Thread: Could I have a stealthy trojan infecting my system

  1. #1
    Member, Canada (joined Feb 2006, 58 posts)

    Could I have a stealthy trojan infecting my system

    Before I begin I must say I am running Win XP Pro SP1.

    I suspect that I may be infected with stealthy malware of some kind and need some expert opinions. Recently I had cleaned my system of some malware that hijacked my DNS and browser. I was unable to identify the virus but assumed the infection was gone since the HijackThis log appeared clean.

    Firstly, I downloaded and ran RootkitRevealer from Sysinternals with the following results:

    HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qbjaybnqf\(cp tnzr) Lrgvfcbeg Cneg 1-6 B 2/19/2006 10:41 PM 16 bytes Hidden from Windows API.
    HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 12/14/2005 4:52 PM 58 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 12/14/2005 4:59 PM 58 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s1 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s2 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\g0 12/14/2005 5:28 PM 32 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\h0 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 2/11/2006 1:03 AM 0 bytes Hidden from Windows API.

    Secondly, inside Documents and Settings I notice a hidden folder, NetworkService.

    In the previous few days after discovering a malware infection I made several key changes to my system:

    I started using Firefox rather than Avant Browser (Internet Explorer)
    I uninstalled MS Java and replaced it with the real Sun Java
    I downloaded BufferZone for Firefox (some sort of sandbox protection)
    I used a free tool, BugOff, from the creator of HijackThis and with it disabled several Internet Explorer weaknesses
    I updated SpywareBlaster and SpywareGuard and did both an Ad-Aware and a Spybot scan.
    I scanned my system with ewido security suite.
    I did an antivirus scan.

    I have provided HijackThis logs (attached). Please could anyone tell me whether there is a potential rootkit or malware infection?

  2. #2
    Given what I see in the RootkitRevealer report I highly suspect you've got a rootkit there... but I don't know for sure.

    Regarding the NetworkService folder in the Documents and Settings dir: you should be OK. According to a FAQ on Microsoft's site this is the profile for that built-in user account. See here: http://www.microsoft.com/windowsserv...anage_faq.mspx

    Did you look up the behavior of that malware infection you mentioned to see if it typically includes a rootkit? If not, I would suggest checking the AV vendor sites for more info.

    ...or you can save yourself time and wipe and re-install, because fully cleaning up after malware these days can be very hard to do! And make sure you put on SP2 + all applicable hotfixes so you are totally up to date.

  3. #3
    nihil, Senior Member, United Kingdom: Bridlington (joined Jul 2003, 17,188 posts)

    Hmmm,

    Did you do all your scans in safe mode? If not, please update your scanners, reboot into safe mode and run them again.

    Also get A-squared:

    http://www.emsisoft.com/en/software/free/

    And get the "NoScript" plug-in for Firefox.

  4. #4
    Just Another Geek, Rotterdam, Netherlands (joined Jul 2002, 3,401 posts)

    From your HijackThis log I found these dubious entries:

    C:\DOCUME~1\sposes\LOCALS~1\Temp\DGQSL.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BD10805D-7681-4CD3-85A6-A4891DCD7322}: NameServer = 127.0.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BEEB5C98-3661-4188-B9E2-232D4F01E9DB}: NameServer = 4.2.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F09A0128-2094-49A5-8D6B-306D1C585F56}: NameServer = 127.0.0.1
    O23 - Service: DGQSL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\sposes\LOCALS~1\Temp\DGQSL.exe

    You might want to remove these too:
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

    The hidden folder named "NetworkService" in "Documents and Settings" is normal.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    dalek, The ******* Shadow (joined Sep 2005, 1,564 posts)

    HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qbjaybnqf\(cp tnzr) Lrgvfcbeg Cneg 1-6 B 2/19/2006 10:41 PM 16 bytes Hidden from Windows API.
    http://www.utdallas.edu/~jbs024000/a...lorer_spy.html

    HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 12/14/2005 4:52 PM 58 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 12/14/2005 4:59 PM 58 bytes Data mismatch between Windows API and raw hive data.
    Did you recently uninstall Alcohol? This site may help in completely removing this registry key: http://club.cdfreaks.com/showthread.php?t=76501

    You can read this article by Mark Russinovich on Digital Rights and Rootkits: http://www.sysinternals.com/blog/200...t-digital.html

    Just a note to end, I would IMHO download Service Pack 2 for Win XP; this service pack and the latest security patches may protect you from this sort of thing.
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  6. #6
    Member, Canada (joined Feb 2006, 58 posts)

    I did a few things today: I downloaded A-squared as suggested and scanned. Very interestingly, it identified the following:

    C:\GameXP\GameXP.exe\[UPX] -> Win32yfucDldr-AC [Trj]
    and traces of Kazaa

    Game XP I have been using for a long time from www.theorica.net, but I never ever downloaded Kazaa. I do a Google on DyfucDldr-AC and find nothing, so I remove AC and find not much, and finally Dyfuc comes up blank. What is this thing?

    Thanks SirDice, a few of those I was able to account for, such as PCPitstop, a site I use for checking my system status. But others I could not, so I just removed them, thanks.

    When I had the malware infection a few days ago, I suspected it was Win32:Small-FB since the file in startup, dmefq.exe, scanned with http://virusscan.jotti.org showed up as Small-FB. I was never able to find a remover so I performed manual cleaning. The problem with DNS redirecting me to search sites vanished.

    When I attempted safe mode, a message was displayed to press Esc to cancel loading of SPTD.sys, then the Welcome screen appears; I attempt to type my password and the computer reboots. Cannot get into safe mode. I'll have more work to do.

    So I go to Norton's online virus scan, and it comes up empty: no viruses found, and the security check came up with no problems. For RootkitRevealer, dalek kindly identified 3 of the entries; indeed I had Alcohol, but I only drink cola... So the other entries were:

    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.

    And there I see it, SPTD, the same name that cropped up in safe mode. It appears to be SCSI Pass Through Detect, that the darn Daemon Tools left behind. So I find an uninstaller for SPTD and remove it.

    Much better, my latest scan on RootkitRevealer:

    HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\BufferZone\Virtual\Untrusted\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qb 2/20/2006 12:32 PM 16 bytes Hidden from Windows API.
    HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qbjaybnqf\(cp tnzr) Lrgvfcbeg Cneg 1-6 B 2/20/2006 7:18 PM 16 bytes Hidden from Windows API.
    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/20/2006 7:18 PM 80 bytes Data mismatch between Windows API and raw hive data.

    So the first two are my new security program BufferZone (sandbox) and the last one:

    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed

    Suspicious; is it a random number generator seed value of some sort?

    Everything else appears clean now.

    One more question: I was hesitant about installing SP2 because of the reported problems with programs, games and port blocking. Are there known workarounds for these problems, or have they already been solved?

    MyBox:

    Asus P5VDC-MX
    Celeron 2.8GHz
    512MB DDR 400
    WD 250GB SATA
    DVD-ROM, CD-RW
    Thermaltake 430W PSU
    Netgear WGT624 Router
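
A way to triage a RootkitRevealer report like the ones quoted in posts #1 and #6, added here as an example and not code from the thread or from Sysinternals: it parses each output line, ROT13-decodes the UserAssist value names (Explorer's run history, which is what the "HRZR_EHACNGU" entry in post #1 turns out to be) and marks the entries the thread explained (sptd, BufferZone, the RNG seed) as benign so that anything left over stands out. The PLACEHOLDER_UNKNOWN service line in the sample is constructed to show the unexplained case.

```python
import codecs
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in RootkitRevealer's output format: three lines quoted in this
# thread plus one invented, obviously named entry (a placeholder, not a real indicator).
SAMPLE_REPORT = r"""
HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qbjaybnqf\(cp tnzr) Lrgvfcbeg Cneg 1-6 B 2/19/2006 10:41 PM 16 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/20/2006 7:18 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\PLACEHOLDER_UNKNOWN\ImagePath 2/20/2006 7:18 PM 44 bytes Hidden from Windows API.
"""
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
                     r"(?P<size>\d+) bytes (?P<desc>.+)$")
# Benign explanations the thread arrives at (sptd, BufferZone) plus one well-known
# RootkitRevealer artifact: CryptoAPI rewrites RNG\Seed constantly, so an API-vs-raw-hive
# mismatch on that value is expected. Keys are matched case-insensitively as substrings.
KNOWN_BENIGN = {
    r"\services\sptd\cfg": "sptd driver left by Daemon Tools; uninstall it if unused",
    r"\software\bufferzone\virtual\untrusted": "BufferZone sandbox's virtualised registry",
    r"\cryptography\rng\seed": "CryptoAPI RNG seed, rewritten constantly",
}

@dataclass
class Finding:
    path: str
    when: str
    size: int
    desc: str
    decoded: Optional[str]  # ROT13-decoded UserAssist value name, when applicable
    verdict: str

def parse_line(line: str) -> Finding:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised RootkitRevealer line: {line!r}")
    path, decoded = m["path"], None
    if "\\userassist\\" in path.lower():
        # Explorer keeps its "recently run" history ROT13-encoded under
        # UserAssist\{GUID}\Count, e.g. UEME_RUNPATH:<program that was launched>.
        decoded = codecs.decode(path.rsplit("\\Count\\", 1)[1], "rot_13")
        verdict = "benign: Explorer run history; confirm you recognise the program"
    else:
        why = next((w for frag, w in KNOWN_BENIGN.items() if frag in path.lower()), None)
        verdict = "benign: " + why if why else "UNEXPLAINED: investigate"
    return Finding(path, m["when"], int(m["size"]), m["desc"], decoded, verdict)

def triage(report: str) -> List[Finding]:
    return [parse_line(l) for l in report.splitlines() if l.strip()]
```

Call triage() on the text of a saved RootkitRevealer report and review every Finding whose verdict is not "benign"; a decoded UserAssist entry naming a program you never ran is itself worth a closer look.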

  7. #7
    Member, Canada (joined Feb 2006, 58 posts)

    Also, is it possible a rootkit has disabled my ability to start in safe mode?

  8. #8
    Member, Canada (joined Feb 2006, 58 posts)

    I have gone ahead, did a reformat, and upgraded to SP2. I have also done more research on rootkits and rediscovered an old friend, Bart's PE boot disk. I have created a new boot disk with new tools and am now learning about hooks and how rootkits hide. I thank everyone who helped me with this problem.
