM
the path in the second picture to khmer.exe will show up as a shortcut to the recycler itself (via windows), so you need to enter the path via cmd line, path being Recycled.{blah5643654} <- that will be the shortcut code, so double clicking will take you to whatever it refers to, probably back to recycler root, or recycler control panel.
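
The two points above (the service entry HyperX exported, and deo's note that a Recycled.{CLSID} folder shows up as a shell object rather than a directory) can be checked mechanically. The following is an added example, not code from the thread or from ioFTPD: it parses a regedit export, decodes the hex(2) ImagePath back to a readable path, and flags the indicators discussed here. The sample key is constructed from the export posted above; the check names and thresholds are my own.

```python
import re

# Constructed .reg excerpt: the thread's service key, ImagePath hex copied from the post.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systems32]
"ImagePath"=hex(2):43,00,3a,00,5c,00,52,00,45,00,43,00,59,00,43,00,4c,00,45,00,\
  52,00,5c,00,52,00,65,00,63,00,79,00,63,00,6c,00,65,00,64,00,2e,00,7b,00,36,\
  00,34,00,35,00,46,00,46,00,30,00,34,00,30,00,2d,00,35,00,30,00,38,00,31,00,\
  2d,00,31,00,30,00,31,00,42,00,2d,00,39,00,46,00,30,00,38,00,2d,00,30,00,30,\
  00,41,00,41,00,30,00,30,00,32,00,46,00,39,00,35,00,34,00,45,00,7d,00,5c,00,\
  64,00,6c,00,6c,00,5c,00,63,00,6f,00,6d,00,31,00,5c,00,62,00,6f,00,6e,00,67,\
  00,74,00,68,00,6f,00,6d,00,5c,00,6b,00,68,00,6d,00,65,00,72,00,2e,00,65,00,\
  78,00,65,00,00,00
"DisplayName"="System32 Manger"
'''

def decode_value(raw):
    """hex(2) (REG_EXPAND_SZ stored as UTF-16LE bytes) -> str; quoted string -> str."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"')

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a regedit export."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # re-join regedit's wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif line.startswith('"') and current is not None:
            name, _, raw = line[1:].partition('"=')
            current[name] = decode_value(raw)
    return keys

def flag_rogue_services(keys):
    """Return {service_key: reasons} for entries showing the indicators seen in the thread."""
    report = {}
    for key, vals in keys.items():
        image, display = vals.get("ImagePath", ""), vals.get("DisplayName", "")
        reasons = []
        if re.search(r"\\RECYCLE[RD]\\", image, re.I):
            reasons.append("image path is under the Recycle Bin folder")
        if re.search(r"\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", image, re.I):
            reasons.append("CLSID-named folder in path (Explorer opens it as a shell object)")
        if "system32" in display.lower() and "\\system32\\" not in image.lower():
            reasons.append("display name claims System32 but the image lives elsewhere")
        if reasons:
            report[key] = reasons
    return report
```

Run against a full export of HKLM\SYSTEM\CurrentControlSet\Services (regedit's File > Export), it lists each service whose binary sits somewhere a legitimate service would not, with the decoded path you can then visit from a cmd prompt as deo suggests.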

HyperX
04-13-2005, 01:30 PM
You guys are awesome...
I cannot begin to thank you for your time and expertise. It has been most valuable to me. I have become a bit wiser and have been able to remove this mess from my system and restore my services. My clients and I thank you all.
I haven't been able to find the .exe file but I will keep an eye out for it.
Sincerely,
HyperX