Ok, here's the deal.

NT4 has sporadic support for WMI, which is what the script uses to identify the rogue explorer process. Since a failure in WMI doesn't mean a rogue process exists, I've changed the script to advise you when this situation occurs.

Keep those cards and letters coming, folks! It only makes the tool better...

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Cc: "CommuniGate Pro Discussions" <CGatePro@xxxxxxxxxxxxxxxx>
Sent: Tuesday, August 07, 2001 23:45
Subject: [isalist] Code Red Sniffer

Hello weary Code Red battlers,

I've created a script that searches your system to sniff out the Code Red worm. Since I had to help a hapless friend whose web farm was destroying itself, I had to make the search a little more streamlined.

It does:
1. find the (presently) known droppings Code Red leaves in its wake
2. leave a log file on your system as "C:\CodeRed_insp_<MachName>.log"
3. tell you if it definitely identifies Code Red

It DOES NOT:
1. say that Code Red is NOT on your system
2. attempt to clean Code Red from your system; this is a box-flattening worm

Since Code Red is known to sleep for at least 24 hours before trashing your box, you should run this script at least daily for the next several days to see if anything new shows up.

It ain't much, but it's something, anyway... Good luck to all.

Jim Harrison
MCP(2K), A+, Network+, PCG
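
The update at the top of this thread separates "WMI failed" from "rogue process found". The sketch below is an added example, not Jim Harrison's script: it shows that three-way outcome on a current Windows host using PowerShell's Get-CimInstance. The function name, the status labels and the rule that a "rogue" explorer is any explorer.exe running from outside %SystemRoot% are assumptions made for illustration.

```powershell
# Added example, not the original script. Checks the local machine only.
# Assumption: a "rogue" explorer is any explorer.exe process whose image path
# is not %SystemRoot%\explorer.exe.
function Test-RogueExplorer {
    $expected = Join-Path $env:SystemRoot 'explorer.exe'

    try {
        # -ErrorAction Stop turns a WMI/CIM failure into a catchable error
        # instead of an empty result that would look like "nothing found".
        $procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'explorer.exe'" -ErrorAction Stop)
    }
    catch {
        return [pscustomobject]@{
            Status    = 'Inconclusive'
            Detail    = "WMI query failed: $($_.Exception.Message)"
            Processes = @()
        }
    }

    # ExecutablePath is empty when the caller may not read the process image.
    $unreadable = @($procs | Where-Object { -not $_.ExecutablePath })
    $suspect    = @($procs | Where-Object {
        $_.ExecutablePath -and ($_.ExecutablePath -ne $expected)   # -ne ignores case
    })

    if ($suspect.Count -gt 0) {
        $status = 'Suspect'
        $detail = "explorer.exe running from outside $expected"
    }
    elseif ($unreadable.Count -gt 0) {
        $status = 'Inconclusive'
        $detail = "$($unreadable.Count) explorer.exe process(es) with unreadable path; rerun elevated"
    }
    else {
        $status = 'NoneFound'
        $detail = 'No rogue explorer.exe seen; this does not show the host is clean'
    }

    [pscustomobject]@{
        Status    = $status
        Detail    = $detail
        Processes = @($suspect | Select-Object ProcessId, ExecutablePath)
    }
}

Test-RogueExplorer | Format-List
```

Only a Status of Suspect is a finding; Inconclusive means the check could not run or could not see enough, and NoneFound carries the same limit the original message states for the script as a whole.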