
UAC - and trojan


Dixus


During the last few days my internet connection was dead for some minutes, randomly. Some minutes later it was back. First I thought my internet provider had issues again, so I waited a few days. After a while I noticed that my outgoing traffic was at the maximum bandwidth limit. At that time the connection wasn't really dead: I was sending tons of crap! It was so much traffic that even ping didn't work, because the packets had no chance to return.

I didn't have any programs running that could have caused this weird traffic. I used Microsoft's network analyzer to sniff what the hell was going on there:

[Screenshot: analyzer.png]

99% of the traffic was caused by lsass.exe. Usually this is the "Local Security Authority Process" of Vista. But this one was sending thousands of 81-byte packets to another IP. It looked like a DoS attack from my computer. Whois said it was near New York. In some packets I found the string "Your Getting Pooned By HostBooter!". Really smart. So now I knew my computer was infiltrated by a trojan.

So where was the lsass process located? I opened my task manager. There was an lsass.exe, and it wasn't the "Local Security Authority Process".

[Screenshot: lsassTroj1.png]

You see that weird icon... Also it's called "Driver Removing for Windows"... located in the C:\Windows\Cursors directory! I opened that path. Nothing there. But I took a deeper look: it was a hidden system file.

[Screenshot: lsassTroj2.png]

I deleted it and went to the registry to find out how this process was started. This was easy. I just searched for the string windows/cursors and found it in the Run section:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

I removed it and was fine. So what was the reason? I suppose disabling UAC for some days was a huge mistake. I have no clue which website or tool installed this crap. Fact is that it used my computer for DoS attacks. I found a website, hostbooter.com. Probably this guy is guilty. I still wonder why Antivir didn't find it.

File size: 320 KB (327,733 bytes)

The binary content told me it was written in Visual Basic 6.

I haven't had any trojan or virus for like 5-6 years. UAC is a pain. But better leave it enabled ;P

 

dix

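The triage the post describes (find the process behind the outbound flood, check whether the lsass.exe you see is the genuine one, and walk the Run keys for hidden-system-file autoruns) can be scripted. The following is an added example, not code from the thread: it assumes Windows 8 or later with PowerShell 5.1 (Get-NetTCPConnection did not exist on Vista, where netstat -b and a packet capture were the equivalents), an elevated prompt so process paths and owning PIDs resolve, and the "trusted directories" list is my own choice. A UDP flood like the 81-byte packets in the post will not show up as TCP connections; the capture step the poster did remains necessary for that.

```powershell
# Added example (not from the original post): triage a suspected DoS bot on Windows.
# Assumes Windows 8+/PowerShell 5.1+ in an elevated session; trusted directory list is an assumption.

# 1. Which process/remote pairs hold the most established connections? A bot flooding one
#    host shows up as a single PID with many connections to the same RemoteAddress.
function Get-TopTalkers {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Group-Object OwningProcess, RemoteAddress |
        Sort-Object Count -Descending |
        Select-Object -First 10 @{n='PID';    e={ ($_.Name -split ', ')[0] }},
                                @{n='Remote'; e={ ($_.Name -split ', ')[1] }},
                                Count
}

# 2. Is every process called lsass.exe the real one? The genuine LSA runs from System32 and
#    carries a valid Microsoft signature; the impostor in the thread ran from C:\Windows\Cursors.
#    Note: the real lsass is a protected process, so its Path can be $null even when elevated.
function Test-LsassImpostor {
    $expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
    Get-Process -Name lsass -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            PID          = $_.Id
            Path         = $path
            ExpectedPath = [bool]($path -and ($path -ieq $expected))
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            SigStatus    = if ($sig) { $sig.Status } else { 'unknown' }
        }
    }
}

# 3. Run-key persistence: list every autorun in HKCU/HKLM, resolve its image, and flag files
#    that are hidden+system (as in the thread) or live outside System32 / Program Files.
function Get-SuspiciousAutoruns {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # Assumption: anything started from these prefixes is "expected"; everything else gets a look.
    $trusted = @("$env:SystemRoot\System32\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, PSChildName, ...
            # Crude image extraction: quoted path, or the first space-delimited token.
            $exe = if ($p.Value -match '^"([^"]+)"') { $matches[1] } else { ([string]$p.Value -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # -Force is what makes a hidden system file show up at all (the poster saw an "empty" folder).
            $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
            $hiddenSystem = $file -and
                (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                (($file.Attributes -band [IO.FileAttributes]::System) -ne 0)
            $inTrusted = $trusted | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            [pscustomobject]@{
                Key                = $key
                Name               = $p.Name
                Image              = $exe
                HiddenSystem       = [bool]$hiddenSystem
                OutsideTrustedDirs = -not [bool]$inTrusted
                SigStatus          = if ($file) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'missing' }
            }
        }
    }
}

Get-TopTalkers        | Format-Table -AutoSize
Test-LsassImpostor    | Format-Table -AutoSize
Get-SuspiciousAutoruns | Where-Object { $_.HiddenSystem -or $_.OutsideTrustedDirs -or $_.SigStatus -ne 'Valid' } |
    Format-Table -AutoSize
```

Anything Get-SuspiciousAutoruns flags with HiddenSystem set and a non-Valid signature is exactly the profile of the file in the post; removing the registry value and the file (Remove-ItemProperty, then Remove-Item -Force) mirrors the manual cleanup described above.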

> I removed it and was fine. So what was the reason? I suppose disabling UAC for some days was a huge mistake. I have no clue which website or tool installed this crap.

Maybe you should use another antivirus, but enabling UAC...!!! Try to get the trojan again with UAC enabled to be sure whether this will really prevent that from happening, but I'm not sure enabling UAC will help. :hmm


> > I removed it and was fine. So what was the reason? I suppose disabling UAC for some days was a huge mistake. I have no clue which website or tool installed this crap.
>
> Maybe you should use another antivirus, but enabling UAC...!!! Try to get the trojan again with UAC enabled to be sure whether this will really prevent that from happening, but I'm not sure enabling UAC will help. :hmm

Well, I am not sure. But 99 percent ;)

One main reason UAC is designed for is to protect the Windows and system folders. A process can't write into these folders. Also, if you are admin you can't; you will need to confirm this step twice.

I sometimes used IE... Internet Explorer without UAC is like an invitation for viruses and trojans. I'll try to live with UAC...


> Well, I am not sure. But 99 percent
>
> One main reason UAC is designed for is to protect the Windows and system folders. A process can't write into these folders. Also, if you are admin you can't; you will need to confirm this step twice.
>
> I sometimes used IE... Internet Explorer without UAC is like an invitation for viruses and trojans. I'll try to live with UAC...

Just be sure DEP is fully enabled. I mean increase your protection by having DEP monitor all programs, NOT the default "monitors essential Windows programs and services". This will help more, I think, without the need to enable UAC.

http://en.wikipedia.org/wiki/Security_a ... Prevention

I'm also not sure, but this is what I did, because I disabled UAC and it's not gonna be enabled soon :D

For IE, well, to be honest I dunno, because for a few years now I'm using only Firefox, so I can't have an objective opinion about it :roll:

LOL, at work my boss loved IE, but since he asked me to handle everything no one uses it, and also friends who ask me how to surf cleanly without ads and popups are all using my advice, Firefox + Adblock and other addons to help them surf securely... and they love it :lol:

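The two settings argued about in the posts above (whether UAC is on, and whether DEP covers only "essential Windows programs and services" or all programs) are both readable from the system, and the boundary UAC actually draws can be probed directly. This is an added example, not code from any of the posters: it assumes Windows 8 or later with PowerShell 5.1, reads the documented EnableLUA/ConsentPromptBehaviorAdmin values and the Win32_OperatingSystem DEP policy, and writes a throwaway value to the Run keys to show which one an unelevated process may touch. The verdict strings and the probe value name are my own.

```powershell
# Added example (not from the thread): inspect UAC and DEP, and probe what UAC does and does not gate.
# Assumes Windows 8+/PowerShell 5.1+. Run once unelevated and once elevated to see the difference.

function Get-UacState {
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $k
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 0 = UAC off (the first poster's setting)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 0 = elevate silently, 5 = default prompt, 2 = always prompt
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Verdict = if ($p.EnableLUA -eq 0) { 'UAC disabled: admin processes always run with the full token' }
                  elseif ($p.ConsentPromptBehaviorAdmin -eq 0) { 'UAC on but auto-elevating: no prompt is ever shown' }
                  else { 'UAC on' }
    }
}

# Is the current PowerShell running with the full (elevated) administrator token?
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# UAC gates writes to HKLM and to the Windows/Program Files folders. It does NOT gate
# HKCU\...\Run, which is the key the bot in the first post used, so a medium-integrity
# process can persist per-user without any prompt. This writes and immediately removes a probe value.
function Test-RunKeyWritable {
    param([Parameter(Mandatory)][string]$Key)
    $name = 'uac_probe_' + [guid]::NewGuid().ToString('N')   # assumption: unique, harmless name
    try {
        New-ItemProperty -Path $Key -Name $name -Value 'probe' -PropertyType String -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        $true
    } catch {
        $false
    }
}

# DataExecutionPrevention_SupportPolicy (Win32_OperatingSystem):
#   0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default: only essential Windows programs and services), 3 OptOut (all programs unless excluded)
function Get-DepPolicy {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $code  = [int]$os.DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{
        Policy    = $names[$code]
        Available = $os.DataExecutionPrevention_Available
        Hint      = if ($code -eq 2) { 'bcdedit /set nx OptOut (reboot required) extends DEP to all programs' } else { '' }
    }
}

Get-UacState | Format-List
"Elevated token in this session : $(Test-IsElevated)"
"HKCU Run writable              : $(Test-RunKeyWritable 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')"
"HKLM Run writable              : $(Test-RunKeyWritable 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')"
Get-DepPolicy | Format-List
```

Unelevated with UAC on, the HKCU probe succeeds and the HKLM probe fails; with EnableLUA set to 0 and an administrator account, both succeed. DEP policy OptIn is the "essential Windows programs" default the post above recommends moving away from; OptOut or AlwaysOn is the broader setting.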

Sure, DEP is enabled. It doesn't depend on UAC. I usually use Chrome, but as an ASP.NET developer I also need IE...

This post was just a warning. If somebody lags badly this can probably help, rofl


> This post was just a warning. If somebody lags badly this can probably help, rofl

I know, but it was just to give an opinion about UAC. I can advise never to disable it if someone asks me whether he can disable it... because a lot don't even know what they are installing... they just hit "OK" or "NEXT" without knowing what they are doing :shock:

But thanks, this will help for sure if someone has the same problem :P


  • 4 weeks later...

What is UAC? :confused

User Access Control. It's something Vista implements to basically give you more control over what's installed and therefore is meant to be safer. In reality it means you end up having to ask for an awful lot of permissions to do stuff you consider automatic in XP, e.g. having to ask permission to delete shortcuts, editing folder permissions so you can edit song info in iTunes, etc. It's recommended to leave it on, but it can sure be tiring :rolleyes:
