lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20050906135332.73ED8210@lists.grok.org.uk>
Date: Tue Sep  6 14:53:40 2005
From: y0himba at technolounge.org (y0himba)
Subject: Re: Shell32.dll.124.config

If you would have read the message, I stated that it showed up in scans but
could not be found on the system.  If you must have the exact text from the
log:

9/6/2005,9:37:59 WARNING: AVGuard detected a problem in the file
  C:\WINDOWS\SYSTEM32\SHELL32.DLL.124.CONFIG
      INFO: The access to the file has been denied!

If the information had contained something helpful, I would have posted it.
Also, to keep the messages to a smaller size, I didn't post the text from
Filemon.  I am quite sure that folks are smart enough to ask for the
information if they need it.

Thank you for the link! :)  Good reading although my computer is
experiencing none of the symptoms listed.




-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Dave Korn
Sent: Tuesday, September 06, 2005 9:40 AM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Re: Shell32.dll.124.config

> ----- Original Message -----
> From: "y0himba"
> Sent: Monday, September 05, 2005 4:33 PM

>> Yes I am a "noob".  I have a question though.  Google searches and a 
>> few other things can tell me nothing about "shell32.dll.124.config".  
>> I am on WindowsXP SP2, and keep seeing this file show up in antivirus 
>> scans, but cannot find it anywhere on the system!  I think it is 
>> dynamically created by something, but after sitting and watching 
>> Filemon
>> 7.02 for 20 minutes or so, I give up.  Has anyone heard of this file?
>> Antivir, Bitdefender, AVG and Clam all show it on the system, have 
>> scanned it, but have found nothing. I have never seen this file before...

----Original Message----
>From: Morning Wood
>Message-Id: BAY19-DAV10034B5749FF0FE3BCF10ED9A70@....gbl

> sounds like an ADS ( alternate data stream )

  No it doesn't.  ADS filenames have a ':' as a separator.  That name only
has dots in it and so is not an ADS.  It is part of some kind of known
malware:

http://forums.spywareinfo.com/index.php?showtopic=7447&st=15

  I guess y0himba's AV is detecting the attempt to access this file as
suspicious whether or not it actually exists, but he forgot to mention
anything about what the AV actually _says_ about it.  y0himba, next time
you're reporting an error message, how about actually quoting the text, huh?


    cheers,
      DaveK
--
Can't think of a witty .sigline today....



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005
 

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ