
I've been hacked!



mikmik
04-28-2004, 03:38 PM
I've been HACKED! I asked about a suspicion I had a week ago; now, ha ha, I have an SQL DB for free, and man, does it pump out the broadcasts!

I have been suspecting for over a week and a half, but when my connection started jamming up every time I tried to get on the net, and I had to renew the DHCP manually, I KNEW there was something going on: slowdowns, unheard-of dropped connections. You think I could grab a packet? Uh-uh, not when I was looking! And the Task Manager, ONCE, for about two seconds I thought it had two explorer.EXEs going, but I was almost 100% convinced when I saw two 'mikmik.fooyoo' running.
Don't get many of that one, ha ha!

I mean, get this:



??2@YAPAXI@Z wcscpy wcslen memmove swscanf swprintf _ftol _purecall msvcrt.dll _except_handler3 WINMM.dll InitializeCriticalSection DeleteCriticalSection EnterCriticalSection LeaveCriticalSection SetEvent GetLastError CreateEventW CloseHandle WaitForMultipleObjectsEx WaitForSingleObjectEx CreateThread CreateFileW ReleaseSemaphore InterlockedExchange CreateSemaphoreW
InterlockedDecrement DeviceIoControl InterlockedIncrement ResetEvent GetOverlappedResult CreateMutexW ReleaseMutex GetHandleInformation GetVersionExW DisableThreadLibraryCalls FreeLibrary LoadLibraryW lstrlenW MultiByteToWideChar lstrlenA GetModuleFileNameA lstrcpynW WaitForMultipleObjects WaitForSingleObject GetSystemInfo VirtualFree VirtualAlloc GetProcAddress SetThreadPriority KERNEL32.dll RegCloseKey RegQueryValueExW RegEnumKeyW RegOpenKeyExW RegDeleteKeyW RegEnumKeyExW RegSetValueExW RegSetValueW RegCreateKeyW ADVAPI32.dll wsprintfW USER32.dll CoTaskMemFree CoTaskMemAlloc CoCreateInstance IIDFromString StringFromGUID2 CoUninitialize CoFreeUnusedLibraries CoInitialize ole32.dll OLEAUT32.dll SetupDiDestroyDeviceInfoList SetupDiGetDeviceInterfaceAlias SetupDiOpenDeviceInterfaceRegKey SetupDiOpenDeviceInterfaceW SetupDiCreateDeviceInfoListExW SetupDiGetDeviceInterfaceDetailW SetupDiEnumDeviceInterfaces SetupDiGetClassDevsW SETUPAPI.dll KsCreateTopologyNode KsCreateClock KsCreateAllocator KsCreatePin ksuser.dll _CIpow RtlNtStatusToDosError ntdll.dll InterlockedCompareExchange ResumeThread

ksproxy.ax DllCanUnloadNow DllGetClassObject DllRegisterServer DllUnregisterServer KsGetMediaType KsGetMediaTypeCount KsGetMultiplePinFactoryItems KsOpenDefaultDevice KsResolveRequiredAttributes KsSynchronousDeviceControl

Lots of these:
program cannot be run in DOS mode.

I was wondering where all the default user accounts were coming from, ha.
QueryPerformanceCounter GetTickCount GetCurrentThreadId GetCurrentProcessId GetSystemTimeAsFileTime DisableThreadLibraryCalls GetProcAddress GetModuleHandleA TerminateProcess GetCurrentProcess KERNEL32.dll ??3@YAXPAX@Z ??2@YAPAXI@Z _purecall msvcrt.dll WINMM.dll RegCloseKey RegQueryValueExW RegOpenKeyExW RegDeleteKeyW RegEnumKeyExW RegSetValueExW RegSetValueW RegCreateKeyW ADVAPI32.dll wsprintfW USER32.dll CoCreateInstance CoUninitialize CoFreeUnusedLibraries CoInitialize CoTaskMemAlloc CoTaskMemFree StringFromGUID2 ole32.dll OLEAUT32.dll GetVersionExW lstrcpynW lstrlenW lstrcmpW FreeLibrary LoadLibraryW MultiByteToWideChar lstrlenA GetLastError

The latest craze: 'escalating permissions'
;[connect name] will modify the connection if ADC.connect="name"
;[connect default] will modify the connection if name is not found
;[sql name] will modify the Sql if ADC.sql="name(args)"
;[sql default] will modify the Sql if name is not found
;Override strings: Connect, UserId, Password, Sql.
;Only the Sql strings support parameters using "?"
;The override strings must not equal "" or they are ignored
;A Sql entry must exist in each sql section or the section is ignored
;An Access entry must exist in each connect section or the section is ignored
;Access=NoAccess
;Access=ReadOnly
;Access=ReadWrite
;[userlist name] allows specific users to have special access
;The Access is computed as follows:
; (1) First take the access of the connect section.
; (2) If a user entry is found, it will override.

[connect default]
;If we want to disable unknown connect values, we set Access to NoAccess
Access=NoAccess

[sql default]
;If we want to disable unknown sql values, we set Sql to an invalid query.
Sql=" "
Man, I was tired on Sunday when this started to get going good!

Goodnight ;o) G

trsiyengar
04-28-2004, 04:11 PM
Mike,

To invite everyone's attention: you have already posted this topic in Wen's own world, the "Yesterday, today and tomorrow" thread! Now, opening a new topic with the same post for the few who never visit the break room?

Arise and awake from your deep sleep. After a week's tried and tired period, you must now feel happy, as you found the hacker, the Mikmik!

paulhiles
04-28-2004, 06:18 PM
Mike,
To invite everyone's attention: you have already posted this topic in Wen's own world, the "Yesterday, today and tomorrow" thread! Now, opening a new topic with the same post for the few who never visit the break room?

Arise and awake from your deep sleep. After a week's tried and tired period, you must now feel happy, as you found the hacker, the Mikmik!
Actually that was me, trsiyengar; I've just split Mik's post from the "Is Today Today, or is Tomorrow Yesterday" thread. I felt it needed to be highlighted, and it was in danger of becoming overlooked in the 'other' thread.

If anyone can identify the root of Mik's problem here, or can offer suggestions (helpful ones please!), then I'm sure he'd be most grateful!! By the way, Mik, what exactly were you trying to do with these beauties? Kernel Streaming Proxy Exported Functions (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/stream/hh/stream/ksproxy_1vas.asp)

Good luck Mik, let us know how you get on!

Paul

trsiyengar
04-28-2004, 09:01 PM
paulhiles' good wishes:

Actually that was me, trsiyengar; I've just split Mik's post from the "Is Today Today, or is Tomorrow Yesterday" thread. I felt it needed to be highlighted, and it was in danger of becoming overlooked in the 'other' thread.

Good luck Mik, let us know how you get on!

But Paul, MSDN is Mike's home! You're giving the wrong address to the right person. Anyway, there is NO WRONG TIME FOR DOING THE RIGHT THINGS. Let's see if Mike overcomes the hacking of his own site!

paulhiles
04-29-2004, 01:36 AM
I'm confused... I need to lie down for a while! :o)

we'll wait for Mik to post back... if we don't hear anything in 24 hours we'll send out a scouting party!

ronniethedodger
04-30-2004, 06:13 PM
I have been in touch with Mik and he is in serious trouble. It appears that something has got hold of his computer and is set up to do Remote Access and is running a 'server of sorts' from his location.

Every time he tries to shut down Apache (I think he said he is running this) the operating system reboots on him and of course it will restart the Apache service.

There seems to be a porn dialer involved, although I'm not sure if it is connected. Virtual drives are being configured also, which he is not allowed access to.

The following is a cut and paste from communications that I have had with him (from another forum, but I felt it important enough to bring over here for anyone who knows or recognizes what is happening to him).

It picks up after we were discussing one of Mik's email accounts bouncing mail (thus the mention of it here; it has nothing to do with his computer system).


Everybody, I have a serious problem with my computer here, and I have been trying to get onto the internet, but my connection is swamped with hijacked bandwidth being used as virtual servers for who knows what.

There are 8 monitors (virtual) installed on my computer, remote access authorization that I cannot shut down, all sorts of heavy duty hacking processes running on a virtual drive that is placed in hidden directories.

I am trying to get this under control, I will go to my ISP today.

Thanks, please pass the message.


Thanks, I have tried all of that. This is a serious mofo, and I am not kidding.

I got another hard drive and did a remote scan, and nada.

For all of the two or three weeks I have tried online scans, etc., etc., but like I was always complaining about weirdness, and of course that makes one suspicious, I never found a thing.

Just from the scan I did with Norton on the slaved drive, the one with Norton on it got attacked and overrun!

This is seriously scary, and another reason I'm not around too much the last while.

So I will not be sending too many emails anymore.

It hides in virtual directories, and uses the restore service as a source for feeding the desktop. If you look in the Recycler, there are multiple hidden accounts in there.

Look for 'user32.dll'; that is the main account they create.

And you know what?

File extensions '.au'!! At the core.

****.

Thanks dodger, I have tried to shut down services, etc.

I EVEN DELETED the whole Windows directory and shut off the computer, and it still did not do anything!! It is a virtual desktop, and I have tried attacking all the video services they have running. I did get to a blank white screen, so I was close, but it is quick.

That is when I try moving files around, filling my clipboard with cut'n'pastes, and generally wreaking havoc so that it might slow down enough to give me a shot at wiping the kernel.

No way, it is dangerous, this one.


I can barely get on the ******* internet for ******* sakes!!!!!!!!!!!!!!!!

I have remote access routers all over the place. I told you to delete my emails if they are a ******* problem, Dodger; I don't know what you are talking about, because I have never used my email here.
I never get any notifications of any ******* emails.

My computer is seriously hacked and taken over; it is all blocked from me. I am being shown a virtual desktop here; I don't even know what I'm seeing for sure half the time.

I showed you the screenshot before when we were joking around about being paranoid; that WAS A HACK!!!!!!!!!!!!!!

There is no escalation of privilege during an install like that; it is a spoofed logfile.



I have been working my ass off trying to get some sort of an internet connection going here; every time I try to shut down the servers and virtual pucky, my computer shuts down.

I have all sorts of evidence and log files; I try to transfer stuff to another hard drive.

The porn auto-dialer accounts that have hijacked this computer are blocked from my permissions, like I showed you last week.

I have hundreds of files and screenshots, but I can't do anything, because I am unable to get to my emails most of the time.

I tried to get here, and I tried to send email to centaur when I found out what was going on.

I managed to get some stuff to floppy, but it is almost impossible because all the processes running on here are on a virtual partition, and encrypted, and I don't have permission; they are all access denied.


Dodger, I apologize again. I am hard to understand at the best of times, let alone when I am losing my connection all the time. Mostly it is really slow, but the bandwidth use has been moderated.
I was going all over my computer and finding the .inf files and router, dialers, etc., and I found several account profiles, so I started moving them around and breaking the threads and handles of the running processes at the same time.
Then I would suddenly hit the power off before (hopefully) they could copy them, thus causing problems for them and 'enticing' them to go away.

This situation is unlike anything I have ever encountered by far, this software that they are running is tenacious and relentless in the extreme.

This is scary stuff, because I completely formatted one of my hard drives - twice! - once FAT32, and then NTFS. I made and deleted several partitions, then finally ran an install.

While the first screen of the XP install is showing, right after "Press any key to boot from CD", while the blank blue screen is up and says "examining your hard drive .." RIGHT THEN, already!!!, I see the screen replacement come up! It is a quick sort of refresh as the monitor picture replaces itself from the top down.

That is scary, they spoof the bios. I found one program(script?) that shows the steps where the bios info is intercepted, and their own info is passed to windows.

This explains why I have been having so many problems over the last while: all the video driver difficulties, and the DHCP, the timestamp (my clock was four days off recently) being invalid at Windows Update.


Man, I am sorry , I miss getting on the BoG, and I am so frustrated.

I am going to have them wipe my factor1 website today. I have to get a dynamic IP set up here. I really have to warn anyone and everyone that all my keystrokes are logged, all my passwords are public knowledge, as well as FTP access.

I even was trying to block the IP in the control panel on factor1's server, but I could not see where to do it anymore!

I did it once, but they must have just gone in then and changed it, then changed the options' availability in the CP. PLUS - I didn't have anywhere to change my password!
They escalated permission there and blocked me.... Ay yi yi yi...

I am sorry for the outburst, Ronnie; it is not your fault, just because we couldn't communicate clearly the other day because of my bad internet hookup, and I was frustrated.
I saw the post up there where you said what had last happened, and when I tried to respond, with the server and lag time etc., my connection was lost. Like a good little *beep* that I am, I was (unconsciously?) taking my anger out on you, and I am really feeling bad.

You have been really helpful and super supportive of me, and I have indeed noticed that, my man!
It is such a pain, and I cannot seem to get anywhere.

I am glad to get this opportunity though. Thanks everybody for being concerned; you have no idea how much it means to me.

Something sounds familiar about this, but I cannot place my finger on it. If there is anyone out there that has a clue... please let me know.

Thanx.

mushroom
04-30-2004, 06:14 PM
You're asking the wrong questions!

Was I hacked because of poor security practices?

Was I hacked because of poor software?

Then upgrade one or both.

ronniethedodger
04-30-2004, 06:51 PM
You're asking the wrong questions!

Was I hacked because of poor security practices?

Was I hacked because of poor software?

Then upgrade one or both.

Explain please, so that I can understand it. He has very limited outside contact and I need to know what you are talking about so I can relay it to him.

mushroom
04-30-2004, 07:20 PM
Did not see the post preceding my first post on this subject.
Now I understand he is running Win XP.
1. Buy a good firewall.
2. Buy good virus protection.
3. Buy a new Hard drive.
4. Start over.

Or move to Linux and keep all windows machines off the net.

Mary T
04-30-2004, 08:17 PM
Just read this article:

http://news.com.com/2100-7349-5202236.html?part=dtx&tag=ntop

Agobot, linked bots, "The latest versions of the software created by the security underground let attackers control compromised computers through chat servers and peer-to-peer networks, command the software to attack other computers and steal information from infected systems."

Maybe?

ronniethedodger
04-30-2004, 09:39 PM
Thank you Mary, I am going to pass this on to Mik. I did not see a way of irradicating this bot in that article, but I will run over to Symantec and take a look see.

This sounds pretty close to what he is describing. He is having the problem on his website too, why I don't know. But he is on the phone with them already about it.

The only part that does not fit is the "stealth" part and the user being oblivious to it. For he sure as hell can see it working right in front of him...and it is not making any attempt to hide itself.

MarcThai
05-01-2004, 12:09 AM
Did not see the post preceding my first post on this subject.
Now I understand he is running Win XP.
1. Buy a good firewall.
2. Buy good virus protection.
3. Buy a new Hard drive.
4. Start over.

Or move to Linux and keep all windows machines off the net.

In a case like this, the last piece of advice seems to be the best. Mik won't have these problems if he moves over to Linux. The first thing to do is to reformat the whole hard disk as you install Linux. Mandrake Linux will do this automatically for you. It will completely format and delete whatever is hidden in the boot sector, which is where I think the nasty piece of code is hidden which allows these problems to continue.

Have you, Mik, tried to scan back to the originating source? I'm not much of a hacker, but if you can be hacked, it is possible to trace it back and then attack them. This is what I did recently when someone from Brazil tried to hack me. It's amazing how scared these creeps get when they realize they have been attacked back.

XP security is still very much open and hackers love it. Move over to Linux and you will not have these problems. In the more than 2 years I've been using it I've never had a problem. In fact, I laugh whenever I see virus code arriving in my email. It is shown as plain text and I just delete it. Begone, damn spot!

Good luck.

ronniethedodger
05-01-2004, 12:47 AM
Thanks for the tips Marc. Mik is online very spotty at best and is checking into one place. I will pass your post on to him. He is not even using email at this juncture.

As of yet, we have not heard from him since I posted a while back with his words.

I agree that he will have to completely reformat the drive, but I don't think in his present situation that this bugger will allow him to do it. I was thinking about throwing a new one in and go from there.

I highly doubt that he will move over to Linux, in fact I can almost assure you of that.

mikmik
05-01-2004, 12:57 AM
I think Mary is right, it looks like an Agobot.

I keep very tight security on my computer; I am behind a NAT router, and have even lately attempted to close off all UDP traffic and NetBIOS over TCP.

I think it may be from my roommate's computer; he and his kids are avid Yahoo chatroom users and who knows what else.

I stopped using anything like that long ago, and always delete MSN Messenger first thing when I do a fresh install, as well as shut down all the services running that I don't need, including the Messenger service, all the UDP, Remote Access stuff, etc. I end up with 14 processes running - not much - that show in Task Manager.

I install Norton 2003, THEN I hook up to the internet and update Windows as the first actions I take.

I was already thinking that I would have to get Linux; there are a couple of free downloads that run from an optical drive if necessary.

I have to do a low-level format for sure. I booted to the command prompt and was going to run 'FIXMBR'. It said that the MBR was corrupted and I could destroy the HD, so I stopped. It always says that, just not the corrupted part.

There are too many things to list here that are going on, but suffice to say that even the new hard drive I bought and installed fresh Windows on was infected by the time I finished, and I was not on the internet or intranet here.

Thanks for all the help, I am going to get that other computer off this home network here and try the Linux thing with Mandrake - I think that is the one.

Thanks again.

sovidiu
05-01-2004, 01:20 AM
Mandrake is a good solution to your problems, even though one might say Slackware with X Window would be better. Anyway, I'll pass the post to some friends and see what they have to say about this.

G[dot]com
05-01-2004, 03:32 AM
Mike, I know this won't help regarding your computer but I hope it helps you cope with all this big sh... (there's no other name for this)

A TON OF KISSES TO YOU, MY TRUE FRIEND, MIKE!!!!
Yeah, I could have written a private message but I wanted to do it in public ;o)

When you come back there's an invitation to open your own Gmail waiting for you.

We miss you.

Your "anything"-pal Gi

pete61uk
05-01-2004, 04:32 AM
Well, as far as resolving this is concerned I'm about as useful as a spare "p***K" at a wedding, or a third wheel on a motorbike.

I know how I felt when I only 'thought' I'd been hacked, so I can appreciate at least part of what mikmik must be going through.

Of interest, when this is resolved on mikmik's PC, would be a post detailing how it got on his system, how he first noticed it, how he identified it as a virus/Agobot, and what he had to do to get rid of it.

If the originator of Agobot gets caught. I wonder what the chances are that he/she'd survive long enough to get a trial, or would the CIA just give him/her a job and we'd hear nothing about it?

Gymsmoke
05-01-2004, 08:59 AM
I wanted to add my observation to this, just because I have seen this one a while back with a friend of mine. I never did quite get to the bottom of it, but, the resolution was this:
disconnect from comm port completely.
disable comm hardware.
use old school dos boot, fdisk drive(s)
(don't bother with a backup at this point, I tried, and the backup produced empty results)
install OS of choice on new hard drive (get another one and hook it in... the problem with mine was that windoze wouldn't even let the disk manager format)...
use dos level programming to check for any errors and optionally fix...
start the re-installation...
definitely do firewall and norton (if Win system).

Once this massive undertaking is done, have your ISP re-issue your address, and make sure that they also issue the ip you initially had trouble with to a 'derailed' box somewhere which is isolated (this gives the IT security folks some ammo to catch this A*HOLE).

I know it seems drastic, but the damage is done, and you'll definitely need drastic measures to stop it.

An alternative would be - since this hack is recording all your keystrokes, why not talk to him/her and see if they respond directly to you???

Mary T
05-01-2004, 01:20 PM
Here's another possibility of what may have happened.

As of May 1, 2004 4:15 AM (PST), TrendLabs has declared a Yellow alert to control the spread of this malware. Infection reports have been received from Europe, Asia and the US.

This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:

MS04-011_MICROSOFT_WINDOWS
Microsoft Security Bulletin MS04-011

For more information: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A
To propagate, it scans the network for vulnerable systems. When it finds a vulnerable system, this malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE.

It creates the script file CMD.FTP, which contains instructions for the vulnerable system to download and execute a copy of this malware from a remote infected system using FTP on TCP port 5554.

Since this malware produces a buffer overflow in LSASS.EXE, it causes the said program to crash and will consequently require Windows to reboot.

Important: Trend Micro advises users to apply the critical patch related to the Windows LSASS vulnerability, which is available at the following Microsoft page:

Microsoft Security Bulletin MS04-011
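
Two of the behaviours in the write-up quoted above can be seen from the infected host itself with nothing more than `netstat -an`: the FTP listener the worm opens on TCP port 5554, and the scanning, which shows up as a burst of half-open (SYN_SENT) connections to TCP port 445 on many different hosts. The post does not name the scanned port; 445 is the SMB port Sasser reached LSASS over, stated here as a fact about the worm rather than something taken from the post. The following Python is an added example, not part of Mary T's post or of Trend Micro's page: it parses constructed netstat-style lines and flags both indicators. The sample addresses, the "at least five distinct targets" threshold and the function names are assumptions.

```python
import re
from collections import namedtuple
from typing import Dict, List

Conn = namedtuple("Conn", "proto laddr lport raddr rport state")

# Constructed sample in the shape of Windows `netstat -an` output (not captured
# from a real machine): normal listeners, an FTP listener on 5554 like the one
# the write-up describes, one ordinary web connection, and a burst of half-open
# connections to port 445 on many hosts, which is what outbound scanning looks like.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1049      64.12.24.5:80          ESTABLISHED
  TCP    192.168.1.10:1060      192.168.1.33:445       SYN_SENT
  TCP    192.168.1.10:1061      192.168.1.34:445       SYN_SENT
  TCP    192.168.1.10:1062      10.0.0.7:445           SYN_SENT
  TCP    192.168.1.10:1063      10.0.0.8:445           SYN_SENT
  TCP    192.168.1.10:1064      172.16.5.9:445         SYN_SENT
  TCP    192.168.1.10:1065      172.16.5.10:445        SYN_SENT
  TCP    192.168.1.10:1066      172.16.5.11:445        SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# proto, local addr:port, foreign addr:port, optional state (UDP lines have none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")


def _port(p: str) -> int:
    return -1 if p == "*" else int(p)


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -an` style lines into Conn tuples; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append(Conn(proto, laddr, _port(lport), raddr, _port(rport), state or ""))
    return conns


def find_sasser_indicators(conns: List[Conn], ftp_port: int = 5554,
                           scan_port: int = 445, min_targets: int = 5) -> Dict[str, object]:
    """The two host-side indicators from the write-up: a TCP listener on the
    worm's FTP port, and half-open connections to the LSASS/SMB port on at least
    min_targets distinct remote hosts (threshold is an assumption)."""
    ftp_listener = any(c.proto == "TCP" and c.lport == ftp_port and c.state == "LISTENING"
                       for c in conns)
    targets = sorted({c.raddr for c in conns
                      if c.proto == "TCP" and c.rport == scan_port and c.state == "SYN_SENT"})
    return {
        "ftp_listener": ftp_listener,
        "scan_targets": targets,
        "suspicious": ftp_listener or len(targets) >= min_targets,
    }


if __name__ == "__main__":
    result = find_sasser_indicators(parse_netstat(SAMPLE_NETSTAT))
    print("FTP listener on 5554:", result["ftp_listener"])
    print("half-open targets on 445:", len(result["scan_targets"]))
    print("suspicious:", result["suspicious"])
```

On the affected machine the input is the output of `netstat -an` (`netstat -ano` on XP also shows the owning process ID). The listener on 5554 is the stronger of the two signals, since a burst of connections to 445 can also be ordinary file-sharing traffic; the threshold is there to keep a handful of legitimate SMB connections from tripping the check.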

xmx
05-01-2004, 03:45 PM
Useful Mandrake and SUSE Linux feature:

You can install the new Linux suite on a 2nd partition on your hard disk and keep all the data of your Windows OS; then from the Linux OS you can also access your old data on the Windows partition and save it on the new Linux partition.

ellar
05-01-2004, 05:06 PM
Hi

I totally agree with the others that Linux may be the way to go. One of my customers is an alarm monitoring station and everything was hooked up through a Windows system. Unfortunately they started getting some nasty stuff through the internet and it was mainly attacking the monitoring software.

They have since put in a Linux box as their main server and had absolutely no problems. What amazed them was that the nasties were coming through one of the networked machines but they weren't causing any problems on this machine. The problems were all occurring on the machine running the alarm monitoring software, which as you can imagine was a major problem.

So yes although I wouldn't have agreed 6 months ago I would now recommend going over to Linux.

And keep thinking positive. The only way from here is up and we'll all be waiting to hear from you when you get back up and running.

Cheers

ronniethedodger
05-02-2004, 12:18 AM
All very good advice. It seems that Mik is able to get out and about a little easier now, albeit using something he does not want to.

Gymsmoke - Your ideas about disconnecting from the comm ports, etc. sound really good. I am not sure if he has considered that. He also has a copy of GIPO@fileutilities he is going to use, for he reported that there are new directories being installed with illegal directory names. Hopefully the Delete on Boot will be able to eradicate this.

Is there anything out there that would infect BIOS or cache in this way though?

I will be passing all of these comments onto Mik, as usual, in case he can't return. Even yours Gisela. ;0) But you should know that any public displays of affection will get you nowhere...but they will go a long way with me...hehehehe.

pete61uk
05-02-2004, 01:10 AM
Ronnie, you smooth talker you. LOL.

If able to contact Mike, not much consolation (I know), but there must be some seriously bad vibes going the way of the "Ass-H##E" who perpetrated this.

I hope he's up and running soon.

ronniethedodger
05-03-2004, 07:55 PM
Thanks a lot Pete. I like your optimism, but I feel that we may never know how or who did this. Although the hard drive he has may hold the clue if given to the right people. He is now installing a new one (from last I heard) and we will see what comes of that.

As for my smooooooth talking, Mik asked me to send Gi a big kiss for him. So come over here, girl! It is okay, Mik and I are pretty close buddies and we like to keep it in the family. ;0)

(actually I made all of that up, Mik didn't tell me that...hehehe)

wclew
05-03-2004, 07:58 PM
Good luck Mik! Hurry back my crazy Canadian friend!

southplatte
05-04-2004, 01:16 AM
Best of luck to you Mik! You're one of the first ones I notice on here with a good voice and one that posts often to many of the different forums.

I have heard of viruses/worms in the past, like 486/early Pentium days, being able to infect a BIOS or cache and stay resident. I would suspect that on newer systems this may be even more prevalent due to the fact that many new ATX boards keep some power to the various cache/LAN/chipsets even when powered down (unless the power supply is turned off or unplugged) and this may keep the cache refreshed at times (not sure, but a theory nonetheless).

The problem you have is that even installing a new hard drive will not get rid of this thing, unless maybe you remove all the components of the system save the new HD, video & floppy and boot from a DOS floppy and fdisk/format the new HD, then add the CD-ROM and boot to install Windows. At this point, if the install seems okay, then add the sound, then the NIC (unless it is onboard -- disable any onboard items, such as a NIC/sound/modem etc. in the BIOS, and check to make sure the BIOS is functioning normally at this point).

If the BIOS seems okay, and the install at this point goes okay, then try to add each component or re-enable it in the BIOS one at a time. Then, after getting a new IP from the ISP (new user/pass, possibly even a new ISP), try again I guess.

One thought: Mik noted he was using a router with NAT installed on it. Is it possible for the hack to be resident in portions of the router, or to have the IPs of the hacker machines/servers/whoever/whatever is doing this in the routing table for continued access no matter what? They could theoretically base something off of the MAC address of the router, or even of the machine itself, since the underlying basis for TCP and UDP is to translate and send from one MAC address to another.

I hope all goes well, and he gets back soon! I have only had a small hack done to me once, but it was scary, and frustrating.

I wonder if there is a way for Mik to track the IP through the router?? He may be able to find out the IP of the attacker/hacker that way and get some resolution in the end? Not familiar with most routers, and what info they each keep or don't keep, or are capable of. Another way is to install a Linux/Unix machine on the network and run a network sniffer to get the remote IP that the malware is connecting to.

Some thought, and definitely words of support and encouragement!! Hang in there!

flashfast
05-04-2004, 01:58 AM
I just got this from Ziff Davis (zdnet.com) and it sounds like what you are going through?

Sasser and its variations are network-aware worms that do not require e-mail or user interaction to spread. Sasser takes advantage of a buffer-overrun flaw in the Local Security Authority Subsystem (LSASS), which allows an attacker to gain control of infected systems. Microsoft patched the flaw with MS04-011 on April 13. The worms use a bootstrap effect to infect new machines first, then download the full code from a previously infected machine later. Sasser (w32.sasser.a) and Sasser.b (w32.sasser.b) are both 15,872 bytes in length and randomly scan local networks and the Internet to look for additional systems to infect. This scanning could slow normal traffic on the Internet. More...

http://reviews.cnet.com/4520-6600_7-5133023.html

As an aside, I was a victim of a well-planned attack - I don't know much about code, but I had a firewall and even then someone got through. I had spent, along with colleagues in Britain, the US and Australia, 2 years developing an educational project. Short story: I had 2 years' worth of work (hundreds of animated clips, video, interactive software, music etc.) created, all specific to a few folders. Everyone's work would end up on my system for production tweaks, final video editing and scripting (for software). These folders were deep in the system. One morning several business suits had arranged for a preliminary viewing and progress report and arrived at the door at 9am. As preparation the day before, I created a whole new series of folders, deleted all the trash project files (literally 6 gigs of working files), and placed all the current files into the new folders. I was so pleased to get organized, and rid of so much clutter. The next day at the meeting I went to play the various clips and... no folders, no files. Nada. Deleted (or rather, stolen and then deleted). The theft was very specific - and malicious, as they could have copied them and left me the originals.

BUT THERE ARE ANGELS - I had a real weird feeling the day before that someone or something had taken over (due to odd and intermittent slow downs - ran full scans all, and nothing detected), so I made a copy of all 4 folders as soon as I had finished them.

The meeting went ahead on schedule, but I now have a new IP and a Macintosh.

Niko Holopainen
05-04-2004, 07:31 AM
According to the latest of what I've read, it may well be Sasser.D.

As to the shutdown: type "shutdown -a" (at Run) to prevent the automatic reboots.

Hope this helps; I don't usually read the Breakroom but that's my 2 cents =)

Yours truly, as always,

: Niko

Brittany
05-04-2004, 10:22 AM
Wow, you guys are awesome, jumping to Mik's rescue like this :)

And to Mik - we miss you man! Best wishes for a speedy computer recovery!

Brittany

ronniethedodger
05-04-2004, 12:37 PM
Thank you everyone. I have not heard from Mik in almost two days now -- so he is probably disconnected from the Internet and working his way through this mess.

I have posted all of your comments and good wishes in a place where he will be sure to see them as soon as his machine is back up on its feet.

mikmik
05-04-2004, 11:02 PM
Brittany wrote
And to Mik - we miss you man! Best wishes for a speedy computer recovery!

Brittany

I MISS YOU BRITTANY.
I MISS EVERYBODY !

I posted back at the bog this am, but now there is nobody there (???)

So, I will report on myself.

First, thanks to TRS Iyengar and my 'kiss kiss' friend. You people are the best. Gisela, I want you to give me a gmail!!! I tried to reply to that several days ago.

I have installed ZoneAlarm Pro, and I am able to squelch most of the broadcasts the worm is making.
I am sure there are more than one or two infections here; the other computer at home was swamped with malware, but it is off the internet, off my home network, and off my Christmas card list :o)

I have taken all the advice that people have been posting; most of it I had already tried on my own account. I was indeed off the 'net for almost two days, and I had the sysclean utility from TrendMicro, and all the updates.

The worm, or virus, or hijack program that is running, installs everything to virtual directories and streams 8 channels of material using MSN Messenger and MSN Gaming. It sets up its own server (not using Apache or IIS from my machine) and router, and 8 monitor drivers, as well as dialers and all the networking crap for gambling and porn distribution.

Even when I go into DOS with a boot floppy and reformat the whole hard drive, and that includes deleting all partitions in fdisk to start out, it is in the Master Boot Record, and is impossible to eradicate that way, or any way.

I have the hard drive utility from Western Digital, and I am going to write all zeroes to the whole drive. The only problem with that is I have to be slaved to my original hard drive, the first 'scene' of this invasion (it still has all my data).

So, I have Redhat, which I will probably have to install and format the Western Digital HD with.
================
All the virus scans, and attempts to do anything myself, get access denied errors. This infection is way too scary to think about, but I mentioned earlier somewhere that this network here had unauthorized sleazeballs on it (long story ...sigh) about 6 weeks ago, and this may be the source.
It is extremely, extremely sophisticated, installs NTFS capability on FAT32 partitions, and writes its own SAM ini file - this is the Security Accounts Manager (and the LSASS buffer overflow area in the news).
Three weeks ago I was suspicious of my SAM logs, and it has been all emotional (;-]) ever since.

There are two endpoints for the virtual directories in the Windows root folder in the 'TEMP' folder there, they are named '.' and '..' and if you have these in your folder, start to get prepared.

Here is an excerpt from the 'SECURITY' folder in the root 'Windows' folder (Windows XP); the document I am going to quote here is the 'scesetup.log'.

This is the first part - I have never looked at a Windows setup log before, so I was not sure about this, but it looks to me like an escalation of privileges.
----Configure User Rights...
Configure S-1-5-32-546.
remove SeInteractiveLogonRight.
Configure S-1-5-19.
add SeAuditPrivilege.
add SeIncreaseQuotaPrivilege.
add SeAssignPrimaryTokenPrivilege.
Configure S-1-5-20.
add SeAuditPrivilege.
add SeIncreaseQuotaPrivilege.
add SeAssignPrimaryTokenPrivilege.
Configure S-1-5-32-544.
add SeChangeNotifyPrivilege.
add SeUndockPrivilege.
add SeManageVolumePrivilege.
add SeRemoteInteractiveLogonRight.
Configure S-1-5-32-551.
add SeNetworkLogonRight.
add SeChangeNotifyPrivilege.
Configure S-1-5-32-547.
add SeChangeNotifyPrivilege.
add SeUndockPrivilege.
remove SeRemoteShutdownPrivilege.
remove SeIncreaseBasePriorityPrivilege.
remove SeRemoteInteractiveLogonRight.
Configure S-1-5-32-545.
add SeNetworkLogonRight.
add SeChangeNotifyPrivilege.
add SeUndockPrivilege.
Configure S-1-1-0.
remove SeInteractiveLogonRight.
remove SeShutdownPrivilege.
remove SeRemoteInteractiveLogonRight.
Configure S-1-5-21-1645522239-261903793-839522115-501.
add SeInteractiveLogonRight.
add SeDenyNetworkLogonRight.
add SeDenyInteractiveLogonRight.
Configure S-1-5-32-555.
add SeRemoteInteractiveLogonRight.

User Rights configuration was completed successfully.


----Configure Group Membership...
Configure Users.
add INTERACTIVE.
add Authenticated Users.

Group Membership configuration was completed successfully.


----Configure Registry Keys...
Configure users\.default.
Configure users\.default\AppEvents.
Configure users\.default\Console.
Configure users\.default\Control Panel.
Configure users\.default\Environment.
Configure users\.default\Keyboard Layout.
Configure users\.default\UNICODE Program Groups.
Configure users\.default\software.
Configure users\.default\software\Policies.
Configure users\.default\software\microsoft.
Configure users\.default\software\microsoft\Clock.
Configure users\.default\software\microsoft\Command Processor.
Configure users\.default\software\microsoft\CTF.
Configure users\.default\software\microsoft\File Manager.
Configure users\.default\software\microsoft\Internet Explorer.


I remind you all that this is all way over my head; I make assumptions based on just common sense and what I think 'should be right'. It is extremely technical, and I have hundreds of thousands of lines of code that are easy to read like this log file, and also difficult to read because much of it is in machine code and binary.

Here is an excerpt from the 'setupsecurity.inf' file. It seems to show the creation of many levels of user, but they all have network access rights in the final install - when Windows is running.
They are hidden and impossible to get rid of.

[Privilege Rights]
seassignprimarytokenprivilege = *S-1-5-20,*S-1-5-19
seauditprivilege = *S-1-5-20,*S-1-5-19
sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544
sebatchlogonright =
sechangenotifyprivilege = *S-1-1-0,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
secreatepagefileprivilege = *S-1-5-32-544
secreatepermanentprivilege =
secreatetokenprivilege =
sedebugprivilege = *S-1-5-32-544
sedenybatchlogonright =
sedenyinteractivelogonright = *S-1-5-21-1645522239-261903793-839522115-501
sedenynetworklogonright = *S-1-5-21-1645522239-261903793-839522115-501
sedenyremoteinteractivelogonright =
sedenyservicelogonright =
seenabledelegationprivilege =
seincreasebasepriorityprivilege = *S-1-5-32-544
seincreasequotaprivilege = *S-1-5-20,*S-1-5-19,*S-1-5-32-544
seinteractivelogonright = *S-1-5-21-1645522239-261903793-839522115-501,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
seloaddriverprivilege = *S-1-5-32-544
selockmemoryprivilege =
semachineaccountprivilege =
semanagevolumeprivilege = *S-1-5-32-544
senetworklogonright = *S-1-1-0,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
seprofilesingleprocessprivilege = *S-1-5-32-547,*S-1-5-32-544
seremoteinteractivelogonright = *S-1-5-32-555,*S-1-5-32-544
seremoteshutdownprivilege = *S-1-5-32-544
serestoreprivilege = *S-1-5-32-551,*S-1-5-32-544
sesecurityprivilege = *S-1-5-32-544
seservicelogonright =
seshutdownprivilege = *S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
sesyncagentprivilege =
sesystemenvironmentprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-547,*S-1-5-32-544
setakeownershipprivilege = *S-1-5-32-544
setcbprivilege =
seundockprivilege = *S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-544
[Registry Keys]


It seems to show (immediately above) the creation of four or five user accounts, and indeed, all the security and networking processes have four permission groups assigned to them, including the "Everybody" group, "Guest", "Anonymous Logon", and "Remote Logon Account". They all have unlimited 'special privileges' assigned.

This thing is so robust and protected/backed up, that I have even gone as far as deleting the whole WINDOWS folder, and then hitting the power button on my computer.
No matter if I let it save settings (Windows, that is) on shutdown, or *Surprise*!! it with the hard off, it all comes back up.

I have to go , but it is soooooooooooooooo nice to be up and running again, albeit in an uncommonly configured mode - having all these broadcasts blocked while this piece of malignant scumware tries to run in the background.

Good shall overcome!!!!!!!!!!

And so shall mikmik!!!!!!!!!!!!!!
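As an added example (not code from any poster in this thread), here is a small Python script that decodes a [Privilege Rights] section like the one quoted above, resolves the well-known SIDs to names, and reports two things a reviewer looks for: sensitive privileges granted outside the principals a default XP template gives them to, and SeDeny* rights that override a matching grant. The sample template is a constructed subset of the lines quoted in this post; the list of "expected holders" is this example's own assumption about XP defaults.

```python
"""Decode and review the [Privilege Rights] section of a secedit security
template (.inf). SAMPLE is a constructed subset of the lines quoted above."""
import re

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}
# Fixed RIDs of the two built-in accounts in every machine's own domain.
BUILTIN_RIDS = {"500": "Administrator", "501": "Guest"}
MACHINE_SID = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")

# Rights that amount to full control of the machine if granted broadly.
SENSITIVE = {
    "sedebugprivilege", "setcbprivilege", "seloaddriverprivilege",
    "setakeownershipprivilege", "sebackupprivilege", "serestoreprivilege",
    "secreatetokenprivilege", "seassignprimarytokenprivilege",
}
# Assumption: the principals a default XP template grants those rights to.
EXPECTED_HOLDERS = {"S-1-5-32-544", "S-1-5-32-551", "S-1-5-19", "S-1-5-20"}

SAMPLE = """\
[Privilege Rights]
seassignprimarytokenprivilege = *S-1-5-20,*S-1-5-19
sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544
sebatchlogonright =
sedebugprivilege = *S-1-5-32-544
sedenyinteractivelogonright = *S-1-5-21-1645522239-261903793-839522115-501
sedenynetworklogonright = *S-1-5-21-1645522239-261903793-839522115-501
seinteractivelogonright = *S-1-5-21-1645522239-261903793-839522115-501,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
senetworklogonright = *S-1-1-0,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
[Registry Keys]
"""


def resolve_sid(sid: str) -> str:
    """Map a SID to a readable name; unknown SIDs are returned unchanged."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = MACHINE_SID.match(sid)
    if m and m.group(2) in BUILTIN_RIDS:
        return f"{BUILTIN_RIDS[m.group(2)]} (built-in) of machine {m.group(1)}"
    return sid


def parse_privilege_rights(text: str) -> dict[str, list[str]]:
    """Return {right_name: [sid, ...]} from the [Privilege Rights] section only."""
    rights: dict[str, list[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Entries are written "*SID"; strip the marker and ignore empty values.
        sids = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        rights[name.strip().lower()] = sids
    return rights


def review(rights: dict[str, list[str]]) -> list[str]:
    """Findings: sensitive rights held by unexpected principals, and deny
    rights that override a matching grant (Windows applies SeDeny* first)."""
    findings = []
    for right, sids in rights.items():
        if right in SENSITIVE:
            for sid in sids:
                if sid not in EXPECTED_HOLDERS:
                    findings.append(f"{right} granted to {resolve_sid(sid)}")
        if right.startswith("sedeny"):
            allow = "se" + right[len("sedeny"):]
            for sid in sids:
                if sid in rights.get(allow, []):
                    findings.append(f"{resolve_sid(sid)}: {allow} is granted "
                                    f"but {right} overrides it (deny wins)")
    return findings


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE)
    for right, sids in parsed.items():
        print(right, "->", [resolve_sid(s) for s in sids])
    print("\n".join(review(parsed)) or "no findings")
```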

mikmik
05-04-2004, 11:03 PM
flashfast=
BUT THERE ARE ANGELS - I had a real weird feeling the day before that someone or something had taken over (due to odd and intermittent slowdowns - I ran full scans and nothing was detected), so I made a copy of all 4 folders as soon as I had finished them.

Same here, I noticed lots of dropped connections and also weird screen refreshes.
I knew that 'something wasn't right'.
Thanks very much.

southplatte
05-04-2004, 11:42 PM
Hey good to see you can somewhat be back on!

Just looking at the log files quickly (not taking too long to compare line by line), most of what I've seen in them is identical to what my machine here has.

The user *S-1-5-32-544 I believe would be the administrator account (not sure, so if I am wrong someone correct me) and is created by default; there are also several groups that will be created, and each user (administrator, guest, regular created user (if you made one on install) and one or two users for remote access from Microsoft) are all created.

The user S-1-5-21-1645522239-261903793-839522115-501 is one of these system users for remote access by Microsoft, and the long number I believe is your Product Identification Key created from the combination of HW/SW/Keycode.

Now, if we look at the code below, we see that network logon is denied, as is Interactive Logon:

add SeInteractiveLogonRight.
add SeDenyNetworkLogonRight.
add SeDenyInteractiveLogonRight.

In the .inf file you quote, we can see that this is the file that instructs Windows how to set up these users:

[Privilege Rights]
seassignprimarytokenprivilege = *S-1-5-20,*S-1-5-19
seauditprivilege = *S-1-5-20,*S-1-5-19
sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544
sebatchlogonright =
sechangenotifyprivilege = *S-1-1-0,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551,*S-1-5-32-544
secreatepagefileprivilege = *S-1-5-32-544
secreatepermanentprivilege =
secreatetokenprivilege =
sedebugprivilege = *S-1-5-32-544
sedenybatchlogonright =
sedenyinteractivelogonright = *S-1-5-21-1645522239-261903793-839522115-501
sedenynetworklogonright = *S-1-5-21-1645522239-261903793-839522115-501

So does this mean you don't have user accounts that you shouldn't? No, but it does point out that some of the things here are normal as far as I can tell.

Definitely run the WD diagnostics and low-level the drive by writing 0s to it. This will get rid of the crap, with one exception: if the virus/worm is smart enough to copy onto the floppy since you boot with it, and infect it before it runs. I don't think it could install to the floppy though, if you have it write protected.

Also, do not forget that with the dos fdisk command, you can run fdisk /mbr to rebuild/recreate the master boot record on the HD, and sometimes this will get rid of virus code there.

Also, unhook from the network/internet when you do all of this, and then, there is not a way they can mess with you during the low-level/format/install/configuration period until you have everything setup, firewalled, routed, and concealed.

Best of luck to you! Hang in there!

ronniethedodger
05-04-2004, 11:48 PM
So does this mean you don't have user accounts that you shouldn't? No, but it does point that some of the things here are normal as far as I can tell.


Yeah, that looks normal to me too. There are some others that get created for Tech Support too. I have a Dell, and there are two of those.

mikmik
05-05-2004, 04:21 AM
Thanks guys, I wasn't sure because I didn't know if anything here was clean to compare it to.

All the 'virtual' directories are gone and maybe it is getting fixed up.

This last install here is fine.
Big-time thanks, southplatte
Definitely run the WD diagnostics and low-level the drive by writing 0s to it. This will get rid of the crap, with one exception: if the virus/worm is smart enough to copy onto the floppy since you boot with it, and infect it before it runs. I don't think it could install to the floppy though, if you have it write protected.

Also, do not forget that with the dos fdisk command, you can run fdisk /mbr to rebuild/recreate the master boot record on the HD, and sometimes this will get rid of virus code there.

Also, unhook from the network/internet when you do all of this, and then, there is not a way they can mess with you during the low-level/format/install/configuration period until you have everything setup, firewalled, routed, and concealed.

I didn't know about 'fdisk /mbr' command.

And now that dodger has said these are normal twice, plus you southplatte, I will settle down (yea, right mikmik LOL). It has been too freaky around here, but I must have been overreacting somewhat, although, no, I still have screenshots and some encrypted stashes to look through.
I am loving it, however :o)

Everyone is spectacular, I cannot thank you enough; it kept me going knowing that you all were helping.

Yowsa!

trsiyengar
05-05-2004, 11:13 AM
Hi Mike,

I feel odd to see your posting on your return. When there are scores of persons who suggested you to make a change here n there to come out of your sys. n dll. error problems, I did nothing but pray! It is really Ronniethedodger, who should get your attention first for all his mediating job. I thank him for all his help and assistance rendered to you during your stay at the woods! And you thank me "first". For G and her message might have given you the needed strength! Wowvaar, welcome back home!

mikmik
05-05-2004, 10:49 PM
TRS Iyengar wrote
I feel odd to see your posting on your return. When there are scores of persons who suggested you to make a change here n there to come out of your sys. n dll. error problems, I did nothing but pray! It is really Ronniethedodger, who should get your attention first for all his mediating job. I thank him for all his help and assistance rendered to you during your stay at the woods!

I gave great and humble thanks to a few people where I was keeping in touch - where ronniethedodger was relaying our messages to and from. I gave him the top honours, but I always try to let people that are special to me know about it other times and places also, and he knows how highly I value him.

There are lots of ways to support each other, and your kind of support is just as important, if not the most important, to me.

I am blessed beyond mere words to have friends, and it can only be understood by experience.
Thank you for giving me the experiences I so cherish.

mikmik
05-05-2004, 10:54 PM
Ya ya, can you tell I'm happy?

Being creates the soil, connecting brings the garden to life.

G[dot]com
05-06-2004, 01:30 AM
Mikkkk, my pal, u r back :o)

I am so happy, ya know.

I spent my last days with problems me too, Ronnie surely has told you about it. Here is a quote for each of us (all of us) to put things in a relative perspective again. It is easy to get drawn in these situations and feel hopeless and helpless, but nothing can make us lose our sense of happiness. And I am saying this to myself first, cos my mood gets caught in these little disasters so easily...

But when, having gone
to the Buddha, Dhamma,
& Sangha for refuge,
you see with right discernment
the four noble truths--
stress,
the cause of stress,
the transcending of stress,
& the noble eightfold path,
the way to the stilling of stress:
that's the secure refuge,
that, the supreme refuge,
having gone to which,
you gain release
from all suffering & stress.

-Dhammapada, 13, translated by Thanissaro Bhikkhu

Good night, my friends,

G

mikmik
05-06-2004, 01:52 AM
I can hardly believe it...just look at PM I sent just before I read this post, Gisela.

I have nothing, I expect nothing, therefore I am free.

Here is a prayer for us all:

"By this virtue, may I quickly attain the state of vajradhara,

The whole essence of all Buddhas :O))) !

And may all beings attain it also :O))) !!!

May I practice all deeds for the sake of enlightenment,
the deeds taught by both the perfect Buddhas and by
Bodhichittavarja!"

Tibetan communal prayer....

Ask this of yourself always, how can I make this a better place today.

Good morning Hahahaaaaaaa

ronniethedodger
05-06-2004, 01:58 AM
I have nothing, I expect nothing, therefore I am free.

Can I quote you on that?

...uh nevermind...I just did.

mikmik
05-06-2004, 02:03 AM
And I have ronniethedodger.........

therefore, I am mikmik?

;o>

trsiyengar
05-06-2004, 10:31 AM
mikmik's attaining the Saga of Sages:

"May I practice all deeds for the sake of enlightenment,
the deeds taught by both the perfect Buddhas and by
Bodhichittavarja!"

It is part of Sinhalese prayer too for the Buddhists and of course over universally! Buddham Charanam Ghachhami, Sangam Saranam Ghachhami !

And a step further, being Buddha an avatar of Sri Mahavishnu, the quote from Bhagavat Gita is not out of place here, thus:
Whatever happened, happened in its perfection;
Whatever is happening, is in its perfection;
Whatever is going to happen, that too will take
shape in its own perfection;
What did you bring with you, for you to lose?
What are you going to carry with you, when you go?
Whatever you possess, it was taken from here
(from the Earth); whatever you gave to others,
that too was taken from here.
Today, whatever belongs to you, it will be someone
else's tomorrow. And some other day, it might be
another one's property; this goes on, endless. This is the essence of life and the secret of my (Krishna's) creation.

Mike, enough with my sermon; now I follow Ronnie :)

Kista
05-17-2004, 08:57 PM
I'm not crazy, mik, and neither are you!!!

Listen, I don't know who created this monster, but it's downright scary! I started noticing weird things too, new files popping up, odd file extensions, LOSS OF MY ADMIN RIGHTS!! arg! It got to the point where I couldn't even copy/paste. They changed all my paths to their own, from afar, as they say. I have 3 monitors installed now. The text you posted was what gave it away.
Worst of all, every time I tried to talk about it, ppl thought I was nuts.
Don't let your guard down. I reinstalled winxp pro, but only a regular clean install...I didna format first. And there are still areas that I cannot access and do not have jurisdiction over.
Thing is, it seems to be in remission, but I get glimpses every now and then.
This...thing...got in my machine and spawned a very complex and extremely thorough sequence of events that would eventually take over my machine.
Even my registration number has been compromised.
Once someone secures admin privileges on your machine, you are helpless. I am locked out of certain areas and files.

More than anything, I am worried about the potential this has on a wide scale. I'm sure many have been invaded but don't know it. Many of my filenames were changed to "lookalike" filenames. I actually felt like maybe I was losing my mind and paranoia had set in indeed.

I never figured out exactly what they were doing; I'm thinking it was something I got in IRC, and there is file swapping involved. Some people are paying "whomever" for this "service".

I'd like to talk more. Give me a buzz.
satire101@hotmail.com

mikmik
05-17-2004, 10:08 PM
Krista wrote
This...thing...got in my machine and spawned a very complex and extremely thorough sequence of events that would eventually take over my machine.

Wow, one who understands :o)

I will certainly give you a buzz!

And even in regards to my statements here - http://www.webproworld.com/viewtopic.php?t=19042&start=50 , I still am not sure; sometimes that mouse and keyboard action still seems kind of 'mushy', and the refreshing of the screen still seems bizarre as well.

With reports of windows updates having these types of effects, it is nerve wracking, this wondering, hey?

This was a most interesting read : Windows Forensics: A Case Study, Part One (http://www.securityfocus.com/infocus/1653)

$even making this link above, my cut and paste is not acting right...$

mikmik
05-19-2004, 02:30 AM
I have been searching, searching, search...tearing my hair out, and I have found out much about some friends.
This IS NASTY.
It has all the components of Bubbel, Backdoor Setup, Sockets De Troie, Blazer5; these are all trojans that have exploited Windows 95 and 98, many of them Y2K exploits from 98 and 99 - 5 and 6 years ago.
That is just the one port I have had used, port 5000-1, okay, two, but 5001 always.

These things are using UDP protocol, they route through local host, and I have not been able to set up a server.
As ronniethedodger erroneously reported, I was not having Apache, or any other server software, taking over; the opposite.

If you are broadcasting unaccounted-for bandwidth from your home connection, and cannot get your IIS or Apache on Windows to run, get some network stuff set up, go to the command prompt (Win2k/XP/03) and, at the > prompt (not typing the '>' itself), type netstat -a, with a space between the 'stat' and the 'a'.
If all the IP addresses are listed as 0.0.0.0, or just a process name, and you have many UDP protocols running to destination *.*, then you are in trouble.
It is a good idea for people to try this, so they will know what to spot if something should happen.
Go to 'start/run', then type 'cmd.exe', without the quotes, and click 'ok', or hit your enter key.
Then you type the above into the black background window that appears, hitting 'enter' to see your network activity. (Note: although it looks ominous, there is really very little that can happen with a typo; it will just say 'invalid command'.)
Here is the first description I have come across, from my newsletter subscriptions:

An Israeli programmer who hangs out in SpywareInfo's chat room (http://chat.spywareinfo.com/) has been tearing apart a new parasite recently. I don't know very many details about it but this is a very nasty little bugger.

There are two files loaded into memory and a third element involved which I don't want to discuss publicly. It is nearly impossible to force these files out of memory. If you remove any one or two elements, one of the other two will reload them into memory. While you can see these files running with a process manager, somehow they hide their files and parent directory from the operating system, making it difficult to find them on the hard drive.

If the infected computer is using the FAT32 file system, you can use a DOS window to enter the directory and find the files. Unfortunately, you cannot remove the parent directory (c:\windows\system32\f0r0r) and the files are reinstalled as soon as the computer reboots.

The parasite might be capable of installing a backdoor server that could enable a remote attacker to use it to launch a SYN attack or to send spam. It also might operate as an IRC proxy, allowing someone to use it to hide their IP address while connecting to an IRC server. It also might include an RPC scanner to sniff for insecure and unpatched Windows machines.

This is a very clever piece of programming that someone spent a significant amount of time working on. It is nearly impossible to detect and nearly impossible to remove. How it installs is a mystery, for the moment. Possibly it infects unpatched Windows machines through one of the RPC flaws discovered recently in Microsoft Windows.

You can tell if your machine is infected if you can change to c:\windows\system32\f0r0r in a DOS or CMD window with this command: cd c:\windows\system32\f0r0r (that's a zero, not an "o"). If your hard drive is FAT32, you can boot into MS-DOS and delete the directory from outside of Windows and that should remove the infection (no guarantees here). To my knowledge, no antivirus or antispyware products detect this parasite.

If anything new is discovered, I'll let you know.

For the couple of "friends" that implied I was cuckoo..
to my real friends, I love you...

It is a truly lonely experience to not be able to get people to understand "just go to online scan, and get your updates."


Hahahahaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
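As an added example, not code from any poster here, this Python script parses the netstat -a output described above and compares a snapshot taken while a machine was known to be clean with a later one, listing listeners that have appeared and TCP connections that actually have a remote peer. Both snapshots are constructed samples in the Windows 2000/XP text format (hostname "hostpc" is made up); note that a UDP line always shows *:* as its foreign address and a LISTENING TCP line shows hostname:0, so those columns alone do not indicate a remote connection, which is why a baseline comparison is more useful than reading one snapshot in isolation.

```python
"""Compare two 'netstat -a' snapshots (Windows 2000/XP text format) and report
listeners that appeared since the baseline. Both snapshots are constructed."""

BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    hostpc:epmap           hostpc:0               LISTENING
  TCP    hostpc:microsoft-ds    hostpc:0               LISTENING
  TCP    hostpc:1025            hostpc:0               LISTENING
  UDP    hostpc:microsoft-ds    *:*
  UDP    hostpc:ntp             *:*
"""

CURRENT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    hostpc:epmap           hostpc:0               LISTENING
  TCP    hostpc:microsoft-ds    hostpc:0               LISTENING
  TCP    hostpc:1025            hostpc:0               LISTENING
  TCP    hostpc:5001            hostpc:0               LISTENING
  TCP    hostpc:1043            www.example.com:http   ESTABLISHED
  UDP    hostpc:microsoft-ds    *:*
  UDP    hostpc:ntp             *:*
  UDP    hostpc:5000            *:*
"""


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped.
    Works for both name-resolved (-a) and numeric (-an) output."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP lines have no state
        local_host, _, local_port = local.rpartition(":")
        foreign_host, _, foreign_port = foreign.rpartition(":")
        records.append({
            "proto": proto, "local_host": local_host, "port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": state,
        })
    return records


def listeners(records):
    """Sockets that accept input: TCP in LISTENING, plus every bound UDP
    socket (UDP has no handshake, so every bound socket is a listener)."""
    return {(r["proto"], r["port"]) for r in records
            if r["proto"] == "UDP"
            or (r["proto"] == "TCP" and r["state"] == "LISTENING")}


def remote_peers(records):
    """TCP sockets whose foreign endpoint is some other host, i.e. the lines
    that represent traffic leaving or entering this machine."""
    return {f'{r["foreign_host"]}:{r["foreign_port"]}' for r in records
            if r["proto"] == "TCP" and r["state"] != "LISTENING"
            and r["foreign_host"] not in ("*", r["local_host"])}


def new_listeners(baseline_text, current_text):
    """Listeners present now that were absent from the clean baseline."""
    before = listeners(parse_netstat(baseline_text))
    after = listeners(parse_netstat(current_text))
    return sorted(after - before)


if __name__ == "__main__":
    for proto, port in new_listeners(BASELINE, CURRENT):
        print(f"new listener: {proto} port {port}")
    for peer in sorted(remote_peers(parse_netstat(CURRENT))):
        print(f"remote peer: {peer}")
```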

trsiyengar
05-19-2004, 06:47 AM
mikmik wrote:

The parasite might be capable of installing a backdoor server that could enable a remote attacker to use it to launch a SYN attack or to send spam. It also might operate as an IRC proxy, allowing someone to use it to hide their IP address while connecting to an IRC server. It also might include an RPC scanner to sniff for insecure and unpatched Windows machines.

We donno how it came; we donno yet how it sits in; sure, none of the AV programmes could locate this. A very cleverly written n managed programme. But this affects all the computers alike... no Y2K problems.. all the computers attacked alike...

The safest way...change the H/D; never copy your H/D writings to another H/D, but you can use the re-writable disc, where it openly displays what is hidden in the H/D partitions. Still having problems? Throw this stupid machine to the corner. Get a new one; otherwise, you will be caught sending millions of spam mails from your computer, when actually you don't!

Not everyone can search and research n glorify the magnitude of these sort of parasite psychos. You cannot hang them at once. They are all a collective bunch of few, perverted genius, sadistic pleasure seeking b******s; they threaten the entire web world. Just like keeping an atomic bomb in their hand.

trsiyengar
05-19-2004, 09:08 AM
After an eerie long silence, now I learn that Gisela too is facing similar computer problems. Hope she too comes out of the problems (these virus, browser hijack, trojan horse, netsky worm etc are all the make of some madman, frustrated, mentally sick individuals). And now the parasite programme which enters your computer....sits firm, but not to be seen? Hang those perverted geniuses who program this..

mikmik
05-19-2004, 09:13 PM
TRS, I just bought a new hard drive. Your advice is sound.

But it got corrupted within seconds, so I have to find out all the ways it can travel.

This is something new, and now, finally, but not good - believe me, others understand.

I use many, many precautions, and I have some advanced firewall software; it must ask me every time a signal tries to get onto the network, LAN or WAN.

I am also behind a NAT router, and I have shut off all the ports in XP except the absolute, like TCP 80 and 25.

But it still persists, here somewhere, and I cannot afford to buy any more parts, I couldn't afford the 136 CDN for this 80 gig that might just get chucked.

Ay, Carumba!

But please, TRS Iyenger, you have good ideas and suggestions, and you are offering them; please keep it up.
A fresh perspective is important, and it means very much to me that you are following, all the attention is welcome.
Love, to my brother, and WPW family,
MikeL

Here is a post I just made at my other home, but it is in the admin only area; I'll move it public right away and then it will be available.


I want to get in touch with that Israeli guy, I have a LOT of info for him, like the file name of the hidden directory, it is the " u u " but with the ^ above them; that is just the first 'incarnation'. I might as well use words like that, it is just too bizarre.
But apparently I am one of the first people to become aware of this; as far as I can see, there are hundreds of forums I have looked through, and many, many similar sounding symptoms discussed, but the 'spywareinfo' guy is the first direct mention of this situation I am in.

It has many hallmarks of the 98 and '99 Y2K IRC boot sector and BIOS boot block viruses, especially the FAT12 and FAT16 file system that it hides from XP and NTFS with.

But it is much more, with the capabilities of a ninja, that's all I can say, it seems to move about, and hide with impunity, and strike with deadly accuracy.
Ya, ya, I sound dramatic, but the other two people that mention this (there is the (@)(@) one, But 'satire? and Waiki..ki? whacky?) are sounding exactly like I did, Fuc*king scary.

I HAD a multi decompiler for hex, binary, VB and lots other, pretty sure C, and C+ etc, but that is long gone

I wrote zeroes to the drive all night and today, that is a process, and then, wouldn't you know it, unfuc****&KING real man, I cannot 8888^%$# believe it.

I am not kidding. I go to install XP on the all zeroes, and it starts to have trouble copying all the files from the disk, "can't copy file kernel32.dll" and "netdt.dll"; it's a minor thing.
So I used windex, and it can't read the disk, still, so I got Win2k EE.
I still have it; I was not on the net, I checked netstat, and it is all routed local.

I cannot even get an endpoint outside of my FUC*KING computer, after all that. It is hidden.

All the remote addresses in netstat show as "computername", same with the 'local address', and the local UDP.

The remote UDP addresses show as " *.* ' FFS.

And I DO get local port numbers; they are all or most for well known trojans and broadcasting, like netshow.

I looked at my fresh install, and it has a licence for netshow to transmit to 4 hundred thousand units, or some strange thing, I will double check. But you know, it is this kind of thing I am now at the point of researching, like licenses etc. It is just info, even if it is spoofed, it is something to look at.

I've tried ******* with the ini files etc, but when I go to save them, most of the time it says "Windows could not save this file, Folder or directory does not exist."

Windows/system/ does not exist.

It is all spoofed.

I wiped that drive clean, as far as I know, the BIOS has been flashed, the discs I use for install were burned last August.

I am even starting to wonder about the chipset etc (BIOS) on my video cards.


Un ******* believeable, I tell you.

I am going to copy this to (@)(@).

Okay, I am not moving it public over there, it is somewhat classified...:o)

Marketing strategy and stuff, we all like to cross thread over there. A very laid back, casual, but brilliant people there.
It is all good.

southplatte
05-20-2004, 01:44 AM
This thing sounds similar to something a friend of mine started experiencing about 2-3 weeks ago, and nothing he has done yet has worked. I just found out about it today.

Checked my system with netstat -a and found about 15-20 UDP ports to *:* strange....but my system so far is acting normally.

I did boot up my unix box running Solaris and ran a network sniffer/snooper and monitored the network traffic at my location here, and nothing out of the ordinary, and my connections are not showing any traffic. So either this thing hides itself even as traffic on the hardware, or I just happened to have a bunch of UDP ports going.

Either way, you guys with this crap hang in there. Has anyone contacted like Symantec or MS about this issue yet and seen if there is some resolution they are working on?

ronniethedodger
05-20-2004, 02:41 AM
Checked my system with netstat -a and found about 15-20 UDP ports to *:* strange....but my system so far is acting normally.


Yes, I have the same thing on mine also. It is probably a normal thing.



Okay, I am not moving it public over there, it is somewhat classified...:o)

Marketing strategy and stuff, we all like to cross thread over there. A very laid back, casual, but brilliant people there.
It is all good.

It is in the Advisors area Mik, not the Admin. You basically have the input from all of the combined expertise in this area anyway...moving it into the Public area will not help much. Think about it...hehehe. ;0)

mikmik
05-20-2004, 06:00 AM
It is in the Advisors area Mik, not the Admin. You basicly have the input from all of the combined expertise in this area anyway...moving it into the Public area will not help much. Think about it...hehehe. ;0)

Ya dodger, it is in the Administrators Privileged Only. And in the admin discussion, before, also. The area for the admins only, I think everyone was able to see my point.
Think about it, what do you think I am trying to do here?

Go try and shut off your udp ports, see if you can.

I can't

I cannot shut off spools service, I cannot shut off all kinds of routing, remote access logins, all kind of stuff, and you are not getting it.

I have all my TCP connections listed to local addresses. My computer 'name'.


I cannot set up a server, I just found the fake CMOS and BIOS files, and I now see for the first time in two months, proper remote IPs.


I see my 209.xxx.xxx.xxx in ipconfig for the first time.

I have always gotten 0.0.0.0 for DNS info.


You basically have the input from all of the combined expertise in this area anyway...moving it into the Public area will not help much.

well, I was actually thinking about all of the good info I got there being available for everyone else, my man.

That was my reason.

mikmik
05-20-2004, 06:25 AM
But thanks very much southplatte , everything seemed normal to me also, and I have done hundreds of hours of research now.
This is new, and it is deadly. If you have similarities to my files, it is not so sure good. Same with the settings.

The main ones I am concerned about are the TCP, but I have had 15 udp right after a "fresh" install, and today, tonight, after I got the fake BIOS and RAM files out, my whole computer started to work 'properly' and I had two.

I had a defunct onboard LAN, and I thought it was just a cheap hardware flaw, etc.
It works without a hitch.

I bought this board last year in about September, or October, and the NIC was gonzo within a month - I kept getting error code 28, every single time.

Till three hours ago.

I will get some better info here for people to check, and I will go over what is wrong in some of those logs.
I am so new to this depth of windows operation, I have perhaps not chosen the best examples at times, but this is not a fun place to be, and I have heard of people mocking me to others.

Something I don't do, not to friends.

It is tough, when you have a client relying on you, and you have to try to sound half-assed convincing in a bizarre situation, it is bad enough.
That is why I do not need people treating me like I have marbles loose, in this area.

I am dead serious about this stuff.

I teach many people about safe computer networking, and browsing, i am deeply protected when I go on the net, and it is my intention to help as much as possible.
I really, really appreciate all help and input.

Also, I would not be so sure, have you checked out all the ports, and the dll's that are using the UDP protocol. The local ports?
A fresh install should have two, windows time server is one I think, and it sure is not all over the map using known trojan, and bitstreaming ports. Well I shut down all unnecessary services, so don't quote me to that for your machine. I do not use IRC, IM, P2P, or anything, I am behind a NAT, and I close many ports manually, as well.

The problem is that some of the processes 'piggy back' on port 80 traffic (HTTP) and I manually check every single one of the processes, dlls, exe's, com's, services etc before I let it through my firewall.

There are so many shared through one dll, i.e. sys32 folder, svchost, it is hard to backtrack and get the exact process endpoint.
It shuts down the RPC service if I close the wrong handle, and I am forever having to abort shutdown command with the run box.

Believe me, you do not want this on your machine, not one little bit.
If you are not very knowledgeable, and comfortable digging around the inner recesses of windows, be careful. Please.

This is not to be taken lightly.

mikmik
05-20-2004, 07:48 AM
SpywareInfo Newsletter May 18 (http://www.spywareinfo.com/newsletter/archives/0504/18.php)


Nasty new parasite discovered

An Israeli programmer who hangs out in SpywareInfo's chat room has been tearing apart a new parasite recently. I don't know very many details about it but this is a very nasty little bugger.

There are two files loaded into memory and a third element involved which I don't want to discuss publicly. It is nearly impossible to force these files out of memory. If you remove any one or two elements, one of the other two will reload them into memory. While you can see these files running with a process manager, somehow they hide their files and parent directory from the operating system, making it difficult to find them on the hard drive.

If the infected computer is using the FAT32 file system, you can use a DOS window to enter the directory and find the files. Unfortunately, you cannot remove the parent directory (c:\windows\system32\f0r0r\) and the files are reinstalled as soon as the computer reboots.

The parasite might be capable of installing a backdoor server that could enable a remote attacker to use it to launch a SYN attack or to send spam. It also might operate as an IRC proxy, allowing someone to use it to hide their IP address while connecting to an IRC server. It also might include an RPC scanner to sniff for insecure and unpatched Windows machines.

This is a very clever piece of programming that someone spent a significant amount of time working on. It is nearly impossible to detect and nearly impossible to remove. How it installs is a mystery, for the moment. Possibly it infects unpatched Windows machines through one of the RPC flaws discovered recently in Microsoft Windows.

You can tell if your machine is infected if you can change to c:\windows\system32\f0r0r in a DOS or CMD window with this command: cd c:\windows\system32\f0r0r\ (that's a zero, not an "o"). If your hard drive is FAT32, you can boot into MS-DOS and delete the directory from outside of Windows and that should remove the infection (no guarantees here). To my knowledge, no antivirus or antispyware products detects this parasite.

If anything new is discovered, I'll let you know.

mikmik
05-20-2004, 09:08 AM
I logged my bootup, and all the stuff looks like it is loaded by overflowing buffers, and then substituting, or running unauthorized processes.
Here is just one instance, the log file is 42 Mb in size yiyiyiyi LOL


56: System:4 QueryValue HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ACPI\PNP0C02\4\ ClassGUID BUFOVRFLOW
57: System:4 QueryValue HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ACPI\PNP0C02\4\ ClassGUID SUCCESS "{4D36E97D-E325-11CE-BFC1-08002BE10318}"

Plug'n'play, I will have to look this up, but these are writes to the registry, and if I can trace the source of some of this, ...perhaps
Here is what happens, I THINK, when I am able to delete, or damage some of the ini files, lots of errors, and in the event logs also.

I am assuming it is due to being able to wipe the BIOS and CMOS fakes.
It happens when I have screwed with SAM - Security Accounts Management, there are about 20 ini files in there, and I just highlight large chunks of code and delete it, then save it.

I don't know, haha,
Course, sometimes Windows won't load next time, but I pretty much got some major files and reg keys not to touch...Hahahaha,
INXS - 'You're Unbelievable'

This is one audacious bit of work. :o)


134965: explorer.exe:1176 CloseKey HKCR\.lnk SUCCESS
134966: explorer.exe:1176 CloseKey HKCR\lnkfile SUCCESS
134967: explorer.exe:1176 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk NOTFOUND
134968: explorer.exe:1176 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk NOTFOUND
134969: explorer.exe:1176 QueryKey HKCU SUCCESS Name: \REGISTRY\USER\S-1-5-21-299502267-1454471165-839522115-1003_CLASSES
134970: explorer.exe:1176 OpenKey HKCU\.lnk NOTFOUND
134971: ccPxySvc.exe:1420 EnumerateValue HKLM\Software\Symantec\CommonClient\ j+jw5T4k9bONSGjeT+sNrUp/Ohlcl/midJ3xHg==\ yfh/u2qmzRyiil6TvlW5q95z8jjdzo3we3O8UQ==\ lyWco65ZRqJa2ZvIxJfHFofcaP9N02znEZdSGA==\ 24DcrNOOolEcEb2g0b1WwEf8qydOtOnTOkL7CHRaT9JIMvpQ\ KdmVZvZ78dgAXzD9BpnHwCrZCYvHdBLe+FfG3+Mdrj1bNovWv2UQikbjapY= SUCCESS A0 DB 87 EA 19 86 1B 37 ...
134972: explorer.exe:1176 OpenKey HKCU\txtfile NOTFOUND
134973: explorer.exe:1176 OpenKey HKCR\txtfile SUCCESS Access: 0x2000000
134974: explorer.exe:1176 QueryKey HKCR\txtfile SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile
134975: explorer.exe:1176 OpenKey HKCU\txtfile\CurVer NOTFOUND
134976: explorer.exe:1176 OpenKey HKCR\txtfile\CurVer NOTFOUND

Tried deleting that once, norton AV, saw 'Pxy', (proxy)...no more Symantec :o)
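An added example, not from the thread and not Sysinternals code: Regmon reports BUFOVRFLOW when a registry query is made with a buffer too small for the value, and a normal caller then repeats the same query with a larger buffer, which is the SUCCESS on the next line of the excerpt above. This helper pairs each BUFOVRFLOW with that retry so only overflows without a visible retry are left for manual review; the tab-separated export layout and the svchost.exe records are assumptions.

```python
"""Pair Regmon BUFOVRFLOW results with the retry that follows them (added example)."""
from dataclasses import dataclass

# Constructed sample in an assumed tab-separated Regmon export layout:
# seq, process:pid, operation, path, result, other.
# Records 56/57 mirror the pair quoted in the thread; 59/60 are constructed
# (hypothetical key) so that one overflow has no matching retry.
SAMPLE_REGMON = "\n".join([
    "56\tSystem:4\tQueryValue\tHKLM\\SYSTEM\\CURRENTCONTROLSET\\ENUM\\ACPI\\PNP0C02\\4\\ClassGUID\tBUFOVRFLOW\t",
    "57\tSystem:4\tQueryValue\tHKLM\\SYSTEM\\CURRENTCONTROLSET\\ENUM\\ACPI\\PNP0C02\\4\\ClassGUID\tSUCCESS\t\"{4D36E97D-E325-11CE-BFC1-08002BE10318}\"",
    "58\texplorer.exe:1176\tOpenKey\tHKCU\\.lnk\tNOTFOUND\t",
    "59\tsvchost.exe:900\tQueryValue\tHKLM\\SOFTWARE\\Example\\Hypothetical\\Setting\tBUFOVRFLOW\t",
    "60\tsvchost.exe:900\tCloseKey\tHKLM\\SOFTWARE\\Example\\Hypothetical\tSUCCESS\t",
])


@dataclass
class Record:
    seq: int
    process: str      # "image:pid" as Regmon prints it
    operation: str    # QueryValue, OpenKey, CloseKey, ...
    path: str
    result: str       # SUCCESS, NOTFOUND, BUFOVRFLOW, ...
    other: str        # data column, may be empty


def parse_regmon(text: str) -> list[Record]:
    """Parse tab-separated Regmon records; truncated lines are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 5:
            continue
        seq, proc, op, path, result = parts[:5]
        other = parts[5] if len(parts) > 5 else ""
        records.append(Record(int(seq.rstrip(":")), proc, op, path, result, other))
    return records


def pair_overflows(records: list[Record], window: int = 5):
    """For every BUFOVRFLOW, look ahead up to `window` records for the same process
    repeating the same operation on the same path with SUCCESS (the larger-buffer retry).
    Returns (matched pairs, overflows with no visible retry)."""
    matched, unmatched = [], []
    for i, rec in enumerate(records):
        if rec.result != "BUFOVRFLOW":
            continue
        retry = None
        for cand in records[i + 1:i + 1 + window]:
            same_query = (cand.process, cand.operation, cand.path) == (rec.process, rec.operation, rec.path)
            if same_query and cand.result == "SUCCESS":
                retry = cand
                break
        if retry is None:
            unmatched.append(rec)
        else:
            matched.append((rec, retry))
    return matched, unmatched


if __name__ == "__main__":
    recs = parse_regmon(SAMPLE_REGMON)
    pairs, leftovers = pair_overflows(recs)
    for first, second in pairs:
        print(f"retry pair: #{first.seq} -> #{second.seq} {first.process} {first.path}")
    for rec in leftovers:
        print(f"no retry seen within window, review by hand: #{rec.seq} {rec.process} {rec.path}")
```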

southplatte
05-20-2004, 10:23 AM
I will get some better info here for people to check, and I will go over what is wrong in some of those logs.
I am so new to this depth of windows operation, I have perhaps not chosen the best examples at times, but this is not a fun place to be, and I have heard of people mocking me to others.

Something I don't do, not to friends.


I think you have shared some extremely valuable information and examples throughout this whole situation you have been faced with. Plus the fact that you are trying to run a business during this time, you still keep posting on here and giving us heads up and feed back is definite grounds for a great job in progress.

As far as people mocking you, I think that is plain stupid. I hope you have not taken any thing I have said as mocking, as I am just trying to help and keep my eyes out for my machines here and observe your feedback to have a better understanding of what this thing does and what my machine has currently to know when things are different.

I think everyone should oughta admire your stamina through this plus the fact that you have been sharing the information with us so we have a bit of a heads up. If someone mocks you, they either already have the answers to the problem and don't want to share, or they don't have a clue about what you're going through.

All the best to you.

mikmik
05-20-2004, 10:44 AM
Thanks a million, southplatte, and I have felt nothing but support, you among the most.

No intention to suggest anyone here, it is not even forum stuff, just more behind the scenes and I was really feeling hurt about something last night.

Nononono never anyone here, I love this place, okay?

Thanks tons, southplatte, I mean it large :o)

I want to put us all on the map hahaha, solve this baby...If you want to give your friend my email, or anything, ...excellent!

ronniethedodger
05-20-2004, 04:14 PM
Ya dodger, it is in the Administrators Privileged Only. And in the admin discussion, before, also. The area for the admins only, I think everyone was able to see my point.
Think about it, what do you think I am trying to do here?

well, I was actually thinking about all of the good info I got there being available for everyone else, my man.

That was my reason.

Mik - I apologize deeply if my comments were offensive in any way. They were not meant to be. The area that the conversation is in provided a place for you to vent more openly without being restricted by public policies of the forum it is in.

It was moved from a less restrictive Admin area to another area which allowed a couple of other technical minded people to participate in. All pertinent information to your problem was in fact duplicated by me into this thread here at WebProWorld. All information extraneous to the problem was edited out.

To everyone - Some of Mik's comments were pretty "soul bearing" at times and they were made by Mik to a very tight group of individuals who surround him. Ordinarily, a lot of these comments (I feel) would not be made in public and are intermixed with the technical side of the situation. Thus my "think about it" remark.

I apologize if the comment was misconstrued as being demeaning to any of the people who are members of the other forum. It was not meant to be, but after reviewing my wording it does appear to come off that way.

mikmik
05-20-2004, 08:46 PM
Thanks dodger, my friend.

Like I say, I am the richest man in the world.
All is good when you have friends.

I have the best.

All else is just details...:o)

pete61uk
05-21-2004, 03:25 AM
Just surfaced from finishing my last assignment for the year. Only two exams left to go, on Monday, so for now I have to concentrate on revision.

Sorry I've not had time to observe in detail what you are going through, and I'm not going to pretend I understand much of what I've read but (for what it is worth) you have my full support.

One question that has arisen which, if you have already gone into I apologise but, if you have time to either point out the relevant page, resource or, perhaps, you could answer:

I'm running Win2K Pro and, looking at the taskmanager I'm wondering, "what suspect processes should I be looking for; what are necessary, essential at start-up, which can be safely terminated, and how?

Obviously, this has ramifications for both security and pc efficiency and will depend on software loaded which has to run in the background.

Apart from the processes you are currently documenting, perhaps, a list of processes to look for could be another "sticky" subject?

mikmik
05-21-2004, 07:59 AM
pete
Apart from the processes you are currently documenting, perhaps, a list of processes to look for could be another "sticky" subject?

BINGO

This is the first one that springs to mind.
I recall another, better source/resource, but not offhand.

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

Processes are created, or started, by the services, often the terms are used interchangeably, but this is not 100% correct to do this. Technically.

Threads and handles are created when processes run. Go to 'View/select columns', and check the boxes for 'threads' and 'handles'. (In taskmanager ;])

But you are right, pete61uk, many 'legit' services in my situation, are used to operate. It is 'buffer overflows' in these services listed in taskmanager that are exploited by Sasser, and all.

This software is the best I have ever seen or used.
http://sysinternals.com/

My number ONE weapon..

Process Explorer (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml)

That is the "Super Taskmanager" I refer to.

Excellent, excellent idea for a sticky, pete61uk.

I would love to take you and everyone through this.

mikmik
05-23-2004, 01:23 AM
Dodger, you have helped most of all.

I deeply appreciated your efforts, and that has kept me going.
I see your point above, finally - haha, and your offer to give even more help!

Thanks, man, I mean it.
Your brother, mikmik

ronniethedodger
05-23-2004, 01:55 AM
Ah shucks. Back atcha brother.

mikmik
06-10-2004, 09:54 PM
Now, I find out, I was right, and it was the 'wildly flashing' lights on my NIC that alerted me, well, the 'mushy' feel to my computer got me started..
http://www.wired.com/news/print/0,1294,59608,00.html
Don't Let Your PC Become a Porn Zombie (http://www.pcmag.com/article2/0,1759,1267402,00.asp)

More than a thousand Windows PCs were hijacked recently, unbeknownst to their owners, to send spam and distribute pornography. This was done via a Trojan known as Migmaf (migrant Mafia)

Grrrrrrrrrrrr.....

Ne0
06-19-2004, 08:08 PM
geez...
Well a day late it looks like...:))
Sorry mik mik I've been gone and just got back to the forums today...
Unfortunate too... cause I prolly could have helped you..:( but there's no use crying over spilt milk right? best thing to do is get a rag n start cleaning... well in this case I'd say lets prepare you for the next time you have a feeling that something is not right...;) one program that you absolutely must get is called Advanced Administrative tools.
The reason that your pc got pinched is this... in order to do the illegal things that the migmaf was doing they needed what is called a Wingate server... this makes it almost impossible to be traced even by the C.I.A. if you have enough doors! People usually look at me like I'm crazy when I talk about this but I find it very interesting so rather than going on and on... I'll just show you where to find everything that you want to know tutorials/ *clean*downloads (I have downloaded several apps from the site myself) Anyways Sorry bout what you went through MikMik :( And if you ever have any questions just email me and I'll add you in msn or whatever client you use;) but for now go and check out this site... Icefortress (http://www.icefortress.com)
Next time anyone gets something like this... one of my partners is offering a service where we can remotely take control of your system and just fix it for you ;)
Here's to you being back online mikmik
Cheerssssssssss,
NeO~1

Ne0
06-19-2004, 08:12 PM
Ok...
This is in response to someone in this
thread that asked about what apps should
be running in the task manager. This is
the best online resource that I've found
give it a read through Black Viper (http://www.blackviper.com/WinXP/xpprofiles.htm)
Hope that helps;)
L8 M8's
NeO~1

mikmik
06-19-2004, 08:27 PM
AA from G-Lock!

I always liked that one.

You want to know what I just have discovered?

Spybot S and D v1.3.

It is so wicked, I cannot begin to describe all the features, but it shows running processes, all the winsock drivers, BHO's, an excellent startup manager. And the info is detailed, like the sysinternals ProcessExplorer.

But, I'm here to say thanks to Ne~1. You don't go on the 'SpywareInfo' chat, do you? Or your buddy? There are some heavies on there that help, but they didn't get what I had off, and I may get in touch with you after the weekend. I still have some tricks up my sleeve, but I wrote all my data off last week, so I don't have much to lose now. Oh well, I am learning windows diagnostics pretty good :O)

There is some serious shit going on, eh?
These hidden fat16 virtual partitions scare me when they show up. Not to mention UPXes all over the place in the SYS32 folders. Yikes!

Later, and thanks. Much. :O)

trsiyengar
06-20-2004, 02:47 AM
NeO~1,

Thank you very much for the link. For the IT professionals, it may not be much but for a lay man like me, it is definitely a great thing. Mike has helped me in many ways; though my computer is now in good shape and working fine, still I need to take a lot of precautions to keep going. I find it is interesting to learn more from this forum discussions. And this security watch thread supports all that I wanted to know!

mikmik
06-20-2004, 09:09 AM
Through our support service we often come across problems caused primarily by programs running in the background, programs which in most cases start at the same time as Windows. Sometimes these programs are useful and need to be there; quite often, however, they are not needed, and in too many cases they cause severe problems, and this includes some Microsoft "Services" !

The pages below are from our in-house database and provide guidance on the usefulness or not of these programs and services, and removal procedures when recommended.

answersthatwork (http://www.answersthatwork.com/Tasklist_pages/tasklist.htm)

Between Black Viper, and this place, you can learn much about what is going on with Windows. I like this alphabetized pages, each is quick to search and find out what IS THAT? in your taskmanager.

Ne0
06-22-2004, 03:12 AM
I'm glad that you found black viper helpful...did you find that atguard firewall on icefortress (http://www.icefortress.com)? I see it this way learning to protect your computer is just good business smarts! I came into webdesign from the other side... hacking first making lame booter programs etc... (this was 7 yrs ago!) But now I am glad that I have the knowledge that I do... when you really break it down and think about it... it's SEX ED for your business... when you get a virus because you didn't know how to protect yourself you not only end up, usually losing a ton of data, but also you let down clients... and look unprofessional in the process. But with the right protection LOL we can stop these kinds of things happening to us. Lets face it... it's just like A.I.D.S. it's going to happen to someone... just don't let it be you!
ok I really need to sleep!
L8 M8's
NeO~1

ambrandt
07-29-2004, 06:56 PM
Hey guys (and gals)!

I heard about MikMik's plight from one of the guys in SpyWareInfo's chatroom and have been wracking my brains trying to think of something that hasn't been tried yet... and I think I came up with a couple things:

1) Download the BIOS (latest update) from the manufacturer's site and install that (disable or pull all the cards and hardware you can before doing this and disconnect from the 'net)
2) FDisk the master boot record ignoring any errors it tells you (not sure if this is possible on an NTFS disk... if it's not possible on NTFS, format again and install Win9X and in DOS-mode, type 'fdisk /mbr' at a prompt)
3) Install a *Nix system and make sure it formats the harddrive as one whole partition (set it up, dink around in *Nix for a bit, then reinstall Windows and see if it's gone)

Of course, the above would only be worth while if the problem is still there.

Something else worth considering is saving the harddrive as-is and sending it to a software engineer to tear apart and get the virus off it and analyzed.

I would be interested in taking a looksie at a HiJackThis logfile from this computer (either here or e-mailed to me or something). Sounds nasty, whatever it is!

Keep us updated on it if possible, MikMik! Wish ya luck with it.

mikmik
07-29-2004, 10:59 PM
Hi, ambrandt!

I have done all of the above, and more including using a disk editor and writing hex straight onto the harddrive - while windows was running!

I have also used the disk utilities from Western Digital and Maxtor to do complete low level formats, plus used 'Killdisk' to low level format over the first one from the HD utilities. Killdisk is also a hex reader, and I can double check that the boot sector is zeroed right to the beginning "0 0 0", but invariably, on reboot, it shows as "1 1 63" as the start for the MBR. This very last quote is from memory, it may be "1 0 63" or "1 1 64" for the cylinders and heads. (I have several screenshots of my boot sectors in hex and text view.)

I have flashed the BIOS numerous times like you say to, and pulled the CMOS battery first, etc., etc.

This has all the markings of a CMOS invasion, very akin to Win2K viruses on win95/98 machines, and in fact, I have found numerous fat12 and fat16 partitions appearing on my harddrive (bootitNG and other partition readers) with volume names in binary.

I have tried the fdisk/mbr, and also booted to the command prompt and used fixboot and fixmbr.
I have even done that during a fresh install, every reboot, and the command always returns that my MBR is damaged or corrupted...this being right after the install files have loaded ONLY (the first reboot) and also before 'Run windows for the first time' stuff, without being connected to the internet of course, and even with no networking installed...supposedly.


This thing is past nasty, I have all sorts of files and logs, and there have been thousands of buffer overflows happen in front of my eyes while I monitored the registry activity, mostly to the lsass module, but svchost as well. It is tightly integrated into the windows kernel, but I can tell it is there before post is finished - long before I even get to the point of any OS loading drivers.

I have load order logs of my startups, security accounts manager logs, etc.

The scariest aspect is that when I have used sysinternals like 'Processexplorer' to kill handles that are making the interrupts and buffer overflow to SAM (lsass) and impersonating and escalating user privileges, I have returned to use the 'Process explorer' and gotten "access denied", "not enough privileges to run - will launch in read only permission", and even had the file made hidden on me.

This is more than auto-pilot by some stealth trojan, I assume.

I will go sign into SPI forums shortly and we can look at and do things for your specific queries (yikes, registry jargon! lol).

Meanwhile, I will do a quick Hijackthis run.

There is much, much, more to tell about Norton AV and Internet Security events, port info, esp UDP and ...lot's.

Thank you so very, very much for your interest!

mikmik
07-29-2004, 11:14 PM
Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 7:52:05 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
E:\Program Files\RunsFrom\HoverSnap_v08\HoverSnap.exe
C:\Documents and Settings\a0mikmik\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/a0mikmik/Desktop/FFJuly26bookmarks.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] c:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: WinMySQLadmin.lnk.disabled
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38194.2582986111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
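An added example, not part of the thread and not HijackThis code: a small parser for the R0/O2/O4/O16 lines of a HijackThis 1.x log like the one above, with three defender checks a reviewer would apply to it (Run values that launch an unqualified file name, BHOs with no registered name, and DPF downloads from hosts outside an allowlist). The allowlist and the sample lines are constructed from the posted log; the regexes assume the line layouts shown there.

```python
"""Triage checks for HijackThis v1.x log lines (added example, not HijackThis's own code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the lines posted above, in their original layout.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/a0mikmik/Desktop/FFJuly26bookmarks.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: WinMySQLadmin.lnk.disabled
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38194.2582986111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Line layouts as they appear in the log above (assumed to hold for the whole 1.x family).
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
RE_R0 = re.compile(r"^R0 - (?P<key>.*?),(?P<value>[^=]*?)\s*=\s*(?P<data>.*)$")

# Assumption: hosts this reviewer accepts for O16 ActiveX downloads. Seeded with the two
# vendor hosts in the posted log; extend it for your own environment.
TRUSTED_DPF_HOSTS = {"v4.windowsupdate.microsoft.com", "download.macromedia.com"}


@dataclass
class Entry:
    section: str   # "O2", "O4", "O16", "R0" or "other" (unparsed but kept)
    raw: str
    fields: dict


@dataclass
class Finding:
    reason: str
    entry: Entry


def parse_line(line: str) -> Entry:
    line = line.rstrip()
    for section, rx in (("O2", RE_O2), ("O4", RE_O4), ("O16", RE_O16), ("R0", RE_R0)):
        m = rx.match(line)
        if m:
            return Entry(section, line, m.groupdict())
    return Entry("other", line, {})


def parse_log(text: str) -> list[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def executable_of(cmd: str) -> str:
    """First token of a Run-key command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the three review checks; the result is a worklist, not a verdict."""
    findings = []
    for e in entries:
        if e.section == "O4":
            exe = executable_of(e.fields["cmd"])
            # A bare file name is resolved through the search path at logon, so the
            # binary that actually runs depends on which directory is searched first.
            if not any(c in exe for c in ("\\", "/", ":")):
                findings.append(Finding("Run value launches an unqualified file name; "
                                        "confirm which binary is actually resolved", e))
        elif e.section == "O2" and e.fields["name"] == "(no name)":
            findings.append(Finding("BHO without a registered name; identify it by CLSID and module path", e))
        elif e.section == "O16":
            host = urlparse(e.fields["url"]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(f"ActiveX control downloaded from host {host!r} outside the allowlist", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.entry.section}] {f.reason}\n    {f.entry.raw}")
```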

jawn_tech
08-24-2004, 10:01 AM
OMG.

I'm really late getting to this topic, but...

That was scary to read. Like a documentary of horror.

Reading this was like a Blair Witch Project. It scared me until I almost peed myself.

I can relate, I'm trying to get rid of a stubborn spyware. But nothing like this.

Rooting for ya, mikmik.

jawn_tech
08-24-2004, 10:04 AM
oops accidentally posted twice...how do I remove this. moderator, help pls...

mikmik
08-24-2004, 07:31 PM
That's okay, it adds to your post total (mine are not all legitimate LOL)

Thanks for the good wishes, I bought a new motherboard and all is well, but with the better motherboard, I was able to see when my MBR was being overwritten, and the malware looks like I may have it on all my install disks. I made backup copies last August! (2003) and there were a few suspicious goings on then, however, I could not find anything on my install disks, and all scans show them clean. I even used the XP to install on another machine (to check, earlier) and it was all kosher. Go figure!

ronniethedodger
08-24-2004, 07:38 PM
That's okay, it adds to your post total (mine are not all legitimate LOL)

You gotta love that honesty.

Since I am here, might as well contribute my HiJackThis log too.

Here goes ....

AT=0
[Carrier dropped]

mikmik
08-24-2004, 08:52 PM
Say again?

mikmik
08-24-2004, 08:53 PM
I mean, this is what you put, right?

mikmik
08-24-2004, 08:54 PM
Ooops!
Forgot this haha
AT=0
[Carrier dropped]
That's what U meant, right?

ronniethedodger
08-24-2004, 09:31 PM
=)