Message-ID: <20040609173951.90988.qmail@web51510.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: tvm.exe / poll each.exe / blehdefyreal toolbar
Mark,
> The idea here is to learn something from it. Reformatting the system is
> a good idea, but before that takes place it'd be nice to learn what the
> thing actually is and how it works.
"Once you understand the nature of a thing, you know
what it's capable of." - Blade
> This thing respawns itself without a reboot. Loading Tiny Personal
> Firewall apparently prevents it from respawning. TPF does something
> about preventing code from being injected into a process, so maybe
> that's why TPF keeps it at bay.
Ok, so it performs DLL injection. Does the user
account being used on the system have the privilege to
debug programs?
> This isn't on any system I use or manage. It's on a colleague's system
> and I am trying to help find a way to figure out what it does, how to
> get it shut down permanently, removed if possible.
I'll provide some input on this. First, run several tools to get
information from the system...pslist/tlist/handle/listdlls to get process
information, openports to get process-to-port mapping info (use both
'-netstat' and '-fport' switches). Check the usual Registry entries where
this stuff likes to hide...map unusual entries there to DLLs injected into
processes, if this is what's happening...
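The triage steps above (debug privilege, process and loaded-module listing, process-to-port mapping, autostart Registry entries), collected into one PowerShell script as an added example that is not from the original thread. It assumes a current Windows host with PowerShell 5+ run from an elevated session, and the list of "expected" module directories is a constructed starting point, not a definitive whitelist.

```powershell
# Added triage script (not from the original message). Assumes PowerShell 5+
# in an elevated session; $expectedDirs is a constructed example whitelist.
$expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                  "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

# 1. Can this account debug programs (open other processes for injection)?
whoami /priv | Select-String -Pattern 'SeDebugPrivilege'

# 2. Process list with loaded modules, flagging DLLs outside expected dirs
#    (rough equivalent of listdlls, filtered to the interesting entries)
Get-Process | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { $mods = @() }   # access denied on some
    foreach ($m in $mods) {
        $dir = Split-Path $m.FileName -Parent
        $unusual = -not ($expectedDirs | Where-Object { $dir -like "$_*" })
        if ($unusual) {
            [pscustomobject]@{ PID = $proc.Id; Process = $proc.ProcessName; Module = $m.FileName }
        }
    }
} | Sort-Object Module -Unique | Format-Table -AutoSize

# 3. Process-to-port mapping (what openports -netstat / -fport gave)
Get-NetTCPConnection -State Listen, Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize

# 4. The usual autostart Registry entries; read every value under each key
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties | ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } } }
    }
}
# AppInit_DLLs is the classic Registry-driven DLL-load point; an unexpected
# path here is what "map unusual entries to injected DLLs" is about
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -Name AppInit_DLLs -ErrorAction SilentlyContinue
```

Compare the module paths flagged in step 2 against the commands and DLL paths found in step 4; a match between an autostart entry and a module loaded into several unrelated processes is the correlation the message describes.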