Isass.exe ?

Discussion in 'Port Explorer' started by Tracccker178, May 17, 2005.

Thread Status:
Not open for further replies.
  1. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    Could somebody tell me if an attack is being waged against Isass.exe?
    Port Explorer is detecting a remote 255.255.255.255 and the data
    that is being sent is my machine name and MSFT 5.07. The only reference
    that I can find is Microsoft stocks after doing a search on MSFT 5.07.
    Microsoft has hijacked my browser several times and destroyed one
    connection (why would they do that?). I'm not trying to say that Microsoft
    actually did that, but something along the way caused the problem. I
    know MS wouldn't do such things as hijacking or creating trojans or worms
    or spyware or adware or malware. It seems kind of funny that the data
    being sent out has a Microsoft imprint in the sand.
     
    Last edited: May 17, 2005
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are you sure it is Isass and not Lsass?

    isass - isass.exe - Process Information
    Process File: isass or isass.exe
    Process Name: Optix.Pro virus

    Description:
    isass.exe is registered as the Optix.Pro virus which carries in its payload the ability to disable firewalls and local security protections, and a backdoor capability.

    Author: n/a
    Part Of: Optix.Pro virus

    System Process: No
    Background Process: No
    Uses Network: No
    Hardware Related: No
    Common Errors: N/A
    Memory Usage: N/A ( Free Up Memory )

    Security Risk (0-5): 4
    Spyware: No ( Remove )
    Adware: No ( Remove )
    Virus: No ( Remove )
    Trojan: Yes ( Remove )


    I think this explains it all, and cleaning is needed!
    With Port Explorer, disable the process immediately and start cleansing.
     
  3. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    Hey Jooske, you were right, it is Lsass.exe (LSA Export Version). My mistake.
    When you advise somebody to kill that process, don't leave out the fact
    that the file is needed to keep the computer on. All you will do is keep
    them on restart because the file is a necessary system component. The file
    that I meant was ndisuio.sys. This is the file that keeps sending out the
    data. Is this normal activity? My antivirus does not detect anything and
    since it is a trojan neither does TDS-3. By the way, I have Norton AV2005.
    The data part is sniffed by PE and it is a steady 302 bytes of info.
    MSFT might mean Microsoft File Transfer.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    ndisuio - ndisuio.sys - Process Information
    Process File: ndisuio or ndisuio.sys
    Process Name: NDIS User Mode I/O (NDISUIO) NDIS protocol driver

    Description:
    ndisuio.sys is a process belonging to the NDIS User Mode I/O (NDISUIO) NDIS protocol driver which offers support for wireless devices such as Bluetooth and the like. This program is important for the stable and secure running of your computer and should not be terminated.

    Author: Microsoft
    Part Of: Microsoft Windows Operating System

    System Process: Yes
    Background Process: Yes
    Uses Network: No
    Hardware Related: No
    Common Errors: N/A
    Memory Usage: N/A ( Free Up Memory )

    Security Risk (0-5): 0
    Spyware: No ( Remove )
    Adware: No ( Remove )
    Virus: No ( Remove )
    Trojan: No ( Remove )

    More here with links:
    http://castlecops.com/t119035-ndisuio_sys_question.html
     
  5. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    Thank you Jooske for the quick reply that you gave. I still have the same
    problem with the 302 bytes of data being sent out to a remote address
    255.255.255.255. Is this normal, and if it isn't, how do I get it to stop?
    After doing some checking I found evidence of someone hacking this machine.
    I found an unknown account that somebody had set up and also gave a
    reference to a workstation handle. I found all this with Process Explorer
    which by the way is a very good product in combination with Port Explorer.
    With those 2 you can't go wrong. ;)
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The 255.255.255.255 is a broadcast address. Do you have any more details, protocol, ports involved?

    Regards,

    CrazyM
     
  7. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    This is exactly what I get, and if I enable "stop sending data" in Port Explorer
    for that process it all turns to zeroes. The addresses, that is. Is this normal
    activity? I think there might be a new exploit in the .NET Framework by
    the csrss.exe file. There is a handle in that file that keeps acquiring an
    Account Unknown with unlimited permissions
    (WindowStation \Windows\WindowStations\WinSta0) is that handle. I have
    been told by a pro that this machine is being hacked.
     

  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Code:
    ------------------------------------------------------------------------------------------------------------|
    |         DATE        |ACTION | PRO |   Local Address:Port | Remote Address:Port  | Status | Bytes | Process
    ------------------------------------------------------------------------------------------------------------|
    04/06/2005 18:21:10pm   OPEN    UDP        0.0.0.0:0              0.0.0.0:0        Success     0    C:\WINDOWS\System32\svchost.exe:1112
    04/06/2005 18:21:10pm   SEND    UDP       0.0.0.0:68         255.255.255.255:67    Success    302   C:\WINDOWS\System32\svchost.exe:1112 United States
    04/06/2005 18:21:13pm   SEND    UDP       0.0.0.0:68         255.255.255.255:67    Success    302   C:\WINDOWS\System32\svchost.exe:1112 United States
    04/06/2005 18:21:22pm   SEND    UDP       0.0.0.0:68         255.255.255.255:67    Success    302   C:\WINDOWS\System32\svchost.exe:1112 United States
    04/06/2005 18:21:37pm   SEND    UDP       0.0.0.0:68         255.255.255.255:67    Success    302   C:\WINDOWS\System32\svchost.exe:1112 United States
    
    This is the log to ease reading it.
    Those port numbers give in Port Explorer > Utilities > Lookup > Port to service:
    port 68: BOOTPC - Bootstrap Protocol Client (RFC 951)
    port 67: BOOTPS - Bootstrap Protocol Server (RFC 951)
    port 1112: RAT: Rths
    So are you in a network?
    If that 1112 is a port number of course, did you right-click and see in the whatis of that process any more information?
    Are you able to have the socketspy looking at the packets sent?
    Are you having a running process rhts.exe? Kill it.
    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073057
    If it's there, TDS should have found it for you. Make sure you have all access for TDS to all files and try to locate the file. If TDS doesn't see it, zip and submit it to the email address in my signature.

    Some more on it, could it be DHCP at work?
    Do you only see SEND, never a RECEIVED and Open and CLOSED in your logs?

    I saw some mentioning here http://216.239.59.104/search?q=cach...help.org/detail-562271.html "MSFT 5.07"&hl=nl
    and excerpts from Hacking Exposed almost at the bottom of this excerpt about the DHCP:
    http://searchsecurity.techtarget.com/searchSecurity/downloads/Hacking_Exposed.pdf
    Think the whole book is available via the DiamondCS bookshoppe.
     
    Last edited: Jun 5, 2005
  9. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    From the log you posted this looks like normal DHCP traffic, nothing to worry about, and no need to stop it sending data in PE. The 1112 is the PID (Process Identifier) for svchost.exe.

    Regards,

    CrazyM
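    To make CrazyM's reading of the log concrete, here is an added example (written for this thread, not Port Explorer or DiamondCS code) that parses the quoted Port Explorer lines, flags the UDP 68 -> 255.255.255.255:67 pattern as a DHCP client broadcast, and shows that the number after svchost.exe is a PID. It then builds and decodes a constructed DHCPDISCOVER whose vendor class identifier (option 60) is the "MSFT 5.07" string the original poster saw next to the machine name (option 12); the MAC address, hostname and transaction id in it are made-up values.

```python
"""Added example (not Port Explorer or DiamondCS code): read the Port Explorer
log lines quoted in this thread, recognise the DHCP client broadcast pattern,
and decode a constructed DHCPDISCOVER that carries a vendor class of "MSFT 5.07".
"""
import re
import struct

# Constructed copy of the log lines quoted in the thread (backslashes doubled for Python).
PE_LOG = """\
04/06/2005 18:21:10pm   OPEN    UDP        0.0.0.0:0              0.0.0.0:0        Success     0    C:\\WINDOWS\\System32\\svchost.exe:1112
04/06/2005 18:21:10pm   SEND    UDP       0.0.0.0:68         255.255.255.255:67    Success    302   C:\\WINDOWS\\System32\\svchost.exe:1112 United States
04/06/2005 18:21:13pm   SEND    UDP       0.0.0.0:68         255.255.255.255:67    Success    302   C:\\WINDOWS\\System32\\svchost.exe:1112 United States
"""

# One log line: date, action, protocol, local ip:port, remote ip:port, status,
# byte count, then the process path followed by ":<PID>" (a PID, not a port).
LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<lip>[\d.]+):(?P<lport>\d+)\s+(?P<rip>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<status>\w+)\s+(?P<bytes>\d+)\s+(?P<proc>\S+?):(?P<pid>\d+)"
)


def parse_pe_log(text):
    """Return one dict per parsable log line, with numeric fields as ints."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("lport", "rport", "bytes", "pid"):
            d[key] = int(d[key])
        entries.append(d)
    return entries


def classify(entry):
    """Label a log entry. UDP 68 -> 255.255.255.255:67 is the BOOTP/DHCP client
    talking to the limited-broadcast address, which is how a client that has
    no lease yet (source 0.0.0.0) looks for a server."""
    if (entry["proto"] == "UDP" and entry["lport"] == 68
            and entry["rport"] == 67 and entry["rip"] == "255.255.255.255"):
        return "dhcp-client-broadcast"
    if entry["action"] == "OPEN":
        return "socket-open"
    return "other"


MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 options marker after the BOOTP header
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_discover(mac, hostname, vendor_class="MSFT 5.07", xid=0x3903F326):
    """Build a DHCPDISCOVER (RFC 2131 layout). The MAC, hostname and xid are
    constructed values; the vendor class string is the one seen in the thread."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,               # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,           # transaction id, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)   # chaddr, sname, file
    options = (
        bytes([53, 1, 1])                                         # message type: DISCOVER
        + bytes([61, 7, 1]) + mac                                 # client identifier
        + bytes([12, len(hostname)]) + hostname.encode()          # host name
        + bytes([60, len(vendor_class)]) + vendor_class.encode()  # vendor class id
        + bytes([55, 4, 1, 3, 6, 15])                             # parameter request list
        + bytes([255]))                                           # end
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Decode the fields a defender wants when checking a 'mystery' broadcast."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": "BOOTREQUEST" if packet[0] == 1 else "BOOTREPLY",
        "xid": struct.unpack("!I", packet[4:8])[0],
        "chaddr": ":".join(f"{b:02x}" for b in packet[28:28 + hlen]),
        "message_type": MESSAGE_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN"),
        "hostname": options.get(12, b"").decode(errors="replace"),
        "vendor_class": options.get(60, b"").decode(errors="replace"),
    }


if __name__ == "__main__":
    for e in parse_pe_log(PE_LOG):
        print(e["date"], e["action"], classify(e), "pid", e["pid"])
    pkt = build_discover(b"\x00\x11\x22\x33\x44\x55", "CONSTRUCTED-PC")
    print(len(pkt), "bytes:", parse_dhcp(pkt))
```

    The fixed BOOTP header plus magic cookie is always 240 bytes; everything after it is options, so the steady 302-byte size in the log is just a client sending the same option set each time. A real capture from the Socket Spy can be fed to parse_dhcp() the same way to confirm which host name and vendor class are leaving the machine.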
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sorry about the 1112 thing, I was fooled by the missing - in front of it and translated it into a port where it was an innocent Process ID.
    On Win98SE it has the -, on XP not.

    Anyway I was at least right with the DHCP part and gave you a nice read :ninja:
     
  11. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    Thanks for your help and I will not worry about it for now since it is normal
    traffic in my machine. I did find 2 files that I can't seem to remove with
    any kind of scanners at all (a demo doesn't remove things):
    CdrPDF.PDFEngine (SexNow Dialer) and
    Spyware.Sa_PCSpy.b, and one more that doesn't look right:
    vb5stkit.dll
    Thanks all, and Jooske, I will post a new thread in PE about the hack find. It
    was by chance that I found it and it was your advice that put me on the right
    track with those links that led me to that other software. :D :D :D :D :D
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did I post this link for you somewhere before?
    https://www.wilderssecurity.com/showthread.php?t=50662
    You can start with closing all scanners and having TDS (fully updated) do a complete full system scan,
    cleansing out all the finds, submitting suspicious alerts, killing bad processes before you'll be able to delete them, etc.,
    then reboot into safe mode and do it all again.
    Now, to avoid anything bad still being around, do the whole cleansing program.
    And please keep us informed how it goes, about your finds, till we are all convinced your system is really clean.
     
  13. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    Hi Jooske,

    I posted a thread in Port Explorer that will tell you some
    of the things that are going on in this machine. Everything seems to be quiet
    for now. Still haven't been able to figure out how they are getting in to change the settings in the services and re-establishing the unknown account.
    I used the rootkit scanners and everything is clean, along with all the other
    scans. I suspect a new generation of hackers that are smarter, leaning
    on possibly being genius. I have been looking at the programming in some
    of the files and have found the letters MZ at the start of the text. The only
    reference that I can find is an alternate data stream named MZ.exe that
    is 88 bytes long. Every time I run into this trouble those stupid ADS attachments show up. It really doesn't add up. Look for account unknown.
    :-*
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are you clean now at the moment or not?
    Do you know which applications are involved in the hacking or not?
    Are you able to get rid of the malicious software? Did you locate it, clean out with the whole cleansing procedure, close ports extra tight with every means, create logs, HijackThis log, Autostart Viewer log, etc.?
    Zip and submit the malware.
    Have you set TDS with the sockets to protect certain ports and thus force your possible hacker to use other ports, set your firewall to block the domains they might be using, etc. etc.?
    Have you set your system for the account unknown to allow nothing, no traffic nor any action, etc. etc.?
    In which files do you find the ADS streams? Submit them.
    Did you make an actual HijackThis log? Did you post that log on the CastleCops forum for instance for more cleansing advice?
    Did you block access in Port Explorer to/from the application when hacked?
    Did you install Process Guard to guard your system files (only useful on a clean system) and RegDefend to protect your registry from all new additions and changes without your knowledge?
    Did you check your HOSTS file for additions?
     
  15. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    Hi Jooske,

    I am all quiet for now. I went and did all that you told me
    to do and found that SQL Server 2000 had been installed and then uninstalled
    on this machine. The way I found those uninstall files that were left behind
    is I looked in my Program Files folder for anything that looked funny.
    C:\Program Files\Common Files\Microsoft Shared\Database Replication
    REPLREC.DLL is one of the files that I looked into. I called a tech and she
    told me that the server was not for the normal home user. I don't even
    own the SQL Server 2000 install disks and I have never set up a server on
    this machine. Thanks for all the help; you led me to a lot of good programs. THANKS :D :D :D :cool:
     
  16. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    I think I need to explain that I'm not trying to imply that Microsoft is
    in the hacking business or trying to leave a way into everybody's computers.
    Microsoft would not do illegal things because they are in business to make
    money and breaking the law would be counterproductive. ;) ;) ;)
     
  17. antonio1

    antonio1 Guest

    Hi guys,

    I have a problem concerning isass.exe. I formatted C: as usual to install the new Windows XP, and after installing, a popup window opened saying that an isass problem occurred and my system will shut down in a few moments, and a countdown started. I couldn't stop that and it happened more times, not just once. Using BitDefender Prof 9 I couldn't clean the trojan virus.

    Can you please help me?
     
  18. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    antonio1, start your own thread and use my thread as a reference so that
    DCS can better assist you.
     