Possible MBR rootkit on Win2K server

Hi all,

A few days ago I received a message from a client I do part-time system admin work for, showing a bounce message for an email they sent referring to reputation problems (they had been blacklisted). A number of scans were performed on the server, including a DrWeb CureIt scan from a PE bootdisk, which turned up nothing. HijackThis and RunScanner logs looked pretty clean to me. I'm fairly experienced in removing the more stubborn infections with these tools and have had a great deal of success with them. Many of the anti-rootkit tools like Rootrepeal failed with a message that they can't load the driver, find a handle to the driver, or that an "overlapped I/O operation is in progress". GMER fails with the overlapped I/O error: code 0xC000010E. Suspicious. Attempts to run Process Explorer under AntiHookExec failed.

This system runs Exchange and ASSP for email spam and virus filtering and the only true confirmation that there was malware running on the machine was a network traffic capture with WireShark showing all kinds of SMTP traffic being sent even though Exchange had been shut down. Email addresses to be spammed were coming in on port 1080 (SOCKS), and the spam traffic was going out on 25. There was also HTTP traffic present and coming through the SOCKS port, making it appear that the server may have been turned into an anonymous web proxy as well. I'd have to take a more in-depth look at that capture to be sure.

Using a number of tools including IceSword and "UnHackMe", I was able to remove the hidden malware processes on the system and the server is no longer sending out spam. One of the processes was named rtrpl.sys but most of them were randomly named and would keep reappearing after a reboot until it seemed that I got them all. MBAM found a single rogue.virex or it may have been rogue.unvirex process and removed it.

A differential scan of the machine to compare directory listings from the native OS and a PE boot yielded no significant differences and an "offline" (PE boot) dump of the registry, looking in the usual suspect areas of hkxx>...>run, etc yielded no additional entries.

I still can't run many of the rootkit tools and GMER's mbr.exe gives me:

device: opened successfully

user: MBR read successfully

kernel: error reading MBR

Trying to use mbr.exe to copy the boot sector to a file gives the error:

error: Read The handle is invalid.

It's possible that the UnHackMe/Partizan driver could be causing some of these issues.

I'm currently offsite so I can't do an offline fixmbr, but I am thinking that might be a good idea at this point. I'd like to be sure that everything is gone.

I can't send you the ark file from GMER since GMER fails with the error message given above. The interface still comes up but I doubt it will be of much use since the driver apparently won't load.

Any help or advice would be greatly appreciated, I think I may have finally met my match.

Thanks and best regards,

- Phil



DDS (Ver_10-03-17.01) - NTFSx86

Run by administrator at 12:08:31.70 on Tue 06/01/2010

Internet Explorer: 6.0.2800.1106

Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.3071.2305 [GMT -4:00]

============== Running Processes ===============

C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe

C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe

C:\Program Files\ComputerAssociates\ARCserve\RDS.EXE

C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe

D:\Program Files\Perl\bin\perl.exe

C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe

C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe

C:\Program Files\CA\iGateway\igateway.exe

D:\Program Files\Core Security Technologies\CORE FORCE\Repository\LocalCpa.exe

D:\Program Files\Dell\AM\mr2kserv.exe

C:\Program Files\Exchsrvr\bin\srsmain.exe

D:\Program Files\Dell\AM\VxSvc.exe

C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe

C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe

C:\Program Files\Exchsrvr\bin\exmgmt.exe

C:\Program Files\Exchsrvr\bin\mad.exe

C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe

c:\Program Files\Microsoft Shared Fax\Bin\FXSSVC.exe

C:\Program Files\Microsoft ISA Server\mspadmin.exe

C:\Program Files\Microsoft ISA Server\wspsrv.exe

C:\Program Files\Microsoft ISA Server\W3Prefch.exe

C:\Program Files\Exchsrvr\bin\store.exe

C:\Program Files\Exchsrvr\bin\emsmta.exe

C:\Program Files\Exchsrvr\bin\events.exe

C:\Program Files\ClamWin\bin\ClamTray.exe

D:\Program Files\Core Security Technologies\CORE FORCE\Policy Developer\PolicyDeveloper.exe

C:\Program Files\UHM\hackmon.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://smbusiness.dellnet.com/

uInternet Settings,ProxyServer = SERVER:8080

uInternet Settings,ProxyOverride = <local>

EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll

uRun: [<NO NAME>]

uRun: [unHackMe Monitor] c:\program files\uhm\hackmon.exe

mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon

mRun: [CORE FORCE] d:\program files\core security technologies\core force\policy developer\PolicyDeveloper.exe

dRun: [<NO NAME>]

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

mPolicies-explorer: ShowSuperHidden = 1 (0x1)

mPolicies-explorer: NoFileAssociate = 1 (0x1)

Trusted Zone: dell.com\support

DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab

DPF: symsupportutil - hxxps://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://dell.webex.com/client/T26L/support/ieatgpc.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab

TCP: {6C34E555-9F78-41BE-91E6-148D0EC3C778} =

TCP: {7C336167-EFE2-4538-B3AA-CC3FBE3AB963} =,

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli

============= SERVICES / DRIVERS ===============

R0 afamgt;afamgt;c:\winnt\system32\drivers\afamgt.sys [2002-2-12 92951]

R0 Alpha2;Alpha2;c:\winnt\system32\drivers\alpha2.sys [2010-5-14 59904]

R0 Alpha2R;Alpha2R;c:\winnt\system32\drivers\alpha2r.sys [2010-5-14 31232]

R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [1979-12-31 74448]

R0 Dispatcher;Dispatcher;c:\winnt\system32\drivers\dispant.sys [2010-5-14 82560]

R0 RSFilter;Remote Storage Recall Support;c:\winnt\system32\drivers\RsFilter.sys [2007-6-5 54768]

R0 vxio;Array Manager Device Driver;c:\winnt\system32\drivers\vxio.sys [2009-3-26 164016]

R1 Dlc;DLC Protocol;c:\winnt\system32\drivers\DLC.SYS [1979-12-31 56112]

R1 TDIFilter;TDIFilter;c:\winnt\system32\drivers\tdifilter.sys [2010-5-14 23424]

R2 AppleTalk;AppleTalk Protocol;c:\winnt\system32\drivers\sfmatalk.sys [1979-12-31 148400]

R2 ASDBEngine;ARCserve Database Engine;c:\program files\computerassociates\arcserve\DBENG.exe [2000-5-25 28672]

R2 ASDiscoverySvc;ARCserve Discovery Service;c:\program files\computerassociates\arcserveitds\asdscsvc.exe [2001-10-5 133632]

R2 ASJobEngine;ARCserve Job Engine;c:\program files\computerassociates\arcserve\jobeng.exe [2001-10-5 24576]

R2 ASMsgEngine;ARCserve Message Engine;c:\program files\computerassociates\arcserve\msgeng.exe [2000-4-30 43008]

R2 ASSPSMTP;Anti-Spam Smtp Proxy;d:\program files\perl\bin\perl.exe [2010-1-26 49233]

R2 ASTapeEngine;ARCserve Tape Engine;c:\program files\computerassociates\arcserve\tapeeng.exe [2001-4-10 20480]

R2 CA_LIC_CLNT;CA License Client;c:\ca_lic\lic98rmt.exe [2004-3-1 143360]

R2 ClamD;ClamWin Free Antivirus Scanner Service;d:\antispam\assp\clamav\clamd.exe --daemon --> d:\antispam\assp\clamav\clamd.exe --daemon [?]

R2 DHCPServer;DHCP Server;c:\winnt\system32\tcpsvcs.exe [1979-12-31 25360]

R2 DNS;DNS Server;c:\winnt\system32\DNS.EXE [2002-2-23 335120]

R2 EXIFS;EXIFS;c:\winnt\system32\drivers\exifs.sys [2007-4-13 196192]

R2 FreshClam;ClamWin Free Antivirus Database Updater;d:\antispam\assp\clamav\freshclam.exe --daemon -c 4 --> d:\antispam\assp\clamav\freshclam.exe --daemon -c 4 [?]

R2 Fwsrv;Microsoft Firewall;c:\program files\microsoft isa server\WSPSRV.EXE [2002-2-12 292112]

R2 GKSVC;Microsoft H.323 Gatekeeper;svchost.exe -k iptelsvcs --> svchost.exe [?]

R2 IMAP4Svc;Microsoft Exchange IMAP4;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]

R2 isactrl;Microsoft ISA Server Control;c:\program files\microsoft isa server\MSPADMIN.EXE [2002-2-12 172816]

R2 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2003-8-13 25872]

R2 kdc;Kerberos Key Distribution Center;c:\winnt\system32\LSASS.EXE [1979-12-31 33552]

R2 LocalCpa;Force Repository;d:\program files\core security technologies\core force\repository\LocalCpa.exe [2008-1-11 700416]

R2 LogWatch;Event Log Watch;c:\ca_lic\LogWatNT.exe [2002-9-20 53248]

R2 MacFile;File Server for Macintosh;c:\winnt\system32\SFMSVC.EXE [2003-8-13 68368]

R2 MacPrint;Print Server for Macintosh;c:\winnt\system32\sfmprint.exe [1979-12-31 85264]

R2 ModemSharingDriver;Shared Modem Service Driver;c:\winnt\system32\drivers\modemshr.sys [2002-2-12 145920]

R2 ModemSharingServer;Shared Modem Services;c:\winnt\system32\modemshr.exe [2002-2-12 18272]

R2 MSExchangeES;Microsoft Exchange Event;c:\program files\exchsrvr\bin\events.exe [2007-4-13 94720]

R2 MSExchangeIS;Microsoft Exchange Information Store;c:\program files\exchsrvr\bin\store.exe [2007-4-13 5227520]

R2 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\exchsrvr\bin\exmgmt.exe [2007-4-13 3217408]

R2 MSExchangeMTA;Microsoft Exchange MTA Stacks;c:\program files\exchsrvr\bin\emsmta.exe [2007-4-13 3592704]

R2 MSExchangeSA;Microsoft Exchange System Attendant;c:\program files\exchsrvr\bin\mad.exe [2007-4-13 8920064]

R2 MSExchangeSRS;Microsoft Exchange Site Replication Service;c:\program files\exchsrvr\bin\srsmain.exe [2007-4-13 339456]

R2 MspFltEx;ISA Server Packet Filter Extension Driver;c:\winnt\system32\drivers\MSPFLTEX.SYS [2002-2-12 41328]

R2 MspNAT;ISA Server Network Address Translation (NAT) Driver;c:\winnt\system32\drivers\MSPNAT.SYS [2002-2-12 24976]

R2 MSSEARCH;Microsoft Search;c:\program files\common files\system\mssearch\bin\mssearch.exe [2007-4-13 69632]

R2 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2009-10-20 50704]

R2 Remote_Storage_File_System_Agent;Remote Storage File;c:\winnt\system32\RsFsa.exe [2007-6-5 437008]

R2 Remote_Storage_Subsystem;Remote Storage Media;c:\winnt\system32\RsSub.exe [2007-6-5 440592]

R2 RESvc;Microsoft Exchange Routing Engine;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]

R2 SharedFax;Microsoft Shared Fax;c:\program files\microsoft shared fax\bin\FXSSVC.exe [2000-12-17 676496]

R2 TermServLicensing;Terminal Services Licensing;c:\winnt\system32\lserver.exe [2003-8-13 330512]

R2 TrkSvr;Distributed Link Tracking Server;c:\winnt\system32\SERVICES.EXE [1979-12-31 92944]

R2 w3schdwn;Microsoft Scheduled Cache Content Download;c:\program files\microsoft isa server\W3PREFCH.EXE [2002-2-12 34064]

R2 wins;Windows Internet Name Service (WINS);c:\winnt\system32\WINS.EXE [2009-5-28 153360]

R3 ati2mpad;ati2mpad;c:\winnt\system32\drivers\ati2mpad.sys [1979-12-31 264896]

R3 CROXYCL;Force Network Driver miniport;c:\winnt\system32\drivers\croxy.sys [2010-5-13 132736]

R3 MACSRV;SFM Kernel Driver;c:\winnt\system32\drivers\sfmsrv.sys [1979-12-31 154160]

R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1979-12-31 24784]

R3 pvdatw2k;pvdatw2k;c:\winnt\system32\drivers\pvdatw2k.sys [2006-6-12 8960]

R3 spud;Special Purpose Utility Driver;c:\winnt\system32\drivers\spud.sys [2002-2-12 12336]

S0 dcdbas;Systems management base driver;c:\winnt\system32\drivers\dcdbas32.sys --> c:\winnt\system32\drivers\dcdbas32.sys [?]

S0 Partizan;Partizan;c:\winnt\system32\drivers\Partizan.sys [2010-5-18 35816]

S0 vxboot;vxboot;c:\winnt\system32\drivers\vxboot.sys [2009-3-26 382736]

S2 InoculateIT Server;InoculateIT Server;c:\program files\computerassociates\inoculan\inojobsv.exe [2006-7-24 329840]

S2 Remote_Storage_Engine;Remote Storage Engine;c:\winnt\system32\RsEng.exe [2007-6-5 132368]

S3 AutoDownload Server;AutoDownload Server;c:\program files\computerassociates\inoculan\GetBBS.exe [2006-7-24 97728]

S3 bnchtape;bnchtape;c:\winnt\system32\drivers\bnchtape.sys [1979-12-31 6961]

S3 CA_LIC_SRVR;CA License Server;c:\ca_lic\lic98rmtd.exe [2004-3-1 155648]

S3 Cheyenne Alert Notification Server;Cheyenne Alert Notification Server;c:\program files\computerassociates\arcserve\alert\ALERT.exe [1998-12-1 194048]

S3 IAS;Internet Authentication Service;c:\winnt\system32\svchost.exe -k netsvcs [1979-12-31 7952]

S3 LDAPSVCX;Site Server ILS Service;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]

S3 MSPOP3Connector;Microsoft Connector for POP3 Mailboxes;c:\program files\microsoft backoffice\connectivity\pop3 connector\vmimb.exe [2002-2-23 265488]

S3 NntpSvc;Network News Transport Protocol (NNTP);c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]

S3 NtFrs;File Replication Service;c:\winnt\system32\ntfrs.exe [2003-8-13 745232]

S3 POP3Svc;Microsoft Exchange POP3;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]

S3 QntmDLT;QntmDLT;c:\winnt\system32\drivers\QntmDLT.sys [2003-11-20 9728]

S3 RegGuard;RegGuard;c:\winnt\system32\drivers\regguard.sys [2010-5-18 24416]

S3 Remote_Storage_User_Link;Remote Storage Notification;c:\winnt\system32\RsFsa.exe [2007-6-5 437008]

S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2002-2-12 12664]

S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2002-2-12 20760]

S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2002-2-12 18392]

S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2002-2-12 18264]

S3 W3Proxy;Microsoft Web Proxy;c:\program files\microsoft isa server\W3PROXY.EXE [2002-2-12 367888]

=============== Created Last 30 ================

2010-06-01 15:49:59 8192 ----a-w- c:\winnt\system32\AntiHookExec.exe

2010-06-01 15:11:59 8192 ----a-w- c:\winnt\system32\AHE.exe

2010-06-01 13:47:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_838.dat

2010-05-27 17:00:18 161296 ----a-w- c:\winnt\system32\drivers\tmcomm.sys

2010-05-25 15:36:03 87083330 ----a-w- C:\rgout.reg

2010-05-25 14:58:33 141265180 ----a-w- C:\rgoutPE.reg

2010-05-18 15:10:41 0 d-----w- c:\winnt\RestoreSafeDeleted

2010-05-18 15:10:29 24416 ----a-w- c:\winnt\system32\drivers\regguard.sys (Part of UnHackMe)

2010-05-18 14:37:55 37600 ----a-w- c:\winnt\system32\Partizan.exe (Part of UnHackMe)

2010-05-18 14:37:55 35816 ----a-w- c:\winnt\system32\drivers\Partizan.sys "

2010-05-18 14:36:39 12752 ----a-w- c:\winnt\system32\drivers\UnHackMeDrv.sys "

2010-05-18 14:36:32 0 d-----w- c:\program files\UHM

2010-05-14 19:25:26 0 d-----w- c:\docume~1\admini~1\applic~1\Core Security Technologies

2010-05-14 18:53:23 82560 ----a-w- c:\winnt\system32\drivers\dispant.sys (Part of Core Force Firewall)

2010-05-14 18:53:23 31232 ----a-w- c:\winnt\system32\drivers\alpha2r.sys "

2010-05-14 18:53:23 23424 ----a-w- c:\winnt\system32\drivers\tdifilter.sys "

2010-05-14 18:53:19 59904 ----a-w- c:\winnt\system32\drivers\alpha2.sys "

2010-05-14 18:53:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Core Security Technologies

2010-05-13 19:25:56 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7d8.dat

2010-05-13 18:49:21 132736 ----a-w- c:\winnt\system32\drivers\croxy.sys

2010-05-13 02:34:27 0 d-----w- c:\docume~1\admini~1\applic~1\Wireshark

2010-05-13 02:02:42 74 ----a-w- c:\winnt\system32\-1

2010-05-12 16:03:17 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-05-12 16:03:09 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-05-12 16:03:06 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys

2010-05-12 16:03:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-04-12 13:48:44 87421 ----a-w- c:\winnt\system32\stdout.tmp

2010-04-01 03:49:03 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_11b0.dat

2010-03-31 08:25:33 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7cc.dat

2010-03-22 10:33:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7b8.dat

2010-03-12 09:14:24 401408 ----a-w- c:\winnt\system32\vbscript.dll

2002-02-13 01:15:46 271 ---h--w- c:\program files\desktop.ini

2002-02-13 01:15:46 21952 ---h--w- c:\program files\folder.htt

2000-07-26 04:00:00 32528 ------w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 12:09:49.28 ===============
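The capture described in the first post (addresses arriving on TCP/1080, spam leaving on TCP/25 while Exchange was stopped, and web traffic being relayed through the SOCKS port) is the kind of pattern that can be spotted from a flow summary without any rootkit tool cooperating. The following is an added example, not code from the thread or from any of the tools named in it; the server address, the LAN range and the flow records are all constructed, and the "mail service stopped" state is passed in by the operator rather than detected.

```python
"""Detection over a flow summary: spam relaying on TCP/25 from a host whose mail
service is stopped, inbound SOCKS (TCP/1080) from outside the LAN, and web
traffic the server sends out once an outside SOCKS client has appeared.
Added example; the flows below are constructed, not taken from the capture
described in the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER_IP = "192.0.2.10"                       # constructed: the server's own address
INTERNAL_NETS = [ip_network("192.0.2.0/24")]   # constructed: the client's LAN range


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds into the capture
    src: str
    sport: int
    dst: str
    dport: int


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal network."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(flows, mail_service_running, fanout_threshold=5):
    """Return a dict of findings keyed by pattern name (empty dict = nothing seen)."""
    smtp_dsts = []       # distinct hosts the server opened TCP/25 to
    socks_clients = []   # external sources that connected to the server's TCP/1080
    relayed_http = []    # server-initiated TCP/80 flows seen after an outside SOCKS client
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src == SERVER_IP and f.dport == 25 and f.dst not in smtp_dsts:
            smtp_dsts.append(f.dst)
        elif f.dst == SERVER_IP and f.dport == 1080 and is_external(f.src):
            if f.src not in socks_clients:
                socks_clients.append(f.src)
        elif f.src == SERVER_IP and f.dport == 80 and socks_clients:
            relayed_http.append(f.dst)

    findings = {}
    if smtp_dsts and not mail_service_running:
        # Outbound mail from a box whose MTA is stopped: something else is speaking SMTP.
        findings["smtp_while_mail_stopped"] = smtp_dsts
    if len(smtp_dsts) >= fanout_threshold:
        # A mail server normally talks to a few relays, not to many distinct MX hosts.
        findings["smtp_fanout"] = len(smtp_dsts)
    if socks_clients:
        findings["inbound_socks"] = socks_clients
    if relayed_http:
        findings["http_egress_during_socks"] = relayed_http
    return findings


# Constructed sample: one LAN proxy user, one outside SOCKS client, a burst of
# SMTP to five different hosts, and a web fetch made after the outside client arrived.
CONSTRUCTED_FLOWS = [
    Flow(0.0, "192.0.2.20", 50123, SERVER_IP, 1080),    # LAN client using the proxy: expected
    Flow(0.5, SERVER_IP, 51000, "198.51.100.50", 80),   # web fetch before any outside SOCKS client
    Flow(1.0, "203.0.113.5", 40000, SERVER_IP, 1080),   # outside host connecting to SOCKS
    Flow(2.0, SERVER_IP, 52001, "198.51.100.1", 25),
    Flow(2.5, SERVER_IP, 52002, "198.51.100.2", 25),
    Flow(3.0, SERVER_IP, 52003, "198.51.100.3", 25),
    Flow(3.5, SERVER_IP, 52004, "198.51.100.4", 25),
    Flow(4.0, SERVER_IP, 52005, "198.51.100.5", 25),
    Flow(4.2, SERVER_IP, 52006, "198.51.100.5", 25),    # repeat destination, counted once
    Flow(5.0, SERVER_IP, 52007, "198.51.100.60", 80),   # web traffic after the SOCKS client appeared
]


def demo():
    """Run the analysis on the constructed flows with the mail service stopped."""
    return analyze(CONSTRUCTED_FLOWS, mail_service_running=False)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Feeding real data means exporting a conversation list from the capture tool as flow records; the heuristics are deliberately coarse (the HTTP rule only says "the server fetched web content after an outside SOCKS client showed up"), so each finding is a lead to confirm against the host, not a verdict on its own.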

Hi and welcome to Malwarebytes.

My apologies for the extended delay. Do you still need help?

Hi screen317,

Thanks for replying.

I think I got it all... rewriting the MBR seemed to eliminate the last remnants... MBR.EXE can successfully read in both user and kernel mode now, and I no longer get the driver error with the rootkit tools.

Only one problem remains... I still cannot run RootRepeal. It displays the "Initializing" message, goes to near 100% utilization and grabs most of the available memory in the machine. Does RootRepeal have this problem with certain platforms/systems or should I be concerned about it? All other symptoms are gone.

- Phil


Hi Phil,

Good to hear you could figure it out.

Yes, I imagine there are compatibility issues with some platforms, and there are a myriad of reasons why rootkit scans fail (active SPTD drivers, etc.); let me know if there's anything else I can do for you.

Will do... thanks.


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
