A hacker or am I just hallucinating...
I have a problem on my computer with “User Preferences”. I set them the way I want them, but they keep changing. No one else uses my computer. I size my windows for my drives and other folders to open in a certain place and size on my computer screen, then click re***** and close them and immediately reopen them to check that they are like I put them. I’ve set the file detail views as I like them, then when I open the same windows, like drive C or Drive D window, say a few hours later, and have never shut down my computer, they have changed size, location, or file detail view. I also see certain programs change things in them too, which Windows has no control over. It really acts like a HACKER has come on my computer and made these little changes while I’m online or has put a Trojan on my computer to gain access, even though I’ve scanned many times using: Spybot, PestPatrol, SpywareBlaster, SpywareGuard, MRU-Blaster, Anti-Trojan, Trojan Hunter, Bazooka, The Cleaner, and have run several virus scans. Everything comes up clean. I run Peerguardian, Protowall, VirusScan, PestPatrol, Port Monitoring, and a sound firewall while online. My firewall will not let anything happen as far as program actions, or online accesses, unless I approve them (Tiny Personal Firewall 5.5). I consider myself to be an advanced user. I’ve visually searched Windows… System and System*2 folders for Trojan files. I run port scanning software to view my port actions and all programs running, while I’m online. I’ve been to “Shields Up” to check open ports, and checked my firewall here: [url]http://www.pcstadt.com/pc-security.html[/url] (right column good port & firewall checks), everything is Stealthed and good. Ports **5, *025, 5000, and all the rest are closed and stealthed. I ran Microsoft Security Analyzer, and it said I had * shares, but when I went into the computer to change it wouldn’t let me change the settings, by Right Clicking.
My computer is an Xp2700 running the WinXp pro, with the latest updates. At computer start up I always run Privacy Eraser Pro, which totally cleans my cache, trash can, and many other folders of excess crapola. Is it because of all the programs above that maybe they are stripping my set preferences somehow, because I clean my computer so well, but that doesn’t make sense because it happens while I’m using my computer to work or browse the internet. Is WinXp just an Unstable OS?
When I monitor programs running while online using port scanning software I see: svchost.exe*564, svchost.exe*720, lsass.exe**88, System:4, alg.exe*60, (using either TCP & UDP protocols) but these online processes are LISTENING… Also I do not use MsMessenger, but sometimes I will see it has been activated and is running, but the icon is not in the system tray, nor does the WINDOWS TASK MANAGER show it’s running. I can only see this using my port monitoring program, either TCPview or DiamondCS Port Explorer. These port programs will let me kill that process immediately. I also think I’ll uninstall the MsMessenger, because I never use it and it’s not set to auto open at start-up, and should never be running, but it can’t be uninstalled by the Control Panel… So I used this: [url]http://grc.com/stm/shootthemessenger.htm[/url] but the Msmsgs.exe will still be running sometimes, I think this is an open door to hackers… I also have filtered every program at start with my Tiny Firewall. I’ve heard of Trojans that allow people to get on your computer and make these little changes, but have never experienced it, until now, maybe. Any ideas….. thanks
Found this for MsMessenger uninstall
If you have service pack one installed you can do it this way.
*. Open Control Panel from the Start menu.
2. Choose Add or Remove Programs.
*. Select Add/Remove Windows Components.
4. Click to remove the checkmark next to "Windows Messenger".
5. Click the Next button.
6. Click the Finish button.
7. Restart your computer.
Then go to Program files folder and delete the Messenger Folder.
You have the "Sasser" virus!
Well, as you probably may know, you have the famous "Sasser" virus.
Because you said:
>When I monitor programs running while online using port scanning >software I see: svchost.exe*564, svchost.exe*720, lsass.exe**88,
Look at the "lsass.exe" part!
More info can be found at [url]http://securityresponse.symantec.com/avcenter/venc/data/w*2.sasser.e.worm.html[/url]
Sorry for any mistakes, but English is not my native language!
Greetings from Lisbon (Portugal)
Paulo
_____________________
You can mail me at:
hotmail[remove.this.part.including.brackets]@tugamail.com
Reply to Unregistered Guest
Maybe you read the programs that I listed above wrong.
I don't have the Sasser worm. I listed LSASS.EXE, not LSAS.EXE. I don't want people to get confused by your response to my post, because you need the LSASS.EXE system file.
Don't confuse LSAS.EXE (worm/backdoor) with LSASS.EXE (system file)!
ARTICLE
----------------------------------
LOCAL SECURITY AUTHORITY (Netlogon Service) used during logons to your box basically is what my understanding of it is, & pretty central to the WHOLE security show there, Kerberos & all now in there, notwithstanding:
"Local Security Authentication Server (LSASS.EXE). This is the LSA server. During user authentication, the WINLOGIN process will interact with the LSASS process. LSASS implements the user space part of the authentication procedure for accessing objects, interacting with the Executive Security Reference Monitor mechanism."
* This is another reason why I s***est ONLY allowing user access granted to the Administrator on folders, especially SYSTEM*2 in the security guide for NT based Os' that is the last line of my signature... to BOTH filesystem & the registry! Setting yourself up to only allow * max logons failures also, for instance, in your auditing & security can halt this as well against Dictionary/Brute force hacks. You can't disable this Netlogon service, but you can set it to manual too if you like.
more.....
[url]http://www.ntcompatible.com/thread*8252-*.html[/url]
===================
A Description of Svchost.exe in Windows XP
[url]http://support.microsoft.com/default.aspx?scid=kb;EN-US;**4056[/url]
Re: You have the "Sasser" virus!
[QUOTE][i]Originally posted by Unregistered [/i]
[B]Well, as you probably may know, you have the famous "Sasser" virus.
Because you said:
>When I monitor programs running while online using port scanning >software I see: svchost.exe*564, svchost.exe*720, lsass.exe**88,
Look at the "lsass.exe" part!
[/B][/QUOTE]
hehe, well no, you may not. lsass.exe is the Local Security Authority Service, which is responsible for authenticating users for the Winlogon service. ;)
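
The replies above turn on telling the real lsass.exe apart from a near-identical name such as lsas.exe. The following is an added example, not part of the original thread: a small triage routine that checks a process image path for both a lookalike name and an unexpected location. The expected directory table, the distance threshold of 2 and the sample listing are assumptions constructed for illustration.

```python
import ntpath

# Assumption: directory where these Windows system binaries normally live.
EXPECTED = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "alg.exe": r"c:\windows\system32",
}

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(image_path):
    """Return (verdict, detail) for one full process image path."""
    directory, name = ntpath.split(image_path.lower())
    if name in EXPECTED:
        # Exact system name: only trustworthy when it runs from the expected folder.
        if ntpath.normpath(directory) == EXPECTED[name]:
            return ("ok", name)
        return ("wrong-location", name)
    # Not an exact match: flag names one or two edits away from a system binary.
    for known in EXPECTED:
        if edit_distance(name, known) <= 2:
            return ("lookalike", known)
    return ("unknown", name)

# Constructed sample listing (not taken from the poster's machine).
SAMPLE = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\lsas.exe",
    r"C:\WINDOWS\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"C:\Program Files\Tool\tcpview.exe",
]

def run_sample():
    return [(path,) + triage(path) for path in SAMPLE]

if __name__ == "__main__":
    for path, verdict, detail in run_sample():
        print(f"{verdict:15} {detail:12} {path}")
```

A port monitor that shows the full image path, as the tools named in the first post do, supplies the input; very short names can trip the distance check, so a "lookalike" verdict is a prompt to inspect the file, not proof of infection.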