
Win32:Rootkit-gen [Rtk] Possibly causing issue on Network?


  • This topic is locked
2 replies to this topic

#1 cccstech

cccstech

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:52 AM

Posted 03 June 2010 - 08:28 AM

Yesterday morning after coming back from the Bank Holiday, we noticed on our Server 2003 Active Directory network that accounts were locking out, randomly, in roughly 5 minute periods.
We ran a script through the day to unlock the accounts and rebooted the servers over night and hoped today would be better.

Today however, it's worse. Avast has reported the virus Win32:Rootkit-gen [Rtk] throughout the network on most of our machines. Although it's saying it's quarantined the virus and therefore it shouldn't be on any of our Host machines. (I'm not ruling out that this may not be the case).
Accounts are still locking out just as fast as we can unlock them and this morning the Server service kept stopping, but seems to have been fixed with a Windows update and a restart.

We believed it to be a fault with just one of our Domain Controllers as MOST of the accounts locked were showing as originally being locked from that source (Using LockOutStatus.exe tool from Microsoft), however it does appear to be locking from the others, just not as frequently.

We haven't currently run anything on the Servers in an attempt to remove any viruses, but I have run a HiJack This report to see if this could help you guys diagnose the issue.

The main server with the issue did have Avast on it, and did show an event log that it had the virus on it; the other servers don't have Avast, so as yet we're not sure. We're currently trying to get Avast on them and the Windows updates, but they're not letting us onto the sites required (usual trait of a virus).

As I've had a look through the site, I've downloaded and run HiJack This and run a report.

We would appreciate any help at all as we're quite stuck as you can probably tell.

HiJack This Report:

******************************
Avast! reported the following:
******************************

avast! [ComputerName]: File "C:\WINDOWS\System32\x" is infected by "Win32:Rootkit-gen [Rtk]" virus.
"Resident protection (Standard Shield)" task used Version of current VPS file is 100602-1, 02/06/2010

******************************
Hijackthis Log File:
******************************

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:01:05, on 03/06/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\Program Files\MBS\Agent\VVAgent.exe
C:\Program Files\MBS\Agent\buagent.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PROTEUS\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\hp\hpsmh\bin\smhstart.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\System32\wins.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\system32\CpqMgmt\cqmgserv\cqmgserv.exe
C:\WINNT\system32\CpqMgmt\cqmgstor\cqmgstor.exe
C:\Program Files\Dictaphone\Freedom\FreedomEventService.exe
C:\WINNT\system32\sysdown.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\CpqMgmt\cqmghost\cqmghost.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\NCU\cpqteam.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE
E:\Program Files\Proteus v5\Programs\c3RealTime.exe
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
C:\WINNT\system32\ntvdm.exe
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\P5EntScheduler.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Enterprise\Common\QReportHKeeper.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
c:\winnt\system32\inetsrv\w3wp.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Alwil Software\Avast4\AvAgent.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\NCU\cpqteam.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://XXXXXXXX
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O1 - Hosts: IPAddress server.co.uk
O4 - HKLM\..\Run: [CPQTEAM] "C:\Program Files\HP\NCU\cpqteam.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\PCM.exe
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Freedom Archive Manager.lnk = C:\Program Files\Dictaphone\Freedom\ArchiveManager.exe (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Proteus Email Engine.lnk = E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Proteus Program Launcher.lnk = E:\Program Files\Proteus v5\Programs\P4Loader.exe (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: RealTime Monitor.lnk = E:\Program Files\Proteus v5\Programs\c3RealTime.exe (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Freedom Archive Manager.lnk = C:\Program Files\Dictaphone\Freedom\ArchiveManager.exe (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Proteus Email Engine.lnk = E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Proteus Program Launcher.lnk = E:\Program Files\Proteus v5\Programs\P4Loader.exe (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: RealTime Monitor.lnk = E:\Program Files\Proteus v5\Programs\c3RealTime.exe (User 'proteus')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://<ServerName>/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
O16 - DPF: {E0FC6C46-CE20-4413-A319-1917CDF41382} (hp ProLiant VCRM Upload Control) - https://XXXXXXXXX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DomainName
O17 - HKLM\Software\..\Telephony: DomainName = DomainName
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EBF3AE3-73DC-4DB6-8B5F-40CE170CAE7D}: NameServer = IP's
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Domain
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EBF3AE3-73DC-4DB6-8B5F-40CE170CAE7D}: NameServer = IP's
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\bin\hpapp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - c:\centenn.ial\audit\xferwan.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINNT\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINNT\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: MBS Agent (EVault InfoStage Agent) - Unknown owner - C:\Program Files\MBS\Agent\VVAgent.exe
O23 - Service: MBS BUAgent (EVault InfoStage BUAgent) - Unknown owner - C:\Program Files\MBS\Agent\buagent.exe
O23 - Service: FreedomEventService - Dictaphone Corporation - C:\Program Files\Dictaphone\Freedom\FreedomEventService.exe
O23 - Service: NetOp Helper ver. 7.65 (2004058) (NetOp Host for NT Service) - Danware Data A/S - e:\Program Files\Proteus v5\Remote Diagnostics\HOST\NHOSTSVC.EXE
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: PRTG 7 Probe Service (PRTG7ProbeService) - Paessler AG - C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
O23 - Service: RclService - EMCO http://www.emco.is - C:\WINNT\system32\RclServer.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 10948 bytes


Thank you,
Adam

Edited by boopme, 03 June 2010 - 10:50 AM.
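The lockout-source triage described in the post above (finding which machine the bad password attempts are coming from, which LockOutStatus.exe does interactively) can also be done by parsing a text export of the domain controllers' Security logs. The following is an added example, not code from the original post or from Microsoft: it assumes an export in which each line carries the timestamp, the DC that logged it, the event ID (644, "User Account Locked Out", on Windows Server 2003) and the event's "Target Account Name" and "Caller Machine Name" fields. The sample lines, host names, accounts and times are constructed for the example. Beyond counting lockouts per caller, it measures the repeat interval per account/caller pair (a steady interval such as the roughly five minutes reported above points at a scheduled process or a service retrying a stale credential rather than a person) and flags accounts being locked from more than one machine.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: lines in the shape of a text export of Server 2003
# Security event 644 (User Account Locked Out). Field names follow that
# event; the hosts, accounts and times are invented for this example.
SAMPLE_EXPORT = """\
2010-06-03 08:02:11 DC1 644 Target Account Name: jsmith Caller Machine Name: WS-FINANCE-07
2010-06-03 08:07:14 DC1 644 Target Account Name: jsmith Caller Machine Name: WS-FINANCE-07
2010-06-03 08:12:09 DC1 644 Target Account Name: jsmith Caller Machine Name: WS-FINANCE-07
2010-06-03 08:03:40 DC1 644 Target Account Name: mjones Caller Machine Name: WS-FINANCE-07
2010-06-03 08:09:02 DC2 644 Target Account Name: mjones Caller Machine Name: WS-SALES-02
2010-06-03 08:30:55 DC2 644 Target Account Name: admin-ops Caller Machine Name: LAPTOP-11
2010-06-03 08:31:10 DC2 528 Target Account Name: admin-ops Caller Machine Name: LAPTOP-11
"""

# Assumed export layout (see lead-in); adjust the pattern to your exporter.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dc>\S+) (?P<id>\d+) "
    r"Target Account Name: (?P<account>\S+) Caller Machine Name: (?P<caller>\S+)$"
)
LOCKOUT_EVENT_ID = "644"  # Server 2003 lockout event; 4740 on 2008 and later


def parse_lockouts(text):
    """Return a list of lockout events; lines that are not 644 are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("id") != LOCKOUT_EVENT_ID:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "dc": m.group("dc"),
            "account": m.group("account"),
            "caller": m.group("caller"),
        })
    return events


def lockouts_by_caller(events):
    """How many lockouts each caller machine is responsible for."""
    return Counter(e["caller"] for e in events)


def repeat_interval_seconds(events):
    """Median gap between consecutive lockouts of one account from one caller.

    A near-constant gap is the signature of an automated retry (scheduled
    task, service, mapped drive) rather than of a person typing passwords.
    """
    per_key = defaultdict(list)
    for e in events:
        per_key[(e["account"], e["caller"])].append(e["time"])
    result = {}
    for key, times in per_key.items():
        times.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        if gaps:
            result[key] = gaps[len(gaps) // 2]
    return result


def accounts_with_multiple_callers(events):
    """Accounts locked from more than one machine: these need every source checked."""
    callers = defaultdict(set)
    for e in events:
        callers[e["account"]].add(e["caller"])
    return {acct: hosts for acct, hosts in callers.items() if len(hosts) > 1}


if __name__ == "__main__":
    evts = parse_lockouts(SAMPLE_EXPORT)
    print("lockouts per caller:", lockouts_by_caller(evts).most_common())
    for (acct, host), gap in repeat_interval_seconds(evts).items():
        print(f"{acct} from {host}: repeats every ~{gap:.0f}s")
    print("accounts locked from several machines:",
          accounts_with_multiple_callers(evts))
```

On the constructed data the report points at WS-FINANCE-07 as the main source, with jsmith being re-locked from it roughly every five minutes, while mjones is locked from two different machines and so needs both checked. Run the same parser over the export from every DC, not only the one that logs most lockouts, since (as in the thread) the other DCs may be recording the same source less frequently.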




#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:52 AM

Posted 05 June 2010 - 09:41 PM

Hi and welcome.

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a GMER log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or GMER log please refer to this page and in step #6 and Step #7 and Step #8 for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:52 AM

Posted 17 June 2010 - 08:26 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



