Message-ID: <DE6CCA02F4B32D41A35EFA494BCC373D0390C902@ivexch01.inventuresolutions.com>
From: Wayne_Dawson at inventuresolutions.com (Wayne Dawson)
Subject: RE: Full-Disclosure digest, Vol 1 #1991 - 41 msgs
First, you didn't say, so I'm wondering if you checked the simple
things? I mean for why you couldn't see it or delete it? Like, does
it have read and hidden attributes?
OK, admittedly, even if the read attribute was taken off, being still in
use, you might not be able to delete it. However, you may be able to
rename it logon.txt and then reboot.
Anyway, I don't know of a free utility, but you could always take the
drive out and put it in another NTFS machine and access it that way. It
wouldn't be running so it should be safe.
Of course, I'm assuming that you've already done the usual checking of
HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
for any reference to any file you deleted.
Also, for each user there is a registry area named HKEY_USERS\[code
number indicating user]\. Check the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Additionally, in case you didn't, make sure system restore has been
disabled before doing your rescue operations.
--__--__--
Message: 3
Date: Wed, 20 Oct 2004 17:37:26 +0100
From: "Richard Stevens" <richard@...net.co.uk>
To: <full-disclosure@...sys.com>
Subject: [Full-Disclosure] interesting trojan found
A client had a problem home PC, after removal of all the usual
spyware, adware and 6 month old viruses,
there remained an unusual process in the process list,
logon.exe, which
Process Explorer pointed to it being from
c:\windows\system32\logon.exe
it tries to connect to a singnet ip address on port 3175.
This file appeared almost invisible to the file system in both
safe & normal mode, which struck me as being unusual.
You could not delete it, copy it or see it in a directory
listing (file not found), but you could execute it directly.
I eventually got a copy of it by using an NTFS-reader boot disk,
and ran it through virus total.
Kaspersky was the only one to recognize it as
backdoor.win32.rbot.gen
Just wondering really
a: if anyone wants it for study. (off list replies pls, will be
sent in passworded zip)
b: anyone know a free boot disk that both reads & writes to
NTFS, so I can delete it!
Regards
Richard
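The checks the two messages describe, as an added example that is not code from either poster: walk the Run/RunServices keys under HKLM and every loaded HKEY_USERS hive, resolve each entry to its image path, and flag targets that a normal file-system view cannot see; then apply the same cross-check to running processes, since a file that executes but cannot be listed is exactly the logon.exe symptom. It assumes an elevated PowerShell prompt on the suspect machine; the function names are my own.

```powershell
# Added example (not from the thread). Lists autostart entries and running
# processes whose image file is invisible to Test-Path, i.e. hidden from the
# file-system view while still present enough to run.
function Get-AutostartTargets {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    # HKEY_USERS is not mapped as a drive by default; map it once.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # One Run key per loaded user hive (the HKU\[code number] the reply mentions).
    $keys += Get-ChildItem 'HKU:\' | ForEach-Object {
        "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    }
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }            # key absent on this OS or hive
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue } # provider metadata, not a value
            # The value is a command line: take the quoted or first token as the image.
            $cmd = [string]$p.Value
            if ($cmd -match '^\s*"([^"]+)"' -or $cmd -match '^\s*(\S+)') {
                $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
            } else { continue }
            [pscustomobject]@{
                Key    = $key
                Name   = $p.Name
                Image  = $exe
                Listed = Test-Path -LiteralPath $exe -PathType Leaf
            }
        }
    }
}

function Get-UnlistedProcessImages {
    # A process has an image path (it is running) but the path fails Test-Path:
    # the file is being hidden from directory listings, as logon.exe was.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        if (-not (Test-Path -LiteralPath $_.Path -PathType Leaf)) {
            [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; Image = $_.Path }
        }
    }
}

Get-AutostartTargets | Where-Object { -not $_.Listed } | Format-Table -AutoSize
Get-UnlistedProcessImages | Format-Table -AutoSize
```

A hit in either list means the live system's view of the disk cannot be trusted, so confirm and clean from outside it, as the reply suggests (the drive mounted in another machine or an offline NTFS boot disk); a rootkit that filters file listings may also filter the registry values themselves, so an empty result is not proof of a clean machine.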