re: lsass.exe
Sunday, January 11, 2004 at 6:50 pm Windows XP Annoyances Discussion Forum
Posted by Thorn
THANK YOU! I got this and was looking everywhere for a fix; none of the trojan killers
or virus software would pick this up. The only thing that keyed me into it being
there is I started getting some activity hitting my firewall on port 6667. The remove.bat
took care of it!
On Tuesday, December 30, 2003 at 10:39 pm, toad wrote:
>I would be more interested in how this stuff landed in the first place. I noticed
>some program running on port 6667 on my pc. I didn't have mirc open so I did some
>snooping. It turned out to be:
>
>c:\WINNT\microsoftdrivers\etc\smss.exe
>
>As it turns out everything in "microsoftdrivers\etc" was a part of the trojan/virus.
>There were a lot of files in there, some of which I recognize. FireDaemon for one.
>This is a legit app that will allow you to run applications as services. I did not
>install it though. I also saw servu-ftp in the folder as well as a handful of .bat
>files and ini files for starting and controlling the scripts and programs.
>
>Maybe you guys have something else, but the one I had was intended to use my pc as
>an xdcc server on irc. The trojan would set up an ftp on my pc (using servu) so the
>controller could dump warez on my harddrive. It would also connect to irc, join a
>warez channel, then offer files to other people in the channel. Plain and simple...warez
>distribution without consent.
>
>Here's the funny thing. There was a file in the c:\WINNT\microsoftdrivers\etc folder
>called remove.bat. It actually has removal command lines for the trojan. Now...your
>guess is as good as mine as to if it removes everything but after I ran the .bat
>file on my pc all strange activity stopped. To be on the safe side, a harddrive format
>is still in order though. Here are the command lines the .bat file runs:
>
>net stop Network
>net stop indexing
>net stop wlogin
>
>del c:\winnt\microsoftdrivers\etc\*.dll
>del c:\winnt\microsoftdrivers\etc\*.txt
>del c:\winnt\microsoftdrivers\etc\*.xml
>del c:\winnt\microsoftdrivers\etc\*.key
>del c:\winnt\microsoftdriver\etc\*.reg
>del c:\winnt\microsoftdrivers\etc\*.dtd
>del c:\winnt\microsoftdrivers\etc\*.ini
>del c:\winnt\microsoftdrivers\etc\*.bak
>del c:\winnt\microsoftdrivers\etc\*.crt
>del c:\winnt\microsoftdrivers\etc\*deld
>del c:\winnt\microsoftdrivers\etc\start.bat
>del c:\winnt\microsoftdrivers\etc\wget.exe
>del c:\winnt\microsoftdrivers\etc\smss.exe
>del c:\winnt\microsoftdrivers\etc\HIDEAPP.EXE
>del c:\winnt\microsoftdrivers\etc\lsass.exe
>del c:\winnt\microsoftdrivers\etc\rar.exe
>del c:\winnt\microsoftdrivers\etc\fire.reg
>del c:\winnt\microsoftdrivers\etc\my*.*
>del c:\winnt\microsoftdrivers\etc\*.exe
>del c:\winnt\microsoftdrivers\etc\up\goodbye.bat
>del c:\winnt\microsoftdrivers\etc\*.bat
>
>I hope this helps somebody understand some part of this thing...like I said though...I
>would rather know how I got it in the first place. =[
>
- Written in response to:
- re: lsass.exe (toad: Tuesday, December 30, 2003 at 10:39 pm)
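The quoted message lists the things that gave this infection away: a drop directory under the Windows folder, FireDaemon-wrapped services, a Serv-U FTP listener, an IRC connection on port 6667, and copies of smss.exe/lsass.exe running from the wrong place. The following triage script is an added example, not code from the thread, that checks a Windows host for exactly those indicators so the machine can be confirmed and rebuilt rather than cleaned with the trojan's own remove.bat. It assumes a current PowerShell (Get-NetTCPConnection needs Windows 8 / Server 2012 or later), an elevated prompt so process paths resolve, and that the FTP listener sits on port 21 (the thread does not say which port Serv-U used).

```powershell
# Added triage script (not from the thread). Assumes PowerShell 5+ on
# Windows 8+/Server 2012+, run elevated. Port 21 for Serv-U is an assumption.
$dropDir  = Join-Path $env:SystemRoot 'microsoftdrivers\etc'   # c:\WINNT\... on Win2k/XP
$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. The drop directory that remove.bat cleans up, with every file in it
if (Test-Path $dropDir) {
    $findings += "Drop directory present: $dropDir"
    Get-ChildItem $dropDir -Recurse -File | ForEach-Object {
        $findings += ('  {0}  {1} bytes  modified {2}' -f $_.FullName, $_.Length, $_.LastWriteTime)
    }
}

# 2. Services whose binary lives in the drop directory (FireDaemon wraps the
#    bot and FTP binaries as services so they restart with the machine)
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*microsoftdrivers*' } |
    ForEach-Object { $findings += ('Suspicious service: {0} -> {1}' -f $_.Name, $_.PathName) }

# 3. Established IRC connections (remote 6667) or an FTP listener (local 21),
#    each resolved to the image path of the owning process
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq 6667 -or ($_.State -eq 'Listen' -and $_.LocalPort -eq 21) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += ('Connection {0}:{1} -> {2}:{3} ({4}) owned by PID {5} {6}' -f
            $_.LocalAddress, $_.LocalPort, $_.RemoteAddress, $_.RemotePort,
            $_.State, $_.OwningProcess, $proc.Path)
    }

# 4. smss.exe / lsass.exe running from anywhere but System32: the trojan
#    borrows those names, the real ones only ever run from System32
Get-Process -Name smss, lsass -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and -not $_.Path.StartsWith($sys32, 'OrdinalIgnoreCase') } |
    ForEach-Object { $findings += ('Masquerading process: {0} (PID {1})' -f $_.Path, $_.Id) }

if ($findings) { $findings } else { 'No indicators from this thread found.' }
```

Any hit here means the host was under someone else's control; the safe response remains what toad concluded, a wipe and reinstall, with the findings kept as a record of what was running.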