Deadhat
Aug 8 2005, 07:32 PM
Hi Guys,
I've got a problem: somebody hacked my server and is running a hook or something.
After running RK Detector I got the following:
-Searching for Rootkit Modules........
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\winnt\system32\tsappcmp.dll
-------------------------------------------------------------------------------
*WARNING! MODULE c:\winnt\system32\msvcrt.dll SEEMS TO BE HOOKED
-------------------------------------------------------------------------------
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)
When I try to delete the files I get Access Denied.
How can I delete the shit?
I can't use Safe Mode because it's located at another place than my home.
thx..
Just use this program that moves any file that is 'undeletable' in a normal Windows ...
The program is called MoveOnBoot, and.. deletes files on the next reboot..
Good program, also one of mine
DOWNLOAD MOVEONBOOT
Greetz
Zen
Deadhat
Aug 8 2005, 08:18 PM
Thanks, but same as before :/
ch0pper
Aug 8 2005, 08:19 PM
That's a nice program, any good for getting the SAMs when you have no administrator access?
tibbar
Aug 8 2005, 08:19 PM
Boot into safe mode then delete it (will hopefully work unless the hacker is using serviceDaemon!)
ch0pper
Aug 8 2005, 08:21 PM
Use BlackLight, it will find out if they are using a rootkit.
Deadhat
Aug 8 2005, 08:24 PM
I can't use Safe Mode because I use Terminal Services!
BlackLight finds nothing :/
shit, plz help
I think it's hooked into some Windows process.
tibbar
Aug 8 2005, 08:34 PM
Well, ask the admin who runs the server to do this for you.
Deadhat
Aug 8 2005, 08:36 PM
Well, I found a way with MoveOnBoot!
1000 thanks to you! Zed
satknis
Aug 8 2005, 08:41 PM
Tell us how you got it
and upload the files if you have them.
Deadhat
Aug 8 2005, 08:47 PM
Create 2 DLL files named the same as before, enter any letters and save.
Give them the write-protected attribute.
Run MoveOnBoot.
Let it delete the 2 hooked .dll files in the System32 directory and copy your new DLL files to the System32 directory.
That's it =)
Deadhat
Aug 8 2005, 08:52 PM
(filtered) Shit, they are back
Erra
Aug 8 2005, 09:10 PM
Are you 100% sure that these are suspicious files?
I mean they are both valid DLL filenames (not that that means anything). Could be that an app that is running on the machine needs these files. If they are coming back, check to see if they are anywhere else on the machine.
Also, something else you could try would be to get hold of the DLLs on the net and check size/version etc. to see if they are the same as the ones on your box.
Cheers
Erra
Deadhat
Aug 8 2005, 09:10 PM
I think it's some error from RK Detector because the files are published by Microsoft...
nolimit
Aug 9 2005, 01:56 AM
uhhh...
WARNING! MODULE c:\winnt\system32\msvcrt.dll SEEMS TO BE HOOKED
You definitely DO NOT want to delete this DLL. If it's hooked, then it's hooked only in memory. You just need to remove the startup method of whatever program is hooking it, then reboot. The hook will be gone.
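Erra's suggestion to compare the DLLs' size and version against known copies, and nolimit's point that the hook lives only in memory and has to be re-applied from some startup entry, can be checked with the PowerShell script below. It is an added example, not code from this thread or from RK Detector; it assumes a host with PowerShell 4 or later, an elevated prompt, and known-good SHA256 values (placeholders here) taken from a clean install of the same Windows build.

```powershell
# Added example, not from the thread. Assumes PowerShell 4+ (Get-FileHash,
# Get-CimInstance) run from an elevated prompt on the affected host.
$flagged = @('C:\winnt\system32\tsappcmp.dll', 'C:\winnt\system32\msvcrt.dll')

# Placeholder values: fill in SHA256 hashes taken from a clean install of the
# same Windows version / service pack before trusting a match.
$knownGood = @{ 'tsappcmp.dll' = '<SHA256 FROM CLEAN INSTALL>'
                'msvcrt.dll'   = '<SHA256 FROM CLEAN INSTALL>' }

foreach ($path in $flagged) {
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }
    $item = Get-Item $path
    # Catalog-signed OS files can report NotSigned on older hosts; the hash
    # comparison against a clean install is the reliable check there.
    $sig  = Get-AuthenticodeSignature $path
    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    [pscustomobject]@{
        File         = $item.Name
        SizeBytes    = $item.Length
        FileVersion  = $item.VersionInfo.FileVersion
        Company      = $item.VersionInfo.CompanyName
        Signature    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        SHA256       = $hash
        MatchesClean = ($knownGood[$item.Name] -eq $hash)
    } | Format-List
}

# An in-memory hook disappears at reboot, so whatever re-applies it needs a
# startup entry. These are the usual locations to review (Autoruns covers more).
$autostart = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # holds AppInit_DLLs
)
foreach ($key in $autostart) {
    if (Test-Path $key) {
        "`n== $key"
        Get-ItemProperty $key | Select-Object * -ExcludeProperty PS* | Format-List
    }
}
"`n== Services that start automatically (check PathName for unexpected binaries)"
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    Select-Object Name, PathName | Format-Table -AutoSize
```

A file that matches the clean-install hash but is still reported as hooked confirms nolimit's reading: the modification is in the loaded copy, not on disk, and the fix is the startup entry, not the file.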