Dixus Posted August 28, 2009 Posted August 28, 2009 During the last days my internet connection was dead for some minutes - randomly. Some minutes later it was back. First I thought my internet provider has issues again. So i waited a few days. After a while i recognized that my outgoing traffic was like at the maximum bandwidth limit. At this time the connection wasnt really dead - i was sending tons of crap! It was so much traffic that either ping didnt work because the packages had no chance to return. I hadnt any programs running that could have caused this weird traffic. I used microsoft network analyzer to sniff what the hell was going on there: 99% of the traffic was caused by lsass.exe. Usally this is the "Local Security Authority Process" of vista. But this one was sending thousands of 81 byte packets to an other IP. It looked like a DOS attack from my computer. Whois said it was near New York. In some packages i found the string "Your Getting Pooned By HostBooter!". Really smart. So now i knew my computer was infiltrated by a trojan. So where was the lsass process located? I opened my tastmanager. There was an lsass.exe and it wasnt the "Local Security Authority Process". You see that weird icon... Also its called "Driver Removing for Windows"... located in C:WindowsCursors directory! I opened that path. Nothing there. But a took a deeper look - it was hidden system file. I deleted it and went to the registry to find out how this process was started. This was easy. I just searched for the string windows/cursors and found it in the start section: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun I removed it and was fine. So what was the reason? I suppose disabling UAC for some days was a huge mistake. I have no clue which website or tool installed this crap. Fact is that it used my computer for DOS attacks. I found a website hostbooter.com. Probably this guy is guilty. I still wonder why antivir didnt found it. File Size: 320 KB (327.733 Bytes) Binary content told me it was written in Visual Basic 6. I havent had any trojan or virus since like 5-6 years. UAC is a pain. But better leave it enabled ;P dix Quote
-=Medic=- Posted August 28, 2009 Posted August 28, 2009 I removed it and was fine. So what was the reason? I suppose disabling UAC for some days was a huge mistake. I have no clue which website or tool installed this crap. May be you should use another anti virus but enabling UAC...!!! try to get trojan again with UAC enabled to be sure if this will really prevent that from happening, but I'm not sure enabling UAC will help. Quote
Dixus Posted August 28, 2009 Author Posted August 28, 2009 I removed it and was fine. So what was the reason? I suppose disabling UAC for some days was a huge mistake. I have no clue which website or tool installed this crap. May be you should use another anti virus but enabling UAC...!!! try to get trojan again with UAC enabled to be sure if this will really prevent that from happening, but I'm not sure enabling UAC will help. Well I am not sure. But 99 percent One main reason that UAC is designed for is to protect windows and system folders. A process cant write into this folders. Also if you are admin you cant - you will need to confirm this step twice. I used sometimes IE... Internet explorer without UAC is like an invitation for viruses and trojans.. I ll try to live with UAC... Quote
-=Medic=- Posted August 28, 2009 Posted August 28, 2009 Well I am not sure. But 99 percent One main reason that UAC is designed for is to protect windows and system folders. A process cant write into this folders. Also if you are admin you cant - you will need to confirm this step twice. I used sometimes IE... Internet explorer without UAC is like an invitation for viruses and trojans.. I ll try to live with UAC... Just be sure DEP is fully enabled I mean increase your protection by having DEP monitor all programs NOT by default "monitors essential Windows programs and services" this will help i think more without need to enable UAC. http://en.wikipedia.org/wiki/Security_a ... Prevention I'm also not sure but this what I did cos I disabled UAC and it's not gonna be enable soon For IE. well to be honest I dunno cos since few years now I'm using only Firefox so I cant have an objective opinion about it :roll: LOL at work my Boss loved IE but since he asked to handle all no one use it and also friends who ask me how to have clean surf without adds and popup well all using my advise Firefox + Adblock and other addons to help them for secure surf ... and they love it Quote
Dixus Posted August 28, 2009 Author Posted August 28, 2009 Sure DEP is enabled. It doesnt depend on UAC. I usually use chrome, but as asp.net developer i also need to IE... This post was just a warning. If somebody lags badly this can probably help rofl Quote
-=Medic=- Posted August 28, 2009 Posted August 28, 2009 This post was just a warning. If somebody lags badly this can probably help rofl i know but it was just to say an opinion about uac. I can advise never disable it if some ask me if he can disable it ... cos a lot don't even know what are they installing... they just hit "OK" or "NEXT" without knowing what are they doing :shock: but thanks this will help for sure if someone had the same problem Quote
F257 Posted September 20, 2009 Posted September 20, 2009 what is UAC user acsees control. Its somethimg Vista implemtns to basically give you more control over whats imnstalled and therfore meant to be more safer. In reality it means you end having to asking an awful lot of permisions to do stuff you consider is automatic in XP - e.g having to ask permsiion to delte shortcuts , editing folder permissions so you can edit song info in Itunes etc. Its recommend to leave it on but it can sure be tiring Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.