Re: tvm.exe / poll each.exe / blehdefyreal toolbar

[Harlan Carvey <keydet89 () yahoo com>]

Mark,
 
> The idea here is to learn something from it.
> Reformatting the system is
> a good idea, but before that takes place it'd be
> nice to learn what the
> thing actually is and how it works. 

"Once you understand the nature of a thing, you know
what it's capable of." - Blade

> This thing respawns itself without a reboot. Loading
> Tiny Personal
> Firewall apparently prevents it from respawning. TPF
> does something
> about preventing code from being injected into a
> process, so maybe
> that's why TPF keeps it at bay. 

Ok, so it performs DLL injection.  Does the user
account being used on the system have the privilege to
debug programs?
 
> This isn't on any system I use or manage. It's on a
> collegue's system
> and I am trying to help find a way to figure out
> what it does, how to
> get it shut down permanently, removed if possible. 

I'll provide some input on this.  First, run several
tools to get information from the
system...pslist/tlist/handle/listdlls to get process
information, openports to get process-to-port mapping
info (use both '-netstat' and '-fport' switches). 
Check the usual Registry entries where this stuff
likes to hide...map unusual entries there to DLLs
injected into processes, if this is what's happening...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html