Full Disclosure mailing list archives

RE: Removal?

From: "axid3j1al axid3j1al" <axid3j1al () hotmail com>
Date: Wed, 04 Feb 2004 05:02:11 +0000

From: Paul Schmehl <pauls () utdallas edu>
Reply-To: Paul Schmehl <pauls () utdallas edu>
To: axid3j1al axid3j1al<axid3j1al () hotmail com>,full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Removal?
Date: Tue, 03 Feb 2004 19:07:14 -0600
--On Wednesday, February 4, 2004 12:41 AM +0000 axid3j1al axid3j1al<axid3j1al () hotmail com> wrote:
usr_crtl.dll wont unregister and fag.exe is not in the process list.
It was worth a shot. You could download pslist from sysinternals and usethat to list the process id, and then use their pskill to kill it.
<http://www.sysinternals.com/ntw2k/utilities.shtml>

(I would put these on a write-protected floppy.)


I checked before. No entires or deviations on these names.

Then you should be able to remove the files. I would also check theregistry for entries. You can use Ctrl F to search for the file names"usr_crt.dll" and "faq.exe" in the registry and remove them. Then reboot,and you should be able to remove them.


Norton is fully patched to current as is windows update.

Any idea how this got on your computer?

Current versions of  adaware, spybot (search & Destroy) or norton found
any trace of the trojan. Even when pointed directly at that directory.
Anything else that recgnises this?

Did you try housecall.antivirus.com?


I did but it not find the files in question.


Finally removed it by using msconfig -> general -> diagnostic startup.

Then fag.exe was finally in the process list so I could kill it and thendelete the directory

f~q.

Is there a current virus/trojan checker that properly reports what thisis/does?

Also on a fully patched xp system killing all the svchost.exe's causes theNT_AUTHORITY message to come up and gives a minute to reboot. Which MSupdate was meant to fix this?


Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_________________________________________________________________

E-mail just got a whole lot better. New ninemsn Premium. Click herehttp://ninemsn.com.au/premium/landing.asp


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Removal? axid3j1al axid3j1al (Feb 02)
- RE: Removal? Mike (Feb 03)
- Re: Removal? Nico Golde (Feb 03)
- <Possible follow-ups>
- RE: Removal? Schmehl, Paul L (Feb 03)
- RE: Removal? axid3j1al axid3j1al (Feb 03)
  - RE: Removal? Paul Schmehl (Feb 03)
    - Message not available
    - Re: Removal? Anders (Feb 04)
- RE: Removal? axid3j1al axid3j1al (Feb 03)