On Tue, 2004-03-02 at 00:36, Schmehl, Paul L wrote:
> Well, I usually use *sysinternals* Process Explorer, and have
> yet to see it fail to list a process... how do you know the
> process exists, if you can't list it?
>
> Real simple. I have randomly named processes (like
> gk5odre.exe) popping up, and when I kill them, another one
> takes their place. *Something* has to be the parent that
> controls this. I can delete an entire registry key and watch
> it be recreated in less than a second. I can delete a
> directory with three dlls in it and watch it be recreated
> right before my eyes. I can kill the randomly named process
> and watch it reappear using the same name or a completely
> different name. I can delete the executable after killing the
> process, and it will be recreated in no time. So *something*
> has to be controlling it, yet when I look at the process tree,
> the randomly named process appears to be the parent.

Probably a rootkit. Give a look to klister and patchfinder2, from www.rootkit.com ...

Regards,
--
Nicob <[EMAIL PROTECTED]>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
