> > > > How do I tell where these executables are? And when I find them, how do > > I runs strings on them? > > Find one of the processes that's still alive and do "ls -l /proc/<pid>". > That will give you some info about it. The exe entry should be a link to > the executable itself. Well, I get: ls -l /proc/6446 total 0 dr-xr-xr-x 2 hotmail hotmail 0 Feb 5 03:40 attr -r-------- 1 hotmail hotmail 0 Feb 5 03:40 auxv -r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 cmdline lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 cwd -> /dev/shm/.. /nt -r-------- 1 hotmail hotmail 0 Feb 5 03:40 environ lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 exe -> /dev/shm/.. /nt/f dr-x------ 2 hotmail hotmail 0 Feb 5 03:39 fd -rw-r--r-- 1 hotmail hotmail 0 Feb 5 03:40 loginuid -r-------- 1 hotmail hotmail 0 Feb 5 03:40 maps -rw------- 1 hotmail hotmail 0 Feb 5 03:40 mem -r--r--r-- 1 hotmail hotmail 0 Feb 5 03:40 mounts lrwxrwxrwx 1 hotmail hotmail 0 Feb 5 03:40 root -> / -r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 stat -r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 statm -r--r--r-- 1 hotmail hotmail 0 Feb 5 03:39 status dr-xr-xr-x 3 hotmail hotmail 0 Feb 5 03:40 task -r--r--r-- 1 hotmail hotmail 0 Feb 5 03:40 wchan Here's an ls -al on /dev/shm ls -al /dev/shm total 0 drwxrwxrwt 3 root root 60 Feb 2 19:27 . drwxr-xr-x 8 root root 5700 Jan 18 09:26 .. drwxr-xr-x 3 hotmail hotmail 80 Feb 2 19:28 .. Sorry for my ignorance, but I'm still not finding the executable. Guess I don't understand the symlink. Also, does this mean that I was compromised on Feb 2? Thanks, James