Message-ID: <LAW12-F58B5Rw1SSfWX00066de8@hotmail.com>
From: axid3j1al at hotmail.com (axid3j1al axid3j1al)
Subject: Removal?



>From: Paul Schmehl <pauls@...allas.edu>
>Reply-To: Paul Schmehl <pauls@...allas.edu>
>To: axid3j1al axid3j1al 
><axid3j1al@...mail.com>,full-disclosure@...ts.netsys.com
>Subject: RE: [Full-Disclosure] Removal?
>Date: Tue, 03 Feb 2004 19:07:14 -0600
>
>--On Wednesday, February 4, 2004 12:41 AM +0000 axid3j1al axid3j1al 
><axid3j1al@...mail.com> wrote:
>>
>>usr_crtl.dll won't unregister and fag.exe is not in the process list.
>>
>It was worth a shot.  You could download pslist from sysinternals and use 
>that to list the process id, and then use their pskill to kill it.
>
><http://www.sysinternals.com/ntw2k/utilities.shtml>
>
>(I would put these on a write-protected floppy.)
>

I checked before. No entries or deviations on these names.


>Then you should be able to remove the files.  I would also check the 
>registry for entries.  You can use Ctrl F to search for the file names 
>"usr_crt.dll" and "faq.exe" in the registry and remove them.  Then reboot, 
>and you should be able to remove them.

>>
>>Norton is fully patched to current as is windows update.
>>
>Any idea how this got on your computer?
>
>>Current versions of adaware, spybot (search & Destroy) or norton found
>>any trace of the trojan. Even when pointed directly at that directory.
>>Anything else that recognises this?
>>
>Did you try housecall.antivirus.com?

I did but it did not find the files in question.


Finally removed it by using msconfig -> general -> diagnostic startup.
Then fag.exe was finally in the process list so I could kill it and then 
delete the directory f~q.

Is there a current virus/trojan checker that properly reports what this 
is/does?

Also on a fully patched xp system killing all the svchost.exe's causes the 
NT_AUTHORITY message to come up and gives a minute to reboot. Which MS 
update was meant to fix this?




>
>Paul Schmehl (pauls@...allas.edu)
>Adjunct Information Security Officer
>The University of Texas at Dallas
>AVIEN Founding Member
>http://www.utdallas.edu
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
