
Identity Theft


1 reply to this topic

#1 AtlanticShores

AtlanticShores

  • Members
  • 2 posts

Posted 28 November 2007 - 07:43 PM

I have tried to mark in bold the identifying characteristics of a computer botnet that has taken over this system. If you are not familiar with the term, Google it. "Zombie net" is another term.

First clue: Second line of your log, "WinNT 5.01.2600". That is a NETWORK operating system -- not XP, and this computer is a workstation of an identity theft perp. The system is hidden, but it can be unhidden under the "view files" features in Windows.

"lsasse.exe" is a backdoor worm which allows the network operator complete control of your system, mines for passwords, identity information, deletes and replaces files -- a very critical one to find in a system. Google it as well as all other processes on start up.

This particular operator exploits IRC channels, incorporating MSN messenger and other chat systems to run in the background. He mines the desktop as well and attaches spyware tools as browser helpers to IE. He collects credit card numbers, bank account numbers, etc. So you can figure out what the purpose is of this network.

Because when this botnet is installed the remote "Administrator" keeps full control over the system, you cannot delete system files without their coming back. Any reinstall of your operating system will be subordinate to the master Network. If you try to remove any of the critical worms and trojans like "lsasse.exe", your system will crash and you will have to reboot. Your memory should also be filling up.

I recognize this program because two of my computers were hit. I have found other victims among those who were on my email list and now, all over the Net. I got hit July 20 and have spent a lot of time analyzing the system and its processes. I found the DNS-1 log which shows the attempted reinstall/restore of my operating system -- and that Network system overriding each and every process.

If you also run WinUtilities, it will clearly disclose your machine is in a network and a workstation now.
It will report autoexec.bat and config.sys files as = "0" bytes. The program configuring your system is now "Config.NT".

I have tried to bold some of the tell-tale signs of this network on your HJT log. These are not all the features, the processes he installs, but some highlights. Check out the address of the server you are routed through, "166.102.165.11", to see if that is the ISP you signed up with. I have located the primary one this network runs through, a host in the Mid-Atlantic. It appears this particular program is being used by several botherders, all across the globe.

Despite my unhiding the system files of this network, one of the diagnostic programs I ran reported 452 "super hidden" files, suggesting that in addition to Network, this perp also installed a rootkit.

What to do? Well, there is no way you can remove this network operating system by just attempting to delete files or reinstalling your OS. You will need to wipe your drive. My suggestion would be to save your data -- copy your folders to another media, then have your drive wiped -- with a magnet.

Sorry to be the bearer of bad news, but better you know and how to cure.

I get messages that tell me IE cannot display a page; the server cannot be found; I am denied access to a site (most likely because the site requires users to register; I check, and no registration is required); I am not online, when I am; IE has experienced an internal problem and will close; or IE cannot open the internet site and the operation is aborted -- even though I am at the site at the time.

The most recent boondoggle occurs when I save pictures to a documents file and am asked to choose which file I want to use to open it. I choose IE and it opens.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:45 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Customer\My Documents\My Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: QuickLink Mobile.lnk = C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A2262AF-F361-45E2-A13D-57E8F5079DEC}: NameServer = 166.102.165.11 166.102.165.13

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 5047 bytes

Thanks for the help.




#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,502 posts
  • Gender:Male
  • Location:USA

Posted 29 November 2007 - 01:55 PM

[quote]First clue: Second line of your log, "WinNT 5.01.2600". That is a NETWORK operating system -- not XP, and this computer is a workstation of an identity theft perp. The system is hidden, but it can be unhidden under the "view files" features in Windows.[/quote]

Totally false. That is the version number of your updated windows. It should be that number!


[quote]"lsasse.exe" is a backdoor worm which allows the network operator complete control of your system, mines for passwords, identity information, deletes and replaces files -- a very critical one to find in a system. Google it as well as all other processes on start up.[/quote]

Lsasse.exe could very well be a backdoor worm. There is, though, a perfectly legitimate C:\Windows\System32\lsass.exe file. Make sure you are comparing the spellings correctly.


[quote]If you also run WinUtilities, it will clearly disclose your machine is in a network and a workstation now.
It will report autoexec.bat and config.sys files as = "0" bytes. The program configuring your system is now "Config.NT".[/quote]

Almost all installations of XP and Vista have zeroed-out autoexec.bat and config.sys files. They are just not used anymore. I have them, and all my VMware test boxes have them.

As for Config.nt, this is the standard practice now. Nothing suspicious here.


[quote]I have tried to bold some of the tell-tale signs of this network on your HJT log. These are not all the features, the processes he installs, but some highlights. Check out the address of the server you are routed through, "166.102.165.11", to see if that is the ISP you signed up with. I have located the primary one this network runs through, a host in the Mid-Atlantic. It appears this particular program is being used by several botherders, all across the globe.[/quote]

These are DNS servers, not gateways your traffic is going through. Though DNS servers can return wrong information used by Malware infections, this one looks pretty legit.


[quote]Despite my unhiding the system files of this network, one of the diagnostic programs I ran reported 452 "super hidden" files, suggesting that in addition to Network, this perp also installed a rootkit.[/quote]

Not necessarily. Could be folder.htt or desktop.ini files that are supposedly "super hidden".


As for the bolded log items:


[quote]C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe[/quote]

These are all legitimate Windows files.


[quote]C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe[/quote]

Perfectly valid windows live messenger files.


[quote]O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll[/quote]

Windows Live sign in tool. Perfectly legit.


[quote]O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background[/quote]

The actual Windows Live Messenger executable. Perfectly legit.

[quote]C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')[/quote]

Normal. HijackThis is reading from other profiles.

[quote]O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe[/quote]

IE menu options for Sun JAVA JRE, IE Connection Diagnostics, and Windows Live Messenger. All legit.

[quote]O17 - HKLM\System\CCS\Services\Tcpip\..\{2A2262AF-F361-45E2-A13D-57E8F5079DEC}: NameServer = 166.102.165.11 166.102.165.13[/quote]

TCP/IP is configured with static DNS. The ip addresses are not known malware ones.

I have to say that I find all your evidence to be false. Everything you are pointing out consists of legitimate files and entries found on a computer, and I sorely suggest that no one act upon the information given in this topic. I would tell whoever provided this info to you that they need to do more research before making these outrageous statements.
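One way to make the two checks Grinler describes mechanical, as an added example that is not Grinler's code and not anything shipped with HijackThis: compare each running-process name against the spelling and location of the real System32 binaries (so lsasse.exe is flagged while lsass.exe is not), and read the O17 entries as DNS resolvers to verify against your ISP rather than as a gateway. The core-process list, the System32 path and the edit-distance threshold are assumptions made for this example; the sample log reuses lines from this thread's log plus two constructed lines (a lsasse.exe and a svchost.exe outside System32), marked as constructed in the code.

```python
"""Triage the "Running processes" and O17 lines of a HijackThis log.

Added example for this thread, not Grinler's or HijackThis's own code. It makes
two assumptions: a small set of core Windows binaries that belong only in
%SystemRoot%\\System32, and an edit-distance threshold of 2 for "lookalike"
names (enough to catch lsasse.exe next to lsass.exe). Two log lines are
constructed for demonstration and marked as such; they are not in the thread's log.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Assumption: XP-era core processes that must live in System32 (not exhaustive).
CORE_SYSTEM32 = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
SYSTEM32 = r"c:\windows\system32"   # assumption: default %SystemRoot% on XP
LOOKALIKE_MAX_DISTANCE = 2

# Constructed sample: real lines from the thread's log plus two fabricated ones.
SAMPLE_LOG_LINES = [
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\PROGRA~1\Grisoft\AVG7\avgcc.exe",
    r"C:\Program Files\Windows Live\Messenger\msnmsgr.exe",
    r"C:\WINDOWS\system32\lsasse.exe",  # CONSTRUCTED: one-letter lookalike of lsass.exe
    r"C:\WINDOWS\svchost.exe",          # CONSTRUCTED: core name outside System32
    "",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2A2262AF-F361-45E2-A13D-57E8F5079DEC}: "
    r"NameServer = 166.102.165.11 166.102.165.13",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def running_processes(log: str) -> list[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    lines = log.splitlines()
    if "Running processes:" not in lines:
        return []
    start = lines.index("Running processes:") + 1
    paths = []
    for line in lines[start:]:
        if not line.strip():
            break
        paths.append(line.strip())
    return paths


def nameservers(log: str) -> list[str]:
    """Resolver addresses from O17 NameServer entries.

    These are DNS servers the box queries, not a gateway the traffic passes
    through; the check to make is whether they belong to your ISP.
    """
    found = []
    for m in re.finditer(r"NameServer\s*=\s*([\d. ]+)", log):
        found.extend(m.group(1).split())
    return found


def classify(path: str) -> str | None:
    """Verdict for one process path, or None if nothing stands out."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in CORE_SYSTEM32:
        # Exact core name: the only question is whether it runs from System32.
        return None if parent == SYSTEM32 else "core name outside System32"
    closest = min(CORE_SYSTEM32, key=lambda core: levenshtein(name, core))
    if levenshtein(name, closest) <= LOOKALIKE_MAX_DISTANCE:
        return f"lookalike of {closest}"
    return None


def triage(log: str) -> list[tuple[str, str]]:
    """(path, verdict) for every running process worth a second look."""
    return [(path, verdict) for path in running_processes(log)
            if (verdict := classify(path)) is not None]


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:30} {path}")
    print("DNS resolvers (O17):", ", ".join(nameservers(SAMPLE_LOG)))
```

Run against the sample, only the two constructed lines come back: the genuine lsass.exe, winlogon.exe and services.exe in System32 are silent, which is the point of checking spelling and directory together rather than reacting to a familiar-looking name. The O17 addresses are returned for you to compare with what your ISP hands out; the script does not try to judge them.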



