re: lsass.exe
Tuesday, December 30, 2003 at 10:39 pm Windows XP Annoyances Discussion Forum
Posted by toad
(1 message posted)
I would be more interested in how this stuff landed in the first place. I noticed
some program running on port 6667 on my PC. I didn't have mIRC open, so I did some
snooping. It turned out to be:
c:\WINNT\microsoftdrivers\etc\smss.exe
As it turns out, everything in "microsoftdrivers\etc" was part of the trojan/virus.
There were a lot of files in there, some of which I recognize. FireDaemon, for one.
This is a legit app that will allow you to run applications as services. I did not
install it, though. I also saw Serv-U FTP in the folder, as well as a handful of .bat
files and .ini files for starting and controlling the scripts and programs.
Maybe you guys have something else, but the one I had was intended to use my PC as
an XDCC server on IRC. The trojan would set up an FTP on my PC (using Serv-U) so the
controller could dump warez on my hard drive. It would also connect to IRC, join a
warez channel, then offer files to other people in the channel. Plain and simple: warez
distribution without consent.
Here's the funny thing. There was a file in the c:\WINNT\microsoftdrivers\etc folder
called remove.bat. It actually has removal command lines for the trojan. Now, your
guess is as good as mine as to whether it removes everything, but after I ran the .bat
file on my PC all strange activity stopped. To be on the safe side, a hard drive format
is still in order, though. Here are the command lines the .bat file runs:
net stop Network
net stop indexing
net stop wlogin
del c:\winnt\microsoftdrivers\etc\*.dll
del c:\winnt\microsoftdrivers\etc\*.txt
del c:\winnt\microsoftdrivers\etc\*.xml
del c:\winnt\microsoftdrivers\etc\*.key
del c:\winnt\microsoftdriver\etc\*.reg
del c:\winnt\microsoftdrivers\etc\*.dtd
del c:\winnt\microsoftdrivers\etc\*.ini
del c:\winnt\microsoftdrivers\etc\*.bak
del c:\winnt\microsoftdrivers\etc\*.crt
del c:\winnt\microsoftdrivers\etc\*deld
del c:\winnt\microsoftdrivers\etc\start.bat
del c:\winnt\microsoftdrivers\etc\wget.exe
del c:\winnt\microsoftdrivers\etc\smss.exe
del c:\winnt\microsoftdrivers\etc\HIDEAPP.EXE
del c:\winnt\microsoftdrivers\etc\lsass.exe
del c:\winnt\microsoftdrivers\etc\rar.exe
del c:\winnt\microsoftdrivers\etc\fire.reg
del c:\winnt\microsoftdrivers\etc\my*.*
del c:\winnt\microsoftdrivers\etc\*.exe
del c:\winnt\microsoftdrivers\etc\up\goodbye.bat
del c:\winnt\microsoftdrivers\etc\*.bat
I hope this helps somebody understand some part of this thing. Like I said, though, I
would rather know how I got it in the first place. =[
On Monday, December 8, 2003 at 9:01 pm, Travis Cox wrote:
>Oops, sorry. I think I need some sleep; didn't notice the replies to Mark's message.
> I'll follow these links and hope to figure it out, although the virus they suggest
>doesn't seem to be quite the same.
- Written in response to:
- re: lsass.exe (Travis Cox: Monday, December 8, 2003 at 9:01 pm)
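The three tells in toad's post (a process borrowing a core Windows name such as smss.exe or lsass.exe but running from a folder other than System32, a connection on the default IRC port 6667, and services whose binaries point at an odd directory, which is how FireDaemon-style persistence looks from the outside) can be checked for from a single PowerShell session. The script below is an added example written for this page, not code from the post or from the trojan; it assumes Windows 8.1/Server 2012 R2 or later with PowerShell 5.1+ (Get-NetTCPConnection comes from the built-in NetTCPIP module), an elevated prompt so process paths and owning PIDs are readable, and the list of "trusted" service directories is an assumption to tune for your own estate.

```powershell
# Added example for this page (not from the forum post or the trojan's files).
# Triage checks for the pattern described above, run from an elevated prompt.

$system32 = Join-Path $env:SystemRoot 'System32'

# Directories from which services normally run. Deliberately NOT the whole of
# %SystemRoot%: the trojan in the post lived under c:\WINNT\microsoftdrivers\etc,
# so the Windows root itself must not be treated as trusted. (Assumed list.)
$trustedRoots = @(
    $system32,
    (Join-Path $env:SystemRoot 'SysWOW64'),
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Test-UnderTrustedRoot([string]$Path) {
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Processes using core Windows names but loaded from outside System32.
#    Path is $null when the process could not be opened, hence the elevated prompt.
$coreNames = 'smss', 'lsass', 'csrss', 'winlogon', 'services', 'svchost'
Write-Host "== Core-named processes outside $system32 =="
Get-Process -Name $coreNames -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and -not $_.Path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase) } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize

# 2. Any TCP connection involving the default IRC port, with the owning image.
Write-Host "`n== TCP connections involving port 6667 =="
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 6667 -or $_.RemotePort -eq 6667 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local  = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            State  = $_.State
            PID    = $_.OwningProcess
            Image  = if ($proc -and $proc.Path) { $proc.Path } else { '(unknown)' }
        }
    } | Format-Table -AutoSize

# 3. Services whose executable lives outside the trusted roots. A service wrapper
#    such as FireDaemon shows up here as a service pointing at an unusual folder.
Write-Host "`n== Services running from unexpected locations =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may be quoted and may carry arguments; keep only the executable.
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split '\s+')[0] }
        if (-not (Test-UnderTrustedRoot $exe)) {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Exe       = $exe
            }
        }
    } | Format-Table -AutoSize
```

Expect legitimate third-party services to appear in the third list as well; the point is to review each one rather than to treat every hit as malware. On hosts too old for Get-NetTCPConnection, `netstat -ano` gives the same port-to-PID mapping for the second check by hand.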