lists.openwall.net | Open Source and information security mailing list archives
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: tvm.exe / poll each.exe / blehdefyreal toolbar

Mark,

> The idea here is to learn something from it. Reformatting the system is
> a good idea, but before that takes place it'd be nice to learn what the
> thing actually is and how it works.

"Once you understand the nature of a thing, you know what it's capable of." - Blade

> This thing respawns itself without a reboot. Loading Tiny Personal
> Firewall apparently prevents it from respawning. TPF does something
> about preventing code from being injected into a process, so maybe
> that's why TPF keeps it at bay.

Ok, so it performs DLL injection. Does the user account being used on the system have the privilege to debug programs?

> This isn't on any system I use or manage. It's on a colleague's system
> and I am trying to help find a way to figure out what it does, how to
> get it shut down permanently, removed if possible.

I'll provide some input on this. First, run several tools to get information from the system...pslist/tlist/handle/listdlls to get process information, openports to get process-to-port mapping info (use both '-netstat' and '-fport' switches). Check the usual Registry entries where this stuff likes to hide...map unusual entries there to DLLs injected into processes, if this is what's happening...
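An added example, not part of the thread, of the last step Harlan suggests: cross-referencing autostart Registry values against the DLLs each process has loaded, so that a module which is both referenced from an autostart location and sitting in unrelated processes stands out. The process module lists and Registry values below are constructed stand-ins for what pslist/listdlls and a Registry dump would give you; the file names are invented.

```python
from collections import defaultdict
import ntpath

WINDOWS_DIR = "c:\\windows\\"

# Constructed sample data (not real tool output): modules loaded per process,
# image first, as pslist/listdlls would report them, keyed by (name, pid).
PROCESSES = {
    ("explorer.exe", 1204): [r"C:\WINDOWS\explorer.exe",
                             r"C:\WINDOWS\system32\kernel32.dll",
                             r"C:\Program Files\Common Files\tbar\bdr.dll"],
    ("iexplore.exe", 1760): [r"C:\Program Files\Internet Explorer\iexplore.exe",
                             r"C:\WINDOWS\system32\kernel32.dll",
                             r"C:\Program Files\Internet Explorer\ieproxy.dll",
                             r"C:\Program Files\Common Files\tbar\bdr.dll"],
    ("notepad.exe", 2012): [r"C:\WINDOWS\notepad.exe",
                            r"C:\WINDOWS\system32\kernel32.dll"],
}
# Constructed sample autostart values: (Registry key, value name, data).
AUTOSTART = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "tvm",
     r"C:\Program Files\Common Files\tbar\tvm.exe"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "AppInit_DLLs", r"C:\Program Files\Common Files\tbar\bdr.dll"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]

def norm(path):
    return path.lower().replace("/", "\\")

def suspicious_modules(processes, autostart):
    """Return {dll: {"loaded_in": [...], "autostart": [...]}} for DLLs that are
    referenced by an autostart value, or that live outside the Windows
    directory yet are loaded into two or more processes (injection pattern)."""
    loads = defaultdict(set)          # normalised dll path -> processes
    for proc, modules in processes.items():
        for m in modules[1:]:         # skip the process image itself
            if m.lower().endswith(".dll"):
                loads[norm(m)].add(proc)
    result = {}
    for dll, procs in loads.items():
        base = ntpath.basename(dll)
        refs = [f"{key}\\{val}" for key, val, data in autostart
                if base in norm(data)]
        if refs or (not dll.startswith(WINDOWS_DIR) and len(procs) > 1):
            result[dll] = {"loaded_in": sorted(procs), "autostart": refs}
    return result
```

Run it against real listdlls output and an export of the Run/AppInit_DLLs keys and each flagged path tells you which processes to examine and which autostart value to remove first.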