Re: Files Associated With Client Component of TCP/IP Properties
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Tue, 31 Oct 2006 00:20:27 -0700
"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:1IGdnT_1h4kwE9vYnZ2dnUVZ_oqdnZ2d@xxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:#4cjfHA$GHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:55Gdnb5QSKqsSaPYnZ2dnUVZ_rydnZ2d@xxxxxxxxxxxxxxx
"GreggMB" <GreggMB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D5A71317-8EB6-4936-B1A9-12EE7248C271@xxxxxxxxxxxxxxxx
All this does is affect the transport (or "infrastructure") that the Trojan uses.
It has no effect on the Trojan itself.
I think that depends on the implementation. One possible scenario is
the Trojan loads itself as a kernel rootkit virus through one of those
files, then allows the normal functionality to proceed.
I admit it is a long shot to find this thing in any case. Once a rootkit
gets installed, it can hide activity in the kernel from you and make
things seem clean when they are not.
Yes, but I found it interesting your initial post seemed to say
you had successfully cleansed it of some (mis)behaviors.
A rootkit implant would more normally remove traces of its
injection (or sloppy, or intended detractor?)
Apparently I did cleanse it, if I believe the firewall. But probably
there are still traces of it on the file system, possibly in a form that
would recreate the original condition. I was hoping to get a list of
affected files just to see if I could make any sense of possible sources
from that list.
Sounds to me like you might regret not snapshotting the reg first.
It seems an artifact in OSs today, including those with sub-100 million
lines of code, that things are largely left to be self-documenting.
--
ra