Re: WINSRV32.exe
From: Dolemite (yomama@nospam.com)
Date: 04/22/03
- Next message: DSW: "Patch for blocking unauthorized 'favorites' additions??"
- Previous message: Vijay Kumar: "Re: WINSRV32.exe"
- In reply to: Vijay Kumar: "Re: WINSRV32.exe"
- Next in thread: NoneOfBusiness: "Re: WINSRV32.exe"
- Reply: NoneOfBusiness: "Re: WINSRV32.exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Dolemite" <yomama@nospam.com> Date: Tue, 22 Apr 2003 00:32:55 -0700
cert.org
"Vijay Kumar" <vramnarayan@triniti.com> wrote in message
news:#tgpAqJCDHA.33548@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> Do we have a Check RootKit for windows.
> ( software which checks for common backdoors )
>
> I did find a psexec.exe file on my Windows 2000 Server and have deleted it.
> It was in the fonts folder.
>
> Please give me some links/documents/softwares for checking the system for
> malicious activities..
>
> Thank You,
> Vijay
>
> "NoneOfBusiness" <NoneofBusiness@nob.com> wrote in message
> news:4829avctbg47gh0angq906cdqdf194jh55@4ax.com...
> > Also look and see if you have any services running called:
> > firedaemon, srvany, psexec, or any other strange service you are not
> > familiar with. srvany is a valid one if you set it up from the NT
> > resource kit, otherwise I would be suspicious. Disable them, then
> > start a registry search for them and delete the keys. You should then
> > be able to delete the WINSRV32.exe file.
> >
> > On Tue, 15 Apr 2003 10:16:02 -0700, "Dolemite" <yomama@nospam.com>
> > wrote:
> >
> > >Try using the Kill command util in the NT4 Res Kit. This can kill the
> > >process. If the trojan has set itself up as a service you may want to see if
> > >you can disable the service and then reboot.
> > >
> > >
> > >"Jeff" <jeffadams@qwest.net> wrote in message
> > >news:BAC0400E.3253%jeffadams@qwest.net...
> > >> My NAV identified WINSRV32.exe as a BACKDOOR.WINSHELL trojan but will not
> > >> delete or quarantine it because WINSRV32.exe is running (I assume that is
> > >> why NAV will not do its thing with it). I went to SARC to see how to remove
> > >> manually but the reg keys they say to remove are not there.
> > >> I also checked my services and neither BACKDOOR nor WINSERV32 are there. I
> > >> then checked in the task manager and WINSERV32 is there but won't let me
> > >> terminate it.
> > >> Any idea how to get rid of this thing???
> > >>
> > >> I am running WIN NT4 server.
> > >>
> > >> Thanks,
> > >> Jeff Adams
> > >>
> > >
> >
>
>
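The triage steps the thread recommends (look for services named firedaemon, srvany or psexec, or any unfamiliar one; note binaries sitting in odd places like the Fonts folder; disable the service; search the registry for references; reboot, then delete the file) can be scripted. The block below is an added example, not code from anyone in this thread, and it assumes a modern Windows host with PowerShell 5.1 or later running as Administrator; the NT4 and Windows 2000 machines in the thread had no PowerShell, and there the same steps are done by hand with the Services control panel, the Resource Kit kill utility and regedit. The name list `$suspectNames`, the directory list `$oddDirs` and the `$disableHits` switch are my own choices for illustration.

```powershell
# Added example: service/autorun triage along the lines of the thread's advice.
# Assumes PowerShell 5.1+ on a supported Windows version, run as Administrator.
# By default it only reports; set $disableHits to $true to disable matched services.

$disableHits  = $false
# Names from the thread plus the file under discussion (assumed list).
$suspectNames = @('firedaemon', 'srvany', 'psexec', 'winsrv32')

# 1. Services whose name, display name or binary path contains a suspect string.
$services = Get-CimInstance -ClassName Win32_Service
$hits = foreach ($svc in $services) {
    foreach ($name in $suspectNames) {
        if ($svc.Name -like "*$name*" -or $svc.DisplayName -like "*$name*" -or
            $svc.PathName -like "*$name*") {
            [pscustomobject]@{
                Name = $svc.Name; State = $svc.State; StartMode = $svc.StartMode
                PathName = $svc.PathName; Matched = $name
            }
            break
        }
    }
}
"== Services matching suspect names =="
$hits | Format-Table -AutoSize

# 2. Running processes whose image lives somewhere a service binary should not,
#    e.g. the Fonts folder where psexec.exe turned up in the thread (assumed list).
$oddDirs = @("$env:windir\Fonts", "$env:windir\Temp")
"== Processes running from unusual directories =="
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | Where-Object {
    $p = $_.Path
    foreach ($d in $oddDirs) { if ($p -like "$d\*") { return $true } }
    $false
} | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 3. Registry search: service definitions and the common autorun keys.
#    Reports key names and values that contain a suspect string; deletion is
#    left to you after you have confirmed each hit is not a legitimate srvany.
$regRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
"== Registry keys/values referencing suspect names =="
foreach ($root in $regRoots) {
    # Include the root key itself (Run keys hold values directly) plus all subkeys.
    $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue
              Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $suspectNames) {
            if ($key.PSChildName -like "*$name*") { "$($key.Name)  (key name matches '$name')" }
        }
        foreach ($valueName in $key.GetValueNames()) {
            $value = [string]$key.GetValue($valueName)
            foreach ($name in $suspectNames) {
                if ($value -like "*$name*") { "$($key.Name) : $valueName = $value" }
            }
        }
    }
}

# 4. Disable (never delete here) each matched service and try to stop it.
#    A reboot afterwards releases the file lock that kept the AV from
#    quarantining the binary, after which the file can be removed.
if ($disableHits) {
    foreach ($h in $hits) {
        Set-Service -Name $h.Name -StartupType Disabled
        Stop-Service -Name $h.Name -Force -ErrorAction SilentlyContinue
        "Disabled service $($h.Name) ($($h.PathName))"
    }
}
```

Run it once with `$disableHits = $false` and read the three reports before acting: as the thread notes, srvany is legitimate if you installed it from the Resource Kit yourself, so a name match alone is not proof. If a matched process refuses to stop, disabling its service and rebooting is the same fallback the thread gives for the Resource Kit kill utility.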