lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <DE6CCA02F4B32D41A35EFA494BCC373D0390C902@ivexch01.inventuresolutions.com>
From: Wayne_Dawson at inventuresolutions.com (Wayne Dawson)
Subject: RE: Full-Disclosure digest, Vol 1 #1991 - 41 msgs

First, you didn't say, so I'm wondering if you checked the simple
things?  I mean for why you couldn't see it or delete it?   Like, does
it have read and hidden attributes?  

OK, admittedly, even if the read attribute was taken off, being still in
use, you might not be able to delete it. However, you may be able to
rename it logon.txt and then reboot. 

Anyway, I don't know of a free utility, but you could always take the
drive out and put it in another NTFS machine and access it that way.  It
wouldn't be running so it should be safe.

Of course, I'm assuming that you've already done the usual checking of
HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

for any reference to any file you deleted.

Also, for each user there is a registry area named HKEY_USERS\[code
number indicating user]\. Check the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Additionally, in case you didn't, make sure system restore has been
disabled before doing your rescue operations.

	--__--__--

	Message: 3
	Date: Wed, 20 Oct 2004 17:37:26 +0100
	From: "Richard Stevens" <richard@...net.co.uk>
	To: <full-disclosure@...sys.com>
	Subject: [Full-Disclosure] interesting trojan found


	A client had a problem home PC, after removal of all the usual
spyware, adware and 6-month-old viruses,

	there remained an unusual process in the process list,
logon.exe, which 

	Process Explorer pointed to it being from
c:\windows\system32\logon.exe

	it tries to connect to a SingNet IP address on port 3175.

	This file appeared almost invisible to the file system in both
safe & normal mode, which struck me as being unusual.

	You could not delete it, copy it or see it in a directory
listing (file not found),  but you could execute it directly.

	I eventually got a copy of it by using an NTFS-reader boot disk,
and ran it through VirusTotal.

	Kaspersky was the only one to recognize it as
backdoor.win32.rbot.gen

	Just wondering really

	a: if anyone wants it for study. (off list replies pls, will be
sent in passworded zip)
	b: anyone know a free boot disk that both reads & writes to
NTFS, so I can delete it!


	Regards

	Richard


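The checks suggested in the reply above (file attributes, rename-and-reboot, the HKLM and per-user Run keys, and System Restore) collected into one script, as an added example that is not part of either message. It uses modern PowerShell, which did not exist when this thread was written; the suspect path and port are taken from the quoted post, the function names are my own, and Get-NetTCPConnection and Disable-ComputerRestore are assumed to be available (Windows client with the NetTCPIP module).

```powershell
# Added example, not part of the original thread. Assumes PowerShell 5.1 or
# later on Windows, run as Administrator. The path and port below are the
# values named in the quoted post, passed in as parameters, not findings.
param(
    [string]$Suspect    = 'C:\Windows\System32\logon.exe',
    [int]   $RemotePort = 3175
)

# 1. Attributes: a file that 'dir' skips often just carries Hidden+System.
#    -Force makes Get-Item return hidden/system items. If even -Force cannot
#    see a file that still executes, the hiding is API interception, not an
#    attribute, and the disk should be read offline as the reply suggests.
function Get-SuspectAttributes {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [pscustomobject]@{
        Path       = $item.FullName
        Attributes = $item.Attributes.ToString()
        Hidden     = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        System     = [bool]($item.Attributes -band [IO.FileAttributes]::System)
        ReadOnly   = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
        Size       = $item.Length
        Modified   = $item.LastWriteTime
    }
}

# 2. Every file in a directory that a plain listing would not show.
function Get-HiddenEntries {
    param([string]$Directory = 'C:\Windows\System32')
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -LiteralPath $Directory -File -Force |
        Where-Object { $_.Attributes -band $mask } |
        Select-Object FullName, Attributes, Length, LastWriteTime
}

# 3. Autorun values under HKLM and every loaded HKEY_USERS hive whose data
#    mentions the suspect file. RunServices is a Windows 9x/Me key; keys that
#    do not exist on this system are simply skipped.
function Find-AutorunReferences {
    param([string]$Pattern)
    $subKeys = @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    $roots = @('Registry::HKEY_LOCAL_MACHINE') +
             @(Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" })
    foreach ($root in $roots) {
        foreach ($sub in $subKeys) {
            $key = "$root\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ...
                if ("$($p.Value)" -like "*$Pattern*") {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
                }
            }
        }
    }
}

# 4. Live TCP connections to the remote port the post mentions (no IP given).
function Get-SuspectConnections {
    param([int]$Port)
    Get-NetTCPConnection -RemotePort $Port -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

# 5. Neutralise: clear attributes, rename so the autorun entry no longer
#    resolves (Windows allows renaming a running image but not deleting it),
#    drop the autorun values, and stop System Restore preserving a copy.
#    Take an offline copy for analysis first; reboot afterwards.
function Disable-SuspectFile {
    param([string]$Path)
    attrib -r -h -s $Path
    $leaf = Split-Path $Path -Leaf
    Rename-Item -LiteralPath $Path -NewName ([IO.Path]::ChangeExtension($leaf, '.txt')) -Force
    foreach ($ref in (Find-AutorunReferences -Pattern $leaf)) {
        Remove-ItemProperty -LiteralPath $ref.Key -Name $ref.Name
    }
    Disable-ComputerRestore -Drive ((Split-Path $Path -Qualifier) + '\')
}

Get-SuspectAttributes -Path $Suspect | Format-List
Get-HiddenEntries | Format-Table -AutoSize
Find-AutorunReferences -Pattern (Split-Path $Suspect -Leaf) | Format-Table -AutoSize
Get-SuspectConnections -Port $RemotePort | Format-Table -AutoSize
# Disable-SuspectFile -Path $Suspect   # uncomment once a copy has been secured
```

The triage functions are read-only and can be run on the live box; Disable-SuspectFile changes the system and is left commented out. The order matters: capture the file and the registry references before renaming anything, because once the file is gone the Run values are the only remaining lead to how it started.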