1. Heaty Issue of 5800


    Well, I love doing things that you won't find necessary to do. I've done lots of mods and projects on stuff and I won't talk about them in context anymore cuz basically you won't be interested after all.

    I've used my beloved 5800 for quite a few months now and it's a kick-ass phone and it has brought me much envy and awe.

    But it tends to kinda get really warm ( i mean you it ) when you do intensive tasks on it (watching YouTube videos or running benchmarks). Long before, I dismissed this issue by placing a large heatsink that was used for my amplifier, but it seems that would make the mobile phone very immobile.

    And for some reason I'm scared of this cuz a warm phone would end up getting fried like an overclocker's PC (hey, Nokia runs on a 420 MHz ARM, it's blazing fast, faster than an iPhone 3GS yaknoe).



    So a few days ago I had this idea to go to my 'electronic grave' and dug out a 12V Pentium 2 fan and plugged it in with a 9V batt. It worked great and I placed it at the back of the phone and stuck it on with Blu Tack (to cushion vibration and noise, and prevent stickiness).

    Yay, now I have a mobile cooling solution.
  2. What a knightmare..


    Right, it's not a fantasy or dream knightmare; actually it happened a few minutes ago and I decided to jot it down here on Blogger.

    So recently I've been using the comp for quite a while after the post year exam and I did not realize there was a ROOTKIT buried inside my 10-year-old comp.

    Well, the story begins when I checked on the Task Manager that I've always had internet activity no matter how I stopped all the services on Windows (Windows Update or 3rd-party software). At first I thought it was the usual pinging of Windows to certain sites to maintain keep-alive connections of some sort. But those small pings aren't exactly small; they are not small bursts either, but their pattern is a continuous sending and receiving of packets, which made me uneasy.
    I ignored it.

    Then yesterday my internet from my comp started to fail completely (Google took 20 secs to load), so I checked on Task Manager. Holy shit, what I found was all the red lines plotted on the graph; well, at that time I knew something was really really wrong (it was as if it was streaming/uploading data to somewhere else at the maximum of my internet bandwidth).

    And hell yeah that worried me to the bones. I disabled McAfee at that time and I did not use ZoneAlarm and I also disabled all the default Windows defence systems (firewall, etc.) and I thought I could handle viruses well (common sense is the best organic antivirus). I was hell worried; nothing could tell me what the heck was sending my hard drive to someone else.

    I tried to trace the faulty program from Task Manager (highest CPU usage) and found all the processes are obedient and quiet, apart from taskman.exe, duh. Gahh, then the highest VM or RAM usage programs, and I can't seem to find anything suspicious.

    Then I remembered cmd prompt; I used the netstat -o command and found out the culprit from the process id (the whole analysis was bombarded by a single 1207 process id on the net traffic). I thought I hit the jackpot but I found no freakin 1207 in the processes. That baffled me but I suspected it must be a hidden rootkit somewhere, but I knew I was already half into the whole situation.

    I must use some kind of software which does not fetch the process list from the Query API; instead I used HiddenFinder to trace the 1207 (I used my phone to download the software and installed it via USB).

    Then to my surprise, HiddenFinder DID find one hidden process, and its process id is identical to the one on netstat, and that proves me right; apparently svchost.exe was the one behind all these.

    svchost.exe are processes which manage ur drivers (sound, graphics, spool) and a whole host of networking crap shit. What I knew was svchost.exe was a rootkit/backdoor masked as a... well, 'hidden' legitimate Windows process.

    I tried to circumvent it with McAfee; hell no, it does not even detect anything (except for a false detection in the QUARANTINE folder), even with the latest virus definitions. Then I had to use ZoneAlarm to control the internet traffic.

    When I engaged internet lock, ZoneAlarm did effectively block all the incoming or outbound traffic and caught quite a few requests (think thousands of requests in just under a minute). Apparently it was contacting mostly Russian servers. "Generic Host Process for Win32 services ......" and there it is, my hypothesis was proved correct.

    _____________________________________________________________


    Analysis___

    202.188.1.5 (Google Chrome too) <<< seems to be streamyx
    81.177.157.74 <<< it is la2atom.ru
    202.188.0.133 <<< seems to be streamyx
    95.172.4.250
    ns3.eu.editdns.net ---variation of 3 and 4
    la2atom.ru <<<< relentless retry to access by Generic Host Process for Win32 Services (blocked by ZL) (132 retries in 4 seconds) (809 retries in 22 seconds)
    battlecore.ru <<<< could not be resolved
    CONNECTION SOURCE DISPATCHED BY Generic Host Process for Win32 Services
    mostly contacting russian servers

    _______________________________________________________

    This is the extract from my temporary .txt notebook from when I was trying to troubleshoot the destinations that svchost.exe 1712 (always changes ID with every boot) was trying to contact.

    A check on ip-adress.com revealed that la2atom.ru was located in Moscow.

    And soon after I let it roam my internet bandwidth for a while, I ran another netstat; it diverted to connect to other IPs from the UK.

    Well, la2atom.ru is a referrer and I suspected I might be a victim of a botnet PC to be used to attack another high-profile target for an active DoS attack.

    I ran another thorough virus scan and booted my Asus with all the McAfee services on (msconfig) (and it took 10 minutes for the comp to boot with ZL and McAfee loaded).

    To my surprise the faulty svchost.exe disappeared, although Windows reported that 'Windows has recovered from a serious error', and on a check with HiddenProcess the svchost.exe is truly gone. Maybe it's because of McAfee, I guess (buffer underrun protection? I don't really know how it works).

    But hell, it was quite an experience to test my patience.
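The cross-check this post describes (a PID that owns connections in `netstat -o` but does not appear in the process list), as an added example that is not the blogger's own code. The sample outputs are constructed, `hidden_pid_report` is a hypothetical helper name, and the process list is assumed to come from `tasklist /FO CSV /NH`.

```python
import csv
import io
from collections import Counter

# Constructed sample of `netstat -no` output (addresses are documentation ranges).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1224      203.0.113.41:80        FIN_WAIT_1      1712
  TCP    192.168.1.10:1382      203.0.113.41:80        SYN_SENT        1712
  TCP    192.168.1.10:1483      198.51.100.7:80        ESTABLISHED     1312
  TCP    192.168.1.10:3154      198.51.100.9:80        TIME_WAIT       0
  TCP    192.168.1.10:4060      203.0.113.44:80        SYN_SENT        1712
  TCP    192.168.1.10:4110      198.51.100.20:80       ESTABLISHED     3184
"""

# Constructed sample of `tasklist /FO CSV /NH` output; PID 1712 is absent,
# as it would be if something filtered the user-mode process listing.
TASKLIST_SAMPLE = '''\
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","212 K"
"svchost.exe","1060","Console","0","4,512 K"
"chrome.exe","1312","Console","0","48,120 K"
"iexplore.exe","3184","Console","0","31,004 K"
'''


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples for TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
    return rows


def parse_tasklist(text):
    """Return {pid: image_name} from CSV-formatted tasklist output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if len(r) >= 2}


def hidden_pid_report(netstat_text, tasklist_text):
    """Map each connection-owning PID missing from tasklist to its remote peers."""
    visible = parse_tasklist(tasklist_text)
    report = {}
    for _, _, remote, state, pid in parse_netstat(netstat_text):
        if pid == 0 or pid in visible:  # PID 0 owns TIME_WAIT sockets
            continue
        report.setdefault(pid, Counter())[(remote, state)] += 1
    return report


if __name__ == "__main__":
    for pid, peers in hidden_pid_report(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"PID {pid} owns sockets but is not in the process list:")
        for (remote, state), n in peers.most_common():
            print(f"  {n:3d}  {remote:22s} {state}")
```

Capture the two outputs as close together as possible, since a process that exits between the commands also shows up as a missing PID. A clean result proves little on its own, because a kernel-level rootkit can hide its sockets from netstat as well.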
  3. Orbit downloader fun

    With the Orbit Downloader plugin in IE8, all my Flash video or music downloads are made oh so much easier, without all the pain of getting a separate downloader for different websites (e.g. redtube, youtube).

    Well, let's say the Orbit Downloader plugin is more like a universal content downloader (since most multimedia content is hosted in Flash objects). And it does its job really well.

    For example, recently I got all my music for free. Yes, for free, courtesy of imeem.com.
    Imeem uses Flash to stream music, so I used the Orbit plugin to 'grab' the Flash content and download it to a folder of my liking. Sure enough, by the end of the day, all my favourite imeem music was stored on my hard drive.

    But the music downloaded is all in .flv format. A check inside the container revealed that it contains mp3. Simple enough, I downloaded an FLV audio extractor and voila, there is my free music, downloaded hassle free (since imeem streaming is a WHOLE lot faster than, say, downloading music from P2P). Moreover the mp3s are all in their original state (identical to the downloaded stream) without any quality degradation! (since it doesn't need recoding, just extracting)
  4. Limewire? Frostwire?

    I used to use LimeWire at first to do the dirty things, which you know... (google the Billboard top 100 and grab a playlist to download on the P2P). Then I found a way to get from LimeWire Basic to Pro... (faster speed).

    Then not long after I found FrostWire, another Java P2P client identical to LimeWire, but it's free with all the Pro features of LimeWire Pro.

    Then I used the 'cookie cheat' to get free music from free music streaming sites (such as haoting.com, which hosts quite everything you can find on iTunes), for which I do require IE set to accept all cookies or temporary internet files (only then it saves the streamed .wma or .mp3 to the cache for me to retrieve). But there's a catch: I can only cheat free music streamed by the WMP plugin to IE, but it excludes Flash cuz Flash files end up in the RAM instead of permanently on the HDD.

    Then one day when I was looking for the most appropriate software to actually properly download YouTube videos I came across this download manager, named Orbit Downloader. At first I was quite sceptical cuz usually those 'flash' downloaders do not work well and usually download trash instead. But this Orbit Downloader does quite a great job. It actually enables me to download ANY Flash content within a Flash player. And it neatly downloads it in its raw format (.flv, container for mp3 or xvid vids of any kind), and sits there waiting for me to convert it to the format of my choice (using a very reliable all-in-one MediaCoder).
  5. Another day of Aimless living

    Suddenly I thought about creating a blog post about my own life on the web, a true, distinctive one, without showing off or bullshitting. Well, I'm planning to make this blog my diary by the way, as a way to publicly introduce myself to the world, anonymously if you will.

    I've always wanted to write something about myself for so long, before the exam when everything grinds to a halt and all you can do is just sit there and watch the books, and perhaps sneak a few Facebook sessions on the phone...

    So here I am, it's already 2:53AM (+8GMT), and I'm still up and awake to conquer the unknowns of the forest of the web2.0. Bla bla bleak.
techteendaily: a one-place stop shop for some of your tech needs. Though this blog is not updated frequently, its information is still meant to be usable and feasible. As the blogger is a lazy person, and there is no audience at the moment, maintenance is kept at the lowest priority. If you want this blog to come alive, PLEASE TELL ME and POST COMMENTS to let me know that you care.