Virus, rootkit or something else ??? Strange network behavior...

  • Thread starter Thread starter Xavier
  • Start date Start date
X

Xavier

Hello,

I have encountered a very strange behavior on a XP SP2 system today. I was
called by a customer who had trouble with one PC. Basically here is what
happened:

1. Customer called saying Norton Internet Security update failed today
2. The eventlog contained some indications about services not working
(mostly network services, DNS client, DHCP client, etc.)
3. When I log on the system, Internet connectivity works fine (I can surf
sites like google, Symantec, etc.)
4. Triggering Symantec LiveUpdate results in an error message saying that
the update site could not be contacted
5. A network trace reveals that the system performs various DNS requests for
finding Symantec update sites
6. Valid responses to the DNS request are coming back to the client... that
does not send any other network packet but displays the error message
mentioned in 4.
7. I uninstalled Symantec antivirus suite and replaced it with CA eTrust.
Exactly the same bahavior: DNS requests and then nothing else... so an error
message is generated saying update could not complete.
8. Same thing with Avast and Sophos antivirus packages !
9. Internal network resources can't be contacted: a ping against a server
returns error 65.
10. The system uses a static IP address, no WINS server defined. The NetBIOS
node time returned in IPconfig is "unkown" ???

Looks like something is screwing the network stack. I must admit that I am a
bit lost. So I tried to run RootkitRevealer from sysInternals but it does
not complete and crashes.

I wonder if someone has ever seen this behavior (virus or rootkit, or
something else ?).

Any suggestion would be welcome.

Thanks,

Xavier
 
From: "Xavier" <[email protected]>

| Hello,
|
| I have encountered a very strange behavior on a XP SP2 system today. I was
| called by a customer who had trouble with one PC. Basically here is what
| happened:
|
| 1. Customer called saying Norton Internet Security update failed today
| 2. The eventlog contained some indications about services not working
| (mostly network services, DNS client, DHCP client, etc.)
| 3. When I log on the system, Internet connectivity works fine (I can surf
| sites like google, Symantec, etc.)
| 4. Triggering Symantec LiveUpdate results in an error message saying that
| the update site could not be contacted
| 5. A network trace reveals that the system performs various DNS requests for
| finding Symantec update sites
| 6. Valid responses to the DNS request are coming back to the client... that
| does not send any other network packet but displays the error message
| mentioned in 4.
| 7. I uninstalled Symantec antivirus suite and replaced it with CA eTrust.
| Exactly the same bahavior: DNS requests and then nothing else... so an error
| message is generated saying update could not complete.
| 8. Same thing with Avast and Sophos antivirus packages !
| 9. Internal network resources can't be contacted: a ping against a server
| returns error 65.
| 10. The system uses a static IP address, no WINS server defined. The NetBIOS
| node time returned in IPconfig is "unkown" ???
|
| Looks like something is screwing the network stack. I must admit that I am a
| bit lost. So I tried to run RootkitRevealer from sysInternals but it does
| not complete and crashes.
|
| I wonder if someone has ever seen this behavior (virus or rootkit, or
| something else ?).
|
| Any suggestion would be welcome.
|
| Thanks,
|
| Xavier
|


Look and see igf there are LSP insertions...

WINSOCK WinXP Fix -- http://www.spychecker.com/program/winsockxpfix.html
LSP Fix -- http://www.cexx.org/lspfix.htm



Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Hi David,

Thank you for your suggestions.

After following them it appeared that I had no virus nor bad LSP insertions.
I eventually found out what happened: the customer had ZoneAlarm on its PC
and for some obscure reason tried to uninstall it by "deleting the
files...". The result was that some parts of ZA were still active on the
system and caused the behavior described in my post. To solve my problem I
had to re-install ZA and then uninstall it using the uninst.exe that comes
with it.

Thanks again for helping the community.

Xavier

David H. Lipman said:
From: "Xavier" <[email protected]>

| Hello,
|
| I have encountered a very strange behavior on a XP SP2 system today. I
was
| called by a customer who had trouble with one PC. Basically here is what
| happened:
|
| 1. Customer called saying Norton Internet Security update failed today
| 2. The eventlog contained some indications about services not working
| (mostly network services, DNS client, DHCP client, etc.)
| 3. When I log on the system, Internet connectivity works fine (I can
surf
| sites like google, Symantec, etc.)
| 4. Triggering Symantec LiveUpdate results in an error message saying
that
| the update site could not be contacted
| 5. A network trace reveals that the system performs various DNS requests
for
| finding Symantec update sites
| 6. Valid responses to the DNS request are coming back to the client...
that
| does not send any other network packet but displays the error message
| mentioned in 4.
| 7. I uninstalled Symantec antivirus suite and replaced it with CA
eTrust.
| Exactly the same bahavior: DNS requests and then nothing else... so an
error
| message is generated saying update could not complete.
| 8. Same thing with Avast and Sophos antivirus packages !
| 9. Internal network resources can't be contacted: a ping against a
server
| returns error 65.
| 10. The system uses a static IP address, no WINS server defined. The
NetBIOS
| node time returned in IPconfig is "unkown" ???
|
| Looks like something is screwing the network stack. I must admit that I
am a
| bit lost. So I tried to run RootkitRevealer from sysInternals but it
does
| not complete and crashes.
|
| I wonder if someone has ever seen this behavior (virus or rootkit, or
| something else ?).
|
| Any suggestion would be welcome.
|
| Thanks,
|
| Xavier
|


Look and see igf there are LSP insertions...

WINSOCK WinXP Fix -- http://www.spychecker.com/program/winsockxpfix.html
LSP Fix -- http://www.cexx.org/lspfix.htm



Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to
go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode.
This way all the components can be downloaded from each AV vendor's web
site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files
or you can
download the files and perform a scan in Normal Mode. Once you have
downloaded the files
needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want
to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal
Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
Click to expand...
 
Back
Top