
Possible MBR rootkit on Win2K server - not convinced it's gone


12 replies to this topic

#1 MrPhil

  • Members
  • 8 posts

Posted 04 June 2010 - 01:31 PM

Hi all,

A few days ago I received a message from a client I do part-time system admin work for, showing a bounce message for an email they sent referring to reputation problems (they had been blacklisted). A number of scans were performed on the server, including a DrWeb CureIt scan from a PE bootdisk, which turned up nothing (??!!). HijackThis and RunScanner logs looked pretty clean to me. I'm fairly experienced in removing the more stubborn infections with these tools and have had a great deal of success helping friends and family members with them.

Many of the anti-rootkit tools like Rootrepeal failed with a message that they can't load the driver, find a handle to the driver, or that an "overlapped I/O operation is in progress". GMER fails with the overlapped I/O error: code 0xC000010E. Suspicious. Attempts to run Process Explorer under AntiHookExec failed.

This system runs Exchange and ASSP for email spam and virus filtering and the only true confirmation that there was malware running on the machine was a network traffic capture with WireShark showing all kinds of SMTP traffic being sent even though Exchange had been shut down. Email addresses to be spammed were coming in on port 1080 (SOCKS), and the spam traffic was going out on 25. There was also HTTP traffic present and coming through the SOCKS port, making it appear that the server may have been turned into an anonymous web proxy as well. I'd have to take a more in-depth look at that capture to be sure.

I should mention that all of this happened because a malfunctioning router from their ISP was allowing all network traffic through... all ports were essentially wide open including the soft & chewy MS NETBIOS ports, etc. This has been corrected.

Using a number of rootkit-oriented tools including IceSword and "UnHackMe", I was able to remove the hidden malware processes on the system and the server is no longer sending out spam. One of the processes was named rtrpl.sys but most of them were randomly named and would keep reappearing after a reboot until it seemed that I got them all. MBAM found a single rogue.virex or it may have been rogue.unvirex process and removed it.

A differential scan of the machine to compare directory listings from the native OS and a PE boot yielded no significant differences and an "offline" (PE boot) dump of the registry, looking in the usual suspect areas of hkxx>...>run, etc yielded no additional entries.

Here's what worries me:

I still can't run many of the rootkit tools and GMER's mbr.exe gives me:
device: opened successfully
user: MBR read successfully
kernel: error reading MBR

Trying to use mbr.exe to copy the boot sector to a file gives the error:
error: Read The handle is invalid.

It's possible that the UnHackMe/Partizan driver could be causing some of these issues.

I'm currently offsite so I can't do an offline fixmbr but am thinking that might be a good idea at this point. I'd like to be sure that everything is gone.

I can't post the ark file from GMER since GMER fails with the "overlapped I/O operation" error message given above. The interface still comes up but I doubt it will be of much use since the driver apparently won't load.

I did PE vs native-OS directory and registry dumps for differential analysis and can post them if desired.

Any help or advice would be greatly appreciated, I think I may have finally met my match. After running into this, I'm considering enrolling in your malware-removal training program.

Thanks and best regards,

- Phil


DDS Log
----------

DDS (Ver_10-03-17.01) - NTFSx86
Run by administrator at 12:08:31.70 on Tue 06/01/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.3071.2305 [GMT -4:00]


============== Running Processes ===============

C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
C:\Program Files\ComputerAssociates\ARCserve\RDS.EXE
C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Perl\bin\perl.exe
C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
C:\WINNT\System32\ati2plxx.exe
C:\CA_LIC\lic98rmt.exe
D:\AntiSpam\ASSP\ClamAV\clamd.exe
C:\WINNT\system32\Dfssvc.exe
D:\AntiSpam\ASSP\ClamAV\freshclam.exe
C:\Program Files\CA\iGateway\igateway.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
D:\Program Files\Core Security Technologies\CORE FORCE\Repository\LocalCpa.exe
C:\CA_LIC\LogWatNT.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
D:\Program Files\Dell\AM\mr2kserv.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
D:\Program Files\Dell\AM\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\modemshr.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
c:\Program Files\Microsoft Shared Fax\Bin\FXSSVC.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Exchsrvr\bin\events.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
D:\Program Files\Core Security Technologies\CORE FORCE\Policy Developer\PolicyDeveloper.exe
C:\Program Files\UHM\hackmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://smbusiness.dellnet.com/
uInternet Settings,ProxyServer = SERVER:8080
uInternet Settings,ProxyOverride = <local>
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [<NO NAME>]
uRun: [UnHackMe Monitor] c:\program files\uhm\hackmon.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [CORE FORCE] d:\program files\core security technologies\core force\policy developer\PolicyDeveloper.exe
dRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 1 (0x1)
Trusted Zone: dell.com\support
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: symsupportutil - hxxps://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://dell.webex.com/client/T26L/support/ieatgpc.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
TCP: {6C34E555-9F78-41BE-91E6-148D0EC3C778} = 127.0.0.1
TCP: {7C336167-EFE2-4538-B3AA-CC3FBE3AB963} = 10.0.0.13,68.87.73.242
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli

============= SERVICES / DRIVERS ===============

R0 afamgt;afamgt;c:\winnt\system32\drivers\afamgt.sys [2002-2-12 92951]
R0 Alpha2;Alpha2;c:\winnt\system32\drivers\alpha2.sys [2010-5-14 59904]
R0 Alpha2R;Alpha2R;c:\winnt\system32\drivers\alpha2r.sys [2010-5-14 31232]
R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [1979-12-31 74448]
R0 Dispatcher;Dispatcher;c:\winnt\system32\drivers\dispant.sys [2010-5-14 82560]
R0 RSFilter;Remote Storage Recall Support;c:\winnt\system32\drivers\RsFilter.sys [2007-6-5 54768]
R0 vxio;Array Manager Device Driver;c:\winnt\system32\drivers\vxio.sys [2009-3-26 164016]
R1 Dlc;DLC Protocol;c:\winnt\system32\drivers\DLC.SYS [1979-12-31 56112]
R1 TDIFilter;TDIFilter;c:\winnt\system32\drivers\tdifilter.sys [2010-5-14 23424]
R2 AppleTalk;AppleTalk Protocol;c:\winnt\system32\drivers\sfmatalk.sys [1979-12-31 148400]
R2 ASDBEngine;ARCserve Database Engine;c:\program files\computerassociates\arcserve\DBENG.exe [2000-5-25 28672]
R2 ASDiscoverySvc;ARCserve Discovery Service;c:\program files\computerassociates\arcserveitds\asdscsvc.exe [2001-10-5 133632]
R2 ASJobEngine;ARCserve Job Engine;c:\program files\computerassociates\arcserve\jobeng.exe [2001-10-5 24576]
R2 ASMsgEngine;ARCserve Message Engine;c:\program files\computerassociates\arcserve\msgeng.exe [2000-4-30 43008]
R2 ASSPSMTP;Anti-Spam Smtp Proxy;d:\program files\perl\bin\perl.exe [2010-1-26 49233]
R2 ASTapeEngine;ARCserve Tape Engine;c:\program files\computerassociates\arcserve\tapeeng.exe [2001-4-10 20480]
R2 CA_LIC_CLNT;CA License Client;c:\ca_lic\lic98rmt.exe [2004-3-1 143360]
R2 ClamD;ClamWin Free Antivirus Scanner Service;d:\antispam\assp\clamav\clamd.exe --daemon --> d:\antispam\assp\clamav\clamd.exe --daemon [?]
R2 DHCPServer;DHCP Server;c:\winnt\system32\tcpsvcs.exe [1979-12-31 25360]
R2 DNS;DNS Server;c:\winnt\system32\DNS.EXE [2002-2-23 335120]
R2 EXIFS;EXIFS;c:\winnt\system32\drivers\exifs.sys [2007-4-13 196192]
R2 FreshClam;ClamWin Free Antivirus Database Updater;d:\antispam\assp\clamav\freshclam.exe --daemon -c 4 --> d:\antispam\assp\clamav\freshclam.exe --daemon -c 4 [?]
R2 Fwsrv;Microsoft Firewall;c:\program files\microsoft isa server\WSPSRV.EXE [2002-2-12 292112]
R2 GKSVC;Microsoft H.323 Gatekeeper;svchost.exe -k iptelsvcs --> svchost.exe [?]
R2 IMAP4Svc;Microsoft Exchange IMAP4;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
R2 isactrl;Microsoft ISA Server Control;c:\program files\microsoft isa server\MSPADMIN.EXE [2002-2-12 172816]
R2 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2003-8-13 25872]
R2 kdc;Kerberos Key Distribution Center;c:\winnt\system32\LSASS.EXE [1979-12-31 33552]
R2 LocalCpa;Force Repository;d:\program files\core security technologies\core force\repository\LocalCpa.exe [2008-1-11 700416]
R2 LogWatch;Event Log Watch;c:\ca_lic\LogWatNT.exe [2002-9-20 53248]
R2 MacFile;File Server for Macintosh;c:\winnt\system32\SFMSVC.EXE [2003-8-13 68368]
R2 MacPrint;Print Server for Macintosh;c:\winnt\system32\sfmprint.exe [1979-12-31 85264]
R2 ModemSharingDriver;Shared Modem Service Driver;c:\winnt\system32\drivers\modemshr.sys [2002-2-12 145920]
R2 ModemSharingServer;Shared Modem Services;c:\winnt\system32\modemshr.exe [2002-2-12 18272]
R2 MSExchangeES;Microsoft Exchange Event;c:\program files\exchsrvr\bin\events.exe [2007-4-13 94720]
R2 MSExchangeIS;Microsoft Exchange Information Store;c:\program files\exchsrvr\bin\store.exe [2007-4-13 5227520]
R2 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\exchsrvr\bin\exmgmt.exe [2007-4-13 3217408]
R2 MSExchangeMTA;Microsoft Exchange MTA Stacks;c:\program files\exchsrvr\bin\emsmta.exe [2007-4-13 3592704]
R2 MSExchangeSA;Microsoft Exchange System Attendant;c:\program files\exchsrvr\bin\mad.exe [2007-4-13 8920064]
R2 MSExchangeSRS;Microsoft Exchange Site Replication Service;c:\program files\exchsrvr\bin\srsmain.exe [2007-4-13 339456]
R2 MspFltEx;ISA Server Packet Filter Extension Driver;c:\winnt\system32\drivers\MSPFLTEX.SYS [2002-2-12 41328]
R2 MspNAT;ISA Server Network Address Translation (NAT) Driver;c:\winnt\system32\drivers\MSPNAT.SYS [2002-2-12 24976]
R2 MSSEARCH;Microsoft Search;c:\program files\common files\system\mssearch\bin\mssearch.exe [2007-4-13 69632]
R2 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2009-10-20 50704]
R2 Remote_Storage_File_System_Agent;Remote Storage File;c:\winnt\system32\RsFsa.exe [2007-6-5 437008]
R2 Remote_Storage_Subsystem;Remote Storage Media;c:\winnt\system32\RsSub.exe [2007-6-5 440592]
R2 RESvc;Microsoft Exchange Routing Engine;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
R2 SharedFax;Microsoft Shared Fax;c:\program files\microsoft shared fax\bin\FXSSVC.exe [2000-12-17 676496]
R2 TermServLicensing;Terminal Services Licensing;c:\winnt\system32\lserver.exe [2003-8-13 330512]
R2 TrkSvr;Distributed Link Tracking Server;c:\winnt\system32\SERVICES.EXE [1979-12-31 92944]
R2 w3schdwn;Microsoft Scheduled Cache Content Download;c:\program files\microsoft isa server\W3PREFCH.EXE [2002-2-12 34064]
R2 wins;Windows Internet Name Service (WINS);c:\winnt\system32\WINS.EXE [2009-5-28 153360]
R3 ati2mpad;ati2mpad;c:\winnt\system32\drivers\ati2mpad.sys [1979-12-31 264896]
R3 CROXYCL;Force Network Driver miniport;c:\winnt\system32\drivers\croxy.sys [2010-5-13 132736]
R3 MACSRV;SFM Kernel Driver;c:\winnt\system32\drivers\sfmsrv.sys [1979-12-31 154160]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1979-12-31 24784]
R3 pvdatw2k;pvdatw2k;c:\winnt\system32\drivers\pvdatw2k.sys [2006-6-12 8960]
R3 spud;Special Purpose Utility Driver;c:\winnt\system32\drivers\spud.sys [2002-2-12 12336]
S0 dcdbas;Systems management base driver;c:\winnt\system32\drivers\dcdbas32.sys --> c:\winnt\system32\drivers\dcdbas32.sys [?]
S0 Partizan;Partizan;c:\winnt\system32\drivers\Partizan.sys [2010-5-18 35816]
S0 vxboot;vxboot;c:\winnt\system32\drivers\vxboot.sys [2009-3-26 382736]
S2 InoculateIT Server;InoculateIT Server;c:\program files\computerassociates\inoculan\inojobsv.exe [2006-7-24 329840]
S2 Remote_Storage_Engine;Remote Storage Engine;c:\winnt\system32\RsEng.exe [2007-6-5 132368]
S3 AutoDownload Server;AutoDownload Server;c:\program files\computerassociates\inoculan\GetBBS.exe [2006-7-24 97728]
S3 bnchtape;bnchtape;c:\winnt\system32\drivers\bnchtape.sys [1979-12-31 6961]
S3 CA_LIC_SRVR;CA License Server;c:\ca_lic\lic98rmtd.exe [2004-3-1 155648]
S3 Cheyenne Alert Notification Server;Cheyenne Alert Notification Server;c:\program files\computerassociates\arcserve\alert\ALERT.exe [1998-12-1 194048]
S3 IAS;Internet Authentication Service;c:\winnt\system32\svchost.exe -k netsvcs [1979-12-31 7952]
S3 LDAPSVCX;Site Server ILS Service;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
S3 MSPOP3Connector;Microsoft Connector for POP3 Mailboxes;c:\program files\microsoft backoffice\connectivity\pop3 connector\vmimb.exe [2002-2-23 265488]
S3 NntpSvc;Network News Transport Protocol (NNTP);c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
S3 NtFrs;File Replication Service;c:\winnt\system32\ntfrs.exe [2003-8-13 745232]
S3 POP3Svc;Microsoft Exchange POP3;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
S3 QntmDLT;QntmDLT;c:\winnt\system32\drivers\QntmDLT.sys [2003-11-20 9728]
S3 RegGuard;RegGuard;c:\winnt\system32\drivers\regguard.sys [2010-5-18 24416]
S3 Remote_Storage_User_Link;Remote Storage Notification;c:\winnt\system32\RsFsa.exe [2007-6-5 437008]
S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2002-2-12 12664]
S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2002-2-12 20760]
S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2002-2-12 18392]
S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2002-2-12 18264]
S3 W3Proxy;Microsoft Web Proxy;c:\program files\microsoft isa server\W3PROXY.EXE [2002-2-12 367888]

=============== Created Last 30 ================

2010-06-01 15:49:59 8192 ----a-w- c:\winnt\system32\AntiHookExec.exe
2010-06-01 15:11:59 8192 ----a-w- c:\winnt\system32\AHE.exe
2010-06-01 13:47:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_838.dat
2010-05-27 17:00:18 161296 ----a-w- c:\winnt\system32\drivers\tmcomm.sys
2010-05-25 15:36:03 87083330 ----a-w- C:\rgout.reg
2010-05-25 14:58:33 141265180 ----a-w- C:\rgoutPE.reg
2010-05-18 15:10:41 0 d-----w- c:\winnt\RestoreSafeDeleted
2010-05-18 15:10:29 24416 ----a-w- c:\winnt\system32\drivers\regguard.sys (Part of UnHackMe)
2010-05-18 14:37:55 37600 ----a-w- c:\winnt\system32\Partizan.exe (Part of UnHackMe)
2010-05-18 14:37:55 35816 ----a-w- c:\winnt\system32\drivers\Partizan.sys "
2010-05-18 14:36:39 12752 ----a-w- c:\winnt\system32\drivers\UnHackMeDrv.sys "
2010-05-18 14:36:32 0 d-----w- c:\program files\UHM
2010-05-14 19:25:26 0 d-----w- c:\docume~1\admini~1\applic~1\Core Security Technologies
2010-05-14 18:53:23 82560 ----a-w- c:\winnt\system32\drivers\dispant.sys (Part of Core Force Firewall)
2010-05-14 18:53:23 31232 ----a-w- c:\winnt\system32\drivers\alpha2r.sys "
2010-05-14 18:53:23 23424 ----a-w- c:\winnt\system32\drivers\tdifilter.sys "
2010-05-14 18:53:19 59904 ----a-w- c:\winnt\system32\drivers\alpha2.sys "
2010-05-14 18:53:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Core Security Technologies
2010-05-13 19:25:56 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7d8.dat
2010-05-13 18:49:21 132736 ----a-w- c:\winnt\system32\drivers\croxy.sys
2010-05-13 02:34:27 0 d-----w- c:\docume~1\admini~1\applic~1\Wireshark
2010-05-13 02:02:42 74 ----a-w- c:\winnt\system32\-1
2010-05-12 16:03:17 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-12 16:03:09 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-05-12 16:03:06 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-05-12 16:03:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-04-12 13:48:44 87421 ----a-w- c:\winnt\system32\stdout.tmp
2010-04-01 03:49:03 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_11b0.dat
2010-03-31 08:25:33 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7cc.dat
2010-03-22 10:33:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7b8.dat
2010-03-12 09:14:24 401408 ----a-w- c:\winnt\system32\vbscript.dll
2002-02-13 01:15:46 271 ---h--w- c:\program files\desktop.ini
2002-02-13 01:15:46 21952 ---h--w- c:\program files\folder.htt
2000-07-26 04:00:00 32528 ------w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 12:09:49.28 ===============



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 June 2010 - 06:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 MrPhil

  • Topic Starter
  • Members
  • 8 posts

Posted 08 June 2010 - 08:08 PM

Yup, I'm here. Thanks.

- Phil

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 June 2010 - 08:15 PM

Let's see if we can narrow the MBR problem down.

Download and run HAMeb_check.exe

Post the contents of the resulting log.
m0le is a proud member of UNITE

#5 MrPhil

  • Topic Starter
  • Members
  • 8 posts

Posted 08 June 2010 - 08:31 PM

m0le,

Thanks for the quick reply. Log follows (via RDP):

D:\Downloads\Security\HAMeb_check.exe
Tue 06/08/2010 at 21:26:54.71

No HelpAssistant account in User list


~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


Error: Value: "ServiceDll" does not exist!


~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#6 MrPhil

  • Topic Starter
  • Members
  • 8 posts

Posted 09 June 2010 - 09:53 AM

There's one other thing I should mention. I'm not totally sure about this but the "Windows 2000 Server Family" boot-up screen doesn't look quite right to me now. I can't quite put my finger on it, but it looks darker... like it's slightly purplish instead of the usual blue, and something about the graphics looks a bit different. I asked someone else there (not a computer person but they have seen the server boot many times) and it didn't look quite right to them either.

This may be irrelevant or perhaps a recent MS update changed it slightly but it just seemed weird so I thought I'd at least mention it.

Thanks again for all the help.

Cheers,

- Phil

#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 June 2010 - 04:05 PM

Plenty of symptoms but nothing showing or available.


Please run Combofix

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#8 MrPhil

  • Topic Starter
  • Members
  • 8 posts

Posted 10 June 2010 - 05:22 PM

Since I think Combofix disconnects the machine from the Internet, at least temporarily, I was a bit nervous trying to run it off-site. I went on site today and decided to back-up and rebuild the MBR, even though it looked "normal" to every tool I ran, even from a PE boot. I scanned for viruses again for good measure but still found nothing. After rewriting the MBR and rebooting, I can now run GMER and most other rootkit tools, and GMER's mbr.exe now gives the following:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


Instead of:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR

I'd call that progress!

The only rootkit tool I tried to run but couldn't was RootRepeal. The UnhackMe/Partizan driver tagged it as malware and I believe would not let it run. Either that or the driver conflicted with one of the other rootkit tool drivers. I'll reboot and try again to see if it works. That was the rtrpl.sys file I mentioned in my original post... I had tried to run RootRepeal and UnhackMe tagged it.

GMER gives no red entries other than UnHackMe, I'm attaching the log.

The HAlog is now as follows:
D:\Downloads\Security\HAMeb_check.exe
Thu 06/10/2010 at 18:20:48.12

No HelpAssistant account in User list


~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll perc2.sys
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


Error: Value: "ServiceDll" does not exist!


~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


Sorry to deviate from your instructions somewhat... do you still want me to run ComboFix or any other tools at this point?

Again, many thanks for all of the help.

- Phil

Attached Files

  • GMER.log (20.54KB)


#9 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 June 2010 - 05:28 PM

Your MBR looks fine now.

Unless you have any other issues we can wrap this up after a quick scan.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 June 2010 - 07:31 PM

Hi,

I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#11 MrPhil

  • Topic Starter
  • Members
  • 8 posts

Posted 14 June 2010 - 09:14 PM

Hey,

Sorry... I didn't do much with this over the weekend since it at least gives the appearance of being clean. I did discover after rebooting the server again though that the "Kernel: error reading MBR" problem has returned. I believe that the UnHackMe/Partizan driver might be causing it this time so I've just uninstalled it and rebooted the server to try and eliminate that as a variable. It's a boot-watch driver that loads at startup - kind of like IceSword's "reboot and monitor" function, so I'm thinking it's pretty likely that it's causing the problem at this point. Once I've verified that's the case, I'll go ahead and do the online scan as instructed.

If that's not the case... well, I guess I'll have to wipe the MBR again and go from there... see if some other process is putting it back. I'll let you know and see how you think we should proceed.

What's really interesting to me about this whole thing is that PE scans with several different tools (including AntiVir, which allegedly checks for modifications to system files ) booted under both Windows and Linux environments found absolutely nothing... nada. A second Malwarebytes scan before the reboot while the MBR was completely readable found nothing also, so hopefully it's just the leftovers from UnHackMe.

More info to come...

- Phil


#12 MrPhil

  • Topic Starter
  • Members
  • 8 posts

Posted 14 June 2010 - 11:05 PM

Ok... after removing the tool and rebooting, the problem still exists. We know that rebuilding the MBR will fix it at least temporarily... until a subsequent reboot. The question is, did the tool put the "problem" boot-code back or was it something else?

If I rewrite the MBR again and the error recurs after a second reboot, I guess we'll know it was something else now that UnHackMe/Partizan is gone.

Let me know how you would like to proceed with this, and if you still want me to run the ESET online scan even though the MBR is once again suspect.

Thanks,

- Phil
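The procedure Phil describes in #8 and #12 (back up the MBR, rewrite it, reboot, then see whether sector 0 has changed again) can be made repeatable by keeping a known-good copy of the sector and diffing later dumps against it. The Python below is an added example written for this page; it is not code from the thread, from GMER's mbr.exe or from any of the tools named here. It parses a 512-byte MBR image (boot code, disk signature, four partition entries, the 0x55AA boot signature) and reports how a later dump differs from the baseline. Every byte of the sample MBR is constructed test data, not a capture from the server.

```python
"""
Baseline-and-compare check for a 512-byte MBR image (added example, not from the thread).
The sample MBR built here is constructed data; no real disk is read.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code occupies bytes 0..439 in the classic layout
DISK_SIG_OFFSET = 440        # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII" # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr(boot_code_fill: int) -> bytes:
    """Constructed MBR: filler boot code, one active NTFS-type (0x07) partition, valid signature."""
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_LEN
    disk_sig = struct.pack("<I", 0xDEADBEEF)            # constructed disk signature
    reserved = b"\x00\x00"
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)      # remaining three slots empty
    mbr = boot_code + disk_sig + reserved + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw sector into the fields worth comparing between two dumps."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype != 0:                                  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means the sector matches the baseline."""
    findings = []
    b, c = parse_mbr(baseline), parse_mbr(current)
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed since baseline (bootkit-style write or a legitimate rewrite)")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table differs from baseline")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature differs from baseline")
    return findings


def demo() -> dict:
    """Run the comparison against an unchanged copy and two tampered copies of the constructed MBR."""
    baseline = build_sample_mbr(0x90)
    patched_code = bytearray(baseline)
    patched_code[0:3] = b"\xeb\x3c\x90"                 # constructed change inside the boot code
    moved_part = bytearray(baseline)
    struct.pack_into("<I", moved_part, PART_TABLE_OFFSET + 8, 2048)  # first partition LBA start
    return {
        "unchanged": compare_to_baseline(baseline, baseline),
        "boot_code_patched": compare_to_baseline(baseline, bytes(patched_code)),
        "partition_moved": compare_to_baseline(baseline, bytes(moved_part)),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'matches baseline'}")
```

On a live system the 512 bytes come from a raw read of the physical disk (on Windows `\\.\PhysicalDrive0`, opened with administrator rights); taking one dump from the PE boot and one from the running OS and comparing them gives a check in the same spirit as mbr.exe's user-mode versus kernel-mode read, since a sector that reads differently depending on the path used to reach it is exactly the discrepancy a disk-stack hook produces. Keep the baseline copy off the machine being checked.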

#13 MrPhil

  • Topic Starter
  • Members
  • 8 posts

Posted 24 June 2010 - 09:13 AM

The MBR problem resolved itself... oddly enough. I'm thinking that I might have used the "reboot and monitor" function in IceSword when I restarted the machine after rewriting the MBR the first time, so that may have caused the problem.

I had to go back on-site yesterday and since I hadn't heard anything back from you, I decided to check and rewrite the MBR again for good measure while I was there. Everything appears to be fine. I can run GMER, etc. but still not RootRepeal. RootRepeal goes to high processor utilization and grabs most of the available memory in the machine as reported by Task Manager but never gets past the "Initializing" screen. I have never been able to get RootRepeal to run, even when I've renamed it.

I did do the ESET online scan back when you originally asked. It found a few infections in the badmail queue and some old user folders. The scan log is attached.

Everything appears to be fine now, except for the issue of being able to run RootRepeal. What could be causing this? Do you think I should be concerned about it or does it have this problem with certain platforms/systems?

Thanks again for all of your help so far.

Cheers,

- Phil
