MrPhil
Everything posted by MrPhil

  1. Hi screen317,

Thanks for replying. I think I got it all... rewriting the MBR seemed to eliminate the last remnants... MBR.EXE can successfully read in both user and kernel mode now, and I no longer get the driver error with the rootkit tools. Only one problem remains: I still cannot run RootRepeal. It displays the "Initializing" message, goes to near 100% utilization and grabs most of the available memory in the machine. Does RootRepeal have this problem with certain platforms/systems, or should I be concerned about it? All other symptoms are gone.

- Phil
  2. Hi all,

A few days ago I received a message from a client I do part-time system admin work for, showing a bounce message for an email they sent, referring to reputation problems (they had been blacklisted). A number of scans were performed on the server, including a DrWeb CureIt scan from a PE boot disk, which turned up nothing. HijackThis and RunScanner logs looked pretty clean to me. I'm fairly experienced in removing the more stubborn infections with these tools and have had a great deal of success with them.

Many of the anti-rootkit tools like RootRepeal failed with a message that they can't load the driver, find a handle to the driver, or that an "overlapped I/O operation is in progress". GMER fails with the overlapped I/O error: code 0xC000010E. Suspicious. Attempts to run Process Explorer under AntiHookExec failed.

This system runs Exchange and ASSP for email spam and virus filtering, and the only true confirmation that there was malware running on the machine was a network traffic capture with Wireshark showing all kinds of SMTP traffic being sent even though Exchange had been shut down. Email addresses to be spammed were coming in on port 1080 (SOCKS), and the spam traffic was going out on 25. There was also HTTP traffic present and coming through the SOCKS port, making it appear that the server may have been turned into an anonymous web proxy as well. I'd have to take a more in-depth look at that capture to be sure.

Using a number of tools including IceSword and "UnHackMe", I was able to remove the hidden malware processes on the system, and the server is no longer sending out spam. One of the processes was named rtrpl.sys but most of them were randomly named and would keep reappearing after a reboot until it seemed that I got them all. MBAM found a single rogue.virex (or it may have been rogue.unvirex) process and removed it.

A differential scan of the machine to compare directory listings from the native OS and a PE boot yielded no significant differences, and an "offline" (PE boot) dump of the registry, looking in the usual suspect areas of hkxx>...>run, etc., yielded no additional entries. I still can't run many of the rootkit tools, and GMER's mbr.exe gives me:

device: opened successfully
user: MBR read successfully
kernel: error reading MBR

Trying to use mbr.exe to copy the boot sector to a file gives the error:

error: Read The handle is invalid.

It's possible that the UnHackMe/Partizan driver could be causing some of these issues. I'm currently offsite so I can't do an offline fixmbr, but am thinking that might be a good idea at this point. I'd like to be sure that everything is gone. I can't send you the ark file from GMER since GMER fails with the error message given above. The interface still comes up but I doubt it will be of much use since the driver apparently won't load. Any help or advice would be greatly appreciated; I think I may have finally met my match.
Thanks and best regards,
- Phil

DDS Log
----------
DDS (Ver_10-03-17.01) - NTFSx86
Run by administrator at 12:08:31.70 on Tue 06/01/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.3071.2305 [GMT -4:00]

============== Running Processes ===============

C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
C:\Program Files\ComputerAssociates\ARCserve\RDS.EXE
C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Perl\bin\perl.exe
C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
C:\WINNT\System32\ati2plxx.exe
C:\CA_LIC\lic98rmt.exe
D:\AntiSpam\ASSP\ClamAV\clamd.exe
C:\WINNT\system32\Dfssvc.exe
D:\AntiSpam\ASSP\ClamAV\freshclam.exe
C:\Program Files\CA\iGateway\igateway.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
D:\Program Files\Core Security Technologies\CORE FORCE\Repository\LocalCpa.exe
C:\CA_LIC\LogWatNT.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
D:\Program Files\Dell\AM\mr2kserv.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
D:\Program Files\Dell\AM\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\modemshr.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
c:\Program Files\Microsoft Shared Fax\Bin\FXSSVC.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Exchsrvr\bin\events.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
D:\Program Files\Core Security Technologies\CORE FORCE\Policy Developer\PolicyDeveloper.exe
C:\Program Files\UHM\hackmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://smbusiness.dellnet.com/
uInternet Settings,ProxyServer = SERVER:8080
uInternet Settings,ProxyOverride = <local>
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [<NO NAME>]
uRun: [unHackMe Monitor] c:\program files\uhm\hackmon.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [CORE FORCE] d:\program files\core security technologies\core force\policy developer\PolicyDeveloper.exe
dRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 1 (0x1)
Trusted Zone: dell.com\support
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: symsupportutil - hxxps://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://dell.webex.com/client/T26L/support/ieatgpc.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
TCP: {6C34E555-9F78-41BE-91E6-148D0EC3C778} = 127.0.0.1
TCP: {7C336167-EFE2-4538-B3AA-CC3FBE3AB963} = 10.0.0.13,68.87.73.242
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli

============= SERVICES / DRIVERS ===============

R0 afamgt;afamgt;c:\winnt\system32\drivers\afamgt.sys [2002-2-12 92951]
R0 Alpha2;Alpha2;c:\winnt\system32\drivers\alpha2.sys [2010-5-14 59904]
R0 Alpha2R;Alpha2R;c:\winnt\system32\drivers\alpha2r.sys [2010-5-14 31232]
R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [1979-12-31 74448]
R0 Dispatcher;Dispatcher;c:\winnt\system32\drivers\dispant.sys [2010-5-14 82560]
R0 RSFilter;Remote Storage Recall Support;c:\winnt\system32\drivers\RsFilter.sys [2007-6-5 54768]
R0 vxio;Array Manager Device Driver;c:\winnt\system32\drivers\vxio.sys [2009-3-26 164016]
R1 Dlc;DLC Protocol;c:\winnt\system32\drivers\DLC.SYS [1979-12-31 56112]
R1 TDIFilter;TDIFilter;c:\winnt\system32\drivers\tdifilter.sys [2010-5-14 23424]
R2 AppleTalk;AppleTalk Protocol;c:\winnt\system32\drivers\sfmatalk.sys [1979-12-31 148400]
R2 ASDBEngine;ARCserve Database Engine;c:\program files\computerassociates\arcserve\DBENG.exe [2000-5-25 28672]
R2 ASDiscoverySvc;ARCserve Discovery Service;c:\program files\computerassociates\arcserveitds\asdscsvc.exe [2001-10-5 133632]
R2 ASJobEngine;ARCserve Job Engine;c:\program files\computerassociates\arcserve\jobeng.exe [2001-10-5 24576]
R2 ASMsgEngine;ARCserve Message Engine;c:\program files\computerassociates\arcserve\msgeng.exe [2000-4-30 43008]
R2 ASSPSMTP;Anti-Spam Smtp Proxy;d:\program files\perl\bin\perl.exe [2010-1-26 49233]
R2 ASTapeEngine;ARCserve Tape Engine;c:\program files\computerassociates\arcserve\tapeeng.exe [2001-4-10 20480]
R2 CA_LIC_CLNT;CA License Client;c:\ca_lic\lic98rmt.exe [2004-3-1 143360]
R2 ClamD;ClamWin Free Antivirus Scanner Service;d:\antispam\assp\clamav\clamd.exe --daemon --> d:\antispam\assp\clamav\clamd.exe --daemon [?]
R2 DHCPServer;DHCP Server;c:\winnt\system32\tcpsvcs.exe [1979-12-31 25360]
R2 DNS;DNS Server;c:\winnt\system32\DNS.EXE [2002-2-23 335120]
R2 EXIFS;EXIFS;c:\winnt\system32\drivers\exifs.sys [2007-4-13 196192]
R2 FreshClam;ClamWin Free Antivirus Database Updater;d:\antispam\assp\clamav\freshclam.exe --daemon -c 4 --> d:\antispam\assp\clamav\freshclam.exe --daemon -c 4 [?]
R2 Fwsrv;Microsoft Firewall;c:\program files\microsoft isa server\WSPSRV.EXE [2002-2-12 292112]
R2 GKSVC;Microsoft H.323 Gatekeeper;svchost.exe -k iptelsvcs --> svchost.exe [?]
R2 IMAP4Svc;Microsoft Exchange IMAP4;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
R2 isactrl;Microsoft ISA Server Control;c:\program files\microsoft isa server\MSPADMIN.EXE [2002-2-12 172816]
R2 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2003-8-13 25872]
R2 kdc;Kerberos Key Distribution Center;c:\winnt\system32\LSASS.EXE [1979-12-31 33552]
R2 LocalCpa;Force Repository;d:\program files\core security technologies\core force\repository\LocalCpa.exe [2008-1-11 700416]
R2 LogWatch;Event Log Watch;c:\ca_lic\LogWatNT.exe [2002-9-20 53248]
R2 MacFile;File Server for Macintosh;c:\winnt\system32\SFMSVC.EXE [2003-8-13 68368]
R2 MacPrint;Print Server for Macintosh;c:\winnt\system32\sfmprint.exe [1979-12-31 85264]
R2 ModemSharingDriver;Shared Modem Service Driver;c:\winnt\system32\drivers\modemshr.sys [2002-2-12 145920]
R2 ModemSharingServer;Shared Modem Services;c:\winnt\system32\modemshr.exe [2002-2-12 18272]
R2 MSExchangeES;Microsoft Exchange Event;c:\program files\exchsrvr\bin\events.exe [2007-4-13 94720]
R2 MSExchangeIS;Microsoft Exchange Information Store;c:\program files\exchsrvr\bin\store.exe [2007-4-13 5227520]
R2 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\exchsrvr\bin\exmgmt.exe [2007-4-13 3217408]
R2 MSExchangeMTA;Microsoft Exchange MTA Stacks;c:\program files\exchsrvr\bin\emsmta.exe [2007-4-13 3592704]
R2 MSExchangeSA;Microsoft Exchange System Attendant;c:\program files\exchsrvr\bin\mad.exe [2007-4-13 8920064]
R2 MSExchangeSRS;Microsoft Exchange Site Replication Service;c:\program files\exchsrvr\bin\srsmain.exe [2007-4-13 339456]
R2 MspFltEx;ISA Server Packet Filter Extension Driver;c:\winnt\system32\drivers\MSPFLTEX.SYS [2002-2-12 41328]
R2 MspNAT;ISA Server Network Address Translation (NAT) Driver;c:\winnt\system32\drivers\MSPNAT.SYS [2002-2-12 24976]
R2 MSSEARCH;Microsoft Search;c:\program files\common files\system\mssearch\bin\mssearch.exe [2007-4-13 69632]
R2 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2009-10-20 50704]
R2 Remote_Storage_File_System_Agent;Remote Storage File;c:\winnt\system32\RsFsa.exe [2007-6-5 437008]
R2 Remote_Storage_Subsystem;Remote Storage Media;c:\winnt\system32\RsSub.exe [2007-6-5 440592]
R2 RESvc;Microsoft Exchange Routing Engine;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
R2 SharedFax;Microsoft Shared Fax;c:\program files\microsoft shared fax\bin\FXSSVC.exe [2000-12-17 676496]
R2 TermServLicensing;Terminal Services Licensing;c:\winnt\system32\lserver.exe [2003-8-13 330512]
R2 TrkSvr;Distributed Link Tracking Server;c:\winnt\system32\SERVICES.EXE [1979-12-31 92944]
R2 w3schdwn;Microsoft Scheduled Cache Content Download;c:\program files\microsoft isa server\W3PREFCH.EXE [2002-2-12 34064]
R2 wins;Windows Internet Name Service (WINS);c:\winnt\system32\WINS.EXE [2009-5-28 153360]
R3 ati2mpad;ati2mpad;c:\winnt\system32\drivers\ati2mpad.sys [1979-12-31 264896]
R3 CROXYCL;Force Network Driver miniport;c:\winnt\system32\drivers\croxy.sys [2010-5-13 132736]
R3 MACSRV;SFM Kernel Driver;c:\winnt\system32\drivers\sfmsrv.sys [1979-12-31 154160]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1979-12-31 24784]
R3 pvdatw2k;pvdatw2k;c:\winnt\system32\drivers\pvdatw2k.sys [2006-6-12 8960]
R3 spud;Special Purpose Utility Driver;c:\winnt\system32\drivers\spud.sys [2002-2-12 12336]
S0 dcdbas;Systems management base driver;c:\winnt\system32\drivers\dcdbas32.sys --> c:\winnt\system32\drivers\dcdbas32.sys [?]
S0 Partizan;Partizan;c:\winnt\system32\drivers\Partizan.sys [2010-5-18 35816]
S0 vxboot;vxboot;c:\winnt\system32\drivers\vxboot.sys [2009-3-26 382736]
S2 InoculateIT Server;InoculateIT Server;c:\program files\computerassociates\inoculan\inojobsv.exe [2006-7-24 329840]
S2 Remote_Storage_Engine;Remote Storage Engine;c:\winnt\system32\RsEng.exe [2007-6-5 132368]
S3 AutoDownload Server;AutoDownload Server;c:\program files\computerassociates\inoculan\GetBBS.exe [2006-7-24 97728]
S3 bnchtape;bnchtape;c:\winnt\system32\drivers\bnchtape.sys [1979-12-31 6961]
S3 CA_LIC_SRVR;CA License Server;c:\ca_lic\lic98rmtd.exe [2004-3-1 155648]
S3 Cheyenne Alert Notification Server;Cheyenne Alert Notification Server;c:\program files\computerassociates\arcserve\alert\ALERT.exe [1998-12-1 194048]
S3 IAS;Internet Authentication Service;c:\winnt\system32\svchost.exe -k netsvcs [1979-12-31 7952]
S3 LDAPSVCX;Site Server ILS Service;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
S3 MSPOP3Connector;Microsoft Connector for POP3 Mailboxes;c:\program files\microsoft backoffice\connectivity\pop3 connector\vmimb.exe [2002-2-23 265488]
S3 NntpSvc;Network News Transport Protocol (NNTP);c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
S3 NtFrs;File Replication Service;c:\winnt\system32\ntfrs.exe [2003-8-13 745232]
S3 POP3Svc;Microsoft Exchange POP3;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
S3 QntmDLT;QntmDLT;c:\winnt\system32\drivers\QntmDLT.sys [2003-11-20 9728]
S3 RegGuard;RegGuard;c:\winnt\system32\drivers\regguard.sys [2010-5-18 24416]
S3 Remote_Storage_User_Link;Remote Storage Notification;c:\winnt\system32\RsFsa.exe [2007-6-5 437008]
S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2002-2-12 12664]
S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2002-2-12 20760]
S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2002-2-12 18392]
S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2002-2-12 18264]
S3 W3Proxy;Microsoft Web Proxy;c:\program files\microsoft isa server\W3PROXY.EXE [2002-2-12 367888]

=============== Created Last 30 ================

2010-06-01 15:49:59 8192 ----a-w- c:\winnt\system32\AntiHookExec.exe
2010-06-01 15:11:59 8192 ----a-w- c:\winnt\system32\AHE.exe
2010-06-01 13:47:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_838.dat
2010-05-27 17:00:18 161296 ----a-w- c:\winnt\system32\drivers\tmcomm.sys
2010-05-25 15:36:03 87083330 ----a-w- C:\rgout.reg
2010-05-25 14:58:33 141265180 ----a-w- C:\rgoutPE.reg
2010-05-18 15:10:41 0 d-----w- c:\winnt\RestoreSafeDeleted
2010-05-18 15:10:29 24416 ----a-w- c:\winnt\system32\drivers\regguard.sys (Part of UnHackMe)
2010-05-18 14:37:55 37600 ----a-w- c:\winnt\system32\Partizan.exe (Part of UnHackMe)
2010-05-18 14:37:55 35816 ----a-w- c:\winnt\system32\drivers\Partizan.sys (Part of UnHackMe)
2010-05-18 14:36:39 12752 ----a-w- c:\winnt\system32\drivers\UnHackMeDrv.sys (Part of UnHackMe)
2010-05-18 14:36:32 0 d-----w- c:\program files\UHM
2010-05-14 19:25:26 0 d-----w- c:\docume~1\admini~1\applic~1\Core Security Technologies
2010-05-14 18:53:23 82560 ----a-w- c:\winnt\system32\drivers\dispant.sys (Part of Core Force Firewall)
2010-05-14 18:53:23 31232 ----a-w- c:\winnt\system32\drivers\alpha2r.sys (Part of Core Force Firewall)
2010-05-14 18:53:23 23424 ----a-w- c:\winnt\system32\drivers\tdifilter.sys (Part of Core Force Firewall)
2010-05-14 18:53:19 59904 ----a-w- c:\winnt\system32\drivers\alpha2.sys (Part of Core Force Firewall)
2010-05-14 18:53:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Core Security Technologies
2010-05-13 19:25:56 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7d8.dat
2010-05-13 18:49:21 132736 ----a-w- c:\winnt\system32\drivers\croxy.sys
2010-05-13 02:34:27 0 d-----w- c:\docume~1\admini~1\applic~1\Wireshark
2010-05-13 02:02:42 74 ----a-w- c:\winnt\system32\-1
2010-05-12 16:03:17 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-12 16:03:09 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-05-12 16:03:06 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-05-12 16:03:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-04-12 13:48:44 87421 ----a-w- c:\winnt\system32\stdout.tmp
2010-04-01 03:49:03 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_11b0.dat
2010-03-31 08:25:33 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7cc.dat
2010-03-22 10:33:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7b8.dat
2010-03-12 09:14:24 401408 ----a-w- c:\winnt\system32\vbscript.dll
2002-02-13 01:15:46 271 ---h--w- c:\program files\desktop.ini
2002-02-13 01:15:46 21952 ---h--w- c:\program files\folder.htt
2000-07-26 04:00:00 32528 ------w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 12:09:49.28 ===============
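The two checks the post above relies on, a native-versus-PE-boot directory listing comparison and a capture summary that looks for the "SOCKS in on 1080, SMTP out on 25" relay pattern, as an added example in Python. This is not part of MrPhil's post and not code from any of the tools he names. The listing format, the conversation CSV columns, the host address 192.0.2.10, the file names qpwo.sys and xkqwz.sys and the five-peer threshold are all assumptions made for the example; every input is constructed, not taken from the server.

```python
"""Two checks from the removal write-up above, written to run stand-alone.

cross_view_diff():  compare a file listing taken inside the running OS with
                    one taken from a PE boot of the same disk. A kernel
                    rootkit can filter what the live OS reports but is not
                    loaded under the PE boot, so anything present offline
                    and absent online deserves a close look.
relay_indicators(): summarise per-connection records exported from a packet
                    capture to spot "SOCKS in on 1080, SMTP out on 25".

Every sample input below is constructed for this example.
"""
import csv
import io


def _parse_listing(text):
    """Parse 'path|size|mtime' lines into {path: (size, mtime)}.
    Paths are lower-cased because NTFS lookups are case-insensitive."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, size, mtime = line.split("|")
        entries[path.lower()] = (int(size), mtime)
    return entries


def cross_view_diff(native_text, offline_text):
    """Return paths hidden from the native view, paths only the native view
    reports, and paths whose size differs between the two views."""
    native = _parse_listing(native_text)
    offline = _parse_listing(offline_text)
    common = set(native) & set(offline)
    return {
        "hidden_from_native": sorted(set(offline) - set(native)),
        "native_only": sorted(set(native) - set(offline)),
        "size_mismatch": sorted(p for p in common if native[p][0] != offline[p][0]),
    }


def relay_indicators(conversation_csv, host_ip, min_smtp_peers=5):
    """Summarise 'src,sport,dst,dport' rows, one per TCP conversation.

    The host is flagged when outside clients connect to it on 1080 (SOCKS)
    while it opens SMTP sessions to at least min_smtp_peers distinct hosts.
    The threshold is an assumption for this example, not a published value."""
    socks_clients, smtp_peers, http_peers = set(), set(), set()
    for row in csv.DictReader(io.StringIO(conversation_csv)):
        src, dst, dport = row["src"], row["dst"], int(row["dport"])
        if dst == host_ip and dport == 1080:
            socks_clients.add(src)      # inbound SOCKS: who is driving the box
        elif src == host_ip and dport == 25:
            smtp_peers.add(dst)         # outbound SMTP: where the mail goes
        elif src == host_ip and dport == 80:
            http_peers.add(dst)         # outbound HTTP: open-proxy use
    return {
        "socks_clients": sorted(socks_clients),
        "smtp_peer_count": len(smtp_peers),
        "http_peer_count": len(http_peers),
        "looks_like_relay": bool(socks_clients) and len(smtp_peers) >= min_smtp_peers,
    }


# Constructed listings: the offline view shows a randomly named driver the
# live OS does not report, and one driver whose size differs between views.
# Mixed case in one native path shows that the comparison is case-insensitive.
NATIVE_LISTING = r"""
c:\winnt\system32\drivers\npf.sys|50704|2009-10-20 13:02
c:\winnt\system32\drivers\tdifilter.sys|23424|2010-05-14 18:53
c:\winnt\system32\drivers\qpwo.sys|9216|2010-05-10 03:11
C:\WINNT\System32\inetsrv\inetinfo.exe|14608|2003-08-13 10:40
"""
OFFLINE_LISTING = r"""
c:\winnt\system32\drivers\npf.sys|50704|2009-10-20 13:02
c:\winnt\system32\drivers\tdifilter.sys|23424|2010-05-14 18:53
c:\winnt\system32\drivers\qpwo.sys|28160|2010-05-10 03:11
c:\winnt\system32\drivers\xkqwz.sys|28160|2010-05-10 03:11
c:\winnt\system32\inetsrv\inetinfo.exe|14608|2003-08-13 10:40
"""

# Constructed conversation export; 192.0.2.10 stands in for the mail server.
# The last row is ordinary inbound mail and must not count as relay activity.
CONVERSATIONS = """src,sport,dst,dport
203.0.113.7,51200,192.0.2.10,1080
198.51.100.23,40112,192.0.2.10,1080
192.0.2.10,3071,203.0.113.50,25
192.0.2.10,3072,203.0.113.51,25
192.0.2.10,3073,198.51.100.9,25
192.0.2.10,3074,198.51.100.10,25
192.0.2.10,3075,198.51.100.11,25
192.0.2.10,3076,198.51.100.11,25
192.0.2.10,3077,203.0.113.80,80
203.0.113.99,44000,192.0.2.10,25
"""

if __name__ == "__main__":
    for k, v in cross_view_diff(NATIVE_LISTING, OFFLINE_LISTING).items():
        print(f"{k}: {v}")
    for k, v in relay_indicators(CONVERSATIONS, "192.0.2.10").items():
        print(f"{k}: {v}")
```

On a real box the two listings would come from the same recursive directory walk run once inside the live OS and once from the PE boot, and the conversation rows from the capture tool's conversation export. The value of the diff is that a rootkit hooking the live OS's file enumeration cannot reach the offline view, so an empty hidden_from_native list is reassuring only to the extent that both walks covered the same volumes with the same options (hidden and system files included).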