| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Wayne_Dawson at inventuresolutions.com (Wayne Dawson) Subject: RE: Full-Disclosure digest, Vol 1 #1991 - 41 msgs First, you didn't say, so I'm wondering if you checked the simple things? I mean for why you couldn't see it or delete it? Like, does it have read and hidden attributes? OK, admittedly, even if the read attribute was taken off, being still in use, you might not be able to delete it. However, you may be able to rename it logon.txt and then reboot. Anyway, I don't know of a free utility, but you could always take the drive out and put it in another NTFS machine and access it that way. It wouldn't be running so it should be safe. Of course, I'm assuming that you've already done the usual checking of HKEY_LOCAL_MACHINE entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices for any reference to any file you deleted. Also, for each user there is a registry area named HKEY_USERS\[code number indicating user]\. Check the entry: HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\ and remove any reference to any file you deleted. Additionally, in case you didn't, make sure system restore has been disabled before doing your rescue operations. --__--__-- Message: 3 Date: Wed, 20 Oct 2004 17:37:26 +0100 From: "Richard Stevens" <richard@...net.co.uk> To: <full-disclosure@...sys.com> Subject: [Full-Disclosure] interesting trojan found A client had a problem home PC, after removal of all the usual spyware, adware and 6 month old viruses, there remained an unusual process in the process list, logon.exe, which Process Explorer pointed to it being from c:\windows\system32\logon.exe it tries to connect to a singnet ip address on port 3175. This file appeared almost invisible to the file system in both safe & normal mode, which struck me as being unusual. You could not delete it, copy it or see it in a directory listing (file not found), but you could execute it directly. I eventually got a copy of it by using an NTFS-reader boot disk, and ran it through virus total. Kaspersky was the only one to recognize it as Message: 3 Date: Wed, 20 Oct 2004 17:37:26 +0100 From: "Richard Stevens" <richard@...net.co.uk> To: <full-disclosure@...sys.com> Subject: [Full-Disclosure] interesting trojan found A client had a problem home PC, after removal of all the usual spyware, adware and 6 month old viruses, there remained an unusual process in the process list, logon.exe, which Process Explorer pointed to it being from c:\windows\system32\logon.exe it tries to connect to a singnet ip address on port 3175. This file appeared almost invisible to the file system in both safe & normal mode, which struck me as being unusual. You could not delete it, copy it or see it in a directory listing (file not found), but you could execute it directly. I eventually got a copy of it by using an NTFS-reader boot disk, and ran it through virus total. Kaspersky was the only one to recognize it as backdoor.win32.rbot.gen Just wondering really a: if anyone wants it for study. (off list replies pls, will be sent in passworded zip) b: anyone know a free boot disk that both reads & writes to NTFS, so I can delete it! Regards Richard Just wondering really a: if anyone wants it for study. (off list replies pls, will be sent in passworded zip) b: anyone know a free boot disk that both reads & writes to NTFS, so I can delete it! Regards Richard
Powered by blists - more mailing lists