Windows XP SP2 Firewall, Shields UP Test, Recent Infection from a 'Nhatquanglan' malware

Discussion in 'malware problems & news' started by freakish, Aug 22, 2007.

Thread Status:
Not open for further replies.
  1. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    I use Windows XP SP2 Firewall together with AVG Antispyware, Windows Defender and Avast (network shield enabled). All of these programs have their real-time scanning and automatic updates enabled.

    The problem is my system got infected with a certain 'Nhatquanglan' ( http://pleaselightmyfire.blogspot.com/2007/08/nhatquanghlan-update.html , http://www.google.com/search?q=nhat...z5&lr=lang_en&sa=X&oi=lrtip&ct=restrict&cad=7 ) malware (spreads through removable USB drives) (this was before I activated Windows Defender and AVG Antispyware) which disables the WinXP SP2 firewall, among other things. Avast was able to detect parts of the malware from installing but not all, as Windows Defender and A-squared free have been able to detect more malware on my system. I have recently cleaned my system by running full scans with recently updated definitions of A-squared, Windows Defender, Avast, AVG Antispyware, Ad-Aware 2007 and Spybot, and they found my system to be clean. I have also now enabled Windows Firewall and restored the firewall settings to default.

    I have also removed all traces of Nhatquanglan from my system by manual deletion, AutoRuns and HiJackThis (I am still attaching my HiJackThis log file for reference, in case I missed something). View attachment hijackthis.txt

    My system is now running fine and I don't see any of the previous effects of the virus (system slowdown; Task Manager, Folder Options and registry editing disabled; flash disks inserted get infected).

    However, when I check my Firewall's settings in Shields Up using the Opera browser ( https://www.grc.com/ ) I get these results:

    Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

    Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

    Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

    Port   Service   Status    Security Implications
    0      <nil>     Closed    Your computer has responded that this port exists but is currently closed to connections.
    21     FTP       Stealth   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
    22     SSH       Closed    Your computer has responded that this port exists but is currently closed to connections.
    23     Telnet    Stealth   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
    25     SMTP      Closed    Your computer has responded that this port exists but is currently closed to connections.
    79     Finger    Closed    Your computer has responded that this port exists but is currently closed to connections.
    80     HTTP      Stealth   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
    110    POP3      Closed    Your computer has responded that this port exists but is currently closed to connections.
    113    IDENT     Closed    Your computer has responded that this port exists but is currently closed to connections.
    119    NNTP      Closed    Your computer has responded that this port exists but is currently closed to connections.
    135    RPC       Closed    Your computer has responded that this port exists but is currently closed to connections.
    139    NetBIOS   Closed    Your computer has responded that this port exists but is currently closed to connections.
    143    IMAP      Closed    Your computer has responded that this port exists but is currently closed to connections.
    389    LDAP      Closed    Your computer has responded that this port exists but is currently closed to connections.
    443    HTTPS     Closed    Your computer has responded that this port exists but is currently closed to connections.
    445    MSFT DS   Closed    Your computer has responded that this port exists but is currently closed to connections.
    1002   ms-ils    Closed    Your computer has responded that this port exists but is currently closed to connections.
    1024   DCOM      Closed    Your computer has responded that this port exists but is currently closed to connections.
    1025   Host      Closed    Your computer has responded that this port exists but is currently closed to connections.
    1026   Host      Closed    Your computer has responded that this port exists but is currently closed to connections.
    1027   Host      Closed    Your computer has responded that this port exists but is currently closed to connections.
    1028   Host      Closed    Your computer has responded that this port exists but is currently closed to connections.
    1029   Host      Closed    Your computer has responded that this port exists but is currently closed to connections.
    1030   Host      Closed    Your computer has responded that this port exists but is currently closed to connections.
    1720   H.323     Closed    Your computer has responded that this port exists but is currently closed to connections.
    5000   UPnP      Closed    Your computer has responded that this port exists but is currently closed to connections.
    ---
    end of shields up test

    My concern is whether this is the normal reply of a Windows XP SP2 system with Windows Firewall enabled and automatic updates enabled, or whether the malware has edited my firewall settings (which I had already restored to their default settings via Control Panel->Windows Firewall->Advanced->Restore Defaults).

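A small added example (not from the thread or from GRC) that parses a port report in the format quoted above and groups the rows by status. It is worth remembering what the statuses mean: "Closed" means the host's TCP stack answered the probe with a reset, so the packet reached the machine and nothing dropped it; "Stealth" means the probe got no reply at all, which is what a firewall that silently drops unsolicited inbound traffic produces. The sample rows are constructed, and the "Open" row is included only to exercise that branch.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Shields UP port table quoted in the
# post (a subset of the rows; the Open row is made up to exercise that case).
SAMPLE_REPORT = """
0 <nil> Closed Your computer has responded that this port exists but is currently closed to connections.
21 FTP Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
22 SSH Closed Your computer has responded that this port exists but is currently closed to connections.
23 Telnet Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
80 HTTP Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
135 RPC Closed Your computer has responded that this port exists but is currently closed to connections.
139 NetBIOS Closed Your computer has responded that this port exists but is currently closed to connections.
445 MSFT DS Closed Your computer has responded that this port exists but is currently closed to connections.
5000 UPnP Open Your computer accepted a connection on this port.
"""

# port number, service name (may contain a space, e.g. "MSFT DS"), status word
ROW = re.compile(r"^(\d+)\s+(.+?)\s+(Open|Closed|Stealth)\b", re.IGNORECASE)


def parse_report(text):
    """Return {port: (service, status)} for every table row found in text."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[int(m.group(1))] = (m.group(2), m.group(3).capitalize())
    return rows


def assess(rows):
    """Group ports by status and say what the mix implies about the host firewall."""
    by_status = defaultdict(list)
    for port, (_service, status) in sorted(rows.items()):
        by_status[status].append(port)
    if by_status["Open"]:
        verdict = "listening service reachable from the Internet; the firewall is not blocking it"
    elif by_status["Closed"] and by_status["Stealth"]:
        verdict = ("mixed: the host answers RST on some ports, so its own firewall is not dropping "
                   "inbound; the Stealth ports are most likely filtered upstream (e.g. by the ISP)")
    elif by_status["Closed"]:
        verdict = "host answers every probe with RST: no drop-style firewall is in front of it"
    else:
        verdict = "all probed ports dropped: consistent with a firewall blocking unsolicited inbound"
    return {"open": by_status["Open"], "closed": by_status["Closed"],
            "stealth": by_status["Stealth"], "verdict": verdict}
```

Running `assess(parse_report(...))` over a report like the one in the post shows why the mixed pattern is the interesting one: a host firewall configured to drop would not leave most ports in "Closed".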
     
  2. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Just to check, go through Security Center to open the firewall... in advanced settings there is a "Restore Defaults"; click that and see if that makes a difference.
     
  3. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    I already did that before doing the Shields UP Test.

    Are these supposed to be the results of Windows XP SP2 Firewall? Or are these my ISP's settings?
     