Re: how do I work out who/what enabled a service
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: Tue, 4 Oct 2005 00:29:36 -0700
Once a machine has been compromised in that way, you need to
understand that any scanning tool can only tell you that it found
this or that, and cannot tell you that there is nothing to be found
(only that it failed to find it if it is there).
The only valid recommendation for your case is to rebuild the
machine starting with a format.
"Bruce Baker" <firstname.lastname@example.org> wrote in message
> Got a client which has had a virus which installed serv-u ftp service.
> Symantec and TrendMicro both give the machine a clean bill of health.
> We disabled the above service but last night it got reenabled (got the GFI
> network monitor on this server)
> How do I work out which process would have done it ?
> MBSA tells us we have all patches installed and no obvious risks.
> Somethings up. Any ideas ?
> All workstations inside the network also scan ok etc.