Full Disclosure mailing list archives
[Full-Disclosure] RE: Full-disclosure digest, Vol 1 #1991 - 41 msgs
From: "Wayne Dawson" <Wayne_Dawson () inventuresolutions com>
Date: Thu, 21 Oct 2004 02:38:00 -0700
First, you didn't say, so I'm wondering if you checked the simple things? I mean for why you couldn't see it or delete it? Like, does it have read and hidden attributes? OK, admittedly, even if the read attribute was taken off, being still in use, you might not be able to delete it. However, you may be able to rename it logon.txt and then reboot.

Anyway, I don't know of a free utility, but you could always take the drive out and put it in another NTFS machine and access it that way. It wouldn't be running so it should be safe.

Of course, I'm assuming that you've already done the usual checking of HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

for any reference to any file you deleted. Also, for each user there is a registry area named HKEY_USERS\[code number indicating user]\. Check the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Additionally, in case you didn't, make sure System Restore has been disabled before doing your rescue operations.

--__--__--

Message: 3
Date: Wed, 20 Oct 2004 17:37:26 +0100
From: "Richard Stevens" <richard () tccnet co uk>
To: <full-disclosure () netsys com>
Subject: [Full-disclosure] interesting trojan found

A client had a problem home PC. After removal of all the usual spyware, adware and 6-month-old viruses, there remained an unusual process in the process list, logon.exe, which Process Explorer pointed to as being from c:\windows\system32\logon.exe. It tries to connect to a singnet IP address on port 3175.

This file appeared almost invisible to the file system in both safe & normal mode, which struck me as being unusual. You could not delete it, copy it or see it in a directory listing (file not found), but you could execute it directly. I eventually got a copy of it by using an NTFS-reader boot disk, and ran it through VirusTotal. Kaspersky was the only one to recognize it, as backdoor.win32.rbot.gen.

Just wondering really:
a: if anyone wants it for study (off-list replies pls, will be sent in a passworded zip).
b: anyone know a free boot disk that both reads & writes to NTFS, so I can delete it!

Regards
Richard

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
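The registry sweep Wayne describes above, as an added example that is not part of either post: it walks the Run and RunServices keys under HKLM and under every loaded user hive in HKEY_USERS and reports any value whose data references a given file name (the file name, logon.exe here, and the read-only report format are this example's assumptions).

```powershell
# Added example: report autostart values that reference a file name.
# Read-only; review the report before removing any entry.
param(
    [string]$FileName = 'logon.exe'   # assumed: the name from the quoted message
)

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# PowerShell has no HKU: drive by default; map one so each user's
# HKEY_USERS\<SID> area can be walked the same way as HKLM.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$roots = @('HKLM:') +
    (Get-ChildItem -Path 'HKU:' | ForEach-Object { "HKU:\$($_.PSChildName)" })

$hits = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $key = Join-Path -Path $root -ChildPath $sub
        if (-not (Test-Path -LiteralPath $key)) { continue }   # RunServices is often absent
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # Case-insensitive substring match on the value data (path + arguments).
            if ($data -match [regex]::Escape($FileName)) {
                [pscustomobject]@{ Key = $key; ValueName = $name; Data = $data }
            }
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    # To remove one entry after confirming it is the one you mean:
    #   Remove-ItemProperty -LiteralPath <Key> -Name <ValueName>
} else {
    "No Run/RunServices value references $FileName"
}
```

Only hives of users currently loaded appear under HKEY_USERS, so profiles that are not logged on are not covered by this sweep; the offline-drive approach in the reply reaches those.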