[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Removal?

To: pauls@utdallas.edu, full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Removal?
From: "axid3j1al axid3j1al" <axid3j1al@hotmail.com>
Date: Wed, 04 Feb 2004 00:41:48 +0000

From: "Schmehl, Paul L" <pauls@utdallas.edu> To: "axid3j1al axid3j1al" <axid3j1al@hotmail.com>, <full-disclosure@lists.netsys.com> Subject: RE: [Full-Disclosure] Removal? Date: Tue, 3 Feb 2004 14:02:29 -0600

> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> axid3j1al axid3j1al
> Sent: Tuesday, February 03, 2004 12:03 AM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Removal?
>
>
> How do I delete the virus that is not detectable by norton av (latest
> definitions)
>
http://housecall.antivirus.com/
>
> but has the files
> c:\windows\system32\f~q\fag.exe
> c:\windows\system32\f~q\usr_crt.dll
>
> i.e. what program do I kill to do a attrib -h -r -s *.* ; del. ?
>

Good Idea.

But did not work.

usr_crtl.dll wont unregister and fag.exe is not in the process list.

regsvr32 /u c:\windows\system32\f~q\usr_crt.dll
del c:\windows\system32\f~q\usr_crt.dll
Ctrl-Alt-Del/Task Manager/Processes
Locate fag.exe and End Process

Get your AV software up to date and keep it that way.
Go to Windows Update and patch to current.

Norton is fully patched to current as is windows update.

Current versions of adaware, spybot (search & Destroy) or norton found any trace of the trojan. Even when pointed directly at that directory. Anything else that recgnises this?


Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_________________________________________________________________ E-mail just got a whole lot better. New ninemsn Premium. Click here http://ninemsn.com.au/premium/landing.asp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] Removal?
  - From: Paul Schmehl <pauls@utdallas.edu>

Prev by Date: Re: [Full-Disclosure] sco.com Press Release
Next by Date: RE: [Full-Disclosure] Removal?
Previous by thread: RE: [Full-Disclosure] Removal?
Next by thread: RE: [Full-Disclosure] Removal?
Index(es):
- Date
- Thread