A hacker or am I just hallucinating...



seboyd2000
05-09-2004, 02:07 PM
I have a problem on my computer with “User Preferences”. I set them the way I want them, but they keep changing. No one else uses my computer. I size my windows for my drives and other folders to open in a certain place and size on my computer screen, then click re***** and close them and immediately reopen them to check that they are like I put them. I’ve set the file detail views as I like them, then when I open the same windows, like drive C or Drive D window, say a few hours later, and have never shut down my computer, they have changed size, location, or file detail view. I also see certain programs change things in them too, which Windows has no control over. It really acts like a HACKER has come on my computer and made these little changes while I’m online or has put a Trojan on my computer to gain access, even though I’ve scanned many times using: Spybot, PestPatrol, SpywareBlaster, SpywareGuard, MRU-Blaster, Anti-Trojan, Trojan Hunter, Bazooka, The Cleaner, and have run several virus scans. Everything comes up clean. I run Peerguardian, Protowall, VirusScan, PestPatrol, Port Monitoring, and a sound firewall while online. My firewall will not let anything happen as far as program actions, or online accesses, unless I approve them (Tiny Personal Firewall 5.5). I consider myself to be an advanced user. I’ve visually searched Windows… System and System32 folders for Trojan files. I run port scanning software to view my port actions and all programs running, while I’m online. I’ve been to “Shields Up” to check open ports, and checked my firewall here: http://www.pcstadt.com/pc-security.html (right column good port & firewall checks), everything is Stealthed and good. Ports **5, *025, 5000, and all the rest are closed and stealthed. I ran Microsoft Security Analyzer, and it said I had * shares, but when I went into the computer to change it, it wouldn’t let me change the settings by Right Clicking.
My computer is an Xp2700 running the WinXp pro, with the latest updates. At computer start up I always run Privacy Eraser Pro, which totally cleans my cache, trash can, and many other folders of excess crapola. Is it because of all the programs above that maybe they are stripping my set preferences somehow, because I clean my computer so well, but that doesn’t make sense because it happens while I’m using my computer to work or browse the internet. Is WinXp just an Unstable OS?
When I monitor programs running while online using port scanning software I see: svchost.exe*564, svchost.exe*720, lsass.exe**88, System:4, alg.exe*60, (using either TCP & UDP protocols) but these online processes are LISTENING… Also I do not use MsMessenger, but sometimes I will see it has been activated and is running, but the icon is not in the system tray, nor does the WINDOWS TASK MANAGER show it’s running. I can only see this using my port monitoring program, either TCPview or DiamondCS Port Explorer. These port programs will let me kill that process immediately. I also think I’ll uninstall the MsMessenger, because I never use it and it’s not set to auto open at start-up, and should never be running, but it can’t be uninstalled by the Control Panel… So I used this: http://grc.com/stm/shootthemessenger.htm but the Msmsgs.exe will still be running sometimes, I think this is an open door to hackers… I also have filtered every program at start with my Tiny Firewall. I’ve heard of Trojans that allow people to get on your computer and make these little changes, but have never experienced it, until now, maybe. Any ideas….. thanks

seboyd2000
05-09-2004, 03:22 PM
If you have service pack one installed you can do it this way.
1. Open Control Panel from the Start menu.
2. Choose Add or Remove Programs.
3. Select Add/Remove Windows Components.
4. Click to remove the checkmark next to "Windows Messenger".
5. Click the Next button.
6. Click the Finish button.
7. Restart your computer.
Then go to the Program Files folder and delete the Messenger folder.

Unregistered
05-10-2004, 06:33 PM
Well, as you probably may know, you have the famous "Sasser" virus.

Because you said:
> When I monitor programs running while online using port scanning software I see: svchost.exe*564, svchost.exe*720, lsass.exe**88,

Look at the "lsass.exe" part!

More info can be found at http://securityresponse.symantec.com/avcenter/venc/data/w*2.sasser.e.worm.html

Sorry for any mistakes, but English is not my native language!
Greetings from Lisbon (Portugal)
Paulo

_____________________
You can mail me at:
hotmail[remove.this.part.including.brackets]@tugamail.com

Unregistered
05-11-2004, 06:05 PM
You don't need XP.

Use Win98SE.

Unregistered
05-12-2004, 07:53 AM
notice how lsass is actually a system process anyway..

lasasss is the sasser process name, try reading first.

Unregistered
05-12-2004, 05:31 PM
You seem savvy enough to understand the TCP/IP protocol connection to underlying applications, so consider using a host based IDS (Intrusion Detection System) and enable the auto blocking and application monitoring functions. Also periodically change your IP address if you can help it. Also disable NetBIOS over TCP/IP in network settings.

seboyd2000
05-12-2004, 07:02 PM
Maybe you read the programs that I listed above wrong.
I don't have the Sasser worm. I listed LSASS.EXE, not LSAS.EXE. I don't want people to get confused by your response to my post, because you need the LSASS.EXE system file.

Don't confuse LSAS.EXE (worm/backdoor) with LSASS.EXE (system file)!

ARTICLE
----------------------------------
LOCAL SECURITY AUTHORITY (Netlogon Service) used during logons to your box basically is what my understanding of it is, & pretty central to the WHOLE security show there, Kerberos & all now in there, notwithstanding:

"Local Security Authentication Server (LSASS.EXE). This is the LSA server. During user authentication, the WINLOGIN process will interact with the LSASS process. LSASS implements the user space part of the authentication procedure for accessing objects, interacting with the Executive Security Reference Monitor mechanism."

* This is another reason why I suggest ONLY allowing user access granted to the Administrator on folders, especially SYSTEM32, in the security guide for NT based OSs that is the last line of my signature... to BOTH the filesystem & the registry! Setting yourself up to only allow * max logon failures also, for instance, in your auditing & security can halt this as well against Dictionary/Brute force hacks. You can't disable this Netlogon service, but you can set it to manual too if you like.

more.....

http://www.ntcompatible.com/thread*8252-*.html

===================

A Description of Svchost.exe in Windows XP

http://support.microsoft.com/default.aspx?scid=kb;EN-US;**4056

Jen
05-26-2004, 05:49 PM
Originally posted by Unregistered
> Well, as you probably may know, you have the famous "Sasser" virus.
>
> Because you said:
> > When I monitor programs running while online using port scanning software I see: svchost.exe*564, svchost.exe*720, lsass.exe**88,
>
> Look at the "lsass.exe" part!


hehe well no you may not, lsass.exe is Local Security Authority Service, is responsible for authenticating users for the Winlogon service. ;)

Unregistered
05-30-2004, 04:49 PM
I have 2 e-mail addresses. On * I have been receiving virus infected files from the other *. Also on the e-mail address which sent my other one a virus, there is a report of a failed delivery of a virus to an e-mail address I do not recognise. Has someone hacked into my e-mail address?

Guest
06-23-2004, 05:23 PM
Well, no one says WIN_XP is too stable, but it works. You say you are an advanced user? It may just be the case, especially if we consider advancing BACKWARDS.

BTW, you don't need THAT many firewall/antivirus/intrusion_detection/etc programs. Kill most of them and you will feel better.

DELiRiOS
06-28-2004, 06:45 PM
Oh come now... You seem extremely security conscious et al., and in that respect an advanced computer user, but your philosophy is somewhat akin to the carpenter who has only a hammer, and thus only sees (or can use) nails...

No one is hacking your machine and making tiny changes, and though it's somewhat exciting to rule that in, ruling it in as the MAIN possibility, and doing all that you're doing is a little over-kill.

I'm sure that somewhere it's just re-loading a setting from somewhere else... Read a registry book, or check on jsiinc, they've got a pretty expansive collection of hacks & weird little solutions...

- BTW - Guy #2, you're not getting hacked either...

BTW 2 - lsas & lsasss are the bad files... You need lsass... dig?
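The point made in the two posts above (the legitimate image is lsass.exe in System32; lsas.exe or lsasss.exe are look-alikes) is a check that can be automated over the process table a tool like TCPView or Port Explorer shows. This is an added example, not code from the thread or from either tool; the expected-directory table and the sample rows are assumptions constructed for the demo.

```python
import ntpath

# Assumption: where each image the thread mentions lives on a default
# Windows XP install (lower-cased for comparison).
EXPECTED_DIR = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "alg.exe": r"c:\windows\system32",
    "msmsgs.exe": r"c:\program files\messenger",
}

def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_process(name, image_path):
    """Return 'ok', 'wrong-path', 'lookalike:<legit name>' or 'unknown'.

    A look-alike is a name within two edits of a known system image
    (lsas.exe, lsasss.exe) that is not that image itself."""
    name = name.lower()
    folder = ntpath.dirname(ntpath.normpath(image_path.lower()))
    if name in EXPECTED_DIR:
        # Right name: still insist it runs from the expected directory.
        return "ok" if folder == EXPECTED_DIR[name] else "wrong-path"
    closest = min(EXPECTED_DIR, key=lambda legit: levenshtein(name, legit))
    if levenshtein(name, closest) <= 2:
        return "lookalike:" + closest
    return "unknown"

def audit(process_table):
    """process_table: (pid, image name, full image path) rows as copied
    from a port monitor. Returns {pid: verdict}."""
    return {pid: classify_process(name, path) for pid, name, path in process_table}

# Constructed sample rows (not the poster's real process list).
SAMPLE_TABLE = [
    (1564, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (1188, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    (4, "System", ""),
    (2040, "lsas.exe", r"C:\WINDOWS\system32\lsas.exe"),
    (2044, "lsass.exe", r"C:\WINDOWS\lsass.exe"),
    (2100, "msmsgs.exe", r"C:\Program Files\Messenger\msmsgs.exe"),
]

if __name__ == "__main__":
    for pid, verdict in audit(SAMPLE_TABLE).items():
        print(pid, verdict)
```

The name check alone is not proof either way; a wrong directory for a correct name is the stronger signal, which is why the two cases are reported separately.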