Go Back   FlashFXP Forums > > > >

ioFTPD General New releases, comments, questions regarding the latest version of ioFTPD.

Reply
 
Thread Tools Rate Thread Display Modes
Old 04-12-2005, 03:39 PM   #1
HyperX
Junior Member
 
Join Date: Apr 2005
Posts: 3
Post How to remove or uninstall

I recently found a copy of ioftpd running on my server. It shouldnt be there because I didnt install it. I am having trouble removing it. I have deleted the dir and removed from the registry, but it still shows up as a running service in the task manager and is still blocking my default ftp application. I have tried stopping the service within Services but get an error that basically says that it can not stop the service. I am running MS Win 2k. Any help would be greatly appreciated.
HyperX is offline   Reply With Quote
Old 04-12-2005, 04:33 PM   #2
mr_F_2
Senior Member
 
Join Date: Jan 2004
Posts: 203
Default

mouton or inicom or someone working here will want a copy of that exe before you delete it (they can find out who owns it).
beyond that i can't help, but just so you can read this before you somehow figure out how to delete it in the meantime...
mr_F_2 is offline   Reply With Quote
Old 04-12-2005, 06:14 PM   #3
deo
Banned
 
Join Date: Feb 2005
Posts: 46
Default

are you killing exe or doing 'net stop <service>' ? cos if youre just killing the exe, chances are its installed with firedaemon, try 'net start' to see if theres any suspect service names :/

my ten cents worth...
deo is offline   Reply With Quote
Old 04-12-2005, 08:25 PM   #4
HyperX
Junior Member
 
Join Date: Apr 2005
Posts: 3
Thumbs up

Thanks ALL, for your input.
I'd like to take a few steps back and explain a few more things about this

problem.
...BTW I did send a zipped dir to mouton, however now that I have taken a closer look at the dir myself I don't see an .exe in it.
Using a program called Sec Task Man, which gives more detail than the built in task manager, infact the builtin task manager doesnt even show an entry for this running process, I see that ioFTPD.exe is categorized as a hidden program.
It also shows the program starts from khmer.exe. I did a search for "khmer" and "ioftp" in the sys registry and have found several entries for both. However, aside from the dir I found and sent to mouton, I havent found any .exe files with either of these names. Im not quite sure what this all means but I know either of these apps should not be on this system. Im not sure if you will be able to see these, but I have attached screen shots of the sec task man which shows details of ioftpd.exe as a hidden process, another that shows a registry key that points to "khmer.exe", and below I have the registry entry I found for "khmer.exe". Notice how SYSTEM32 and MANAGER are incorrectly spelt.
***************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\s ystems32]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,52,00,45,00,4 3,00,59,00,43,00,4c,00,45,00,
\
52,00,5c,00,52,00,65,00,63,00,79,00,63,00,6c,00,65 ,00,64,00,2e,00,7b,00,36,\ 00,34,00,35,00,46,00,46,00,30,00,34,00,30,00,2d,00 ,35,00,30,00,38,00,31,00,\
2d,00,31,00,30,00,31,00,42,00,2d,00,39,00,46,00,30 ,00,38,00,2d,00,30,00,30,\ 00,41,00,41,00,30,00,30,00,32,00,46,00,39,00,35,00 ,34,00,45,00,7d,00,5c,00,\
64,00,6c,00,6c,00,5c,00,63,00,6f,00,6d,00,31,00,5c ,00,62,00,6f,00,6e,00,67,\
00,74,00,68,00,6f,00,6d,00,5c,00,6b,00,68,00,6d,00 ,65,00,72,00,2e,00,65,00,\
78,00,65,00,00,00
"DisplayName"="System32 Manger"
"ObjectName"="LocalSystem"
"Description"="powerful System"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\s ystems32\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00 ,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01 ,00,00,00,00,00,01,00,00,\
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02 ,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00 ,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,3f,d1,64,02,00,00,18,00,8d ,01,02,00,01,01,00,00,00,\
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01 ,02,00,01,02,00,00,00,00,\
00,05,20,00,00,00,23,02,00,00,3f,d1,64,02,01,01,00 ,00,00,00,00,05,12,00,00,\
00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\s ystems32\Enum]
"0"="Root\\LEGACY_SYSTEMS32\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
*************************************
Once again thanks in advance, infact just going through the motions within this forum has helped. I now see clearly what I need to do.
HyperX
Attached Images
File Type: gif ioftpd-snaps.gif (41.4 KB, 120 views)
HyperX is offline   Reply With Quote
Old 04-13-2005, 01:01 AM   #5
Harm
Too much time...
Ultimate Scripter
 
Join Date: Jul 2003
Posts: 1,430
Default

Your second screenshot shows a possible path for khmer.exe. Have you found this .exe yet ? If you haven't, I suggest browsing dirs near this one ; the ioFTPD.exe might be there.
The most interesting file for us is "ioFTPD.exe" because it is watermarked and can help us to find who put it on your server.
I hope you'll be able to clean your server soon ; good luck
Harm is offline   Reply With Quote
Old 04-13-2005, 03:52 AM   #6
Pu$u
Member
 
Join Date: Jul 2004
Posts: 36
Default

i think there is a rootkit on your system.
first u have to uninstall this one.
to doing this u can use RKDetector 0.62
i hope i could help u.


sry 4 my bad english
Pu$u is offline   Reply With Quote
Old 04-13-2005, 07:36 AM   #7
deo
Banned
 
Join Date: Feb 2005
Posts: 46
Default

the path in the second picture to khmer.exe will show up as a shortcut to the recycler itself (via windows), so you need to enter the path via cmd line, path being Recycled.{blah5643654} <- that will be the shortcut code, so double clicking will take you to whatever it refers to, probably back to recycler root, or recycler control panel.
deo is offline   Reply With Quote
Old 04-13-2005, 01:30 PM   #8
HyperX
Junior Member
 
Join Date: Apr 2005
Posts: 3
Thumbs up Nothing but thanks & praise here!!!

You guys are awsome...
I cannot begin to thank you for your time and expertise. It has been most valuable to me. I have become a bit wiser and have been able remove this mess from my system and restore my services. My clients and I thank you all.
I havent been able to find the .exe file but I will keep an eye out for it.
Sincerely,
HyperX
HyperX is offline   Reply With Quote
Reply

Tags
application, default, ftp, running, service

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 10:01 PM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)