Mark,

> The idea here is to learn something from it. Reformatting the system is
> a good idea, but before that takes place it'd be nice to learn what the
> thing actually is and how it works.

"Once you understand the nature of a thing, you know what it's capable of." - Blade

> This thing respawns itself without a reboot. Loading Tiny Personal
> Firewall apparently prevents it from respawning. TPF does something
> about preventing code from being injected into a process, so maybe
> that's why TPF keeps it at bay.

Ok, so it performs DLL injection. Does the user account being used on the system have the privilege to debug programs?

> This isn't on any system I use or manage. It's on a colleague's system
> and I am trying to help find a way to figure out what it does, how to
> get it shut down permanently, removed if possible.

I'll provide some input on this. First, run several tools to get information from the system...pslist/tlist/handle/listdlls to get process information, openports to get process-to-port mapping info (use both '-netstat' and '-fport' switches). Check the usual Registry entries where this stuff likes to hide...map unusual entries there to DLLs injected into processes, if this is what's happening...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
