Not much to that one, if that is what it is... http://securityresponse.symantec.com/avcenter/venc/data/w32.dos.trinoo.h tml -----Original Message----- From: Danny [mailto:nocmonkey@xxxxxxxxx] Sent: Thursday, May 05, 2005 14:13 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Being Attacked...HELPED http://www.ISAserver.org On 5/5/05, Clarke, Scott <Scott.Clarke@xxxxxxxxxxxx> wrote: > Easier said than done. We have 26 branch offices with their own routers/switches. Is there > a removal/detection tool for Trinoo because I believe the infection is here at our main office? Why do you think it is Trinoo? If your AV software detected, then it should be quite capable of removing it. Patch your systems, ASAP. Delete C:\WINDOWS\SYSTEM\service.exe AND HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"System Services"="service.exe" ...D