Working on a system that has been beaconing out to bad places and noticed
this in the 'pstree' output (abbreviated):

Name                                                  Pid   PPid
-------------------------------------------------- ------ ------
0x894ca030:csrss.exe                                  580    484 ...
0x8f25b5b0:wininit.exe                                632    484 ...
. 0x8f379d40:services.exe                             692    632 ...
.. 0xb12484c0:FireSvc.exe                            2064    692 ...
.. 0xaecc6d40:svchost.exe                            3332    692 ...
...
.. 0xb3eeb030:svchost.exe                            3780    692 ...
.. 0x85e518e8:msdtc.exe                              5332    692 ...
... 0x82651d40:explorer.exe                          5400   5332 ...
.... 0x85dcc3b0:pmcs.exe                             1608   5400 ...
.... 0x85dc9240:EpePcMonitor.e                       6108   5400 ...
.... 0x85c92030:BTTray.exe                           4744   5400 ...
.... 0x8652c928:iexplore.exe                         7028   5400 ...
..... 0x86721030:iexplore.exe                        7364   7028 ...
...... 0x866f2030:jp2launcher.ex                     5356   7364 ...
....... 0x8678c408:java.exe                          7700   5356 ...
...

Is it just me or is msdtc.exe a very odd parent for explorer.exe? I would
normally expect userinit.exe to start explorer and then exit, leaving it
with no visible parent.
Any input appreciated...
-=[ Steve ]=-
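
The parent check described in the post, as an added example that is not part of the original message: it parses pstree rows copied from the listing above and flags any process whose parent is still listed but is not the usual one. The `EXPECTED_PARENT` baseline and the function names are assumptions of this example.

```python
import re

# Process rows copied from the pstree listing in the post (time columns elided there).
PSTREE = """\
0x894ca030:csrss.exe 580 484 ...
0x8f25b5b0:wininit.exe 632 484 ...
. 0x8f379d40:services.exe 692 632 ...
.. 0xb12484c0:FireSvc.exe 2064 692 ...
.. 0xaecc6d40:svchost.exe 3332 692 ...
...
.. 0xb3eeb030:svchost.exe 3780 692 ...
.. 0x85e518e8:msdtc.exe 5332 692 ...
... 0x82651d40:explorer.exe 5400 5332 ...
.... 0x8652c928:iexplore.exe 7028 5400 ...
"""

# Assumed baseline (not from the post): image name -> usual parent image names.
EXPECTED_PARENT = {
    "explorer.exe": {"userinit.exe"},
    "services.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}

# Optional depth dots, EPROCESS offset, image name, PID, PPID.
ROW = re.compile(r"^[.\s]*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)")

def parse_pstree(text):
    """Return {pid: (name, ppid)} for every process row; other lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1).lower(), int(m.group(3)))
    return procs

def odd_parents(procs):
    """Flag processes whose parent is still listed but is not an expected one."""
    hits = []
    for pid, (name, ppid) in sorted(procs.items()):
        expected = EXPECTED_PARENT.get(name)
        if expected is None or ppid not in procs:
            continue  # no baseline, or parent already exited (normal for explorer.exe)
        parent = procs[ppid][0]
        if parent not in expected:
            hits.append((name, pid, parent, ppid))
    return hits

if __name__ == "__main__":
    for name, pid, parent, ppid in odd_parents(parse_pstree(PSTREE)):
        print(f"{name} (pid {pid}) has unexpected parent {parent} (pid {ppid})")
```

pstree links a child to its parent by PPID alone, so a hit is a lead rather than a verdict: compare the creation times in the columns elided here, because a parent created after its child means the exited parent's PID was reused.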