Message-ID: <LAW12-F58B5Rw1SSfWX00066de8@hotmail.com>
From: axid3j1al at hotmail.com (axid3j1al axid3j1al)
Subject: Removal?
>From: Paul Schmehl <pauls@...allas.edu>
>Reply-To: Paul Schmehl <pauls@...allas.edu>
>To: axid3j1al axid3j1al
><axid3j1al@...mail.com>,full-disclosure@...ts.netsys.com
>Subject: RE: [Full-Disclosure] Removal?
>Date: Tue, 03 Feb 2004 19:07:14 -0600
>
>--On Wednesday, February 4, 2004 12:41 AM +0000 axid3j1al axid3j1al
><axid3j1al@...mail.com> wrote:
>>
>>usr_crtl.dll won't unregister and fag.exe is not in the process list.
>>
>It was worth a shot. You could download pslist from sysinternals and use
>that to list the process id, and then use their pskill to kill it.
>
><http://www.sysinternals.com/ntw2k/utilities.shtml>
>
>(I would put these on a write-protected floppy.)
>
I checked before. No entries or deviations on these names.
>Then you should be able to remove the files. I would also check the
>registry for entries. You can use Ctrl F to search for the file names
>"usr_crt.dll" and "faq.exe" in the registry and remove them. Then reboot,
>and you should be able to remove them.
>>
>>Norton is fully patched to current as is windows update.
>>
>Any idea how this got on your computer?
>
>>Current versions of adaware, spybot (search & Destroy) or norton found
>>any trace of the trojan. Even when pointed directly at that directory.
>>Anything else that recognises this?
>>
>Did you try housecall.antivirus.com?
I did, but it did not find the files in question.
Finally removed it by using msconfig -> general -> diagnostic startup.
Then fag.exe was finally in the process list so I could kill it and then
delete the directory f~q.
Is there a current virus/trojan checker that properly reports what this
is/does?
Also on a fully patched xp system killing all the svchost.exe's causes the
NT_AUTHORITY message to come up and gives a minute to reboot. Which MS
update was meant to fix this?
>
>Paul Schmehl (pauls@...allas.edu)
>Adjunct Information Security Officer
>The University of Texas at Dallas
>AVIEN Founding Member
>http://www.utdallas.edu
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html