Hi all,
A few days ago I received a message from a client I do part-time system admin work for, showing a bounce message for an email they sent referring to reputation problems (they had been blacklisted). A number of scans were performed on the server, including a DrWeb CureIt scan from a PE bootdisk, which turned up nothing (??!!). HijackThis and RunScanner logs looked pretty clean to me. I'm fairly experienced in removing the more stubborn infections with these tools and have had a great deal of success helping friends and family members with them.
Many of the anti-rootkit tools like RootRepeal failed with a message that they can't load the driver, find a handle to the driver, or that an "overlapped I/O operation is in progress". GMER fails with the overlapped I/O error: code 0xC000010E. Suspicious. Attempts to run Process Explorer under AntiHookExec failed.
This system runs Exchange and ASSP for email spam and virus filtering, and the only true confirmation that there was malware running on the machine was a network traffic capture with Wireshark showing all kinds of SMTP traffic being sent even though Exchange had been shut down. Email addresses to be spammed were coming in on port 1080 (SOCKS), and the spam traffic was going out on 25. There was also HTTP traffic present and coming through the SOCKS port, making it appear that the server may have been turned into an anonymous web proxy as well. I'd have to take a more in-depth look at that capture to be sure.
I should mention that all of this happened because a malfunctioning router from their ISP was allowing all network traffic through... all ports were essentially wide open including the soft & chewy MS NETBIOS ports, etc. This has been corrected.
Using a number of rootkit-oriented tools including IceSword and "UnHackMe", I was able to remove the hidden malware processes on the system and the server is no longer sending out spam. One of the processes was named rtrpl.sys but most of them were randomly named and would keep reappearing after a reboot until it seemed that I got them all. MBAM found a single rogue.virex or it may have been rogue.unvirex process and removed it.
A differential scan of the machine to compare directory listings from the native OS and a PE boot yielded no significant differences and an "offline" (PE boot) dump of the registry, looking in the usual suspect areas of hkxx>...>run, etc yielded no additional entries.
Here's what worries me:
I still can't run many of the rootkit tools and GMER's mbr.exe gives me:
device: opened successfully
user: MBR read successfully
kernel: error reading MBR
Trying to use mbr.exe to copy the boot sector to a file gives the error:
error: Read The handle is invalid.
It's possible that the UnHackMe/Partizan driver could be causing some of these issues.
I'm currently offsite so I can't do an offline fixmbr but am thinking that might be a good idea at this point. I'd like to be sure that everything is gone.
I can't post the ark file from GMER since GMER fails with the "overlapped I/O operation" error message given above. The interface still comes up but I doubt it will be of much use since the driver apparently won't load.
I did PE vs native-OS directory and registry dumps for differential analysis and can post them if desired.
Any help or advice would be greatly appreciated, I think I may have finally met my match. After running into this, I'm considering enrolling in your malware-removal training program.
Thanks and best regards,
- Phil
DDS Log
----------
DDS (Ver_10-03-17.01) - NTFSx86
Run by administrator at 12:08:31.70 on Tue 06/01/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.3071.2305 [GMT -4:00]
============== Running Processes ===============
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
C:\Program Files\ComputerAssociates\ARCserve\RDS.EXE
C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
D:\Program Files\Perl\bin\perl.exe
C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
C:\WINNT\System32\ati2plxx.exe
C:\CA_LIC\lic98rmt.exe
D:\AntiSpam\ASSP\ClamAV\clamd.exe
C:\WINNT\system32\Dfssvc.exe
D:\AntiSpam\ASSP\ClamAV\freshclam.exe
C:\Program Files\CA\iGateway\igateway.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
D:\Program Files\Core Security Technologies\CORE FORCE\Repository\LocalCpa.exe
C:\CA_LIC\LogWatNT.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
D:\Program Files\Dell\AM\mr2kserv.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
D:\Program Files\Dell\AM\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\modemshr.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
c:\Program Files\Microsoft Shared Fax\Bin\FXSSVC.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Exchsrvr\bin\events.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
D:\Program Files\Core Security Technologies\CORE FORCE\Policy Developer\PolicyDeveloper.exe
C:\Program Files\UHM\hackmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://smbusiness.dellnet.com/
uInternet Settings,ProxyServer = SERVER:8080
uInternet Settings,ProxyOverride = <local>
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [<NO NAME>]
uRun: [UnHackMe Monitor] c:\program files\uhm\hackmon.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [CORE FORCE] d:\program files\core security technologies\core force\policy developer\PolicyDeveloper.exe
dRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 1 (0x1)
Trusted Zone: dell.com\support
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: symsupportutil - hxxps://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://dell.webex.com/client/T26L/support/ieatgpc.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
TCP: {6C34E555-9F78-41BE-91E6-148D0EC3C778} = 127.0.0.1
TCP: {7C336167-EFE2-4538-B3AA-CC3FBE3AB963} = 10.0.0.13,68.87.73.242
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli
============= SERVICES / DRIVERS ===============
R0 afamgt;afamgt;c:\winnt\system32\drivers\afamgt.sys [2002-2-12 92951]
R0 Alpha2;Alpha2;c:\winnt\system32\drivers\alpha2.sys [2010-5-14 59904]
R0 Alpha2R;Alpha2R;c:\winnt\system32\drivers\alpha2r.sys [2010-5-14 31232]
R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [1979-12-31 74448]
R0 Dispatcher;Dispatcher;c:\winnt\system32\drivers\dispant.sys [2010-5-14 82560]
R0 RSFilter;Remote Storage Recall Support;c:\winnt\system32\drivers\RsFilter.sys [2007-6-5 54768]
R0 vxio;Array Manager Device Driver;c:\winnt\system32\drivers\vxio.sys [2009-3-26 164016]
R1 Dlc;DLC Protocol;c:\winnt\system32\drivers\DLC.SYS [1979-12-31 56112]
R1 TDIFilter;TDIFilter;c:\winnt\system32\drivers\tdifilter.sys [2010-5-14 23424]
R2 AppleTalk;AppleTalk Protocol;c:\winnt\system32\drivers\sfmatalk.sys [1979-12-31 148400]
R2 ASDBEngine;ARCserve Database Engine;c:\program files\computerassociates\arcserve\DBENG.exe [2000-5-25 28672]
R2 ASDiscoverySvc;ARCserve Discovery Service;c:\program files\computerassociates\arcserveitds\asdscsvc.exe [2001-10-5 133632]
R2 ASJobEngine;ARCserve Job Engine;c:\program files\computerassociates\arcserve\jobeng.exe [2001-10-5 24576]
R2 ASMsgEngine;ARCserve Message Engine;c:\program files\computerassociates\arcserve\msgeng.exe [2000-4-30 43008]
R2 ASSPSMTP;Anti-Spam Smtp Proxy;d:\program files\perl\bin\perl.exe [2010-1-26 49233]
R2 ASTapeEngine;ARCserve Tape Engine;c:\program files\computerassociates\arcserve\tapeeng.exe [2001-4-10 20480]
R2 CA_LIC_CLNT;CA License Client;c:\ca_lic\lic98rmt.exe [2004-3-1 143360]
R2 ClamD;ClamWin Free Antivirus Scanner Service;d:\antispam\assp\clamav\clamd.exe --daemon --> d:\antispam\assp\clamav\clamd.exe --daemon [?]
R2 DHCPServer;DHCP Server;c:\winnt\system32\tcpsvcs.exe [1979-12-31 25360]
R2 DNS;DNS Server;c:\winnt\system32\DNS.EXE [2002-2-23 335120]
R2 EXIFS;EXIFS;c:\winnt\system32\drivers\exifs.sys [2007-4-13 196192]
R2 FreshClam;ClamWin Free Antivirus Database Updater;d:\antispam\assp\clamav\freshclam.exe --daemon -c 4 --> d:\antispam\assp\clamav\freshclam.exe --daemon -c 4 [?]
R2 Fwsrv;Microsoft Firewall;c:\program files\microsoft isa server\WSPSRV.EXE [2002-2-12 292112]
R2 GKSVC;Microsoft H.323 Gatekeeper;svchost.exe -k iptelsvcs --> svchost.exe [?]
R2 IMAP4Svc;Microsoft Exchange IMAP4;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
R2 isactrl;Microsoft ISA Server Control;c:\program files\microsoft isa server\MSPADMIN.EXE [2002-2-12 172816]
R2 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2003-8-13 25872]
R2 kdc;Kerberos Key Distribution Center;c:\winnt\system32\LSASS.EXE [1979-12-31 33552]
R2 LocalCpa;Force Repository;d:\program files\core security technologies\core force\repository\LocalCpa.exe [2008-1-11 700416]
R2 LogWatch;Event Log Watch;c:\ca_lic\LogWatNT.exe [2002-9-20 53248]
R2 MacFile;File Server for Macintosh;c:\winnt\system32\SFMSVC.EXE [2003-8-13 68368]
R2 MacPrint;Print Server for Macintosh;c:\winnt\system32\sfmprint.exe [1979-12-31 85264]
R2 ModemSharingDriver;Shared Modem Service Driver;c:\winnt\system32\drivers\modemshr.sys [2002-2-12 145920]
R2 ModemSharingServer;Shared Modem Services;c:\winnt\system32\modemshr.exe [2002-2-12 18272]
R2 MSExchangeES;Microsoft Exchange Event;c:\program files\exchsrvr\bin\events.exe [2007-4-13 94720]
R2 MSExchangeIS;Microsoft Exchange Information Store;c:\program files\exchsrvr\bin\store.exe [2007-4-13 5227520]
R2 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\exchsrvr\bin\exmgmt.exe [2007-4-13 3217408]
R2 MSExchangeMTA;Microsoft Exchange MTA Stacks;c:\program files\exchsrvr\bin\emsmta.exe [2007-4-13 3592704]
R2 MSExchangeSA;Microsoft Exchange System Attendant;c:\program files\exchsrvr\bin\mad.exe [2007-4-13 8920064]
R2 MSExchangeSRS;Microsoft Exchange Site Replication Service;c:\program files\exchsrvr\bin\srsmain.exe [2007-4-13 339456]
R2 MspFltEx;ISA Server Packet Filter Extension Driver;c:\winnt\system32\drivers\MSPFLTEX.SYS [2002-2-12 41328]
R2 MspNAT;ISA Server Network Address Translation (NAT) Driver;c:\winnt\system32\drivers\MSPNAT.SYS [2002-2-12 24976]
R2 MSSEARCH;Microsoft Search;c:\program files\common files\system\mssearch\bin\mssearch.exe [2007-4-13 69632]
R2 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2009-10-20 50704]
R2 Remote_Storage_File_System_Agent;Remote Storage File;c:\winnt\system32\RsFsa.exe [2007-6-5 437008]
R2 Remote_Storage_Subsystem;Remote Storage Media;c:\winnt\system32\RsSub.exe [2007-6-5 440592]
R2 RESvc;Microsoft Exchange Routing Engine;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
R2 SharedFax;Microsoft Shared Fax;c:\program files\microsoft shared fax\bin\FXSSVC.exe [2000-12-17 676496]
R2 TermServLicensing;Terminal Services Licensing;c:\winnt\system32\lserver.exe [2003-8-13 330512]
R2 TrkSvr;Distributed Link Tracking Server;c:\winnt\system32\SERVICES.EXE [1979-12-31 92944]
R2 w3schdwn;Microsoft Scheduled Cache Content Download;c:\program files\microsoft isa server\W3PREFCH.EXE [2002-2-12 34064]
R2 wins;Windows Internet Name Service (WINS);c:\winnt\system32\WINS.EXE [2009-5-28 153360]
R3 ati2mpad;ati2mpad;c:\winnt\system32\drivers\ati2mpad.sys [1979-12-31 264896]
R3 CROXYCL;Force Network Driver miniport;c:\winnt\system32\drivers\croxy.sys [2010-5-13 132736]
R3 MACSRV;SFM Kernel Driver;c:\winnt\system32\drivers\sfmsrv.sys [1979-12-31 154160]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1979-12-31 24784]
R3 pvdatw2k;pvdatw2k;c:\winnt\system32\drivers\pvdatw2k.sys [2006-6-12 8960]
R3 spud;Special Purpose Utility Driver;c:\winnt\system32\drivers\spud.sys [2002-2-12 12336]
S0 dcdbas;Systems management base driver;c:\winnt\system32\drivers\dcdbas32.sys --> c:\winnt\system32\drivers\dcdbas32.sys [?]
S0 Partizan;Partizan;c:\winnt\system32\drivers\Partizan.sys [2010-5-18 35816]
S0 vxboot;vxboot;c:\winnt\system32\drivers\vxboot.sys [2009-3-26 382736]
S2 InoculateIT Server;InoculateIT Server;c:\program files\computerassociates\inoculan\inojobsv.exe [2006-7-24 329840]
S2 Remote_Storage_Engine;Remote Storage Engine;c:\winnt\system32\RsEng.exe [2007-6-5 132368]
S3 AutoDownload Server;AutoDownload Server;c:\program files\computerassociates\inoculan\GetBBS.exe [2006-7-24 97728]
S3 bnchtape;bnchtape;c:\winnt\system32\drivers\bnchtape.sys [1979-12-31 6961]
S3 CA_LIC_SRVR;CA License Server;c:\ca_lic\lic98rmtd.exe [2004-3-1 155648]
S3 Cheyenne Alert Notification Server;Cheyenne Alert Notification Server;c:\program files\computerassociates\arcserve\alert\ALERT.exe [1998-12-1 194048]
S3 IAS;Internet Authentication Service;c:\winnt\system32\svchost.exe -k netsvcs [1979-12-31 7952]
S3 LDAPSVCX;Site Server ILS Service;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
S3 MSPOP3Connector;Microsoft Connector for POP3 Mailboxes;c:\program files\microsoft backoffice\connectivity\pop3 connector\vmimb.exe [2002-2-23 265488]
S3 NntpSvc;Network News Transport Protocol (NNTP);c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
S3 NtFrs;File Replication Service;c:\winnt\system32\ntfrs.exe [2003-8-13 745232]
S3 POP3Svc;Microsoft Exchange POP3;c:\winnt\system32\inetsrv\inetinfo.exe [2003-8-13 14608]
S3 QntmDLT;QntmDLT;c:\winnt\system32\drivers\QntmDLT.sys [2003-11-20 9728]
S3 RegGuard;RegGuard;c:\winnt\system32\drivers\regguard.sys [2010-5-18 24416]
S3 Remote_Storage_User_Link;Remote Storage Notification;c:\winnt\system32\RsFsa.exe [2007-6-5 437008]
S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2002-2-12 12664]
S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2002-2-12 20760]
S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2002-2-12 18392]
S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2002-2-12 18264]
S3 W3Proxy;Microsoft Web Proxy;c:\program files\microsoft isa server\W3PROXY.EXE [2002-2-12 367888]
=============== Created Last 30 ================
2010-06-01 15:49:59 8192 ----a-w- c:\winnt\system32\AntiHookExec.exe
2010-06-01 15:11:59 8192 ----a-w- c:\winnt\system32\AHE.exe
2010-06-01 13:47:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_838.dat
2010-05-27 17:00:18 161296 ----a-w- c:\winnt\system32\drivers\tmcomm.sys
2010-05-25 15:36:03 87083330 ----a-w- C:\rgout.reg
2010-05-25 14:58:33 141265180 ----a-w- C:\rgoutPE.reg
2010-05-18 15:10:41 0 d-----w- c:\winnt\RestoreSafeDeleted
2010-05-18 15:10:29 24416 ----a-w- c:\winnt\system32\drivers\regguard.sys (Part of UnHackMe)
2010-05-18 14:37:55 37600 ----a-w- c:\winnt\system32\Partizan.exe (Part of UnHackMe)
2010-05-18 14:37:55 35816 ----a-w- c:\winnt\system32\drivers\Partizan.sys "
2010-05-18 14:36:39 12752 ----a-w- c:\winnt\system32\drivers\UnHackMeDrv.sys "
2010-05-18 14:36:32 0 d-----w- c:\program files\UHM
2010-05-14 19:25:26 0 d-----w- c:\docume~1\admini~1\applic~1\Core Security Technologies
2010-05-14 18:53:23 82560 ----a-w- c:\winnt\system32\drivers\dispant.sys (Part of Core Force Firewall)
2010-05-14 18:53:23 31232 ----a-w- c:\winnt\system32\drivers\alpha2r.sys "
2010-05-14 18:53:23 23424 ----a-w- c:\winnt\system32\drivers\tdifilter.sys "
2010-05-14 18:53:19 59904 ----a-w- c:\winnt\system32\drivers\alpha2.sys "
2010-05-14 18:53:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Core Security Technologies
2010-05-13 19:25:56 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7d8.dat
2010-05-13 18:49:21 132736 ----a-w- c:\winnt\system32\drivers\croxy.sys
2010-05-13 02:34:27 0 d-----w- c:\docume~1\admini~1\applic~1\Wireshark
2010-05-13 02:02:42 74 ----a-w- c:\winnt\system32\-1
2010-05-12 16:03:17 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-12 16:03:09 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-05-12 16:03:06 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-05-12 16:03:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
==================== Find3M ====================
2010-04-12 13:48:44 87421 ----a-w- c:\winnt\system32\stdout.tmp
2010-04-01 03:49:03 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_11b0.dat
2010-03-31 08:25:33 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7cc.dat
2010-03-22 10:33:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7b8.dat
2010-03-12 09:14:24 401408 ----a-w- c:\winnt\system32\vbscript.dll
2002-02-13 01:15:46 271 ---h--w- c:\program files\desktop.ini
2002-02-13 01:15:46 21952 ---h--w- c:\program files\folder.htt
2000-07-26 04:00:00 32528 ------w- c:\winnt\inf\wbfirdma.sys
============= FINISH: 12:09:49.28 ===============
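The PE-vs-native differential analysis Phil describes is the classic cross-view check for a hiding rootkit. Here is an added example (not code from the post or from any tool it names) that automates the comparison of two directory-listing dumps; the listing format, the noise filter and both sample listings are assumptions, and the sample is constructed rather than taken from the server.

```python
"""Cross-view diff of two directory listings: native boot vs. PE (offline) boot.

Added example, not code from the original post or any tool it names. A kernel-mode
rootkit can only hide a file while its driver is loaded, so a path present in the
offline listing but absent from the native one is a hiding candidate. Assumed
format: one path per line, optionally a tab and the size in bytes; drive letters
are stripped because a PE boot may mount the system volume under another letter.
"""
from typing import Dict, List, Optional, Tuple

# Files that legitimately differ between boots; filtered so real hits stand out.
NOISE_SUFFIXES = ("pagefile.sys", "hiberfil.sys", ".dat", ".log", ".tmp")


def parse_listing(text: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map lower-cased, drive-less path -> (original path, size or None)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, size = line.partition("\t")
        if len(path) > 1 and path[1] == ":":        # "C:\winnt\x" -> "\winnt\x"
            path = path[2:]
        if path.lower().endswith(NOISE_SUFFIXES):
            continue
        entries[path.lower()] = (path, int(size) if size else None)
    return entries


def cross_view_diff(native: str, offline: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (hidden, size_mismatch, native_only) paths."""
    n, o = parse_listing(native), parse_listing(offline)
    # Offline-only: invisible to the running OS, the top suspects.
    hidden = sorted(o[k][0] for k in o.keys() - n.keys())
    # Native-only: driver-synthesised objects or files created after the snapshot.
    native_only = sorted(n[k][0] for k in n.keys() - o.keys())
    # Same path, different size: content possibly masked by a filter driver.
    mismatch = sorted(o[k][0] for k in n.keys() & o.keys()
                      if None not in (n[k][1], o[k][1]) and n[k][1] != o[k][1])
    return hidden, mismatch, native_only


# Constructed sample listings (not dumps from the server in the post).
NATIVE_LISTING = """\
C:\\WINNT\\system32\\drivers\\npf.sys\t50704
C:\\WINNT\\system32\\drivers\\Partizan.sys\t35816
C:\\WINNT\\system32\\Perflib_Perfdata_838.dat\t16384
C:\\WINNT\\system32\\vbscript.dll\t401408
"""
OFFLINE_LISTING = """\
D:\\WINNT\\system32\\drivers\\npf.sys\t50704
D:\\WINNT\\system32\\drivers\\Partizan.sys\t35816
D:\\WINNT\\system32\\drivers\\rtrpl.sys\t28160
D:\\WINNT\\system32\\vbscript.dll\t409600
"""
```

Calling `cross_view_diff(NATIVE_LISTING, OFFLINE_LISTING)` reports the driver present only offline as hidden and the size-changed DLL as a mismatch, while the per-boot Perflib file is filtered out as noise.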
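The network capture was the one piece of evidence that settled it: inbound SOCKS on 1080 feeding addresses, outbound SMTP on 25 with Exchange stopped. As an added example (not from the post and not Wireshark output), the following turns that observation into a repeatable check over a connection log; the log format, the server address, the internal range and every flow line are constructed assumptions.

```python
"""Flag the relay pattern described in the post in a connection log: inbound
SOCKS (1080) from the Internet plus outbound SMTP (25) from the server while
the sanctioned MTA (Exchange) is stopped. Added example, not code from the
original post or from Wireshark. Input format is an assumption, "time
src:sport > dst:dport" per line; the server address, internal range and all
sample flows are constructed (RFC 5737 documentation ranges for the outside).
"""
import ipaddress
import re
from collections import Counter
from typing import Dict

SERVER = ipaddress.ip_address("10.0.0.20")        # constructed, not from the log
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # constructed LAN range
LINE = re.compile(r"^(\S+)\s+([\d.]+):(\d+)\s*>\s*([\d.]+):(\d+)$")


def parse(line: str):
    """One flow record as a dict, or None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    t, src, sport, dst, dport = m.groups()
    return {"t": t, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}


def analyse(log: str, mta_running: bool) -> Dict[str, object]:
    """Summarise SOCKS clients and outbound SMTP, and give a relay verdict."""
    flows = [f for f in map(parse, log.splitlines()) if f]
    # Internet hosts talking to the server's SOCKS port: the spam-feed channel.
    socks_clients = sorted({str(f["src"]) for f in flows
                            if f["dst"] == SERVER and f["dport"] == 1080
                            and f["src"] not in INTERNAL})
    # Server-originated SMTP to the outside, counted per destination MX.
    smtp_dsts = Counter(str(f["dst"]) for f in flows
                        if f["src"] == SERVER and f["dport"] == 25
                        and f["dst"] not in INTERNAL)
    smtp_out = sum(smtp_dsts.values())
    # Outbound SMTP cannot be legitimate with the MTA stopped; with it running,
    # it is suspect only when correlated with an external SOCKS feed.
    verdict = smtp_out > 0 and (not mta_running or bool(socks_clients))
    return {"socks_clients": socks_clients, "smtp_destinations": len(smtp_dsts),
            "smtp_connections": smtp_out, "relay_suspected": verdict}


# Constructed sample capture summary, not traffic from the server in the post.
SAMPLE_LOG = """\
12:01:03 198.51.100.7:51022 > 10.0.0.20:1080
12:01:04 10.0.0.20:3391 > 203.0.113.10:25
12:01:04 10.0.0.20:3392 > 203.0.113.11:25
12:01:05 10.0.0.9:1455 > 10.0.0.20:25
12:01:06 10.0.0.20:3394 > 203.0.113.13:25
12:01:07 192.0.2.44:60001 > 10.0.0.20:1080
"""
```

`analyse(SAMPLE_LOG, mta_running=False)` lists both external SOCKS clients and three outbound SMTP destinations and marks the host as a suspected relay; the internal client delivering to port 25 is ignored as normal inbound mail.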