Win32:Rootkit-gen [Rtk] Virus Help Required

By Mark 'TechTank' Tank ·
I believe that my LAN network has been attacked and infected with a virus called Win32:Rootkit-gen [Rtk]. From what we have seen in terms of its behaviours, and what is documented about this particular virus and its variants, it appears not to be a virus that attacks either data or applications. Rather it tries to cause disruption, in this case by instigating thousands of automated log-ins between machines. It is this activity that has generated multiple failed log-in attempts, and which in turn, has caused the lock-outs.

The "Server Service" had been stopped on a DC and every attempt to start the service was met with another stop service command.

Avast! reported the following:

avast! [ComputerName]: File "C:\WINDOWS\System32\x" is infected by "Win32:Rootkit-gen [Rtk]" virus.
"Resident protection (Standard Shield)" task used Version of current VPS file is 100602-1, 02/06/2010

Hijackthis Log File:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:01:05, on 03/06/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\MBS\Agent\VVAgent.exe
C:\Program Files\MBS\Agent\buagent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PROTEUS\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Dictaphone\Freedom\FreedomEventService.exe
C:\Program Files\HP\NCU\cpqteam.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE
E:\Program Files\Proteus v5\Programs\c3RealTime.exe
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\P5EntScheduler.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Enterprise\Common\QReportHKeeper.exe
C:\Program Files\Alwil Software\Avast4\AvAgent.exe
C:\Program Files\HP\NCU\cpqteam.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://XXXXXXXX
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =;
O1 - Hosts: IPAddress
O4 - HKLM\..\Run: [CPQTEAM] "C:\Program Files\HP\NCU\cpqteam.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\PCM.exe
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Freedom Archive Manager.lnk = C:\Program Files\Dictaphone\Freedom\ArchiveManager.exe (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Proteus Email Engine.lnk = E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Proteus Program Launcher.lnk = E:\Program Files\Proteus v5\Programs\P4Loader.exe (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: RealTime Monitor.lnk = E:\Program Files\Proteus v5\Programs\c3RealTime.exe (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Freedom Archive Manager.lnk = C:\Program Files\Dictaphone\Freedom\ArchiveManager.exe (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Proteus Email Engine.lnk = E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Proteus Program Launcher.lnk = E:\Program Files\Proteus v5\Programs\P4Loader.exe (User 'proteus')
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: RealTime Monitor.lnk = E:\Program Files\Proteus v5\Programs\c3RealTime.exe (User 'proteus')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http:///crystalreportviewers10/ActiveXControls/
O16 - DPF: {E0FC6C46-CE20-4413-A319-1**7CDF41382} (hp ProLiant VCRM Upload Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DomainName
O17 - HKLM\Software\..\Telephony: DomainName = DomainName
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EBF3AE3-73DC-4DB6-8B5F-40CE170CAE7D}: NameServer = IP's
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Domain
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EBF3AE3-73DC-4DB6-8B5F-40CE170CAE7D}: NameServer = IP's
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\bin\hpapp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - c:\centenn.ial\audit\xferwan.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINNT\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINNT\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: MBS Agent (EVault InfoStage Agent) - Unknown owner - C:\Program Files\MBS\Agent\VVAgent.exe
O23 - Service: MBS BUAgent (EVault InfoStage BUAgent) - Unknown owner - C:\Program Files\MBS\Agent\buagent.exe
O23 - Service: FreedomEventService - Dictaphone Corporation - C:\Program Files\Dictaphone\Freedom\FreedomEventService.exe
O23 - Service: NetOp Helper ver. 7.65 (200405 (NetOp Host for NT Service) - Danware Data A/S - e:\Program Files\Proteus v5\Remote Diagnostics\HOST\NHOSTSVC.EXE
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: PRTG 7 Probe Service (PRTG7ProbeService) - Paessler AG - C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
O23 - Service: RclService - EMCO - C:\WINNT\system32\RclServer.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

End of file - 10948 bytes

Any help from anybody would be greatly appreciated.

Thank you for your time and any assistance.


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

I have only the obvious answer

by seanferd In reply to Win32:Rootkit-gen [Rtk] V ...

which is to remove machines from the LAN and the internet, clean them, and don't reconnect anything until every last machine is clean.

Try cleaning one with MBAM to see how it goes.
Turn off System Restore, run it in Safe Mode repeatedly until you get no positive results. Then make sure the machine boots, runs, and connects to a network properly, as system files and/or registry entries may have been changed.

Autoruns can be very useful in finding which files and settings used in the startup process may have changed - certainly check under logon and winlogon that settings are pointing to the correct files. You may also wish to check under the network-oriented tabs (e.g., winsock). Browser proxy settings and the HOSTS file should also be checked in case of poor connectivity.

Rkill may be useful if the virus will not let other security software like MBAM or your AV run.

Other rootkit tools, if necessary, include GMER and Rootkit Revealer.

Be prepared to do a repair install or other repair operation from CD. Being able to boot from an OS on a live CD can be very helpful if the infection is resistant or the system will not successfully boot after cleaning. (UBCD, Bart PE (pre-made or custom), Knoppix, etc.). Recent article for reference:;leftCol

Edit: Yeah, I know no one likes taking down a production network, but better you do it before the virus does, and before any additional malware or the original infection steals your data or your customer's data, or whatever.

Collapse -

Also if this person was to use the

by OH Smeg Moderator In reply to I have only the obvious a ...

Ultimate Boot CD for Win

And build them self a Disc with up to Date AV on it as well as Up to Date Malware Bytes that may work.

This Disc has all of the Malware Removers and Root Kit Tools that should be required.

Alternatively F Secure would also probably do the job as well.


Collapse -

I agree

by bodonnell11 In reply to I have only the obvious a ...

Seanfred's answer says what I would have. Take each machine off the network and clean it individually then put the network back together once you're sure all the machines are clean. It's the only way otherwise they are reinfecting each other while you're working. Like a glass mountain - one step forward, two steps back.

Collapse -

Lacking Resources

by Mark 'TechTank' Tank In reply to I agree

thank you to all who have replied and suggested things to get us virus free again.

Unfortunatly we have 1000 users, homeworkers and 10 sites around the country and only 2 x 2nd Line Engineers and 4 x Technical Support Engineers.

Removing PC's from the LAN is an impossible task but I will pass the comments on to someone who gets paid more than me :0)

Thank you all so much though, nice to know that they're people out there that are still willing to help for the reward of a thumbs up and appreciation.

Collapse -

That's what I suspected.

by seanferd In reply to Lacking Resources

Let those folks with the higher pay scales know that if the infections take down the network by causing denial of service, it is going to be worse than if your engineers/sysadmins do it.

Collapse -

Your Welcome

by OH Smeg Moderator In reply to Lacking Resources

But if this is replicating across the Network you don't have much in the way of options here.

You'll have to remove everything from the Network or at least the Local Area Network and reimage the individual systems. I've seen the removal of some infections kill all Network Adapters in systems and they are not possible to replace them when this happens or add new ones.

If you clean one system and then reattach it to the LAN it just gets reinfected so you've wasted your time and effort cleaning it.

of course if this is not replicating across the network and is confined to just a few computers it may be possible to remove the infected systems wipe the internal HDD's and reimage them fairly quickly. On the up side if things are setup properly this infection should just be confined to the computers at the one location.

But if things have progressed so far that everything is infected it's going to require a lot of outside help to get over this one. If this is any help at one Government Department here it took all my 12 techs 3 days to change the product keys on 2,500 systems after a service pack rendered the old ones unusable on a very large Volume License network. It would have been better to do this over the weekend when there where none of the Departments Staff there to mess things up as well I should add.


Related Discussions

Related Forums