What a knightmare..


Right, it's not a fantasy or a dream knightmare; it actually happened a few minutes ago and I decided to jot it down here on Blogger.

So recently I've been using the comp for quite a while after the post-year exam, and I did not realize there was a ROOTKIT buried inside my 10 year old comp.

Well, the story begins when I checked on the task manager and saw that I always had internet activity no matter how I stopped all the services on Windows (Windows Update or 3rd party software). At first I thought it was the usual pinging from Windows to certain sites to maintain keep-alive connections of some sort. But those small pings aren't exactly small; they are not small bursts either, their pattern is a continuous sending and receiving of packets, which made me uneasy.
I ignored it.

Then yesterday the internet from my comp started to fail completely (Google took 20 secs to load), so I checked on task manager. Holy shit, what I found was all the red lines plotted on the graph; at that time I knew something was really, really wrong (it was as if it was streaming/uploading data to somewhere else at the maximum of my internet bandwidth).

And hell yeah, that worried me to the bones. I had disabled McAfee at that time, I did not use ZoneAlarm, and I had also disabled all the default Windows defence systems (firewall, etc.) because I thought I could handle viruses well (common sense is the best organic anti-virus). I was hell worried; nothing could tell me what the heck was sending my hard drive to someone else.

I tried to trace the faulty program from task manager (highest CPU usage) and found all the processes were obedient and quiet, apart from taskman.exe, duh. Gahh, then the highest VM or RAM usage programs, and I can't seem to find anything suspicious.

Then I remembered the cmd prompt. I used the netstat -o command and found the culprit from the process id (the whole analysis was bombarded by a single process id, 1207, on the net traffic). I thought I had hit the jackpot, but I found no freakin' 1207 in the process list. That baffled me, but I suspected it must be a hidden rootkit somewhere, and I knew I was already halfway into the whole situation.

I had to use some kind of software which does not fetch the process list from the query API, so I used HiddenFinder to trace the 1207 (I used my phone to download the software and installed it via USB).

Then to my surprise, HiddenFinder DID find one hidden process, and its process id was identical to the one from netstat, which proved me right: apparently svchost.exe was the one behind all this.

svchost.exe are processes which manage your drivers (sound, graphics, spool) and a whole host of networking crap. What I knew was that this svchost.exe was a rootkit/backdoor masked as a... well, 'hidden' legitimate Windows process.

I tried to circumvent it with McAfee; hell no, it does not even detect anything (except for a false detection in the QUARANTINE folder), even with the latest virus definitions. Then I had to use ZoneAlarm to control the internet traffic.

When I engaged internet lock, ZoneAlarm effectively blocked all the incoming and outbound traffic and caught quite a few requests (think thousands of requests in under a minute). Apparently it was contacting mostly Russian servers. "Generic Host Process for Win32 services ......" and there it is, my hypothesis was proved correct.

_____________________________________________________________

Active Connections

Proto  Local Address          Foreign Address                          State        PID
TCP    your-fd88e692c7:1224   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:1382   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:1483   hostv2.zj.abitcool.com:http              FIN_WAIT_1   1312
TCP    your-fd88e692c7:1486   itrc-forums13-pro1.austin.hp.com:http    ESTABLISHED  1312
TCP    your-fd88e692c7:1630   hostv2.zj.abitcool.com:http              FIN_WAIT_1   1312
TCP    your-fd88e692c7:1666   hostv2.zj.abitcool.com:http              FIN_WAIT_2   1312
TCP    your-fd88e692c7:2289   65.54.166.122:http                       ESTABLISHED  1312
TCP    your-fd88e692c7:2424   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:2440   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:2628   c17-gdl-software1-lb.cnet.com:http       ESTABLISHED  3184
TCP    your-fd88e692c7:2857   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:2869   192.168.1.2:1026                         CLOSE_WAIT   1060
TCP    your-fd88e692c7:2881   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:2888   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:2917   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:2936   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:2950   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3053   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3074   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3081   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3083   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3107   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3154   68.64.128.103:http                       TIME_WAIT    0
TCP    your-fd88e692c7:3169   c20-gdl-software1-lb.cnet.com:http       ESTABLISHED  3184
TCP    your-fd88e692c7:3247   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3258   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3304   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3310   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3320   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3362   c20-gdl-software3-lb.cnet.com:http       ESTABLISHED  3184
TCP    your-fd88e692c7:3365   c20-gdl-software3-lb.cnet.com:http       ESTABLISHED  3184
TCP    your-fd88e692c7:3366   c20-gdl-software3-lb.cnet.com:http       ESTABLISHED  3184
TCP    your-fd88e692c7:3367   c20-gdl-software3-lb.cnet.com:http       ESTABLISHED  3184
TCP    your-fd88e692c7:3384   datacenter-196.169.ict-alphen.nl:http    TIME_WAIT    0
TCP    your-fd88e692c7:3424   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3449   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3458   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3492   ty-in-f138.google.com:http               ESTABLISHED  1312
TCP    your-fd88e692c7:3530   211.42.217.99:5051                       ESTABLISHED  4004
TCP    your-fd88e692c7:3543   92.241.170.41:http                       TIME_WAIT    0
TCP    your-fd88e692c7:3578   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:3581   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3618   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3635   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3636   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3651   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3659   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3665   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:3693   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3703   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3705   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3721   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3728   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3740   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3755   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3834   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3842   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3878   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3884   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3895   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:3899   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3907   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3924   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3925   89.207.152.44:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3930   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:3937   89.207.152.44:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3938   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3940   89.207.152.44:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3944   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:3958   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4017   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4029   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4041   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4046   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4060   89.207.152.44:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4073   89.207.152.44:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4079   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:4080   89.207.152.44:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4082   89.207.152.44:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4083   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:4089   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4090   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4100   wwwbaytest1.microsoft.com:http           TIME_WAIT    0
TCP    your-fd88e692c7:4101   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4102   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4110   c20-gdl-software3-lb.cnet.com:http       ESTABLISHED  3184
TCP    your-fd88e692c7:4112   beta.blogs.technet.com:http              ESTABLISHED  1312
TCP    your-fd88e692c7:4115   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:4128   beta.blogs.technet.com:http              ESTABLISHED  1312
TCP    your-fd88e692c7:4129   96.172.11.0:http                         SYN_SENT     1712
TCP    your-fd88e692c7:4130   beta.blogs.technet.com:http              ESTABLISHED  1312
TCP    your-fd88e692c7:4132   beta.blogs.technet.com:http              ESTABLISHED  1312
TCP    your-fd88e692c7:4133   beta.blogs.technet.com:http              ESTABLISHED  1312
TCP    your-fd88e692c7:4144   92.241.170.41:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4146   89.207.152.44:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4147   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:4150   wwwbaytest1.microsoft.com:http           ESTABLISHED  1312
TCP    your-fd88e692c7:4151   207.46.16.243:http                       TIME_WAIT    0
TCP    your-fd88e692c7:4152   58-27-186-123.wateen.net:http            ESTABLISHED  1312
TCP    your-fd88e692c7:4153   58-27-186-123.wateen.net:http            ESTABLISHED  1312
TCP    your-fd88e692c7:4154   58-27-186-123.wateen.net:http            ESTABLISHED  1312
TCP    your-fd88e692c7:4155   58-27-186-123.wateen.net:http            ESTABLISHED  1312
TCP    your-fd88e692c7:4156   58-27-186-105.wateen.net:http            ESTABLISHED  1312
TCP    your-fd88e692c7:4158   58-27-186-105.wateen.net:http            ESTABLISHED  1312
TCP    your-fd88e692c7:4165   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:4166   cm.netteller.com:http                    SYN_SENT     1712
TCP    your-fd88e692c7:4168   112.109.10.0:http                        SYN_SENT     1712
TCP    your-fd88e692c7:4169   cm.netteller.com:http                    SYN_SENT     1712
TCP    your-fd88e692c7:4170   89.207.152.44:http                       FIN_WAIT_2   1712
TCP    your-fd88e692c7:4171   89.207.152.44:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4174   cm.netteller.com:http                    SYN_SENT     1712
TCP    your-fd88e692c7:4176   89.207.152.44:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4180   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:4183   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:4184   cm.netteller.com:http                    SYN_SENT     1712
TCP    your-fd88e692c7:4186   *.112.2o7.net:http                       ESTABLISHED  1312
TCP    your-fd88e692c7:4187   beta.blogs.msdn.com:http                 ESTABLISHED  1312
TCP    your-fd88e692c7:4192   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:4193   mediaplan.ovh.net:http                   FIN_WAIT_2   1712
TCP    your-fd88e692c7:4194   92.241.170.41:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4195   92.241.170.41:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4200   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:4201   112.109.10.0:http                        SYN_SENT     1712
TCP    your-fd88e692c7:4203   92.241.170.41:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4206   92.241.170.41:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4211   m.webtrends.com:http                     SYN_SENT     1312
TCP    your-fd88e692c7:4219   89.207.152.44:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4222   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:4223   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:4224   92.241.170.41:http                       FIN_WAIT_1   1712
TCP    your-fd88e692c7:4228   mediaplan.ovh.net:http                   FIN_WAIT_1   1712
TCP    your-fd88e692c7:4229   92.241.170.41:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4230   92.241.170.41:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4231   92.241.170.41:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4232   92.241.170.41:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4233   92.241.170.41:http                       SYN_SENT     1712
TCP    your-fd88e692c7:4235   mediaplan.ovh.net:http                   SYN_SENT     1712
TCP    your-fd88e692c7:4546   c20-gdl-software3-lb.cnet.com:http       ESTABLISHED  3184
TCP    your-fd88e692c7:4820   hostv2.zj.abitcool.com:http              LAST_ACK     1312

Analysis___

202.188.1.5 (Google Chrome too) <<< seems to be streamyx
81.177.157.74 <<< it is la2atom.ru
202.188.0.133 <<< seems to be streamyx
95.172.4.250
ns3.eu.editdns.net ---variation of 3 and 4
la2atom.ru <<<< relentless retry to access by Generic Host Process for Win32 Services (blocked by ZL) (132 retries in 4 seconds) (809 retries in 22 seconds)
battlecore.ru <<<< could not be resolved
CONNECTION SOURCE DISPATCHED BY Generic Host Process for Win32 Services
mostly contacting russian servers

_______________________________________________________

This is the extract from my temporary .txt notebook from when I was trying to troubleshoot the destinations that svchost.exe 1712 (it always changes id with every boot) was trying to contact.

A check on ip-adress.com revealed that la2atom.ru was located in Moscow.

And soon after, when I let it roam my internet bandwidth for a while and ran another netstat, it diverted to connect to other IPs from the UK.

Well, la2atom.ru is a referrer, and I suspected I might be a victim of a botnet: my PC to be used to attack another high-profile target in an active DoS attack.

I ran another thorough virus scan and booted my Asus with all the McAfee services on (msconfig) (and it took 10 minutes for the comp to boot with ZL and McAfee loaded).

To my surprise the faulty svchost.exe disappeared, although Windows reported that 'Windows has recovered from a serious error', and a check on HiddenProcess showed the svchost.exe is truly gone. Maybe it's because of McAfee, I guess (buffer underrun protection? I don't really know how it works).

But hell, it was quite an experience to test my patience.
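The two checks the post does by hand, matching netstat's owning PID against a process list and counting how often one destination is retried, can be scripted so they are repeatable. The following is an added example, not code from the post: it parses `netstat -ano`-style and `tasklist /fo csv /nh`-style text, flags PIDs that own sockets but are missing from the process list, and counts half-open (SYN_SENT) connections per remote host. Both sample dumps are constructed; the remote addresses 92.241.170.41, 89.207.152.44, 65.54.166.122 and 68.64.128.103 and the PIDs 1712, 1312, 3184 and 1060 are taken from the post's netstat output, while 192.168.1.5 and 203.0.113.10 are placeholder addresses and the image names are hypothetical.

```python
"""Cross-check netstat socket owners against a process list and summarise
per-destination connection counts.  Added example, not the post's own code.
Sample input below is constructed (modelled on the post's netstat dump)."""
import csv
import io
from collections import Counter

# Constructed `netstat -ano` snapshot: Proto, Local Address, Foreign Address,
# State, PID.  UDP lines have no State column.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1224       92.241.170.41:80       FIN_WAIT_1      1712
  TCP    192.168.1.5:2424       92.241.170.41:80       FIN_WAIT_1      1712
  TCP    192.168.1.5:3310       92.241.170.41:80       FIN_WAIT_2      1712
  TCP    192.168.1.5:4060       89.207.152.44:80       SYN_SENT        1712
  TCP    192.168.1.5:4073       89.207.152.44:80       SYN_SENT        1712
  TCP    192.168.1.5:4080       89.207.152.44:80       SYN_SENT        1712
  TCP    192.168.1.5:4082       89.207.152.44:80       SYN_SENT        1712
  TCP    192.168.1.5:2289       65.54.166.122:80       ESTABLISHED     1312
  TCP    192.168.1.5:2628       203.0.113.10:80        ESTABLISHED     3184
  TCP    192.168.1.5:2869       192.168.1.2:1026       CLOSE_WAIT      1060
  TCP    192.168.1.5:3154       68.64.128.103:80       TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output (image names are hypothetical).
# Note that nothing here claims PID 1712: that is the condition being tested.
TASKLIST_SAMPLE = """\
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","1060","Console","0","4,512 K"
"svchost.exe","1312","Console","0","22,108 K"
"firefox.exe","3184","Console","0","61,440 K"
"""


def parse_netstat(text):
    """Return one dict per socket line: proto, local, remote, state, pid."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed line (e.g. columns run together in a paste)
        conns.append({"proto": proto, "local": local, "remote": remote,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_csv(text):
    """Map PID -> image name from tasklist CSV rows."""
    known = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            known[int(row[1])] = row[0]
    return known


def remote_host(conn):
    """Strip the port from a 'host:port' foreign address."""
    return conn["remote"].rsplit(":", 1)[0]


def find_orphan_pids(conns, known_pids):
    """PIDs that own sockets but do not appear in the process list.
    PID 0 is skipped: Windows reports it for sockets whose owner has already
    exited (typically TIME_WAIT), so it is not evidence of a hidden process."""
    owners = {c["pid"] for c in conns if c["pid"] != 0}
    return sorted(owners - set(known_pids))


def summarize_pid(conns, pid):
    """Count (remote host, state) pairs for one PID's sockets."""
    return Counter((remote_host(c), c["state"]) for c in conns if c["pid"] == pid)


def burst_destinations(conns, min_syn_sent=3):
    """Remote hosts with at least `min_syn_sent` half-open connections in one
    snapshot, i.e. something keeps reconnecting to them (the pattern the
    post's retry counts describe)."""
    pending = Counter(remote_host(c) for c in conns if c["state"] == "SYN_SENT")
    return sorted((h, n) for h, n in pending.items() if n >= min_syn_sent)


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    known = parse_tasklist_csv(TASKLIST_SAMPLE)
    for pid in find_orphan_pids(conns, known):
        print(f"PID {pid} owns sockets but is not in the process list:")
        for (host, state), n in summarize_pid(conns, pid).most_common():
            print(f"  {host:<16} {state:<12} x{n}")
    for host, n in burst_destinations(conns):
        print(f"{host}: {n} connections stuck in SYN_SENT")
```

Take the two snapshots as close together as possible: a PID that is missing from the process list only once may simply have exited between the two commands, while one that keeps owning sockets across several runs and never shows up in the list is the case the post describes. Because tasklist and Task Manager use the same user-mode enumeration, the process list should also be compared against a tool that enumerates processes another way, which is what the post does with HiddenFinder.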
