Could somebody tell me if an attack is being waged against Isass.exe. Port Explorer is detecting a remote 255.255.255.255 and the data that is being sent is my machine name and MSFT 5.07. The only reference that I can find is microsoft stocks after doing a search on MSFT 5.07. Microsoft has hijacked my browser several times and destroyed one connection.(why would they do that). Im not trying to say that microsoft actually did that but something along the way caused the problem. I know MS wouldnt do such things as hijacking or creating trojans or worms or spyware or adware or malware. It seems kind of funny that the data being sent out has a microsoft imprint in the sand.
Are you sure it is Isass and not Lsass? isass - isass.exe - Process Information Process File: isass or isass.exe Process Name: Optix.Pro virus Description: isass.exe is registered as the Optix.Pro virus which carries in it's payload, the ability to disable firewalls and local security protections, and a backdoor capability. Author: n/a Part Of: Optix.Pro virus System Process: No Background Process: No Uses Network: No Hardware Related: No Common Errors: N/A Memory Usage: N/A ( Free Up Memory ) Security Risk (0-5): 4 Spyware: No ( Remove ) Adware: No ( Remove ) Virus: No ( Remove ) Trojan: Yes ( Remove ) Think this explains it all and cleaning needed! With Port Explorer disable immediately the process and start cleansing.
Hey Jooske you were right it is Lsass.exe (LSA Export Version). My mistake. When you advise somebody to kill that process dont leave out the fact that the file is needed to keep the computer on. All you will do is keep them on restart because the file is a necessary system component. The file that I meant was ndisuio.sys. This is the file that keeps sending out the data. Is this normal activity. My Antivirus does not detect anything and since it is a trojan neither does TDS-3. By the way I have nortons AV2005. The data part is sniffed by PE and it is a steady 302 bytes of info. MSFT might mean Microsoft File Transfer
ndisuio - ndisuio.sys - Process Information Process File: ndisuio or ndisuio.sys Process Name: NDIS User Mode I/O (NDISUIO) NDIS protocol driver Description: ndisuio.sys is a process belonging to the NDIS User Mode I/O (NDISUIO) NDIS protocol driver which offers support for wireless devices such as Bluetooth and the like. This program is important for the stable and secure running of your computer and should not be terminated. Author: Microsoft Part Of: Microsoft Windows Operating System System Process: Yes Background Process: Yes Uses Network: No Hardware Related: No Common Errors: N/A Memory Usage: N/A ( Free Up Memory ) Security Risk (0-5): 0 Spyware: No ( Remove ) Adware: No ( Remove ) Virus: No ( Remove ) Trojan: No ( Remove ) More here with links: http://castlecops.com/t119035-ndisuio_sys_question.html
Thank you Jooske for the quick reply that you gave. I still have the same problem with the 302 bytes of data being sent out to a remote addresse 255.255.255.255. Is this normal and if it isnt how do I get it to stop. After doing some checking I found evidence of someone hacking this machine. I found an unkown account that sombody had setup and allso gave a referance to a workstation handle. I found all this with Process Explorer witch by the way is a very good product in combination with Port Explorer. With those 2 you cant go wrong.
The 255.255.255.255 is a broadcast address. Do you have any more details, protocol, ports involved? Regards, CrazyM
This is exactly what I get and if I enable stop sending data in Port Explorer in that process it all turns to zeroes. The addresses that is. Is this normal activity. I think there might be a new exploit in the .NET Framework by the csrss.exe file. There is a handle in that file that keeps acquiring an Account Unkown with unlimited permissions (WindowStation \Windows\WindowStations\WinSta0) is that handle. I have been told by a pro. that this machine is being hacked.
Code: ------------------------------------------------------------------------------------------------------------| | DATE |ACTION | PRO | Local Address:Port | Remote Address:Port | Status | Bytes | Process ------------------------------------------------------------------------------------------------------------| 04/06/2005 18:21:10pm OPEN UDP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\System32\svchost.exe:1112 04/06/2005 18:21:10pm SEND UDP 0.0.0.0:68 255.255.255.255:67 Success 302 C:\WINDOWS\System32\svchost.exe:1112 United States 04/06/2005 18:21:13pm SEND UDP 0.0.0.0:68 255.255.255.255:67 Success 302 C:\WINDOWS\System32\svchost.exe:1112 United States 04/06/2005 18:21:22pm SEND UDP 0.0.0.0:68 255.255.255.255:67 Success 302 C:\WINDOWS\System32\svchost.exe:1112 United States 04/06/2005 18:21:37pm SEND UDP 0.0.0.0:68 255.255.255.255:67 Success 302 C:\WINDOWS\System32\svchost.exe:1112 United States This is the log to ease reading it. Those portnumbers give in Port Explorer > Utilities > Lookup > Port to service port 68: BOOTPC - Bootstrap Protocol Client (RFC 951) port 67: BOOTPS - Bootstrap Protocol Server (RFC 951) port 1112: RAT: Rths So are you in a network? If that 1112 is a portnumber of course, did you rightclick and see in the whatis of that process any more information? Are you able to have the socketspy looking at the packets sent? Are you having a running process rhts.exe? kill it. http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073057 If it's there, TDS should have found it for you. Make sure you have all access for TDS to all files and try to locate the file. If TDS doesn't see it zip and submit it to the email address in my signature. Some more on it, could it be DHCP at work? Do you only see SEND, never a RECEIVED and Open and CLOSED in your logs? I saw some mentioning here http://216.239.59.104/search?q=cach...help.org/detail-562271.html "MSFT 5.07"&hl=nl and excerpts from Hacking Exposed almost at the bottom of this excerpt about the DHCP: http://searchsecurity.techtarget.com/searchSecurity/downloads/Hacking_Exposed.pdf Think the whole book is available via the DiamondCS bookshoppe.
From the log you posted this looks like normal DHCP traffic and nothing to worry about and no need to stop it sending data in PE. The 1112 is the PID (Process Identifier) for svchost.exe Regards, CrazyM
Sorry about the 1112 thing, i was fooled by the missing - in front of it and translated it into a port where it was an innocent Process ID. On win98se it has the -, on XP not. Anyway i was at least right with the DHCP part and gave you a nice read
Thanks for your help and I will not worry about it for now since it is normal traffic in my machine. I did find 2 files that I cant seem to remove with any kind of scanners at all(A Demo dont remove things). CdrPDF.PDFEngine (SexNow Dialer) And Spyware.Sa_PCSpy.b and one more that dont look right vb5stkit.dll Thanks all and Jooske I will post a new thread in PE about the hack find. It was by chance that I found it and it was your advice that put me on the right track with those links that led me to that other software.
Did i post this link for you somewhere before? https://www.wilderssecurity.com/showthread.php?t=50662 You can start with closing all scanners and have TDS (fully updated) do a complete full system scan, cleansing out all the finds, submitting suspicious alerts, killing bad processes before you'll be able to delete them, etc., reboot into safe mode and do it all again. Now to avoid still anything bad being around, do the whole cleansing program. And keep us informed please how it goes, about your finds, till we are all convinced your system is really clean.
Hi Joosky I posted a thread in port explorer that will tell you some of the things that are going on in this machine. Everything seems to be quiet for now. Still havent been able to figure out how they are getting in to change the settings in the services and re-establishing the unkown account. I used the rootkit scanners and everything clean along with all the other scans. I suspect a new generation of hackers that are smarter leaning on possibly being genius. I have been looking at the programming in some of the files and have found the letters MZ at the start of the text. The only referance that I can find is an alternate data stream named MZ.exe that is 88 bytes long. Every time I run into this trouble those stupid ADS attachments show up. It really dosent add up. Look for account unkown.
Are you clean now at the moment or not? Do you know which applications are involved in the hacking or not? Are you able to get rid of the malicious software, did you locate it, clean out with the whole cleansing procedure, closing ports extra tight with every means, create logs, hijackthis log, autostartviewer log, etc? Zip and submit the malware. Have you set TDS with the sockets to protect certain ports and thus force your possible hacker to use other ports, set your firewall to block the domains they might be using, etc etc? Have you set your system for the account unknown to allow nothing, no traffic nor any action, etc. etc? In which files do you find the ads streams? Submit them. Did you make an actual hijackthis log? Did you post that log on the CastleCops forum for instance for more cleansing advices? Did you block access in Port Explorer to/from the application when hacked? Did you install Process Guard to guard your system files (is only usefull on a clean system) and RegDefend to protect your registry from all new additions and changes without your knowledge? Did you check your HOSTS file for additions?
Hi Jooske, I am all quiet for now, I went and did all that you told me to do and found the SQL Server2000 had been installed and then uninstalled on this machine. The way I found those uninstall files that were left behind is I looked in my Program Files folder for anything that looked funny. C:\Program Files\Common Files\Microsoft Shared\Database Replication REPLREC.DLL is one of the files that I looked into. I called a tech and she told me that the server was not for the normal home user. I dont even own the SQL Server2000 install disks and I have never setup a server on this machine. Thanks for all the help ; You led me to a lot of gooood programs. THANKS
I think I need to explain that Im not trying to implicate that microsoft is in the hacking buiseness or trying to leave a way into everybodies computers. Microsoft would not do illegal things because they are in buiseness to make money and breaking the law would be counter productive.
Hi guys, I have a problem concerning isass.exe. I formated c: as usual for install the new windowsXP and after installing a popup window was opened writeing that isass problem ocured and my system will shut down in few moments, and a count down is starting. I couldn't stop that and it was happen more times not just one, useing bitdefender prof 9 I couldn't clean the troyan virus. Can you please help me?
