Full Disclosure mailing list archives
RE: Removal?
From: "axid3j1al axid3j1al" <axid3j1al () hotmail com>
Date: Wed, 04 Feb 2004 05:02:11 +0000
> From: Paul Schmehl <pauls () utdallas edu>
> Reply-To: Paul Schmehl <pauls () utdallas edu>
> To: axid3j1al axid3j1al <axid3j1al () hotmail com>, full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] Removal?
> Date: Tue, 03 Feb 2004 19:07:14 -0600
>
> --On Wednesday, February 4, 2004 12:41 AM +0000 axid3j1al axid3j1al <axid3j1al () hotmail com> wrote:
>
> It was worth a shot. You could download pslist from sysinternals and use that to list the process id, and then use their pskill to kill it.
>
>> usr_crtl.dll won't unregister and fag.exe is not in the process list.
>
> <http://www.sysinternals.com/ntw2k/utilities.shtml> (I would put these on a write-protected floppy.)
>
>> I checked before. No entries or deviations on these names.
>
> Then you should be able to remove the files. I would also check the registry for entries. You can use Ctrl F to search for the file names "usr_crt.dll" and "faq.exe" in the registry and remove them. Then reboot, and you should be able to remove them.
>
>> Norton is fully patched to current as is windows update.
>
> Any idea how this got on your computer?
>
>> Current versions of adaware, spybot (search & Destroy) or norton found any trace of the trojan. Even when pointed directly at that directory. Anything else that recognises this?
>
> Did you try housecall.antivirus.com?

I did but it did not find the files in question. Finally removed it by using msconfig -> general -> diagnostic startup. Then fag.exe was finally in the process list so I could kill it and then delete the directory f~q.

Is there a current virus/trojan checker that properly reports what this is/does?

Also on a fully patched xp system killing all the svchost.exe's causes the NT_AUTHORITY message to come up and gives a minute to reboot. Which MS update was meant to fix this?

> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
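A report-only triage script for the two steps the thread walks through (search the registry for the file names, then check whether the files are loaded in any running process), added here as an example and not part of the thread or any poster's code. It assumes PowerShell on a Windows host; the autostart key list is an assumption, and the file names are the ones named in the thread.

```powershell
# Added example, not from the thread: report where the named files are referenced
# before deleting them, mirroring the "search the registry, then check the process
# list" steps above. Report-only: nothing is killed or deleted.
param(
    # File names from the thread; replace with the names you are investigating.
    [string[]]$Names = @('usr_crtl.dll', 'faq.exe')
)

# Assumed list of common autostart locations; not exhaustive.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Find-RegistryReferences {
    param([string[]]$Names, [string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            foreach ($n in $Names) {
                if ("$($p.Value)" -match [regex]::Escape($n)) {
                    [pscustomobject]@{ Where = 'Registry'; Location = $key; Entry = $p.Name; Value = "$($p.Value)"; Matched = $n }
                }
            }
        }
    }
}

function Find-ProcessReferences {
    param([string[]]$Names)
    # Check loaded modules, not just process names: a DLL never appears as a
    # process of its own, and an executable may be hosted under another name.
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # protected process or bitness mismatch
        foreach ($m in $mods) {
            foreach ($n in $Names) {
                if ($m.ModuleName -ieq $n) {
                    [pscustomobject]@{ Where = 'Process'; Location = $proc.ProcessName; Entry = $proc.Id; Value = $m.FileName; Matched = $n }
                }
            }
        }
    }
}

$hits = @(Find-RegistryReferences -Names $Names -Keys $AutostartKeys) + @(Find-ProcessReferences -Names $Names)
$hits | Format-Table -AutoSize
```

An empty table means neither the autostart keys nor any process's module list refers to the names; a hit in the Process column gives the process id whose module list should be reviewed before anything is removed.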