William wrote:
> On 12/26/2006 10:21 PM, something possessed Raffi to write:
> > David H. Lipman wrote:
> >> From: "Raffi" <thegrizzzly@yahoo.com>
> >>
> >>
> >>
> >> | I had some time to do packet analysis using Ethereal and most of the
> >> | connections were DNS queries and SMTP connections.
> >>
> >> | I went ahead and blocked all traffic from the PC to the ISP DNS servers
> >> | in my firewall (Comodo). The DNS server for my PC is statically defined
> >> | as the gateway router. Since the ISP DNS was no longer accessible it
> >> | rerouted the DNS queries (and/or query responses) to the gateway
> >> | router. These were a bunch of MX queries for mostly .ru domains.
> >>
> >> | Next I blocked all inbound and outbound UDP connections for svchost.exe
> >> | and services.exe. This stopped most of the traffic. After a while I
> >> | started seeing traffic to a couple of specific ip addresses
> >> | (208.66.195.78 and 62.189.194.215) which don't resolve to anything with
> >> | nslookup. I blocked these IP addresses in the firewall as well. Next
> >> | the PC started sending out a bunch of broadcasts (.255). So I blocked
> >> | outbound broadcast connections.
> >>
> >> | Next it started sending broadcast to 0.255 using the ZIP (Zone
> >> | Information Protocol) protocol. I don't think I've seen this one
> >> | before. I haven't been able to block these yet.
> >>
> >> | My guess is the PC is somehow being used as a DNS/SMTP relay. Another
> >> | guess is my svchost.exe and/or services.exe have been compromised.
> >>
> >> | As usual, any help in getting to the bottom of this would be welcome.
> >>
> >> | Raffi
> >>
> >> http://www.dnsstuff.com/tools/whois....whois.arin.net
> >>
> >> http://www.dnsstuff.com/tools/whois....4.215&email=on
> >>
> >>
> >> This is suspicious.
> >>
> >> You may have to backup the PC, wipe it and then reinstall the OS from scratch if all the
> >> scans have come up negative.
> >>
> >> The only other option is to use anti RootKit software such as Gmer and BlackLight to find
> >> the malware. Otherwise, wipe the system.
> >>
> >> --
> >> Dave
> >> http://www.claymania.com/removal-trojan-adware.html
> >> http://www.ik-cs.com/got-a-virus.htm
> >
> > Update - I had tried a couple of rootkit detection software without
> > success and had given up. But gmer finally found it. Turns out it is a
> > rootkit. It's called Backdoor.Rustock.B. It uses the following hidden
> > data stream c:\windows\system32:lzx32.sys (c:\windows\system32:18467).
> > This Symantec website has more information:
> > http://www.symantec.com/security_res...305-99&tabid=3
> >
> > The symptoms for the rootkit are similar to what I'm experiencing. From
> > what I've read so far it might be tricky to get rid of. It seems to be
> > active in safe mode as well. I'll be searching for a way to get rid of
> > it. If there are any ideas out there, please let me know.
> >
> > Thanks for all the help.
> > Raffi
> >
> First, stay off the network with your infected PC. Secondly, get
> PEBuilder and create a BartPE LiveCD. Use this to edit your
> registry.hiv file in order to remove the rootkit (I haven't done the
> research because my blood sugar is getting low, so you'll need to do the
> research to figure out what registry keys in registry.hiv should be
> deleted (or maybe someone else here will be nice enough to post those
> for you)). Good luck.
>
> Cheers,
>
> Will
Will,
Thanks for the suggestions. I did manage to clean my system using a
tool called "rustbfix.exe". My guess is this tool disables the rootkit
in the registry but doesn't actually delete the stream
(c:\windows\system32:lzx32.sys). After running the tool, I ran gmer.exe
again and had to manually delete the stream. The stream was
inaccessible before but after running the cleaning tool, I was able to
delete it.
Anyway, this little adventure took up a lot of my time and hopefully
this message thread will help others get to a fix much quicker/easier.
Thanks to everyone for the help and suggestions.
Raffi
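The network symptom Raffi describes at the top of the thread, a desktop suddenly issuing a stream of MX lookups for foreign domains, is the fingerprint of a machine delivering spam directly to recipients' mail exchangers rather than through the ISP's relay. The script below is an added example (it is not from this thread, from Comodo, or from any of the tools mentioned) that turns that observation into a detection rule: it reads DNS query log lines and flags any client that issues a burst of MX queries inside a short window, reporting which top-level domain dominates the burst. The log format, the client addresses and the query names are all constructed for the example; a real firewall or resolver log would need its own `parse_line`.

```python
"""Flag clients that issue bursts of MX queries, the pattern a direct-to-MX
spam engine produces.  Added example with a constructed log format."""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log.  Format (hypothetical, not any product's):
#   <ISO timestamp> <client ip> <query type> <query name>
# 192.168.1.10 plays the suspect desktop, 192.168.1.20 a normal host.
SAMPLE_LOG = """\
2006-12-26T22:00:01 192.168.1.10 A www.example.com
2006-12-26T22:00:02 192.168.1.10 MX mail-a.example.ru
2006-12-26T22:00:02 192.168.1.10 MX mail-b.example.ru
2006-12-26T22:00:03 192.168.1.10 MX mail-c.example.ru
2006-12-26T22:00:03 192.168.1.10 MX mail-d.example.net
2006-12-26T22:00:04 192.168.1.10 MX mail-e.example.ru
2006-12-26T22:00:05 192.168.1.10 MX mail-f.example.ru
2006-12-26T22:01:30 192.168.1.20 MX smtp.example.org
2006-12-26T22:05:00 192.168.1.20 A www.example.org
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts), client, qtype.upper(), qname.rstrip(".").lower()


def tld(qname):
    """Last label of a query name, e.g. 'ru' for 'mail-a.example.ru'."""
    return qname.rsplit(".", 1)[-1]


def find_mx_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: summary} for every client that sent at least `threshold`
    MX queries within any sliding `window`.  Non-MX queries are ignored."""
    recent = {}   # client -> deque of MX query timestamps still inside the window
    stats = {}    # client -> {'tlds': Counter, 'names': set} over all its MX queries
    flagged = {}  # client -> {'peak': largest MX count seen in one window}

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, qtype, qname = parse_line(raw)
        if qtype != "MX":
            continue

        # Sliding window: keep only timestamps within `window` of the newest query.
        q = recent.setdefault(client, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()

        st = stats.setdefault(client, {"tlds": Counter(), "names": set()})
        st["tlds"][tld(qname)] += 1
        st["names"].add(qname)

        if len(q) >= threshold:
            hit = flagged.setdefault(client, {"peak": 0})
            hit["peak"] = max(hit["peak"], len(q))

    # Enrich each flagged client with totals and the TLD that dominates its lookups.
    for client, hit in flagged.items():
        st = stats[client]
        hit["mx_total"] = sum(st["tlds"].values())
        hit["distinct_names"] = len(st["names"])
        hit["top_tld"] = st["tlds"].most_common(1)[0][0]
    return flagged


if __name__ == "__main__":
    for client, hit in find_mx_bursts(SAMPLE_LOG).items():
        print(f"{client}: {hit['peak']} MX queries in one window, "
              f"{hit['mx_total']} total over {hit['distinct_names']} names, "
              f"top TLD .{hit['top_tld']}")
```

The threshold and window are deliberately conservative: an ordinary workstation has no reason to query MX records at all (its mail client talks to one configured SMTP server), so even a handful of MX lookups per minute from a desktop deserves a look, and a single rule like this can be pointed at the gateway's resolver log rather than at the suspect PC. Separately, the object gmer turned up here, `c:\windows\system32:lzx32.sys`, is an NTFS alternate data stream attached to the `system32` directory itself; plain `dir` never shows such streams, which is why the on-disk component stayed invisible until a rootkit scanner enumerated them.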