Full Disclosure mailing list archives
RE: Re: Shell32.dll.124.config
From: "y0himba" <y0himba () technolounge org>
Date: Tue, 6 Sep 2005 09:53:30 -0400
If you would have read the message, I stated that it showed up in scans but could not be found on the system. If you must have the exact text from the log:

9/6/2005,9:37:59 WARNING: AVGuard detected a problem in the file C:\WINDOWS\SYSTEM32\SHELL32.DLL.124.CONFIG INFO: The access to the file has been denied!

If the information had contained something helpful, I would have posted it. Also, to keep the messages to a smaller size, I didn't post the text from Filemon. I am quite sure that folks are smart enough to ask for the information if they need it.

Thank you for the link! :) Good reading although my computer is experiencing none of the symptoms listed.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Dave Korn
Sent: Tuesday, September 06, 2005 9:40 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Re: Shell32.dll.124.config

----- Original Message -----
From: "y0himba"
Sent: Monday, September 05, 2005 4:33 PM
Yes I am a "noob". I have a question though. Google searches and a few other things can tell me nothing about "shell32.dll.124.config". I am on WindowsXP SP2, and keep seeing this file show up in antivirus scans, but cannot find it anywhere on the system! I think it is dynamically created by something, but after sitting and watching Filemon 7.02 for 20 minutes or so, I give up. Has anyone heard of this file? Antivir, Bitdefender, AVG and Clam all show it on the system, have scanned it, but have found nothing. I have never seen this file before...
----Original Message----
From: Morning Wood
Message-Id: BAY19-DAV10034B5749FF0FE3BCF10ED9A70 () phx gbl
sounds like an ADS ( alternate data stream )
No it doesn't. ADS filenames have a ':' as a separator. That name only has dots in it and so is not an ADS. It is part of some kind of known malware:

http://forums.spywareinfo.com/index.php?showtopic=7447&st=15

I guess y0himba's AV is detecting the attempt to access this file as suspicious whether or not it actually exists, but he forgot to mention anything about what the AV actually _says_ about it. y0himba, next time you're reporting an error message, how about actually quoting the text, huh?

cheers,
DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005

--
No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005