[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Removal?

To: pauls@utdallas.edu, full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Removal?
From: "axid3j1al axid3j1al" <axid3j1al@hotmail.com>
Date: Wed, 04 Feb 2004 05:02:11 +0000

From: Paul Schmehl <pauls@utdallas.edu> Reply-To: Paul Schmehl <pauls@utdallas.edu> To: axid3j1al axid3j1al <axid3j1al@hotmail.com>,full-disclosure@lists.netsys.com Subject: RE: [Full-Disclosure] Removal? Date: Tue, 03 Feb 2004 19:07:14 -0600

--On Wednesday, February 4, 2004 12:41 AM +0000 axid3j1al axid3j1al <axid3j1al@hotmail.com> wrote:
usr_crtl.dll wont unregister and fag.exe is not in the process list.

It was worth a shot. You could download pslist from sysinternals and use that to list the process id, and then use their pskill to kill it.

<http://www.sysinternals.com/ntw2k/utilities.shtml>

(I would put these on a write-protected floppy.)

I checked before. No entires or deviations on these names.

Then you should be able to remove the files. I would also check the registry for entries. You can use Ctrl F to search for the file names "usr_crt.dll" and "faq.exe" in the registry and remove them. Then reboot, and you should be able to remove them.

Norton is fully patched to current as is windows update.

Any idea how this got on your computer?
Current versions of  adaware, spybot (search & Destroy) or norton found
any trace of the trojan. Even when pointed directly at that directory.
Anything else that recgnises this?
Did you try housecall.antivirus.com?

I did but it not find the files in question.

Finally removed it by using msconfig -> general -> diagnostic startup. Then fag.exe was finally in the process list so I could kill it and then delete the directory f~q.

Is there a current virus/trojan checker that properly reports what this is/does?

Also on a fully patched xp system killing all the svchost.exe's causes the NT_AUTHORITY message to come up and gives a minute to reboot. Which MS update was meant to fix this?


Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_________________________________________________________________ E-mail just got a whole lot better. New ninemsn Premium. Click here http://ninemsn.com.au/premium/landing.asp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: RE: [Full-Disclosure] Removal?
Next by Date: [Full-Disclosure] [SECURITY] [DSA 433-1] New Linux 2.4.17 packages fix local root exploit (mips+mipsel)
Previous by thread: Re: [Full-Disclosure] Removal?
Next by thread: [Full-Disclosure] Re:
Index(es):
- Date
- Thread