Servu & Other Trojans On My Pc

vnet576

Aug 6 2003, 11:38 PM

Well it looks like I found that another servudaemon is installed on my pc. I found this accidently when I tried to edit a servu file but got strange error. Also I checked my services and alot of them are turned off. I really don't wanna reformat my pc...I would have to backup so much stuff. Does anybody know how/where that servudaemon might be hidden. None of the usually suspects service, firedaemon, win.ini work. Any ideas how I could eliminate that and any other trojan that I might be running. A good trojan scanner..if anybody has any suggestions perhaps.

I'd really appreciate if u all helped me clean my system out without me having to resort to reformat.

w00dy

Aug 7 2003, 01:18 AM

Serv u is most likely in ur system directory c:/windows/system32

dcpartsguy

Aug 7 2003, 01:09 PM

Download and run the programs Ad-Aware by LavaSoft and SpyBot Search and Destroy from www.download.com Also use the latest version of Zone Alarm.

OneNight

Aug 7 2003, 01:48 PM

The way that works for me is try and look at creation dates to try and figure out what could be malicious.

And dont forget that the servu.exe, which uses the servudaemon.ini, can be hexed so that it can use a filename different to servudaemon.ini. (as long as the new filename is the exact same length as servudaemon.ini). When i install my services somewhere, i name my servudaemon.ini to a file called <11charshere>.ocx. And .ocx files are hard to detect and hard to delete

I hope you fix it man and if worse come to worse, a format is healthy for ur system once in a while...

DJohn84

Aug 7 2003, 04:26 PM

.ocx huh? I havent thought of that. But you can hex Servu to use a config file with a different lenght that 11 characters + extention. Least I was able to :\

One thing I'm playing with is hexing the servu.exe to report a different name. so it reports something like a valid windows service.

Have you looked in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run] or [HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Run] area of your registry?

Sometimes things can be hidden there. Best of luck!

OneNight

Aug 7 2003, 07:03 PM

- Going slightly off topic here -

Hey Djohn, have you been able to hex firedaemon.exe so that it can be named somethign else? I've tried it with no success and i'd like to call it a different name...

And yeah vnet, trawl through ur registry entries and see what you can find...

vnet576

Aug 7 2003, 08:27 PM

Yep gonna do that...thanks guys. I'll let u all know how this turns out.

DJohn84

Aug 8 2003, 02:18 AM

QUOTE (OneNight @ Aug 7 2003, 07:03 PM)

- Going slightly off topic here -

Hey Djohn, have you been able to hex firedaemon.exe so that it can be named somethign else? I've tried it with no success and i'd like to call it a different name...

And yeah vnet, trawl through ur registry entries and see what you can find...

Nah. I've never tried to hex firedaemon. I got tired as f*** of loosing systems due to that stupid Firedaemon: <servicename> thing in the service menu lineup.

sc.exe and srvany.exe work *really* well for me

Unless someone tells me otherwise.

Check your PMs because I'd like to talk more

vnet576

Aug 8 2003, 07:47 PM

found one of the trojans on my own. WEBDAV.exe..heard that that app is a trojan.

Gonna run virus checker now...see what else I come up with. Damn...when I "get" into other machines I never install so much crap for the owner of that machine...just a simple servu as a service.

DJohn84

Aug 8 2003, 09:42 PM

http://housecall.trendmicro.com

That online scanner is very good, and I use it all the time to check my PC and also to check my exploit files

Best of luck in finding the rest of the files

vnet576

Aug 8 2003, 10:05 PM

Looks like I got everything...It found over 1000 viruses on my pc. (Symantec Antivirus Corp). Plus it found a few trojans.backdoor. I quarantined then deleted those. I ran fport on my pc to check for open ports and it looks like everything bad was deleted!

Axl

Jan 9 2004, 04:56 PM

QUOTE (DJohn84 @ Aug 8 2003, 02:18 AM)

QUOTE (OneNight @ Aug 7 2003, 07:03 PM)

- Going slightly off topic here -

Hey Djohn, have you been able to hex firedaemon.exe so that it can be named somethign else? I've tried it with no success and i'd like to call it a different name...

And yeah vnet, trawl through ur registry entries and see what you can find...

Nah. I've never tried to hex firedaemon. I got tired as f*** of loosing systems due to that stupid Firedaemon: <servicename> thing in the service menu lineup.

sc.exe and srvany.exe work *really* well for me

Unless someone tells me otherwise.

Check your PMs because I'd like to talk more

I successfully hexed firedaemon to servicesnt

blackP0ster

Jan 9 2004, 07:45 PM

for finding the servudaemon you can run fport2.0
it lists all services and you can probably find the task with servudaemon.

anotherway is to check the autostart...

black

FiNaLBeTa

Jan 9 2004, 08:00 PM

90% change he just wanted to testdrive his mdded serv-u on his system, and he got an error 100.
and he forgot the serv-uadmin has installed serv-u on instal.
so you need to del that service before you can run enotherone.

Greetz

SNOZZ

Jan 11 2004, 07:32 PM

Might be worth running a root kit detector as well just to be on the safe side
Theres a good one called
Haxorcitos Rootkit Detector v0.3
Programmed by aT4r@3wdesign.es
h**p://www.3WDesign.es on the net as rkd3.zip if u cannot find it at that site.

manni

Jan 11 2004, 08:57 PM

get fport and check wich programs have 2 tcp ports open as servu usually do

vnet576

Jan 11 2004, 09:08 PM

Hehe..this topic is from so long ago..brings back good memories though. That dcom exploit really took me by surprise.

Jeeve5

Jan 14 2004, 01:58 PM

QUOTE (vnet576 @ Aug 6 2003, 11:38 PM)

Well it looks like I found that another servudaemon is installed on my pc. I found this accidently when I tried to edit a servu file but got strange error. Also I checked my services and alot of them are turned off. I really don't wanna reformat my pc...I would have to backup so much stuff. Does anybody know how/where that servudaemon might be hidden. None of the usually suspects service, firedaemon, win.ini work. Any ideas how I could eliminate that and any other trojan that I might be running. A good trojan scanner..if anybody has any suggestions perhaps.

I'd really appreciate if u all helped me clean my system out without me having to resort to reformat.

Well, some of the stuff has already been posted, but here is the way I take when removing rootkits or some lame script kiddies FTP or Iroffer Kits.

1. Run fport.exe and see what processes are running on which port. Use some common sense and find out which ones are suspicious.
2. Get a list of all services running and the dir which the file is located in, since poeple often put their kits somewhere else than %windir%\system32\...
3. Kill all suspicious services and see if windows still works

If yes remove!, not disbale, the services.
4. Goto the dir where the executables for the services were located and make a backup copy of all files if you like. After that rd the whole dir.
5. Goto the folder (if exists) where the executables found in step 1 are located and proceed like step 4. If the executables are located in the system32 dir or windir or something alike open regedit since it is likely that they are just service wrappers. Goto CurrentControlSetup and then to services and check out the entries. It is stated where the actual executable is located and what parameters are used to start it.
6. Get a decent AV prog, and by decent I don't mean Norton

Hope that helped

vnet576

Jan 14 2004, 08:02 PM

Thanks, but this is a very old topic and I solved all of the problems since.

Jeeve5

Jan 14 2004, 08:54 PM

hehe, my bad. i guess i kinda got carried away reading and not paiyng attention to dates ...

zero-maitimax

Jan 15 2004, 09:09 AM

QUOTE (DJohn84 @ Aug 8 2003, 09:42 PM)

http://housecall.trendmicro.com

That online scanner is very good, and I use it all the time to check my PC and also to check my exploit files

Best of luck in finding the rest of the files

tnx for the site it's usefull for me