Re: [Full-Disclosure] Looking for a tool

From: Lan Guy (rlanguy@hotmail.com)
Date: Tue Mar 02 2004 - 02:12:41 CST


I had this happen with a dll attached to iexplore.exe.
The dll was placing pornography in a new IE window every time any action was done in IE; even opening the Internet Options opened a new IE window with porn.

I had to boot up Windows Recovery command window to delete the dll from system32 and dllcache.

BTW dllcache is where Windows stores its backup copies of files.
Lan Guy
  ----- Original Message -----
  From: Schmehl, Paul L
  To: full-disclosure@lists.netsys.com
  Sent: Tuesday, March 02, 2004 1:36 AM
  Subject: RE: [Full-Disclosure] Looking for a tool

    -----Original Message-----
    From: Nick Jacobsen [mailto:nick@ethicsdesign.com]
    Sent: Monday, March 01, 2004 5:31 PM
    To: Schmehl, Paul L; full-disclosure@lists.netsys.com
    Subject: RE: [Full-Disclosure] Looking for a tool

    Well, I usually use *sysinternals* Process Explorer, and have yet to see it fail to list a process... how do you know the process exists, if you can't list it?

    Real simple. I have randomly named processes (like gk5odre.exe) popping up, and when I kill them, another one takes their place. *Something* has to be the parent that controls this. I can delete an entire registry key and watch it be recreated in less than a second. I can delete a directory with three dlls in it and watch it be recreated right before my eyes. I can kill the randomly named process and watch it reappear using the same name or a completely different name. I can delete the executable after killing the process, and it will be recreated in no time. So *something* has to be controlling it, yet when I look at the process tree, the randomly named process appears to be the parent.
    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
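The two problems in this thread, a "parent" that is not really the thing respawning a process and a DLL that keeps coming back, are easier to pin down from a script than by watching Process Explorer. The PowerShell below is an added example written for this archive page, not code from anyone in the thread (PowerShell did not exist in 2004; this is the present-day equivalent of the hunt Paul describes). The function names are my own; everything else is standard PowerShell and WMI. Get-SuspectParent snapshots the process tree and flags entries whose recorded parent PID has exited or has been reused by a younger process, which is exactly when the tree shows the random-named process as its own parent. Get-ForeignModule lists DLLs mapped into iexplore.exe that are not Microsoft-signed, which is how the DLL Lan Guy found would show up. Watch-ProcessStart subscribes to Win32_ProcessStartTrace so the next respawn is logged with the PID that created it, even if that creator exits a moment later. Run it elevated; the start trace needs it.

```powershell
# Added example, not from the original thread. Function names are assumptions.

function Get-SuspectParent {
    # Snapshot every process with its recorded parent, image path and start time.
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CreationDate
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $reason = $null
        if (-not $parent) {
            # The creator is gone: whatever keeps respawning this process is
            # not what the tree shows as its parent.
            $reason = 'parent exited'
        } elseif ($parent.CreationDate -and $p.CreationDate -and
                  $parent.CreationDate -gt $p.CreationDate) {
            # The parent PID was reused by a process younger than the child,
            # so the tree points at an unrelated process.
            $reason = "parent PID $($p.ParentProcessId) reused"
        }
        if ($reason) {
            [pscustomobject]@{
                Pid    = $p.ProcessId
                Name   = $p.Name
                Parent = if ($parent) { $parent.Name } else { '<gone>' }
                Path   = $p.ExecutablePath
                Reason = $reason
            }
        }
    }
}

function Get-ForeignModule {
    param([string]$ProcessName = 'iexplore')
    # Every DLL mapped into the target process whose Authenticode signature is
    # missing, broken, or not Microsoft's. An injected DLL or BHO driving the
    # browser shows up here with its on-disk path.
    foreach ($proc in (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        foreach ($m in $proc.Modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    Pid    = $proc.Id
                    Module = $m.FileName
                    Status = $sig.Status
                    Signer = $signer
                }
            }
        }
    }
}

function Watch-ProcessStart {
    param([string]$LogPath = "$env:TEMP\procstart.log")
    # Log each process creation with the PID and image of its creator. When the
    # random-named process reappears, the log names what started it.
    Register-CimIndicationEvent -Query 'SELECT * FROM Win32_ProcessStartTrace' `
        -SourceIdentifier ProcStart -MessageData $LogPath -Action {
            $e = $Event.SourceEventArgs.NewEvent
            $creator = Get-CimInstance -ClassName Win32_Process `
                -Filter "ProcessId = $($e.ParentProcessID)" -ErrorAction SilentlyContinue
            $line = '{0:u} {1} (pid {2}) started by pid {3} {4}' -f (Get-Date),
                $e.ProcessName, $e.ProcessID, $e.ParentProcessID,
                $(if ($creator) { $creator.ExecutablePath } else { '<already gone>' })
            Add-Content -Path $Event.MessageData -Value $line
        } | Out-Null
    "Logging process starts to $LogPath; Unregister-Event -SourceIdentifier ProcStart stops it."
}

# Usage: dot-source this file in an elevated interactive session so the event
# subscription stays alive, then:
Get-SuspectParent | Format-Table -AutoSize
Get-ForeignModule -ProcessName iexplore | Format-Table -AutoSize
Watch-ProcessStart
```

Two caveats. On older Windows versions Get-AuthenticodeSignature does not consult catalog signatures, so many legitimate system DLLs report NotSigned; filter those by path before chasing them. And on Windows 2000/XP, Windows File Protection silently restores a protected system file from %SystemRoot%\system32\dllcache, which is why Lan Guy had to delete both copies: removing the file under system32 alone just triggers the restore.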