Am I infected with a rootkit?
I have an unpleasant feeling that my PC is infected with a rootkit. It may be nothing, or just an illusion, but I have had some strange feelings since last week, when I had to fight all the malware installed on my friend's PC.
First of all, several services appeared on my PC with random names and with executables located in a temporary directory. Those services don't appear when using "sc.exe query", but they do appear when queried by their specific name:
C:\WINDOWS\system32\dllcache>sc query JF

SERVICE_NAME: JF
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
I found two other services like this one: LMOJ and VHEWBJQU. Fortunately their executables were in a temp folder that was cleaned a long time ago, and the services didn't start, so I deleted their entries in the registry:
C:\WINDOWS\system32\dllcache>sc delete JF
[SC] DeleteService SUCCESS

C:\WINDOWS\system32\dllcache>sc delete LMOJ
[SC] DeleteService SUCCESS

C:\WINDOWS\system32\dllcache>sc delete VHEWBJQU
[SC] DeleteService SUCCESS
But I am still a bit puzzled about what was installed on my system…
Sysinternals RootkitRevealer doesn't see anything wrong, and my antivirus doesn't say anything. However, I managed to install an integrity checker (which uses CRCs and dynamically checks the running executables) that frequently tells me that some binaries have a modified CRC. Very strange, and I don't like that.
If anybody has any clues, I would appreciate them, since I'm a bit stuck with this one.
SUMMARY: A small problem with a rootkit that may be installed on my PC and that I can't manage to detect. If a charitable soul would like to suggest a few ideas, I'm all ears.
Bruno Kerouanton on December 14th 2006 in IT Security
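Editor's note with an added example (not code from the original post). Two facts worth knowing when reading the output above: `sc query` with no arguments lists only active services, so a STOPPED service not showing up there is expected rather than a sign of hiding (use `sc query state= all`), and WIN32_EXIT_CODE 1077 is ERROR_SERVICE_NEVER_STARTED, i.e. the service has not been started since the last boot. The script below automates the hunt the author did by hand: it parses `sc query state= all` and `sc qc <name>` output, and flags services whose binary sits under a temp directory, is missing from disk, or whose name is an all-caps string with no descriptive display name. The sample outputs embedded in it are constructed, not real captures; the temp-directory markers and the all-caps-name rule are my own heuristics; the live path runs only on Windows.

```python
"""Flag stopped, randomly named services whose binary lives in a temp folder
or is gone, using sc.exe output.  Added example, not from the original post.
The SAMPLE_* texts are constructed to look like sc.exe output (not captures)."""
import os
import re
import subprocess
import sys

# Constructed sample of `sc query type= service state= all` (not a real capture).
SAMPLE_QUERY = r"""
SERVICE_NAME: JF
DISPLAY_NAME: JF
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""

# Constructed samples of `sc qc <name>` for the two services above.
SAMPLE_QC = {
    "JF": r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: JF
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\DOCUME~1\user\LOCALS~1\Temp\jf.exe
        DISPLAY_NAME       : JF
        SERVICE_START_NAME : LocalSystem
""",
    "Spooler": r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\spoolsv.exe
        DISPLAY_NAME       : Print Spooler
        SERVICE_START_NAME : LocalSystem
""",
}

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")          # heuristic: assumed temp dirs
RANDOM_NAME = re.compile(r"^[A-Z]{2,10}$")      # heuristic: JF, LMOJ, VHEWBJQU


def parse_sc_query(text):
    """Map SERVICE_NAME -> state word (STOPPED, RUNNING, ...) from `sc query`."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"^\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and current:
            services[current] = m.group(1)
    return services


def parse_sc_qc(text):
    """Map the 'FIELD : value' lines of `sc qc` output to a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def binary_from_path(image_path):
    """Extract the executable from BINARY_PATH_NAME, dropping quotes/arguments."""
    p = image_path.strip()
    if p.startswith('"') and p.find('"', 1) > 0:
        return p[1:p.find('"', 1)]
    m = re.match(r"^(.*?\.exe)", p, re.IGNORECASE)
    return m.group(1) if m else p.split(" ")[0]


def assess(name, state, qc, exists=os.path.exists):
    """Return the reasons a service looks suspicious (empty list if none)."""
    reasons = []
    exe = binary_from_path(qc.get("BINARY_PATH_NAME", ""))
    if RANDOM_NAME.match(name) and qc.get("DISPLAY_NAME", "") == name:
        reasons.append("all-caps name with no descriptive display name (heuristic)")
    if any(t in exe.lower() for t in TEMP_MARKERS):
        reasons.append("binary lives under a temp directory: " + exe)
    if exe and not exists(exe):
        reasons.append("binary missing on disk: " + exe)
    if reasons and state == "STOPPED" and qc.get("START_TYPE", "").endswith("AUTO_START"):
        reasons.append("AUTO_START service that is not running (start failed?)")
    return reasons


def scan(query_text, qc_texts, exists=os.path.exists):
    """Run assess() over every service in the SCM view; returns {name: reasons}."""
    findings = {}
    for name, state in parse_sc_query(query_text).items():
        reasons = assess(name, state, parse_sc_qc(qc_texts.get(name, "")), exists)
        if reasons:
            findings[name] = reasons
    return findings


def sc(*args):
    """Run sc.exe and return its stdout (Windows only)."""
    return subprocess.run(["sc", *args], capture_output=True, text=True).stdout


if __name__ == "__main__":
    if sys.platform == "win32":
        # plain `sc query` lists only running services, hence state= all
        query = sc("query", "type=", "service", "state=", "all")
        found = scan(query, {n: sc("qc", n) for n in parse_sc_query(query)})
    else:  # offline demo on the constructed samples; only C:\WINDOWS "exists"
        found = scan(SAMPLE_QUERY, SAMPLE_QC,
                     lambda p: p.lower().startswith("c:\\windows\\"))
    for name, reasons in found.items():
        print(name, *("  - " + r for r in reasons), sep="\n")
```

On a live box the natural next step is a cross-view check: enumerate the subkeys of HKLM\SYSTEM\CurrentControlSet\Services that carry an ImagePath and compare that set with what `sc query type= all state= all` returns; a registry entry the Service Control Manager will not admit to is a stronger hiding indicator than anything this script flags on its own.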
Nico responded on 17 Dec 2006 at 17:27 #
Have you tried F-Secure's BlackLight (still a free beta for a couple of weeks)?
http://www.f-secure.com/blacklig...
Nico.
Bruno Kerouanton responded on 28 Jan 2007 at 9:11 #
Sorry Nico, your comment was tagged as spam and I didn't see it until now! Thanks for the link; I wasn't aware F-Secure provided this anti-rootkit removal tool. Good news: the trial period has been extended up to April 2007. There are two versions of this software, GUI or CLI mode, very nice. About the results, I may have been a little too paranoid, since it didn't find any rootkits on my PC (nor did Sysinternals' RootkitRevealer or my manual searches).