RE: [Full-Disclosure] Looking for a tool

[Tiago Halm]

Title: Message

Paul,   Run FileMon and RegMon (both from SysInternals) while you do those delete actions you mention, then examine the log file and you may find something. FileMon makes use of "NTFS Change Journal" which I think may be behind those process and file/directory re-creations. "NTFS Change Journal" tracks every action in a NTFS file system. Just google for it for more info.   Hope it helps, Tiago Halm -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmehl, Paul L Sent: segunda-feira, 1 de Mar�o de 2004 23:37 To: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Looking for a tool -----Original Message----- From: Nick Jacobsen [mailto:[EMAIL PROTECTED] Sent: Monday, March 01, 2004 5:31 PM To: Schmehl, Paul L; [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Looking for a tool Well, I usually use *sysinternals* Process Exporer, and have yet to see it fail to list a process...  how do you know the process exists, if you can't list it?   Real simple.  I have randomly named processes (like gk5odre.exe) popping up, and when I kill them, another one takes their place.  *Something* has to be the parent than controls this.  I can delete an entire registry key and watch it be recreated in less than a second.  I can delete a directory with three dlls in it and watch it be recreated right before my eyes.  I can kill the randomly named process and watch it reappear using the same name or a completely different name.  I can delete the executable after killing the process, and it will be recreated in no time.  So *something* has to be controlling it, yet when I look at the process tree, the randomly named process appears to be the parent. Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/