WebProWorld - Internet Security Discussion Forum
This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1 mikmik, 04-28-2004, 04:38 PM
I've been hacked!

I've been HACKED! I asked about a suspicion I had a week ago; now, ha ha, I have an SQL DB for free - and man, does it pump out the broadcasts!

I have been suspecting for over a week and a half, but when my connection started jamming up every time I tried to get on the net, and I had to renew the DHCP manually, I KNEW there was something going on: slowdowns, unheard-of dropped connections - you think I could grab a packet? Uh-uh, not when I was looking! And the task manager, ONCE, for about two seconds I thought it had two explorer.EXEs going, but I was almost 100% convinced when I saw two 'mikmik.fooyoo' running.
Don't get many of that one, ha ha!

I mean, get this:
Lots of these:
Quote:
program cannot be run in DOS mode.$
I was wondering where all the default user accounts were coming from, ha.
The latest craze: 'escalating permissions'
Quote:
;[connect name] will modify the connection if ADC.connect="name"
;[connect default] will modify the connection if name is not found
;[sql name] will modify the Sql if ADC.sql="name(args)"
;[sql default] will modify the Sql if name is not found
;Override strings: Connect, UserId, Password, Sql.
;Only the Sql strings support parameters using "?"
;The override strings must not equal "" or they are ignored
;A Sql entry must exist in each sql section or the section is ignored
;An Access entry must exist in each connect section or the section is ignored
;Access=NoAccess
;Access=ReadOnly
;Access=ReadWrite
;[userlist name] allows specific users to have special access
;The Access is computed as follows:
; (1) First take the access of the connect section.
; (2) If a user entry is found, it will override.

[connect default]
;If we want to disable unknown connect values, we set Access to NoAccess
Access=NoAccess

[sql default]
;If we want to disable unknown sql values, we set Sql to an invalid query.
Sql=" "
Man, I was tired on Sunday when this started to get going good!

Goodnight ;o) G
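The file quoted above is the default handler configuration that ships with Microsoft's Remote Data Services (RDS); its comments spell out how access is computed. The resolver below is an added example, not part of the original post or of Microsoft's code: it applies those rules to the quoted defaults plus constructed [connect sample], [userlist sample] and [sql getcustomer] sections, and the userlist entry format (user=Access) is assumed.

```python
"""Resolve what the quoted handler file would actually grant.

Rules taken from the file's own comments:
  (1) take the Access of [connect name] (a section without an Access entry
      is ignored, so the lookup falls back to [connect default]);
  (2) a matching entry in [userlist name] overrides it;
  ADC.sql="name(args)" maps to [sql name], else [sql default], whose
  blank Sql is deliberately an invalid query; override strings equal to
  "" are ignored.
"""
import configparser

# The two default sections are the page's; the rest is constructed for the demo.
HANDLER_CFG = """\
[connect default]
;If we want to disable unknown connect values, we set Access to NoAccess
Access=NoAccess

[sql default]
;If we want to disable unknown sql values, we set Sql to an invalid query.
Sql=" "

[connect sample]
Access=ReadOnly
Connect="Provider=SQLOLEDB;Data Source=dbhost;Initial Catalog=shop"

[userlist sample]
;constructed: alice gets more than the section default (format assumed)
alice=ReadWrite

[sql getcustomer]
Sql="SELECT name, email FROM customers WHERE id = ?"
"""


def load_handler(text):
    """Parse the INI-style text; '%' interpolation is off so SQL text is kept verbatim."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _value(cp, section, key):
    """Option value with surrounding double quotes stripped, or None when the
    entry is missing or empty (an empty override string is ignored)."""
    if not (cp.has_section(section) and cp.has_option(section, key)):
        return None
    raw = cp.get(section, key).strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return raw or None


def resolve_access(cp, connect_name, user):
    """Effective access for ADC.connect="connect_name" requested by user."""
    # (1) the connect section's Access; a section without one is ignored
    access = _value(cp, f"connect {connect_name}", "Access")
    if access is None:
        access = _value(cp, "connect default", "Access")
    # (2) a user entry in the matching userlist section overrides
    override = _value(cp, f"userlist {connect_name}", user)
    return override or access


def resolve_sql(cp, sql_call):
    """Map ADC.sql="name(arg1,arg2)" to (sql_template, [args]).

    Args are returned separately so the caller binds them to the "?" slots;
    they are never pasted into the SQL text. Returns None when the number
    of args does not match the number of "?" slots.
    """
    name, _sep, rest = sql_call.partition("(")
    args = [a.strip() for a in rest.rstrip(")").split(",") if a.strip()]
    template = _value(cp, f"sql {name.strip()}", "Sql")
    if template is None:
        template = _value(cp, "sql default", "Sql") or ""
    if template.count("?") != len(args):
        return None
    return template, args
```

With only the two default sections present, every connect name resolves to NoAccess and every SQL name to the single-space invalid query, which is what the comments mean by "disable unknown values".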
#2 trsiyengar, 04-28-2004, 05:11 PM
And the Hacker was none other than you!

Mike,

To invite everyone's attention, you have already posted this topic in Wen's own world of "Yesterday, today and tomorrow" thread! Now, opening a new topic with the same post for the few who never visit the break room?

Arise and awake, from your deep sleep. After a week's tried and tired period, you must now feel happy, as you found Hacker, the Mikmik!
__________________
TRS Iyengar
Namasthe Everyone! Srivaishnavam Practices / Hinduism
#3 paulhiles, 04-28-2004, 07:18 PM
Mik's site - can anyone help?

Quote:
Originally Posted by trsiyengar
Mike,
To invite everyone's attention, you have already posted this topic in Wen's own world of "Yesterday, today and tomorrow" thread! Now, opening a new topic with the same post for the few who never visit the break room?

Arise and awake, from your deep sleep. After a week's tried and tired period, you must now feel happy, as you found Hacker, the Mikmik!
Actually that was me, trsiyengar. I've just split Mik's post from the "Is Today Today, or is Tomorrow Yesterday" thread. I felt it needed to be highlighted, and was in danger of becoming overlooked in the 'other' thread.

If anyone can identify the root of Mik's problem here, or can offer suggestions (helpful ones please!) then I'm sure he'd be most grateful!! By the way Mik, what exactly were you trying to do with these beauties? Kernel Streaming Proxy Exported Functions

Good luck Mik, let us know how you get on!

Paul
#4 trsiyengar, 04-28-2004, 10:01 PM
MSDN for Mike?

paulhiles' good wishes:

Actually that was me, trsiyengar. I've just split Mik's post from the "Is Today Today, or is Tomorrow Yesterday" thread. I felt it needed to be highlighted, and was in danger of becoming overlooked in the 'other' thread.

Good luck Mik, let us know how you get on!


But Paul, MSDN is Mike's home! You're giving the wrong address to the right person. Anyway, there is NO WRONG TIME FOR DOING THE RIGHT THINGS. Let's see if Mike overcomes the hacking of his own site!
__________________
TRS Iyengar
Namasthe Everyone! Srivaishnavam Practices / Hinduism
#5 paulhiles, 04-29-2004, 02:36 AM

I'm confused... I need to lie down for a while! :o)

We'll wait for Mik to post back... if we don't hear anything in 24 hours we'll send out a scouting party!
#6 ronniethedodger, 04-30-2004, 07:13 PM

I have been in touch with Mik and he is in serious trouble. It appears that something has got hold of his computer and is set up to do Remote Access and is running a 'server of sorts' from his location.

Every time he tries to shut down Apache (I think he said he is running this) the operating system reboots on him and of course it will restart the Apache service.

There seems to be a Porn Dialer involved, although not sure if it is connected. Virtual drives are being configured also, to which he is not allowed access.

The following is a cut and paste from communications that I have had with him (from another forum, but I felt it important enough to bring over here for anyone who knows or recognizes what is happening to him).

It picks up after we were discussing one of Mik's email accounts bouncing mail (thus the mention of it here; it has nothing to do with his computer system).

Quote:
Everybody, I have a serious problem with my computer here, and I have been trying to get onto the internet, but my connection is swamped with hijacked bandwidth being used as virtual servers for who knows what.

There are 8 monitors (virtual) installed on my computer, remote access authorization that I cannot shut down, all sorts of heavy duty hacking processes running on a virtual drive that is placed in hidden directories.

I am trying to get this under control, I will go to my ISP today.

Thanks, please pass the message.
Quote:
Thanks, I have tried all of that. This is a serious mofo, and I am not kidding.

I got another hard drive and did a remote scan, and nada.

For the two or three weeks I have tried online scans etc., etc., but like I was always complaining about weirdness, and of course that makes one suspicious, I never found a thing.

Just from the scan I did with Norton to the slaved drive, the one with Norton on it got attacked and overrun!

This is seriously scary, and another reason I'm not around too much the last while.

So I will not be sending too many emails anymore.

It hides in virtual directories, and uses the restore service as a source for feeding the desktop. If you look in the recycler, there are multiple hidden accounts in there.

Look for 'user32.dll'; that is the main account they create.

And you know what?

File extensions '.au'!! at the core.

****.

Thanks dodger, I have tried to shut down services, etc.

I EVEN DELETED the whole windows directory and shut off the computer, and it still did not do anything!! It is a virtual desktop, and I have tried attacking all the video services they have running. I did get to a blank white screen, so I was close, but it is quick.

That is when I try moving files around, filling my clipboard with cut'n'pastes, and generally wreaking havoc so that it might slow down enough to give me a shot at wiping the kernel.

No way, it is dangerous, this one.
Quote:
I can barely get on the ******* internet for ******* sakes!!!!!!!!!!!!!!!!

I have remote access routers all over the place, I told you to delete my emails if they are a ******* problem, dodger, I don't know what you are talking about, because I have never used my email here.
I never get any notifications of any ******* emails.

My computer is seriously hacked and taken over, it is all blocked from me. I am being shown a virtual desktop here, I don't even know what I'm seeing for sure half the time.

I showed you the screen shot before when we were joking around about being paranoid, that WAS A HACK!!!!!!!!!!!!!!

There is no escalation of privilege during an install like that, it is a spoofed logfile.
Quote:
I have been working my ass off trying to get some sort of an internet connection going here, every time I try to shut down the servers and virtual pucky, my computer shuts down.

I have all sorts of evidence and log files, I try to transfer stuff to another hard drive.

The porn auto-dialer accounts that have hijacked this computer are blocked from my permissions, like I showed you last week.

I have hundreds of files and screen shots, but I can't do anything, because I am unable to get to my emails most of the time.

I tried to get here, and I tried to send email to centaur when I found out what was going on.

I managed to get some stuff to floppy, but it is almost impossible because all the processes running on here are on a virtual partition, and encrypted, and I don't have permission, they are all access denied.
Quote:
Dodger, I apologize again, I am hard to understand at the best of times, let alone when I am losing my connection all the time. Mostly it is really slow but the bandwidth use has been moderated.
I was going all over my computer and finding the inf files and router, dialers, etc., and I found several account profiles, so I started moving them around and breaking the threads and handles of the running processes at the same time.
Then I would suddenly hit the power off before (hopefully) they could copy them, thus causing problems for them and 'enticing' them to go away.

This situation is unlike anything I have ever encountered by far, this software that they are running is tenacious and relentless in the extreme.

This is scary stuff, because I completely formatted one of my hard drives - twice! - once fat32, and then ntfs. I made and deleted several partitions, then finally ran an install.

While the first screen of the XP install is showing, right after "Press any key to boot from CD", while the blank blue screen is up and says "examining your hard drive .." RIGHT THEN, already!!!, I see the screen replacement come up! It is a quick sort of refresh as the monitor picture replaces itself from the top down.

That is scary, they spoof the bios. I found one program(script?) that shows the steps where the bios info is intercepted, and their own info is passed to windows.

This explains why I have been having so many problems over the last while, all the video driver difficulties, and the dhcp, the time stamp (my clock was four days off recently) being invalid at windows update.


Man, I am sorry, I miss getting on the BoG, and I am so frustrated.

I am going to have them wipe my factor1 website today, I have to get a dynamic IP set up here, I really have to warn anyone and everyone that all my keystrokes are logged, all my passwords are public knowledge, as well as ftp access.

I even was trying to block the IP in the control panel on factor1s server, but I could not see where to do it anymore!

I did it once, but they must have just gone in then and changed it, then changed the options availability in the CP, PLUS - I didn't have anywhere to change my password!
They escalated permission there and blocked me .... I yi yi yi...

I am sorry for the outburst ronnie, it is not your fault, just because we couldn't communicate clearly the other day because of my bad internet hookup, and I was frustrated.
I saw the post up there where you said what had last happened, and when I tried to respond, the server and lag time etc., my connection was lost. Like a good little *beep* that I am, I was (unconsciously?) taking my anger out on you, and I am really feeling bad.

You have been really helpful and super supportive of me, and I have indeed noticed that, my man!
It is such a pain, and I cannot seem to get anywhere.

I am glad to get this opportunity though. Thanks everybody for being concerned, you have no idea how much it means to me.
Something sounds familiar about this, but I cannot place my finger on it. If there is anyone out there that has a clue...please let me know.

Thanx.
#7 mushroom, 04-30-2004, 07:14 PM
I've Been HACKED

You're asking the wrong questions!

Was I hacked because of poor security practices?

Was I hacked because of poor software?

Then upgrade one or both.
#8 ronniethedodger, 04-30-2004, 07:51 PM
Re: I've Been HACKED

Quote:
Originally Posted by mushroom
You're asking the wrong questions!

Was I hacked because of poor security practices?

Was I hacked because of poor software?

Then upgrade one or both.
Explain please, so that I can understand it. He has only very limited outside contact and I need to know what you are talking about so I can relay it to him.
#9 mushroom, 04-30-2004, 08:20 PM
I've Been HACKED

Did not see the post preceding my first post on this subject.
Now I understand he is running Win XP.
1. Buy a good Firewall.
2. Buy good virus protection.
3. Buy a new Hard drive.
4. Start over.

Or move to Linux and keep all windows machines off the net.
__________________
Irony: That for most people the most "trusted" web site on the planet is for a company that has been convicted of criminal activity.

Both Security and SuSe start with "S". www.oldslides.com
#10 Mary T, 04-30-2004, 09:17 PM
Hacking: Bot Software?

Just read this article:

http://news.com.com/2100-7349-520223...t=dtx&tag=ntop

Agobot, linked bots, "The latest versions of the software created by the security underground let attackers control compromised computers through chat servers and peer-to-peer networks, command the software to attack other computers and steal information from infected systems."

Maybe?
#11 ronniethedodger, 04-30-2004, 10:39 PM

Thank you Mary, I am going to pass this on to Mik. I did not see a way of eradicating this bot in that article, but I will run over to Symantec and take a look-see.

This sounds pretty close to what he is describing. He is having the problem on his website too, why I don't know. But he is on the phone with them already about it.

The only part that does not fit is the "stealth" part and the user being oblivious to it. For he sure as hell can see it working right in front of him...and it is not making any attempt to hide itself.
#12 MarcThai, 05-01-2004, 01:09 AM
Re: I've Been HACKED

Quote:
Originally Posted by mushroom
Did not see the post preceding my first post on this subject.
Now I understand he is running Win XP.
1. Buy a good Firewall.
2. Buy good virus protection.
3. Buy a new Hard drive.
4. Start over.

Or move to Linux and keep all windows machines off the net.
In a case like this, the last piece of advice seems to be the best. Mik won't have these problems if he moves over to Linux. The first thing to do is to reformat the whole hard disk as you install Linux. Mandrake Linux will do this automatically for you. It will completely format and delete whatever is hidden in the boot sector, which is where I think the nasty piece of code is hidden which allows these problems to continue.

Have you, Mik, tried to scan back to the originating source? I'm not much of a hacker, but if you can be hacked, it is possible to trace it back and then attack them. This is what I did recently when someone from Brazil tried to hack me. It's amazing how scared these creeps get when they realize they have been attacked back.

XP security is still very much open and hackers love it. Move over to Linux and you will not have these problems. In the more than 2 years I've been using it I've never had a problem. In fact, I laugh whenever I see virus code arriving in my email. It is shown as plain text and I just delete it. Begone, damn spot!

Good luck.
#13 ronniethedodger, 05-01-2004, 01:47 AM

Thanks for the tips Marc. Mik is online very spotty at best and is checking into one place. I will pass your post on to him. He is not even using email at this juncture.

As of yet, we have not heard from him since I posted a while back with his words.

I agree that he will have to completely reformat the drive, but I don't think in his present situation that this bugger will allow him to do it. I was thinking about throwing a new one in and go from there.

I highly doubt that he will move over to Linux, in fact I can almost assure you of that.
#14 mikmik, 05-01-2004, 01:57 AM

I think Mary is right, it looks like an Agobot.

I keep very tight security on my computer, I am behind a NAT router, and even have lately attempted to close off all UDP traffic and NETBIOS over TCP.

I think it may be from my roommate's computer, he and his kids are avid Yahoo chatroom users and who knows what else.

I stopped using anything like that long ago, and always delete MSN Messenger first thing when I do a fresh install, as well as shut down all the services running that I don't need, including the Messenger service, all the UDP, Remote access stuff, etc. I end up with 14 processes running - not much - that show in Task Manager.

I install Norton 2003, THEN I hook up to the internet and update Windows as the first actions I take.

I was already thinking that I would have to get Linux, there are a couple of free downloads that run from an optical drive if necessary.

I have to do a low level format for sure. I booted to command prompt and was going to run 'FIXMBR'. It said that the MBR was corrupted and I could destroy the HD, so I stopped. It always says that, just not the corrupted part.

There are too many things to list here that are going on, but suffice to say that even the new hard drive I bought and installed fresh Windows on was infected by the time I finished, and I was not on the internet or intranet here.

Thanks for all the help, I am going to get that other computer off this home network here and try the Linux thing with Mandrake - I think that is the one.

Thanks again.
#15 sovidiu, 05-01-2004, 02:20 AM

Mandrake is a good solution to your problems, even though one might say Slackware with XWindow would be better. Anyway, I'll pass the post to some friends and see what they have to say about this.
__________________
Made in Europe.
#16 G[dot]com, 05-01-2004, 04:32 AM

Mike, I know this won't help regarding your computer but I hope it helps you cope with all this big sh... (there's no other name for this)

A TON OF KISSES TO YOU, MY TRUE FRIEND, MIKE!!!!
Yeah, I could have written a private but I wanted to do it in public ;o)

When you come back there's an invitation to open your own Gmail waiting for you.

We miss you.

Your "anything"-pal Gi
#17 pete61uk, 05-01-2004, 05:32 AM

Well, as far as resolving this is concerned I'm about as useful as a spare "p***K" at a wedding, or a third wheel on a motorbike.

I know how I felt when I only 'thought' I'd been hacked, so I can appreciate at least part of what mikmik must be going through.

Of interest, when this is resolved on mikmik's PC, would be a post detailing how: it got on his system; he first noticed it; he identified it as a virus/Agobot; and what he had to do to get rid of it.

If the originator of Agobot gets caught, I wonder what the chances are that he/she'd survive long enough to get a trial, or would the CIA just give him/her a job and we'd hear nothing about it?
__________________
Pete

www.celna.co.uk

Nothing ever changes - Still stuck in the same damned corner!
#18 Gymsmoke, 05-01-2004, 09:59 AM
Mik's Hack

I wanted to add my observation to this, just because I have seen this one a while back with a friend of mine. I never did quite get to the bottom of it, but the resolution was this:
disconnect from comm port completely.
disable comm hardware.
use old school DOS boot, fdisk drive(s)
(don't bother with a backup at this point, I tried, and the backup produced empty results)
install OS of choice on new hard drive (get another one and hook it in... the problem with mine was that windoze wouldn't even let the disk manager format)...
use DOS level programming to check for any errors and optionally fix...
start the re-installation...
definitely do firewall and Norton (if Win system).

Once this massive undertaking is done, have your ISP re-issue your address, and make sure that they also issue the ip you initially had trouble with to a 'derailed' box somewhere which is isolated (this gives the IT security folks some ammo to catch this A*HOLE).

I know it seems drastic, but the damage is done, and you'll definitely need drastic measures to stop it.

An alternative would be - since this hack is recording all your keystrokes, why not talk to him/her and see if they respond directly to you???
#19 Mary T, 05-01-2004, 02:20 PM
Another possibility - Sasser Worm

Here's another possibility of what may have happened.

As of May 1, 2004 4:15 AM (PST), TrendLabs has declared a Yellow alert to control the spread of this malware. Infection reports have been received from Europe, Asia and the US.

This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:

MS04-011_MICROSOFT_WINDOWS
Microsoft Security Bulletin MS04-011

For more information: http://www.trendmicro.com/vinfo/viru...=WORM_SASSER.A

To propagate, it scans the network for vulnerable systems. When it finds a vulnerable system, this malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE.

It creates the script file CMD.FTP, which contains instructions for the vulnerable system to download and execute a copy of this malware from a remote infected system using FTP on TCP port 5554.

Since this malware produces a buffer overflow in LSASS.EXE, it causes the said program to crash and will consequently require Windows to reboot.

Important: Trend Micro advises users to apply the critical patch related to the Windows LSASS vulnerability, which is available at the following Microsoft page:

Microsoft Security Bulletin MS04-011
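The propagation pattern just described (one host pushing the LSASS exploit at many neighbours, then each victim pulling the worm back over FTP on TCP 5554) leaves a recognisable trace in perimeter or host firewall logs. The script below is an added example, not from the post or from Trend Micro: the log format and addresses are constructed, the scan threshold is an assumption, and TCP 445 as the port the LSASS exploit is delivered over is a known fact the post does not state.

```python
"""Spot the Sasser propagation pattern in a simple connection log.

Two signals are combined: a source that reaches many distinct hosts on
TCP 445 (where the LSASS overflow is delivered), and a later connection
from one of those hosts back to the scanner on TCP 5554, the port the
worm serves its copy from over FTP. A 5554 connection whose server is
also a 445 scanner is reported as corroborated; a lone 5554 connection is
reported for manual review, since the port alone proves nothing.
"""
from collections import defaultdict

# Constructed firewall-style log ("timestamp src dst proto dport"):
# 10.0.0.7 probes five hosts on 445 and 10.0.0.23 then pulls from it on 5554;
# 10.0.0.5 touches 445 once (ordinary file sharing); 10.0.0.31 hits 5554 alone.
SAMPLE_LOG = """\
2004-05-01T04:15:01 10.0.0.7 10.0.0.20 TCP 445
2004-05-01T04:15:01 10.0.0.7 10.0.0.21 TCP 445
2004-05-01T04:15:02 10.0.0.7 10.0.0.22 TCP 445
2004-05-01T04:15:02 10.0.0.7 10.0.0.23 TCP 445
2004-05-01T04:15:03 10.0.0.7 10.0.0.24 TCP 445
2004-05-01T04:15:04 10.0.0.23 10.0.0.7 TCP 5554
2004-05-01T04:15:09 10.0.0.5 10.0.0.9 TCP 80
2004-05-01T04:15:10 10.0.0.5 10.0.0.9 TCP 445
2004-05-01T04:15:12 10.0.0.31 10.0.0.8 TCP 5554
"""

SMB_PORT = 445          # LSASS exploit is delivered over SMB (known fact, not from the post)
SASSER_FTP_PORT = 5554  # from the Trend Micro description quoted above
SCAN_THRESHOLD = 5      # distinct 445 targets before a source counts as scanning (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return ts, src, dst, proto, int(dport)


def analyse(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return {'scanners': [...], 'ftp_pulls': [(client, server, corroborated), ...]}."""
    targets_445 = defaultdict(set)
    pulls = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _ts, src, dst, proto, dport = parse_line(raw)
        if proto != "TCP":
            continue
        if dport == SMB_PORT:
            targets_445[src].add(dst)
        elif dport == SASSER_FTP_PORT:
            pulls.append((src, dst))
    scanners = sorted(s for s, t in targets_445.items() if len(t) >= scan_threshold)
    ftp_pulls = [(client, server, server in scanners) for client, server in pulls]
    return {"scanners": scanners, "ftp_pulls": ftp_pulls}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for host in result["scanners"]:
        print(f"445 scanner (likely infected): {host}")
    for client, server, corroborated in result["ftp_pulls"]:
        tag = "victim fetching payload" if corroborated else "5554 connection, check manually"
        print(f"{tag}: {client} -> {server}")
```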
#20 xmx, 05-01-2004, 04:45 PM

Useful Mandrake and SuSE Linux feature:

You can install the new Linux suite on a 2nd partition on your hard disk and keep all the data of your Windows OS; then from the Linux OS you can also access your old data on the Windows partition and save it on the new Linux partition.
#21 ellar, 05-01-2004, 06:06 PM

Hi

I totally agree with the others that Linux may be the way to go. One of my customers is an alarm monitoring station and everything was hooked up through a Windows system. Unfortunately they started getting some nasty stuff through the internet and it was mainly attacking the monitoring software.

They have since put in a Linux box as their main server and had absolutely no problems. What amazed them was that the nasties were coming through one of the networked machines but they weren't causing any problems on this machine. The problems were all occurring on the machine running the alarm monitoring software, which as you can imagine was a major problem.

So yes although I wouldn't have agreed 6 months ago I would now recommend going over to Linux.

And keep thinking positive. The only way from here is up and we'll all be waiting to hear from you when you get back up and running.

Cheers
#22 ronniethedodger, 05-02-2004, 01:18 AM

All very good advice. It seems that Mik is able to get out and about a little easier now, albeit using something he does not want to.

Gymsmoke - Your ideas about disconnecting from the comm ports, etc. sound really good. I am not sure if he has considered that. He also has a copy of GIPO@fileutilities he is going to use, for he reported that there are new directories being installed with illegal directory names. Hopefully the Delete on Boot will be able to eradicate this.

Is there anything out there that would infect BIOS or cache in this way though?

I will be passing all of these comments on to Mik, as usual, in case he can't return. Even yours Gisela. ;0) But you should know that any public displays of affection will get you nowhere...but they will go a long way with me...hehehehe.
#23 pete61uk, 05-02-2004, 02:10 AM

Ronnie, you smooth talker you. LOL.

If able to contact Mike, not much consolation (I know), but there must be some seriously bad vibes going the way of the "Ass-H##E" who perpetrated this.

I hope he's up and running soon.
__________________
Pete

www.celna.co.uk

Nothing ever changes - Still stuck in the same damned corner!
#24 ronniethedodger, 05-03-2004, 08:55 PM

Thanks a lot Pete. I like your optimism, but I feel that we may never know how or who did this. Although the hard drive he has may hold the clue if given to the right people. He is now installing a new one (from last I heard) and we will see what comes of that.

As for my smooooooth talking, Mik asked me to send Gi a big kiss for him. So come over here, girl! It is okay, Mik and I are pretty close buddies and we like to keep it in the family. ;0)

(actually I made all of that up, Mik didn't tell me that...hehehe)
#25 wclew, 05-03-2004, 08:58 PM

Good luck Mik! Hurry back my crazy Canadian friend!
__________________
"Go sell crazy someplace else, lady! We're all stocked up here."
- Jack Nicholson in "As Good As It Gets"

Affordable Iowa Custom Web Design
#26 southplatte, 05-04-2004, 02:16 AM

Best of luck to you Mik! You're one of the first ones I notice on here with a good voice and one that posts often to many of the different forums.

I have heard of viruses/worms in the past, like 486/early Pentium days, being able to infect a BIOS or cache and stay resident. I would suspect that on newer systems this may be even more prevalent, due to the fact that many new ATX boards keep some power to the various cache/LAN/chipsets even when powered down (unless the power supply is turned off or unplugged), and this may keep the cache refreshed at times (not sure, but a theory nonetheless).

The problem you have is that even installing a new hard drive will not get rid of this thing, unless maybe you remove all the components of the system save the new HD, video & floppy, boot from a DOS floppy and fdisk/format the new HD, then add the CD-ROM and boot to install Windows. At this point, if the install seems okay, then add the sound, then the NIC (unless it is onboard -- disable any onboard items, such as a NIC/sound/modem etc., in the BIOS, and check to make sure the BIOS is functioning normally at this point).

If the BIOS seems okay, and the install at this point goes okay, then try to add each component or re-enable it in the BIOS one at a time. Then, after getting a new IP from the ISP (new user/pass, possibly even a new ISP), try again I guess.

One thought: Mik noted he was using a router with NAT on it. Is it possible for the hack to be resident in portions of the router, or to have the IPs of the hacker machines/servers/whoever/whatever is doing this in the routing table for continued access no matter what? They could theoretically base something off of the MAC address of the router, or even of the machine itself, since the underlying basis for TCP and UDP is to translate and send from one MAC address to another.

I hope all goes well, and he gets back soon! I have only had a small hack done to me once, but it was scary, and frustrating.

I wonder if there is a way for Mik to track the IP through the router?? He may be able to find out the IP of the attacker/hacker that way and get some resolution in the end? Not familiar with most routers, and what info they each keep or don't keep, or are capable of. Another way is to install a linux/unix machine on the network and run a network sniffer to get the remote IP that the malware is connecting to.

Some thought, and definitely words of support and encouragement!! Hang in there!
#27 | 05-04-2004, 02:58 AM | flashfast (WebProWorld Member; Join Date: Mar 2004; Location: Los Angeles/Sydney; Posts: 93)
Subject: Hacking Horror Story

I just got this from Ziff Davis (zdnet.com) and it sounds like what you're going through?

Sasser and its variations are network-aware worms that do not require e-mail or user interaction to spread. Sasser takes advantage of a buffer-overrun flaw in the Local Security Authority Subsystem (LSASS), which allows an attacker to gain control of infected systems. Microsoft patched the flaw with MS04-011 on April 13. The worms use a bootstrap effect to infect new machines first, then download the full code from a previously infected machine later. Sasser (w32.sasser.a) and Sasser.b (w32.sasser.b) are both 15,872 bytes in length and randomly scan local networks and the Internet to look for additional systems to infect. This scanning could slow normal traffic on the Internet. More...

http://reviews.cnet.com/4520-6600_7-5133023.html

As an aside, I was a victim of a well planned attack - I don't know much about code, but I had a firewall and even then someone got through. I had spent, along with colleagues in Britain, US and Australia, 2 years developing an educational project. Short story, I had 2 years worth of work (hundreds of animated clips, video, interactive software, music etc) created, all specific to a few folders. Everyone's work would end up on my system for production tweaks, final video editing and scripting (for software). These folders were deep in the system. One morning several business suits had arranged for a preliminary viewing and progress report and arrived at the door 9am. As preparation the day before, I created a whole new series of folders, deleted all the trash project files (literally 6 gigs of working files), and placed all the current files into the new folders. I was so pleased to get organized, and rid of so much clutter. The next day at the meeting I went to play the various clips and...no folders, no files. Nada. Deleted (or rather, stolen and then deleted). The theft was very specific - and malicious, as they could have copied them and left me the originals.

BUT THERE ARE ANGELS - I had a real weird feeling the day before that someone or something had taken over (due to odd and intermittent slow downs - ran full scans all, and nothing detected), so I made a copy of all 4 folders as soon as I had finished them.

The meeting went ahead on schedule, but I now have a new IP and a Macintosh.
__________________
Jeremy
#28 | 05-04-2004, 08:31 AM | Niko Holopainen (WebProWorld Pro; Join Date: Apr 2004; Location: Finland; Posts: 147)

According to the latest I've read, it may well be Sasser.D.

To shut down, type "shutdown -a" (at the Run prompt) to prevent the automatic reboots.

Hope this helps, I don't usually read the Breakroom but that's my 2 cents =)

Yours truly, as always,

: Niko
#29 | 05-04-2004, 11:22 AM | Brittany (WebProWorld 1,000+ Club; Join Date: Jul 2003; Posts: 1,001)

Wow, you guys are awesome, jumping to Mik's rescue like this :)

And to Mik - we miss you man! Best wishes for a speedy computer recovery!

Brittany
#30 | 05-04-2004, 01:37 PM | ronniethedodger (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Central US; Posts: 1,265)

Thank you everyone. I have not heard from Mik in almost two days now -- so he is probably disconnected from the Internet and working his way through this mess.

I have posted all of your comments and good wishes in a place where he will be sure to see them as soon as his machine is back up on its feet.
#31 | 05-05-2004, 12:02 AM | mikmik (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Edmonton, AB, Canada; Posts: 1,527)

Brittany wrote
Quote:
And to Mik - we miss you man! Best wishes for a speedy computer recovery!

Brittany
I MISS YOU BRITTANY.
I MISS EVERYBODY !

I posted back at the bog this am, but now there is nobody there (???)

So, I will report on myself.

First, Thanks to TRS Iyengar and my 'kiss kiss' friend. You people are the best, Gisela, I want you!!! to give me a gmail, I tried to reply to that several days ago.

I have installed ZoneAlarm Pro, and I am able to squelch most of the broadcasts the worm is making.
I am sure there is more than one or two infections here; the other computer at home was swamped with malware, but it is off the internet, off my home network, and off my christmas card list :o)

I have taken all the advice that people have been posting; most of it I have already tried on my own account. I was indeed off the 'net for almost two days, and I had the sysclean utility from TrendMicro, and all the updates.

The worm, or virus, or hijack program that is running installs everything to virtual directories and streams 8 channels of material using MSN Messenger and MSN Gaming. It sets up its own server (not using Apache or IIS from my machine) and router, and 8 monitor drivers, as well as dialers and all the networking crap for gambling and porn distribution.

Even when I go into DOS with a boot floppy and reformat the whole hard drive, and that includes deleting all partitions in fdisk to start out, it is in the Master Boot Record, and is impossible to eradicate that way, or any way.

I have the hard drive utility from Western Digital, and I am going to write all zeroes to the whole drive. The only problem with that is I have to be slaved to my original hard drive, the first 'scene' of this invasion (it still has all my data).

So, I have Redhat, which I will probably have to install and format the Western Digital HD with.
================
All the virus scans, and attempts to do anything myself, get access denied errors. This infection is way too scary to think about, but I mentioned earlier somewhere that this network here had unauthorized sleazeballs on it (long story ...sigh) about 6 weeks ago, and this may be the source.
It is extremely, extremely sophisticated, installs NTFS capability to FAT32 partitions, and writes its own SAM ini file - this is The Security Accounts Manager (and the LSASS buffer overflow area in the news).
Three weeks ago I was suspicious of my SAM logs, and it has been all emotional (;-]) ever since.

There are two endpoints for the virtual directories in the Windows root folder in the 'TEMP' folder there, they are named '.' and '..' and if you have these in your folder, start to get prepared.

Here is from the 'SECURITY' folder in the root 'Windows' folder (WindowsXP), and this document I am going to quote here is the 'scesetup.log'.

This is the first part - I have never looked at a Windows setup log before, so I was not sure about this, but it looks to me like an escalation of privileges.
Quote:
----Configure User Rights...
Configure S-1-5-32-546.
remove SeInteractiveLogonRight.
Configure S-1-5-19.
add SeAuditPrivilege.
add SeIncreaseQuotaPrivilege.
add SeAssignPrimaryTokenPrivilege.
Configure S-1-5-20.
add SeAuditPrivilege.
add SeIncreaseQuotaPrivilege.
add SeAssignPrimaryTokenPrivilege.
Configure S-1-5-32-544.
add SeChangeNotifyPrivilege.
add SeUndockPrivilege.
add SeManageVolumePrivilege.
add SeRemoteInteractiveLogonRight.

Configure S-1-5-32-551.
add SeNetworkLogonRight.
add SeChangeNotifyPrivilege.
Configure S-1-5-32-547.
add SeChangeNotifyPrivilege.
add SeUndockPrivilege.
remove SeRemoteShutdownPrivilege.
remove SeIncreaseBasePriorityPrivilege.
remove SeRemoteInteractiveLogonRight.
Configure S-1-5-32-545.
add SeNetworkLogonRight.
add SeChangeNotifyPrivilege.
add SeUndockPrivilege.
Configure S-1-1-0.
remove SeInteractiveLogonRight.
remove SeShutdownPrivilege.
remove SeRemoteInteractiveLogonRight.

Configure S-1-5-21-1645522239-261903793-839522115-501.
add SeInteractiveLogonRight.
add SeDenyNetworkLogonRight.
add SeDenyInteractiveLogonRight.
Configure S-1-5-32-555.
add SeRemoteInteractiveLogonRight.

User Rights configuration was completed successfully.


----Configure Group Membership...
Configure Users.
add INTERACTIVE.
add Authenticated Users.

Group Membership configuration was completed successfully.


----Configure Registry Keys...
Configure users\.default.
Configure users\.default\AppEvents.
Configure users\.default\Console.
Configure users\.default\Control Panel.
Configure users\.default\Environment.
Configure users\.default\Keyboard Layout.
Configure users\.default\UNICODE Program Groups.
Configure users\.default\software.
Configure users\.default\software\Policies.
Configure users\.default\software\microsoft.
Configure users\.default\software\microsoft\Clock.
Configure users\.default\software\microsoft\Command Processor.
Configure users\.default\software\microsoft\CTF.
Configure users\.default\software\microsoft\File Manager.
Configure users\.default\software\microsoft\Internet Explorer.
I remind you all that this is all way over my head, I make assumptions based on just common sense and what I think 'should be right'. It is extremely technical, and I have 100,000's of lines of code that is easy to read like this log file, and also difficult to read because much of it is in machine code and binary.

Here is from the 'setupsecurity.inf' file. It seems to show the creation of many levels of user, but they all have network access rights in the final install - when Windows is running.
They are hidden and impossible to get rid of.
Quote:
[Privilege Rights]
seassignprimarytokenprivilege = *S-1-5-20,*S-1-5-19
seauditprivilege = *S-1-5-20,*S-1-5-19
sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544
sebatchlogonright =
sechangenotifyprivilege = *S-1-1-0,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
secreatepagefileprivilege = *S-1-5-32-544
secreatepermanentprivilege =
secreatetokenprivilege =
sedebugprivilege = *S-1-5-32-544
sedenybatchlogonright =
sedenyinteractivelogonright = *S-1-5-21-1645522239-261903793-839522115-501
sedenynetworklogonright = *S-1-5-21-1645522239-261903793-839522115-501
sedenyremoteinteractivelogonright =
sedenyservicelogonright =
seenabledelegationprivilege =
seincreasebasepriorityprivilege = *S-1-5-32-544
seincreasequotaprivilege = *S-1-5-20,*S-1-5-19,*S-1-5-32-544
seinteractivelogonright = *S-1-5-21-1645522239-261903793-839522115-501,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
seloaddriverprivilege = *S-1-5-32-544
selockmemoryprivilege =
semachineaccountprivilege =
semanagevolumeprivilege = *S-1-5-32-544
senetworklogonright = *S-1-1-0,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
seprofilesingleprocessprivilege = *S-1-5-32-547,*S-1-5-32-544
seremoteinteractivelogonright = *S-1-5-32-555,*S-1-5-32-544
seremoteshutdownprivilege = *S-1-5-32-544
serestoreprivilege = *S-1-5-32-551,*S-1-5-32-544
sesecurityprivilege = *S-1-5-32-544
seservicelogonright =
seshutdownprivilege = *S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
sesyncagentprivilege =
sesystemenvironmentprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-547,*S-1-5-32-544
setakeownershipprivilege = *S-1-5-32-544
setcbprivilege =
seundockprivilege = *S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-544
[Registry Keys]
It seems to show (immediately above) the creation of four or five user accounts, and indeed, all the security and networking processes have four permission groups assigned to them, including the "Everybody" group, "Guest", "Anonymous Logon", and "Remote Logon Account". They all have unlimited 'special privileges' assigned.

This thing is so robust and protected/backed up, that I have even gone as far as deleting the whole WINDOWS folder, and then hitting the power button on my computer.
No matter if I let it save settings (Windows, that is) on shutdown, or *Surprise*!! it with the hard off, it all comes back up.

I have to go , but it is soooooooooooooooo nice to be up and running again, albeit in an uncommonly configured mode - having all these broadcasts blocked while this piece of malignant scumware tries to run in the background.

Good shall overcome!!!!!!!!!!

And so shall mikmik!!!!!!!!!!!!!!
#32 | 05-05-2004, 12:03 AM | mikmik (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Edmonton, AB, Canada; Posts: 1,527)
Subject: deleted

flashfast=
Quote:
BUT THERE ARE ANGELS - I had a real weird feeling the day before that someone or something had taken over (due to odd and intermittent slow downs - ran full scans all, and nothing detected), so I made a copy of all 4 folders as soon as I had finished them.
Same here, I noticed lots of dropped connections and also weird screen refreshes.
I knew that 'something wasn't right'.
Thanks very much.
#33 | 05-05-2004, 12:42 AM | southplatte (WebProWorld Veteran; Join Date: Jul 2003; Location: Colorado; Posts: 358)

Hey good to see you can somewhat be back on!

Just looking at the log files quickly (not taking too long to compare line by line), most of what I've seen in them is identical to what my machine here has.

The user *S-1-5-32-544 I believe would be the administrator account (not sure, so if I am wrong someone correct me) and is created by default; there are also several groups that will be created, and each user (administrator, guest, regular created user (if you made one on install) and one or two users for remote access from Microsoft) are all created.

The user S-1-5-21-1645522239-261903793-839522115-501 is one of these system users for remote access by Microsoft, and the long number I believe is your Product Identification Key created from the combination of HW/SW/Keycode.

Now, if we look at the code below, we see that network logon is denied, as is Interactive Logon:

add SeInteractiveLogonRight.
add SeDenyNetworkLogonRight.
add SeDenyInteractiveLogonRight.

In the .inf file you quote, we can see that this is the file that instructs Windows how to setup these users:

[Privilege Rights]
seassignprimarytokenprivilege = *S-1-5-20,*S-1-5-19
seauditprivilege = *S-1-5-20,*S-1-5-19
sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544
sebatchlogonright =
sechangenotifyprivilege = *S-1-1-0,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
secreatepagefileprivilege = *S-1-5-32-544
secreatepermanentprivilege =
secreatetokenprivilege =
sedebugprivilege = *S-1-5-32-544
sedenybatchlogonright =
sedenyinteractivelogonright = *S-1-5-21-1645522239-261903793-839522115-501
sedenynetworklogonright = *S-1-5-21-1645522239-261903793-839522115-501

So does this mean you don't have user accounts that you shouldn't? No, but it does point that some of the things here are normal as far as I can tell.

Definitely run the WD diagnostics and low-level the drive by writing 0s to it. This will get rid of the crap, with one exception: if the virus/worm is smart enough to copy onto the floppy since you boot with it, and infect it before it runs. I don't think it could install to the floppy though, if you have it write protected.

Also, do not forget that with the dos fdisk command, you can run fdisk /mbr to rebuild/recreate the master boot record on the HD, and sometimes this will get rid of virus code there.

Also, unhook from the network/internet when you do all of this, and then, there is not a way they can mess with you during the low-level/format/install/configuration period until you have everything setup, firewalled, routed, and concealed.

Best of luck to you! Hang in there!
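The two files mikmik quoted in #31 (scesetup.log and the [Privilege Rights] section of setupsecurity.inf) and southplatte's reading of them in #33 are easier to judge with the SIDs resolved: S-1-5-32-544 is BUILTIN\Administrators, S-1-1-0 is Everyone, S-1-5-19/-20 are the LOCAL SERVICE and NETWORK SERVICE accounts, and a SID of the form S-1-5-21-<three numbers>-501 is the machine's own built-in Guest account (the three numbers are the machine SID generated at install, and RID 501 is always Guest). Below is an added example, not code from the thread or from Microsoft, that parses a security template in that format, resolves the well-known SIDs, flags high-impact privileges held by anyone outside an assumed Windows XP baseline, and lists which accounts are explicitly denied a logon type. SAMPLE_INF is a constructed excerpt with a made-up machine SID; the baseline table is an assumption a practitioner would replace with a template exported from a known-clean machine of the same build.

```python
"""Parse the [Privilege Rights] section of a Windows security template
(the setup security.inf / scesetup.log family) and resolve the SIDs to
names, then flag grants that differ from an expected baseline.

Added example; SAMPLE_INF is a constructed excerpt in the same format,
and the machine SID in it is made up.
"""
import re

# Well-known SIDs; these are the same on every Windows installation.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}

# Well-known relative IDs of accounts in the machine's own domain
# (S-1-5-21-<machine SID>-<RID>).
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# Default holders of the privileges that give full control of the box
# (assumed Windows XP workstation defaults, used here as the baseline).
EXPECTED_HOLDERS = {
    "sedebugprivilege": {"S-1-5-32-544"},
    "setcbprivilege": set(),
    "secreatetokenprivilege": set(),
    "setakeownershipprivilege": {"S-1-5-32-544"},
    "seloaddriverprivilege": {"S-1-5-32-544"},
    "sebackupprivilege": {"S-1-5-32-544", "S-1-5-32-551"},
    "serestoreprivilege": {"S-1-5-32-544", "S-1-5-32-551"},
    "seassignprimarytokenprivilege": {"S-1-5-19", "S-1-5-20"},
}

# Constructed template excerpt (same layout as the file quoted above).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
seassignprimarytokenprivilege = *S-1-5-20,*S-1-5-19
sedebugprivilege = *S-1-5-32-544
sedenyinteractivelogonright = *S-1-5-21-1111111111-222222222-333333333-501
sedenynetworklogonright = *S-1-5-21-1111111111-222222222-333333333-501
senetworklogonright = *S-1-1-0,*S-1-5-32-545,*S-1-5-32-544
setcbprivilege =
seloaddriverprivilege = *S-1-5-32-544,*S-1-1-0
[Registry Keys]
"""


def resolve_sid(sid):
    """Map a SID to a readable name; unknown SIDs come back unchanged."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m:
        rid = int(m.group(1))
        return WELL_KNOWN_RIDS.get(rid, f"local account with RID {rid}")
    return sid


def parse_privilege_rights(text):
    """Return {privilege_name: [sid, ...]} for the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Each holder is written as *SID; an empty value means nobody holds it.
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        rights[name.strip().lower()] = sids
    return rights


def find_unexpected_grants(rights):
    """Return (privilege, holder name) pairs where a high-impact privilege
    is held by a SID outside the expected baseline."""
    findings = []
    for priv, expected in EXPECTED_HOLDERS.items():
        for sid in rights.get(priv, []):
            if sid not in expected:
                findings.append((priv, resolve_sid(sid)))
    return findings


def logon_denials(rights):
    """Which accounts are explicitly denied which logon types (sedeny* rights)."""
    denials = {}
    for priv, sids in rights.items():
        if priv.startswith("sedeny"):
            for sid in sids:
                denials.setdefault(resolve_sid(sid), []).append(priv)
    return denials


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_INF)
    for priv, who in find_unexpected_grants(parsed):
        print(f"UNEXPECTED: {priv} granted to {who}")
    for who, denied in logon_denials(parsed).items():
        print(f"{who}: denied {', '.join(denied)}")
```

Run against the real file, the only thing that matters is the diff from a clean baseline: a deny-logon entry for the Guest RID is the default hardening, while Everyone holding a driver-loading or debug privilege is the kind of line that would justify the rebuild.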
#34 | 05-05-2004, 12:48 AM | ronniethedodger (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Central US; Posts: 1,265)

Quote:
So does this mean you don't have user accounts that you shouldn't? No, but it does point that some of the things here are normal as far as I can tell.
Yea, that looks normal to me too. There are some others that get created also for Tech Support too. I have a Dell, and there are two of those.
#35 | 05-05-2004, 05:21 AM | mikmik (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Edmonton, AB, Canada; Posts: 1,527)

Thanks guys, I wasn't sure because I didn't know if anything here was clean to compare it to.

All the 'virtual' directories are gone and maybe it is getting fixed up.

This last install here is fine.
Big time thanks, southplatte
Quote:
Definitely run the WD diagnostics and low-level the drive by writing 0s to it. This will get rid of the crap, with one exception: if the virus/worm is smart enough to copy onto the floppy since you boot with it, and infect it before it runs. I don't think it could install to the floppy though, if you have it write protected.

Also, do not forget that with the dos fdisk command, you can run fdisk /mbr to rebuild/recreate the master boot record on the HD, and sometimes this will get rid of virus code there.

Also, unhook from the network/internet when you do all of this, and then, there is not a way they can mess with you during the low-level/format/install/configuration period until you have everything setup, firewalled, routed, and concealed.
I didn't know about 'fdisk /mbr' command.

And now that dodger has said these are normal twice, plus you southplatte, I will settle down (yea, right mikmik LOL). It has been too freaky around here, but I must have been overreacting somewhat, although, no, I still have screenshots and some encrypted stashes to look through.
I am loving it, however :o)

Everyone is spectacular, I cannot thank you enough; it kept me going knowing that you all were helping.

Yowsa!
#36 | 05-05-2004, 12:13 PM | trsiyengar (WebProWorld Pro; Join Date: Jul 2003; Location: Mumbai aka Bombay, India; Posts: 168)
Subject: Welcome back, the Guru!

Hi Mike,

I feel odd to see your posting on your return. When there are scores of persons who suggested you to make a change here n there to come out of your sys. n dll. error problems, I did nothing but pray! It is really Ronniethedodger, who should get your attention first for all his mediating job. I thank him for all his help and assistance rendered to you during your stay at the woods! And you thank me "first". For G and her message might have given you the needed strength! Wowvaar, welcome back home!
__________________
TRS Iyengar
Namasthe Everyone! Srivaishnavam Practices / Hinduism
#37 | 05-05-2004, 11:49 PM | mikmik (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Edmonton, AB, Canada; Posts: 1,527)

TRS Iyengar wrote
Quote:
I feel odd to see your posting on your return. When there are scores of persons who suggested you to make a change here n there to come out of your sys. n dll. error problems, I did nothing but pray! It is really Ronniethedodger, who should get your attention first for all his mediating job. I thank him for all his help and assistance rendered to you during your stay at the woods!
I gave great and humble thanks to a few people where I was keeping in touch - where ronniethedodger was relaying our messages to and from. I gave him the top honours, but I always try to let people that are special to me know about it other times and places also, and he knows how highly I value him.

There are lots of ways to support each other, and your kind of support is just as important, if not the most important, to me.

I am blessed beyond mere words to have friends, and it can only be understood by experience.
Thank you for giving me the experiences I so cherish.
#38 | 05-05-2004, 11:54 PM | mikmik (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Edmonton, AB, Canada; Posts: 1,527)

Ya ya, can you tell I'm happy?

Being creates the soil, connecting brings the garden to life.
#39 | 05-06-2004, 02:30 AM | G[dot]com (WebProWorld Pro; Join Date: Mar 2004; Location: Buenos Aires - Argentina; Posts: 156)

Mikkkk, my pal, u r back :o)

I am so happy, ya know.

I spent my last days with problems too; Ronnie surely has told you about it. Here is a quote for each of us (all of us) to put things in a relative perspective again. It is easy to get drawn into these situations and feel hopeless and helpless, but nothing can make us lose our sense of happiness. And I am saying this to myself first, cos my mood gets caught in these little disasters so easily...

But when, having gone
to the Buddha, Dhamma,
& Sangha for refuge,
you see with right discernment
the four noble truths--
stress,
the cause of stress,
the transcending of stress,
& the noble eightfold path,
the way to the stilling of stress:
that's the secure refuge,
that, the supreme refuge,
having gone to which,
you gain release
from all suffering & stress.

-Dhammapada, 13, translated by Thanissaro Bhikkhu


Good night, my friends,

G
#40 | 05-06-2004, 02:52 AM | mikmik (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Edmonton, AB, Canada; Posts: 1,527)

I can hardly believe it...just look at PM I sent just before I read this post, Gisela.

I have nothing, I expect nothing, therefore I am free.

Here is a prayer for us all:

"By this virtue, may I quickly attain the state of vajradhara,

The whole essence of all Buddhas :O))) !

And may all beings attain it also :O))) !!!

May I practice all deeds for the sake of enlightenment,
the deeds taught by both the perfect Buddhas and by
Bodhichittavarja!"

Tibetian communal prayer....

Ask this of yourself always, how can I make this a better place today.

Good morning Hahahaaaaaaa
#41 | 05-06-2004, 02:58 AM | ronniethedodger (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Central US; Posts: 1,265)

Quote:
Originally Posted by mikmik
I have nothing, I expect nothing, therefore I am free.
Can I quote you on that?

...uh nevermind...I just did.
#42 | 05-06-2004, 03:03 AM | mikmik (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Edmonton, AB, Canada; Posts: 1,527)

And I have ronniethedodger.........

therefore, I am mikmik?

;o>
#43 | 05-06-2004, 11:31 AM | trsiyengar (WebProWorld Pro; Join Date: Jul 2003; Location: Mumbai aka Bombay, India; Posts: 168)
Subject: Bodhgaya, pride of Inde, that is Bharat!

mikmik's attaining the Saga of Sages:

"May I practice all deeds for the sake of enlightenment,
the deeds taught by both the perfect Buddhas and by
Bodhichittavarja!"

It is part of the Sinhalese prayer too for the Buddhists and of course universally! Buddham Charanam Ghachhami, Sangam Saranam Ghachhami !

And a step further, Buddha being an avatar of Sri Mahavishnu, the quote from the Bhagavat Gita is not out of place here, thus:
Whatever happened, happened in its perfection;
Whatever happening, is in its perfection;
Whatever it is going to happen, that too will take
shape in its own perfection;
What you brought with you, for you to lose?
What you are going to carry with you, when you go?
Whatever you posses with you, it was taken from here
(from the Earth); Whatever you gave it to others,
that too was taken from here.
Today, whatever it belong to you, it will be someone
else's tomorrow. And some other day, it might be
other one's property; this goes on, endless. This is what the essence of life and my (Krishna's) creation's secret is.

Mike, enough with my sermon; now I follow Ronnie :)
__________________
TRS Iyengar
Namasthe Everyone! Srivaishnavam Practices / Hinduism
#44 | 05-17-2004, 09:57 PM | Kista (WebProWorld New Member; Join Date: May 2004; Location: Waikiki; Posts: 1)
Subject: omg, finally!!

I'm not crazy, mik, and neither are you!!!

Listen, I don't know who created this monster, but it's downright scary! I started noticing weird things too, new files popping up, odd file extensions, LOSS OF MY ADMIN RIGHTS!! arg! It got to the point where I couldn't even copy/paste. They changed all my paths to their own, from afar, as they say. I have 3 monitors installed now. The text you posted was what gave it away.
Worst of all, every time I tried to talk about it, ppl thought I was nuts.
Don't let your guard down. I reinstalled winxp pro, but only a regular clean install...I didna format first. And there are still areas that I cannot access and do not have jurisdiction over.
Thing is, it seems to be in remission, but I get glimpses every now and then.
This...thing...got in my machine and spawned a very complex and extremely thorough sequence of events that would eventually take over my machine.
Even my registration number has been compromised.
Once someone secures admin privileges on your machine, you are helpless. I am locked out of certain areas and files.

More than anything, I am worried about the potential this has on a wide scale. I'm sure many have been invaded but don't know it. Many of my filenames were changed to "lookalike" filenames. I actually felt like maybe I was losing my mind and paranoia had set in indeed.

I never figured out exactly what they were doing, I'm thinking it was something i got in irc, and there is file swapping involved. Some people are paying "whomever" for this "service".

I'd like to talk more. Give me a buzz.
satire101@hotmail.com
#45 | 05-17-2004, 11:08 PM | mikmik (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Edmonton, AB, Canada; Posts: 1,527)

Krista wrote
Quote:
This...thing...got in my machine and spawned a very complex and extremely thorough sequence of events that would eventually take over my machine.
Wow, one who understands :o)

I will certainly give you a buzz!

And even in regards to my statements here - http://www.webproworld.com/viewtopic...19042&start=50 , I still am not sure; sometimes that mouse and keyboard action still seems kind of 'mushy', and the refreshing of the screen still seems bizarre as well.

With reports of windows updates having these types of effects, it is nerve wracking, this wondering, hey?

This was a most interesting read : Windows Forensics: A Case Study, Part One

$even making this link above, my cut and paste is not acting right...$
#46 | 05-19-2004, 03:30 AM | mikmik (WebProWorld 1,000+ Club; Join Date: Aug 2003; Location: Edmonton, AB, Canada; Posts: 1,527)

I have been searching, searching, search...tearing my hair out, and i have found out much about some friends.
This IS NASTY.
It has all the components of Bubbel, Backdoor Setup, Sockets De Troie, Blazer5, these are all trojans that have exploited windows 95, and 98, many of them Y2K exploits from 98, and 99 - 5 and 6 years ago.
That is just the one port I have had used, port 5000-1, okay, two, but 5001 always.

These things are using the UDP protocol, they route through localhost, and I have not been able to set up a server.
As ronniethedodger erroneously reported, I was not having Apache, or any other server software, taking over; the opposite.

If you are broadcasting unaccounted-for bandwidth from your home connection, and cannot get your IIS or Apache on Windows to run, get some network stuff set up, go to the command prompt (Win2k/XP/03) and type what follows the '>' (not including the '>' itself): >netstat -a, with a space between the 'stat' and the 'a'.
If all the IP addresses are listed as 0.0.0.0, or just a process name, and you have many UDP protocols running to destination *.*, then you are in trouble.
It is a good idea for people to try this, so they will know what to spot if something should happen.
Go to 'Start/Run', then type 'cmd.exe', without the quotes, and click 'OK', or hit your Enter key.
Then type the above into the black background window that appears, hitting 'Enter' to see your network activity. (Note: although it looks ominous, there is really very little that can happen with a typo; it will just say 'invalid command'.)
Here is the first description I have come across, from my newsletter subscriptions:
Quote:
An Israeli programmer who hangs out in SpywareInfo's chat room has been tearing apart a new parasite recently. I don't know very many details about it but this is a very nasty little bugger.

There are two files loaded into memory and a third element involved which I don't want to discuss publicly. It is nearly impossible to force these files out of memory. If you remove any one or two elements, one of the other two will reload them into memory. While you can see these files running with a process manager, somehow they hide their files and parent directory from the operating system, making it difficult to find them on the hard drive.

If the infected computer is using the FAT32 file system, you can use a DOS window to enter the directory and find the files. Unfortunately, you cannot remove the parent directory (c:\windows\system32\f0r0r) and the files are reinstalled as soon as the computer reboots.

The parasite might be capable of installing a backdoor server that could enable a remote attacker to use it to launch a SYN attack or to send spam. It also might operate as an IRC proxy, allowing someone to use it to hide their IP address while connecting to an IRC server. It also might include an RPC scanner to sniff for insecure and unpatched Windows machines.

This is a very clever piece of programming that someone spent a significant amount of time working on. It is nearly impossible to detect and nearly impossible to remove. How it installs is a mystery, for the moment. Possibly it infects unpatched Windows machines through one of the RPC flaws discovered recently in Microsoft Windows.

You can tell if your machine is infected if you can change to c:\windows\system32\f0r0r in a DOS or CMD window with this command: cd c:\windows\system32\f0r0r (that's a zero, not an "o"). If your hard drive is FAT32, you can boot into MS-DOS and delete the directory from outside of Windows and that should remove the infection (no guarantees here). To my knowledge, no antivirus or antispyware products detect this parasite.

If anything new is discovered, I'll let you know.
For the couple of "friends" that implied I was cuckoo..
to my real friends, I love you...

It is a truly lonely experience to not be able to get people to understand that "just go to online scan, and get your updates."


Hahahahaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
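Added example, not from this thread or any of its posters: a small Python parser for Windows `netstat -ano` output that lists every bound socket per process and flags those not on an allowlist, which is the check a responder actually wants after the netstat step above. The sample output and the allowlist are constructed assumptions; note that netstat shows `*:*` as the foreign address for every bound UDP socket, so that column by itself is expected, and the PID column is what lets you tie a port to a process.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output on Windows; it is an assumption
# for this example, not output captured from any machine in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       788
  TCP    192.168.1.5:1054       203.0.113.9:80         ESTABLISHED     2216
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3120
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    872
  UDP    0.0.0.0:31337          *:*                                    3120
"""

# Ports this (assumed) home box is expected to have bound. Anything else
# should be explained by mapping its PID to a process.
EXPECTED = {("TCP", 80), ("TCP", 135), ("UDP", 137), ("UDP", 500)}


def parse_netstat(text):
    """Parse netstat -ano lines into (proto, local_port, foreign, state, pid)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            # UDP is connectionless: no State column, and the foreign address
            # is always shown as *:* for a bound socket, which is normal.
            proto, local, foreign, pid = parts
            state = ""
        port = int(local.rsplit(":", 1)[1])
        rows.append((proto, port, foreign, state, int(pid)))
    return rows


def unexpected_listeners(rows, expected=EXPECTED):
    """Bound sockets (TCP LISTENING, any UDP) not in the allowlist, by PID."""
    by_pid = defaultdict(list)
    for proto, port, _foreign, state, pid in rows:
        bound = proto == "UDP" or state == "LISTENING"
        if bound and (proto, port) not in expected:
            by_pid[pid].append(f"{proto}/{port}")
    return dict(by_pid)
```

Each PID the function reports can then be mapped to its image name with `tasklist /FI "PID eq <pid>"` on the same box.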
#47
05-19-2004, 07:47 AM
trsiyengar
One day... All will be over

mikmik wrote:

The parasite might be capable of installing a backdoor server that could enable a remote attacker to use it to launch a SYN attack or to send spam. It also might operate as an IRC proxy, allowing someone to use it to hide their IP address while connecting to an IRC server. It also might include an RPC scanner to sniff for insecure and unpatched Windows machines.

We donno how it came; we donno yet how it sits in; sure, none of the AV programmes could locate this. A very cleverly written n managed programme. But this affects all the computers alike... no Y2K problems.. all the computers attacked alike...

The safest way...change the H/D; Never copy your H/D writings to another H/D, but you can use the re-writable Disc, where it openly displays what is hidden in the H/D partitions. Still having problems? Throw this stupid machine to the corner. Get a new one; otherwise, you will be caught sending millions of spam mails from your computer, when actually you don't!

Not everyone can search and research n glorify the magnitude of these sort of parasite psychos. You cannot hang them at once. They are all a collective bunch of few, perverted genius, sadistic pleasure seeking b******s; They threaten the entire web world. Just like keeping an atomic bomb in their hand.
__________________
TRS Iyengar
Namasthe Everyone! Srivaishnavam Practices / Hinduism
#48
05-19-2004, 10:08 AM
trsiyengar
One more member attacked?

After an eerie long silence, now I learn that Gisela too is facing similar computer problems. Hope she too comes out of the problems (These virus-browser hijack, trojan horse, netsky worm etc are all a make of some mad, frustrated, mentally sick individuals). And now the parasite programme which enters your computer....sits firm, but not to be seen? Hang those perverted geniuses who program this..
__________________
TRS Iyengar
Namasthe Everyone! Srivaishnavam Practices / Hinduism
#49
05-19-2004, 10:13 PM
mikmik

TRS, I just bought a new hard drive. Your advice is sound.

But it got corrupted within seconds, so I have to find out all the ways it can travel.

This is something new, and now, finally, but not good - believe me, others understand.

I use many many precautions, and I have some advanced firewall software, it must ask me every time a signal tries to get onto the network, LAN or WAN.

I am also behind a NAT router, and I have shut off all the ports in XP except the absolute, like TCP 80, and 25.

But it still persists, here somewhere, and I cannot afford to buy any more parts, I couldn't afford the 136 CDN for this 80 gig that might just get chucked.

Ay, Carumba!

But please, TRS Iyengar, You have good ideas and suggestions, and you are offering them, please keep it up.
A fresh perspective is important, and it means very much to me that you are following, all the attention is welcome.
Love, to my brother, and WPW family,
MikeL

Here is a post I just made at my other home , but it is in admin only area, I move it public right away and then it will be available.

Quote:
I want to get in touch with that Israeli guy, I have a LOT of info for him, like the file name of the hidden directory, it is the " u u " but with the ^ above them, that is just the first 'incarnation'. I might as well use words like that, it is just too bizarre.
But apparently I am one of the first people to become aware of this, as far as I can see, there are hundreds of forums I have looked through, and many, many similar sounding symptoms discussed, but the 'spywareinfo' guy is the first direct mention of this situation I am in.

It has many hallmarks of the 98 and '99 Y2K IRC boot sector, and BIOS boot block viruses, especially the FAT12 and FAT16 file system that it hides from XP and NTFS with.

But it is much more, with the capabilities of a ninja, that's all I can say, it seems to move about, and hide with impunity, and strike with deadly accuracy.
Ya, ya, I sound dramatic, but the other two people that mention this (there is the (@)(@) one, But 'satire? and Waiki..ki? whacky?) are sounding exactly like I did, Fuc*king scary.

I HAD a multi decompiler for hex, binary, VB and lots other, pretty sure C, and C+ etc, but that is long gone

I wrote Zeroes to the drive all night and today, that is a process, and then, wouldn't you know it, unfuc****&KING real man, I cannot 8888^%$# believe it.

I am not kidding. I go to install XP on the all zeroes, and It starts to have trouble copying all the files from the disk, "can't copy file kernel32.dll" and "netdt.dll", it's a minor thing.
So I used windex, and it can't read the disk, still, so I got Win2k EE.
I still have, I was not on the net, I check netstat, and it is all routed local.

I cannot even get an endpoint outside of my FUC*KING computer, after all that. It is hidden.

All the remote addresses in netstat show as "computername", same with the 'local address', and the local UDP.

The remote UDP addresses show as " *.* ' FFS.

And I DO get local port numbers, they are all or most for well known trojans and broadcasting, like netshow.

I looked at my fresh install, and it has a licence for netshow to transmit to 4 hundred thousand units, or some strange thing, I will double check. But you know, it is this kind of thing I am now at the point of researching, like licenses etc. It is just info, even if it is spoofed, it is something to look at.

I've tried ******* with the ini files etc, but when I go to save them, most of the time it says "Windows could not save this file, Folder or directory does not exist."

Windows/system/ does not exist.

It is all spoofed.

I wiped that drive clean, as far as I know, the bios has been flashed, the disks I use for install were burned last august.

I am even starting to wonder about the chipset etc (BIOS) on my video cards.


Un ******* believable, I tell you.

I am going to copy this to (@)(@).
Okay, I am not moving it public over there, it is somewhat classified...:o)

Marketing strategy and stuff, we all like to cross thread over there. A very laid back, casual, but brilliant people there.
It is all good.
#50
05-20-2004, 02:44 AM
southplatte

This thing sounds similar to something a friend of mine started experiencing about 2-3 weeks ago, and nothing he has done yet has worked. I just found out about it today.

Checked my system with netstat -a and found about 15-20 UDP ports to *:* strange....but my system so far is acting normally.

I did boot up my unix box running Solaris and ran a network sniffer/snooper and monitored the network traffic at my location here, and nothing out of the ordinary, and my connections are not showing any traffic. So either this thing hides itself even as traffic on the hardware, or I just happened to have a bunch of UDP ports going.

Either way, you guys with this crap hang in there. Has anyone contacted like Symantec or MS about this issue yet and seen if there is some resolution they are working on?