
Server 2003 possible rootkit infection


9 replies to this topic

#1 Robert Adamski

Robert Adamski

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:00 AM

Posted 19 March 2009 - 06:19 PM

Hello everyone, thank you in advance for any help you can provide.

I have:

o Windows Server 2K3 R2 domain controller (Active Directory)
o Symantec Endpoint Protection (client was *not* installed at time of infection)

I cannot get to any Microsoft domain, nor any Symantec domain. This server is a Virus Def distribution point, so no new defs have come in since time of infection.

Malware scanners will execute if the executable is renamed, but no scanner has yet found any infected files / services / processes / registry keys.

I have run every conceivable malware scanner -- not one of them can find anything wrong.

I also cannot boot into Safe Mode; it gets through a certain number of drivers, then reboots the machine. I'm assuming this is a symptom of the infection.

I am completely at my wits' end. I have tried every trick I can think of, and every malware/trojan scanner I can find. I would be eternally grateful if someone could look at my logs (I'll generate whatever you need/want - just let me know) and let me know what I've got here. I *will* blow up the server and start again if I absolutely have to, but of course I sure as heck don't want to!

What can I do?!

Thanks,
Bob



#2 snowdrop

snowdrop

  • Members
  • 513 posts
  • OFFLINE
  • Local time:04:00 AM

Posted 20 March 2009 - 11:04 AM

I have run every conceivable malware scanner -- not one of them can find anything wrong.


Maybe a starting point might be to tell us exactly which scanners you HAVE run on it so that helpers can select which report(s) to view or rerun :thumbsup:

May we also assume you have not presently got it antivirus protected?

#3 Robert Adamski

Robert Adamski
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:00 AM

Posted 24 March 2009 - 08:43 AM

Hi Snowdrop, thanks for responding.

I have used the following scanners on this machine:

o Symantec cleaning tool for downadup.b (this malware was floating around our org at the time)
o Malwarebytes Anti-malware
o Microsoft Malicious Software Removal Tool (March 2009)
o RootKitRevealer
o AutoRun Eater
o Avast

I have also run HijackThis just to read over the log myself. I am usually pretty good at spotting services that "don't belong", but as I said, this one has me stumped. If instructed, I will be more than happy to post up a HJT log in the appropriate forum.

Additional information: We use SEPM 11 (MR4) in the organization, but I didn't have enough free space to install it on this server. Whatever is infecting this machine won't let SEP client install properly, so no, it is not currently virus protected.

Thank you for helping me out - please let me know what additional information you might need.
Bob

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:00 AM

Posted 24 March 2009 - 10:06 AM

I would like to see an older MBAM log showing some infections

and the rootkitrevealer log
Chewy

No. Try not. Do... or do not. There is no try.

#5 Robert Adamski

Robert Adamski
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:00 AM

Posted 24 March 2009 - 11:03 AM

Thanks for responding, DaChew.

I don't have an older MBAM log, but as I said, no scanner has yet found anything anyway. I will paste below the rootkitrevealer log.

Thanks,
Bob

HKU\S-1-5-21-1192376260-287755425-2332264786-500\Software\ComputerAssociates\CA ARCserve Backup\Base\ASMgr\NavBar\LastExpandManager 1/22/2009 1:24 PM 55 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 12/6/2005 10:35 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 12/6/2005 10:35 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{148f1a14-53f3-4074-a573-e1ccd344e1d0}* 12/6/2005 10:28 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 11/4/2008 2:48 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{76db1bf3-e820-4765-a1b2-0b16a86b1950}* 2/28/2007 12:46 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32\ThreadingModel 11/4/2008 2:49 PM 5 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc 3/24/2009 10:55 AM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{2F433579-B285-5F17-E9B5-A673B58D636E}\HelpSetup 3/24/2009 10:53 AM 24 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{2F433579-B285-5F17-E9B5-A673B58D636E}\Componentsregistration 3/24/2009 10:53 AM 8.00 KB Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{2F433579-B285-5F17-E9B5-A673B58D636E}\ServiceGlobalization 3/24/2009 10:53 AM 40.02 KB Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009022320090302 3/4/2009 9:09 AM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009022320090302\index.dat 3/4/2009 9:09 AM 32.00 KB Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009031620090317 3/16/2009 4:12 PM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009031620090317\index.dat 3/16/2009 4:12 PM 32.00 KB Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009031620090323 3/24/2009 10:58 AM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009031620090323\index.dat 3/4/2009 9:09 AM 32.00 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009031720090318 3/17/2009 10:40 AM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009031720090318\index.dat 3/17/2009 4:33 PM 48.00 KB Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009032020090321 3/20/2009 10:08 AM 0 bytes Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009032020090321\index.dat 3/20/2009 4:24 PM 32.00 KB Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009032420090325 3/24/2009 10:58 AM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator.EPCUSD401\Local Settings\History\History.IE5\MSHist012009032420090325\index.dat 3/16/2009 4:12 PM 32.00 KB Visible in directory index, but not Windows API or MFT

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:00 AM

Posted 24 March 2009 - 03:55 PM

Let's try a different RKS, pay special attention to the directions

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Chewy

No. Try not. Do... or do not. There is no try.

#7 Robert Adamski

Robert Adamski
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:00 AM

Posted 25 March 2009 - 08:24 AM

OK! Needed to rename the executable, since the *whatever* on this machine wouldn't let gmer.exe run, but no big deal. It would appear that this is the first malware scanner of any type to find something sinister! It did immediately want to scan, so I clicked "yes", but only the C: drive was checked by default. So posted below is the "c: volume only" log -- I am rescanning with all drives checked, and can post that log as well, if requested.

Thanks - it feels like I'm finally getting somewhere!
Bob

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-25 08:16:52
Windows 5.2.3790 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT 8625EF48 ZwAlertResumeThread
SSDT 8622EA70 ZwAlertThread
SSDT 863CA1A8 ZwAllocateVirtualMemory
SSDT 8623C728 ZwCreateMutant
SSDT 86273890 ZwCreateThread
SSDT 861E3C28 ZwFreeVirtualMemory
SSDT 8623C7F8 ZwImpersonateAnonymousToken
SSDT 8625EE88 ZwImpersonateThread
SSDT 863B99D8 ZwMapViewOfSection
SSDT 85FD8008 ZwOpenEvent
SSDT 860510E8 ZwOpenProcessToken
SSDT 8621B390 ZwOpenThreadToken
SSDT 861B4098 ZwResumeThread
SSDT 86072008 ZwSetContextThread
SSDT 8621B460 ZwSetInformationProcess
SSDT 86072120 ZwSetInformationThread
SSDT 85FD8138 ZwSuspendProcess
SSDT 8622EB78 ZwSuspendThread
SSDT 863B1058 ZwTerminateProcess
SSDT 86072060 ZwTerminateThread
SSDT 861E3AE0 ZwUnmapViewOfSection
SSDT 863CA0D8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeQuerySystemTime + 60 8083E5FC 8 Bytes [48, EF, 25, 86, 70, EA, 22, ...]
.text ntoskrnl.exe!KeQuerySystemTime + 74 8083E610 4 Bytes [A8, A1, 3C, 86] {TEST AL, 0xa1; CMP AL, 0x86}
.text ntoskrnl.exe!KeQuerySystemTime + E1 8083E67D 3 Bytes [C7, 23, 86]
.text ntoskrnl.exe!KeQuerySystemTime + 108 8083E6A4 4 Bytes [90, 38, 27, 86]
.text ntoskrnl.exe!KeQuerySystemTime + 188 8083E724 4 Bytes [28, 3C, 1E, 86]
.text ...
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtQueryInformationProcess 7C82757F 5 Bytes JMP 00EC54C0
.text C:\WINDOWS\System32\svchost.exe[872] ntdll.dll!NtQueryInformationProcess 7C82757F 5 Bytes JMP 087E54C0
.text C:\WINDOWS\System32\svchost.exe[872] NETAPI32.dll!NetpwPathCanonicalize 71C49511 5 Bytes JMP 087E5460

---- Devices - GMER 1.0.15 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] wscagent <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent@DisplayName Hardware Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent@Description Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent\Parameters@ServiceDll C:\WINDOWS\system32\hxjtcbdi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\wscagent@DisplayName Hardware Microsoft
Reg HKLM\SYSTEM\ControlSet002\Services\wscagent@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\wscagent@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\wscagent@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\wscagent@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\wscagent@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\wscagent@Description Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\wscagent\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\wscagent\Parameters@ServiceDll C:\WINDOWS\system32\hxjtcbdi.dll

---- EOF - GMER 1.0.15 ----
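The log above is the first output in this thread that actually names the problem: a service (`wscagent`) that exists in the registry but is hidden from the Service Control Manager, backed by a randomly named `ServiceDll` loaded into `svchost.exe`, alongside redirected SSDT entries and in-process JMP hooks. The script below is an added example, not GMER code and not anything the posters ran. It parses GMER's text report (the format is inferred from the log pasted in this post: `---- Section - GMER x.y.z ----` headers, one finding per line), pulls out the hidden service, maps it to its `ServiceDll` from the Registry section, and flags the SSDT and inline hooks, so a responder gets a short triage list instead of having to read the whole dump. The embedded sample is an abridged copy of the log in this post; the `RANDOM_DLL_RE` heuristic (an 8-letter lowercase DLL name, the pattern DaChew remarks on later in the thread) is an assumption of this example, not a GMER rule.

```python
"""Triage a GMER 'Rootkit scan' text log: surface the findings a responder acts on.

Added example for this thread; not GMER code. The line formats are inferred
from the log pasted in the post above.
"""
import re

# Constructed sample: an abridged copy of the GMER log pasted in post #7.
SAMPLE_LOG = r"""
GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-25 08:16:52
Windows 5.2.3790 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT 8625EF48 ZwAlertResumeThread
SSDT 863CA1A8 ZwAllocateVirtualMemory
SSDT 863B99D8 ZwMapViewOfSection
SSDT 863CA0D8 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtQueryInformationProcess 7C82757F 5 Bytes JMP 00EC54C0
.text C:\WINDOWS\System32\svchost.exe[872] NETAPI32.dll!NetpwPathCanonicalize 71C49511 5 Bytes JMP 087E5460

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] wscagent <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent@DisplayName Hardware Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\wscagent\Parameters@ServiceDll C:\WINDOWS\system32\hxjtcbdi.dll

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "Service <image> (*** hidden *** ) [START] <name> <-- ROOTKIT !!!"
HIDDEN_SERVICE_RE = re.compile(r"^Service (\S.*?) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
# ".text <exe>[pid] <module>!<func> <addr> <n> Bytes JMP <target>"
INLINE_HOOK_RE = re.compile(r"^\.text (\S+)\[(\d+)\] (\S+?)!(\S+) [0-9A-F]+ \d+ Bytes JMP ([0-9A-F]+)")
# "Reg HKLM\SYSTEM\<ControlSet>\Services\<name>\Parameters@ServiceDll <path>"
SERVICEDLL_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\Services\\([^\\@]+)\\Parameters@ServiceDll (.+)$")
# Assumption of this example: an 8-letter lowercase DLL name is "random-looking".
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


def parse_gmer(text):
    """Walk the log section by section and collect the findings we care about."""
    findings = {"ssdt_hooks": [], "inline_hooks": [], "hidden_services": [], "service_dlls": {}}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System" and line.startswith("SSDT "):
            _, addr, func = line.split(maxsplit=2)   # SSDT entries GMER reports as redirected
            findings["ssdt_hooks"].append((func, addr))
        elif section == "User code sections":
            m = INLINE_HOOK_RE.match(line)
            if m:
                exe, pid, module, func, target = m.groups()
                findings["inline_hooks"].append(
                    {"exe": exe, "pid": pid, "module": module, "func": func, "target": target})
        elif section == "Services":
            m = HIDDEN_SERVICE_RE.match(line)
            if m:
                image, start, name = m.groups()
                findings["hidden_services"].append({"name": name, "image": image, "start": start})
        elif section == "Registry":
            m = SERVICEDLL_RE.match(line)
            if m:
                _control_set, name, dll = m.groups()
                findings["service_dlls"].setdefault(name, set()).add(dll)
    return findings


def triage(findings):
    """Return (severity, message) pairs, hidden services first: that is the persistence point."""
    issues = []
    for svc in findings["hidden_services"]:
        dlls = findings["service_dlls"].get(svc["name"], set())
        for dll in sorted(dlls):
            base = dll.rsplit("\\", 1)[-1]
            note = " (random-looking 8-letter name)" if RANDOM_DLL_RE.match(base) else ""
            issues.append(("HIGH", f"hidden service {svc['name']} loads {dll}{note}"))
        if not dlls:
            issues.append(("HIGH", f"hidden service {svc['name']} at {svc['image']} (no ServiceDll recorded)"))
    if findings["ssdt_hooks"]:
        first = findings["ssdt_hooks"][0][0]
        issues.append(("MEDIUM", f"{len(findings['ssdt_hooks'])} SSDT entries redirected (first: {first})"))
    for h in findings["inline_hooks"]:
        issues.append(("MEDIUM", f"inline JMP hook on {h['module']}!{h['func']} in {h['exe']} pid {h['pid']}"))
    return issues


if __name__ == "__main__":
    for severity, message in triage(parse_gmer(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Run against a saved `gmer.log`, the HIGH line is the one to act on first: it names the service key to disable and the DLL to rename, which is exactly the order of operations that resolved this thread. The SSDT and inline-hook lines are context; they usually disappear once the hidden service's DLL is no longer loaded and the machine is rebooted.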

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:00 AM

Posted 25 March 2009 - 09:03 AM

You will need to attack this rootkit at the point where it was detected and then try to remove the infection with other tools before the service is restarted

A standalone scanner like Dr.Web CureIt or the Malicious Software Removal Tool?

I betatested the 2003 server for just a few weeks so have no idea what will or will not work.

The basic kernel was xpsp2

I hope this is not a domain wide infection
Chewy

No. Try not. Do... or do not. There is no try.

#9 Robert Adamski

Robert Adamski
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:00 AM

Posted 25 March 2009 - 11:29 AM

Well I think I've finally got this thing beat. I used GMER to disable the WSCAGENT process, then I was able to unhide and rename c:\windows\system32\hxjtcbdi.dll. After that, everything seemed to "wake up" -- security-related sites are visible to me again, and SEPM is now functioning properly. And I can't describe the big sigh of relief that is escaping this data center.

THANK YOU THANK YOU - you've made my week!

Bob

#10 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:00 AM

Posted 25 March 2009 - 01:44 PM

You are more than welcome, if you ever figure out what infected the server please pass that on. My google attempts were fruitless.

I am glad I could help you find that key, you had to unlock the door tho.

Those random 8 letter files have been associated with vundo.
Chewy

No. Try not. Do... or do not. There is no try.
