-
February 20th, 2006, 05:14 AM
#1
Member
Could I have a stealthy trojan infecting my system?
Before I begin I must say I am running Win XP Pro SP1.
I suspect that I may be infected with a stealthy malware of some kind and need some expert opinions. Recently I had cleaned my system of some malware that hijacked my DNS and browser. I was unable to identify the virus but assumed the infection was gone since the HijackThis log appeared clean.
Firstly I downloaded and ran RootkitRevealer from SysInternals with the following results:
HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qbjaybnqf\(cp tnzr) Lrgvfcbeg Cneg 1-6 B 2/19/2006 10:41 PM 16 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 12/14/2005 4:52 PM 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 12/14/2005 4:59 PM 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s1 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s2 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\g0 12/14/2005 5:28 PM 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\h0 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 2/11/2006 1:03 AM 0 bytes Hidden from Windows API.
Secondly, inside Documents and Settings I notice a hidden folder, NetworkService.
In the previous few days, after discovering a malware infection, I made several key changes to my system:
I started using Firefox rather than Avant Browser (Internet Explorer)
I uninstalled MS Java and replaced it with the real Sun Java
I downloaded BufferZone for Firefox (some sort of sandbox protection)
I used a free tool, BugOff, from the creator of HijackThis and with it disabled several Internet Explorer weaknesses
I updated SpywareBlaster and SpywareGuard and did both an Ad-Aware and a Spybot scan.
I scanned my system with ewido security suite.
I did an antivirus scan.
I have provided HijackThis logs attached. Please could anyone tell me whether there is a potential rootkit or malware infection.
-
February 20th, 2006, 05:58 AM
#2
Given what I see in the RootkitRevealer report I highly suspect you got a rootkit there... but don't know for sure.
Regarding the NetworkService folder in the docs and settings dir - you should be OK. According to a FAQ on Microsoft's site this is the profile for that built-in user account. See here: http://www.microsoft.com/windowsserv...anage_faq.mspx
Did you look up the behavior of that malware infection you mentioned to see if it typically includes a rootkit? If not I would suggest checking the AV vendor sites for more info.
...or you can save yourself time and wipe and re-install because fully cleaning up after malware these days can be very hard to do! And make sure you put SP2 + all applicable hotfixes so you are totally up-to-date.
-
February 20th, 2006, 01:01 PM
#3
Hmmm,
Did you do all your scans in safe mode? If not, please update your scanners, reboot into safe mode and run them again.
Also get A-squared:
http://www.emsisoft.com/en/software/free/
And get the "NoScript" plug-in for Firefox.
-
February 20th, 2006, 01:12 PM
#4
From your Hijackthis log I found these dubious:
C:\DOCUME~1\sposes\LOCALS~1\Temp\DGQSL.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD10805D-7681-4CD3-85A6-A4891DCD7322}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEEB5C98-3661-4188-B9E2-232D4F01E9DB}: NameServer = 4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F09A0128-2094-49A5-8D6B-306D1C585F56}: NameServer = 127.0.0.1
O23 - Service: DGQSL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\sposes\LOCALS~1\Temp\DGQSL.exe
You might want to remove these too:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
The hidden folder named "NetworkService" in "Documents and Settings" is normal.
Oliver's Law:
Experience is something you don't get until just after you need it.
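The two HijackThis findings in the post above (NameServer entries pointing at 127.0.0.1, and a service claiming to be from Sysinternals but running out of a user's Temp directory) are the kind of thing a reviewer can check mechanically. The following is an added example, not code from the thread or from HijackThis: it parses O17 and O23 lines and flags loopback or unexpected resolvers and service binaries living in user-writable locations. The sample log is the post's lines re-typed plus one invented benign service line; the set of "expected resolvers" is an assumption (in practice it would be the router or ISP addresses the user actually configured).

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample input: the HijackThis O17/O23 lines quoted above, re-typed, plus
# one invented benign O23 line (placeholder service) so the clean path is exercised.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD10805D-7681-4CD3-85A6-A4891DCD7322}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEEB5C98-3661-4188-B9E2-232D4F01E9DB}: NameServer = 4.2.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F09A0128-2094-49A5-8D6B-306D1C585F56}: NameServer = 127.0.0.1
O23 - Service: DGQSL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\sposes\LOCALS~1\Temp\DGQSL.exe
O23 - Service: Example Service - Example Corp - C:\WINDOWS\system32\svchost.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# The vendor field may itself contain " - " (as in "Sysinternals - www.sysinternals.com"),
# so the path is anchored on a drive letter to make the split unambiguous.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+)$")

# Directories a legitimate Windows service binary has no business living in
# (user profile and temporary locations, in both short and long 8.3 forms).
USER_WRITABLE_DIRS = (
    "\\temp\\",
    "\\locals~1\\",
    "\\docume~1\\",
    "\\documents and settings\\",
    "\\local settings\\",
)


def check_o17(line: str, expected_resolvers: Set[str]) -> List[str]:
    """Return the reasons this NameServer entry is suspicious (empty list = fine)."""
    m = O17_RE.match(line)
    if not m:
        return []
    reasons = []
    for raw in re.split(r"[,\s]+", m.group("servers").strip()):
        if not raw:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            reasons.append(f"unparseable NameServer value {raw!r}")
            continue
        if addr.is_loopback:
            # A loopback resolver means something on this host is answering DNS,
            # which is exactly how a search-redirecting DNS hijack works.
            reasons.append(f"NameServer {raw} is loopback: DNS is being answered by something on this host")
        elif raw not in expected_resolvers:
            reasons.append(f"NameServer {raw} is not one of the expected resolvers")
    return reasons


def check_o23(line: str) -> List[str]:
    """Flag a service whose binary lives in a user-writable or temporary directory."""
    m = O23_RE.match(line)
    if not m:
        return []
    low = m.group("path").lower()
    for d in USER_WRITABLE_DIRS:
        if d in low:
            return [f"service '{m.group('name')}' runs from a user-writable/temporary directory ({m.group('path')})"]
    return []


def triage(log: str, expected_resolvers: Set[str]) -> List[Dict[str, str]]:
    """Run both checks over a HijackThis log and collect findings in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line[:3]
        if kind == "O17":
            reasons = check_o17(line, expected_resolvers)
        elif kind == "O23":
            reasons = check_o23(line)
        else:
            reasons = []
        for r in reasons:
            findings.append({"kind": kind, "line": line, "reason": r})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, {"4.2.2.1"}):
        print(f["kind"], "-", f["reason"])
```

With 4.2.2.1 in the expected set the script reports the two loopback NameServer entries and the DGQSL service; with an empty expected set it also reports 4.2.2.1 as an unknown resolver, which is the right behaviour when you do not know what the machine's DNS should be.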
-
February 20th, 2006, 01:36 PM
#5
HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qbjaybnqf\(cp tnzr) Lrgvfcbeg Cneg 1-6 B 2/19/2006 10:41 PM 16 bytes Hidden from Windows API.
http://www.utdallas.edu/~jbs024000/a...lorer_spy.html
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 12/14/2005 4:52 PM 58 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 12/14/2005 4:59 PM 58 bytes Data mismatch between Windows API and raw hive data.
Did you recently uninstall Alcohol? This site may help in completely removing this registry key: http://club.cdfreaks.com/showthread.php?t=76501
You can read this article by Mark Russinovich on Digital Rights and Rootkits: http://www.sysinternals.com/blog/200...t-digital.html
Just a note to end, I would IMHO download Service Pack 2 for WinXP; this service pack and the latest security patches may protect you from this sort of thing.
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
February 21st, 2006, 02:24 AM
#6
Member
I did a few things today. I downloaded A-squared as suggested and scanned. Very interestingly, it identified the following:
C:\GameXP\GameXP.exe\[UPX] -> Win32yfucDldr-AC [Trj]
and traces of Kazaa.
Game XP I have been using for a long time from www.theorica.net but I never ever downloaded Kazaa. I do a Google on DyfucDldr-AC and find nothing, so I remove AC and find not much, and finally Dyfuc comes up blank. What is this thing?
Thanks SirDice, a few of those I was able to account for, such as PCPitstop, a site I use for checking my system status. But others I could not, so I just removed them, thanks.
When I had the malware infection a few days ago, I suspected it was Win32:Small-FB since the file in startup, dmefq.exe, scanned with http://virusscan.jotti.org showed up as Small-FB. I was never able to find a remover so I performed manual cleaning. The problem with DNS redirecting me to search sites vanished.
When I attempted safe mode, a message was displayed to press Esc to cancel loading of SPTD.sys, then the Welcome screen appears, I attempt to type my password and the computer reboots. Cannot get into safe mode. I'll have more work to do.
So I go to Norton's online virus scan, and it comes up empty, no viruses found, and the security check came up with no problems. For RootkitRevealer, dalek kindly identified 3 of the entries; indeed I had Alcohol, but I only drink cola... So the other entries were:
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
And there I see it, SPTD, the same name that cropped up in safe mode. It appears to be SCSI Pass Through Detect, that the darn Daemon Tools left behind. So I find an uninstaller for SPTD and remove it.
Much better, my latest scan on RootkitRevealer:
HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\BufferZone\Virtual\Untrusted\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qb 2/20/2006 12:32 PM 16 bytes Hidden from Windows API.
HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qbjaybnqf\(cp tnzr) Lrgvfcbeg Cneg 1-6 B 2/20/2006 7:18 PM 16 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/20/2006 7:18 PM 80 bytes Data mismatch between Windows API and raw hive data.
So the first two are my new security program BufferZone (sandbox) and the last one:
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Suspicious, is it a Random Number Generator seed value of some sort?
Everything else appears clean now.
One more question: I was hesitant on installing SP2 because of the reported problems with programs, games and port blocking. Are there known workarounds for these problems, or have they already been solved?
MyBox:
Asus P5VDC-MX
Celeron 2.8GHz
512MB DDR 400
WD 250GB SATA
DVD-ROM, CD-RW
Thermaltake 430W PSU
Netgear WGT624 Router
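The RootkitRevealer entries discussed across posts #1, #5 and #6 all turn out to have mundane explanations: the UserAssist value names are ROT13-encoded by Explorer itself (which is why the Windows API view and the raw hive disagree), the sptd keys belong to the Daemon Tools/Alcohol driver, the BufferZone keys are the sandbox's virtualised copies, and HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed is rewritten by CryptoAPI so often that a mismatch between the API read and the raw hive read is a timing artefact, a cause the RootkitRevealer documentation itself lists. The following is an added example, not code from the thread or from Sysinternals: it parses RootkitRevealer's text output, ROT13-decodes UserAssist paths so the operator can read what was run, and sorts each discrepancy into a known-benign bucket or "unexplained". The sample report is the thread's lines re-typed plus one invented file-system line with a placeholder name, so that the unexplained branch runs.

```python
import codecs
import re
from typing import Dict, List

# Constructed sample input: RootkitRevealer lines re-typed from the thread, plus one
# invented file-system line (placeholder name) so the "unexplained" branch is exercised.
SAMPLE_REPORT = r"""
HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qbjaybnqf\(cp tnzr) Lrgvfcbeg Cneg 1-6 B 2/19/2006 10:41 PM 16 bytes Hidden from Windows API.
HKLM\S-1-5-21-73586283-1935655697-839522115-1003\Software\BufferZone\Virtual\Untrusted\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbfrf\Zl Qbphzragf\Qb 2/20/2006 12:32 PM 16 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0 12/14/2005 5:28 PM 4 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/20/2006 7:18 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\system32\drivers\EXAMPLE_placeholder.sys 2/20/2006 7:18 PM 12288 bytes Hidden from Windows API.
"""

# One RootkitRevealer line: <path> <m/d/yyyy h:mm AM|PM> <n> bytes <discrepancy>.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+) bytes "
    r"(?P<desc>.+?)\.?$"
)

# Everything after UserAssist\{GUID}\Count\ is ROT13-encoded by Explorer.
USERASSIST_MARK = re.compile(r"(UserAssist\\\{[0-9A-F-]+\}\\Count\\)(.*)$", re.IGNORECASE)

# Known-benign causes discussed in the thread: (lower-case substring, verdict).
KNOWN = [
    (r"\software\bufferzone\virtual", "BufferZone sandbox virtualised copy of a key"),
    (r"\services\sptd\cfg", "SPTD driver config (Daemon Tools / Alcohol 120%)"),
    (r"\cryptography\rng\seed", "CryptoAPI RNG seed, rewritten constantly: mismatch is a timing artefact"),
]


def decode_userassist(path: str) -> str:
    """Return the path with the ROT13 UserAssist tail decoded, or unchanged if not one."""
    m = USERASSIST_MARK.search(path)
    if not m:
        return path
    return path[:m.start(2)] + codecs.decode(m.group(2), "rot_13")


def classify(path: str) -> str:
    """Map a reported path to a known-benign verdict or mark it for investigation."""
    low = path.lower()
    for needle, verdict in KNOWN:
        if needle in low:
            return verdict
    if USERASSIST_MARK.search(path):
        return "Explorer UserAssist entry (ROT13-obfuscated by Explorer itself; not a rootkit by itself)"
    return "UNEXPLAINED: investigate (compare against an offline scan from a boot CD)"


def triage(report: str) -> List[Dict[str, object]]:
    """Parse every line of a RootkitRevealer report into a decoded, classified record."""
    rows: List[Dict[str, object]] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rows.append({"path": line, "error": "unparsed"})
            continue
        rows.append({
            "path": decode_userassist(m.group("path")),
            "when": m.group("when"),
            "size": int(m.group("size")),
            "discrepancy": m.group("desc"),
            "verdict": classify(m.group("path")),
        })
    return rows


def unexplained(report: str) -> List[str]:
    """Just the paths that no known-benign rule accounts for."""
    return [str(r["path"]) for r in triage(report) if str(r.get("verdict", "")).startswith("UNEXPLAINED")]


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(f'{r.get("verdict", r.get("error"))}\n    {r["path"]}')
```

The decoded first entry reads UEME_RUNPATH:C:\Documents and Settings\sposes\My Documents\Downloads\(pc game) Yetisport Part 1-6 O, i.e. Explorer's record of a game being launched, not anything hidden by a rootkit. The benign-rule list is deliberately short and specific; anything it does not recognise stays in the unexplained bucket, which is where a real hidden driver or file would land and where the offline comparison the thread ends up recommending (a boot disk) is the next step.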
-
February 21st, 2006, 04:19 AM
#7
Member
Also, is it possible a rootkit has disabled my ability to start in safe mode?
-
February 23rd, 2006, 10:35 PM
#8
Member
I have gone ahead, did a reformat, and upgraded to SP2. I have also done more research on rootkits and rediscovered an old friend, Bart's PE boot disk. I have created a new boot disk with new tools and am now learning about hooks and how rootkits hide. I thank everyone who helped me with this problem.