I believe that my LAN network has been attacked and infected with a virus called Win32:Rootkit-gen [Rtk]. From what we have seen in terms of its behaviours, and what is documented about this particular virus and its variants, it appears not to be a virus that attacks either data or applications. Rather, it tries to cause disruption, in this case by instigating thousands of automated log-ins between machines. It is this activity that has generated multiple failed log-in attempts, which, in turn, has caused the lock-outs.
The “Server Service” had been stopped on a DC and every attempt to start the service was met with another stop service command.
******************************
Avast! reported the following:
******************************
avast! [ComputerName]: File “C:\WINDOWS\System32\x” is infected by “Win32:Rootkit-gen [Rtk]” virus.
“Resident protection (Standard Shield)” task used Version of current VPS file is 100602-1, 02/06/2010
******************************
Hijackthis Log File:
******************************
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:01:05, on 03/06/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\Program Files\MBS\Agent\VVAgent.exe
C:\Program Files\MBS\Agent\buagent.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PROTEUS\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\hp\hpsmh\bin\smhstart.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\System32\wins.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\system32\CpqMgmt\cqmgserv\cqmgserv.exe
C:\WINNT\system32\CpqMgmt\cqmgstor\cqmgstor.exe
C:\Program Files\Dictaphone\Freedom\FreedomEventService.exe
C:\WINNT\system32\sysdown.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\CpqMgmt\cqmghost\cqmghost.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\NCU\cpqteam.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE
E:\Program Files\Proteus v5\Programs\c3RealTime.exe
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
C:\WINNT\system32\ntvdm.exe
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\P5EntScheduler.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Enterprise\Common\QReportHKeeper.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
c:\winnt\system32\inetsrv\w3wp.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Alwil Software\Avast4\AvAgent.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\NCU\cpqteam.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://XXXXXXXX
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O1 – Hosts: IPAddress server.co.uk
O4 – HKLM\..\Run: [CPQTEAM] “C:\Program Files\HP\NCU\cpqteam.exe”
O4 – HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 – HKLM\..\Run: [WinVNC] “C:\Program Files\UltraVNC\WinVNC.exe” -servicehelper
O4 – HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 – HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 – HKCU\..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\PCM.exe
O4 – HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User ‘LOCAL SERVICE’)
O4 – HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User ‘LOCAL SERVICE’)
O4 – HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User ‘NETWORK SERVICE’)
O4 – HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User ‘NETWORK SERVICE’)
O4 – HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User ‘SYSTEM’)
O4 – HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User ‘SYSTEM’)
O4 – HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User ‘Default user’)
O4 – HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User ‘Default user’)
O4 – S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Freedom Archive Manager.lnk = C:\Program Files\Dictaphone\Freedom\ArchiveManager.exe (User ‘proteus’)
O4 – S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Proteus Email Engine.lnk = E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE (User ‘proteus’)
O4 – S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Proteus Program Launcher.lnk = E:\Program Files\Proteus v5\Programs\P4Loader.exe (User ‘proteus’)
O4 – S-1-5-21-1925261247-738753776-1233803906-4485 Startup: RealTime Monitor.lnk = E:\Program Files\Proteus v5\Programs\c3RealTime.exe (User ‘proteus’)
O4 – S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Freedom Archive Manager.lnk = C:\Program Files\Dictaphone\Freedom\ArchiveManager.exe (User ‘proteus’)
O4 – S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Proteus Email Engine.lnk = E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE (User ‘proteus’)
O4 – S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Proteus Program Launcher.lnk = E:\Program Files\Proteus v5\Programs\P4Loader.exe (User ‘proteus’)
O4 – S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: RealTime Monitor.lnk = E:\Program Files\Proteus v5\Programs\c3RealTime.exe (User ‘proteus’)
O4 – Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 – DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) – http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 – DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) – http:///crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
O16 – DPF: {E0FC6C46-CE20-4413-A319-1917CDF41382} (hp ProLiant VCRM Upload Control) – https://XXXXXXXXX.cab
O17 – HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DomainName
O17 – HKLM\Software\..\Telephony: DomainName = DomainName
O17 – HKLM\System\CCS\Services\Tcpip\..\{0EBF3AE3-73DC-4DB6-8B5F-40CE170CAE7D}: NameServer = IP’s
O17 – HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Domain
O17 – HKLM\System\CS1\Services\Tcpip\..\{0EBF3AE3-73DC-4DB6-8B5F-40CE170CAE7D}: NameServer = IP’s
O18 – Protocol: hpapp – {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} – C:\Program Files\Compaq\Cpqacuxe\bin\hpapp.dll
O22 – SharedTaskScheduler: Browseui preloader – {438755C2-A8BA-11D1-B96B-00A0C90312E1} – C:\WINNT\system32\browseui.dll
O22 – SharedTaskScheduler: Component Categories cache daemon – {8C7461EF-2B13-11d2-BE35-3078302C2030} – C:\WINNT\system32\browseui.dll
O23 – Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) – Symantec Corporation – C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 – Service: CentennialClientAgent – Centennial Software Limited – C:\centenn.ial\audit\CAgent32.exe
O23 – Service: CentennialIPTransferAgent – Centennial Software Limited – c:\centenn.ial\audit\xferwan.exe
O23 – Service: HP Insight NIC Agents (CpqNicMgmt) – Hewlett-Packard Company – C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
O23 – Service: HP ProLiant Remote Monitor Service (CpqRcmc) – Hewlett-Packard Company – C:\WINNT\system32\cpqrcmc.exe
O23 – Service: HP Version Control Agent (cpqvcagent) – Hewlett-Packard Company – C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 – Service: HP Insight Foundation Agents (CqMgHost) – Hewlett-Packard Company – C:\WINNT\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 – Service: HP Insight Server Agents (CqMgServ) – Hewlett-Packard Company – C:\WINNT\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 – Service: HP Insight Storage Agents (CqMgStor) – Hewlett-Packard Company – C:\WINNT\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 – Service: MBS Agent (EVault InfoStage Agent) – Unknown owner – C:\Program Files\MBS\Agent\VVAgent.exe
O23 – Service: MBS BUAgent (EVault InfoStage BUAgent) – Unknown owner – C:\Program Files\MBS\Agent\buagent.exe
O23 – Service: FreedomEventService – Dictaphone Corporation – C:\Program Files\Dictaphone\Freedom\FreedomEventService.exe
O23 – Service: NetOp Helper ver. 7.65 (2004058) (NetOp Host for NT Service) – Danware Data A/S – e:\Program Files\Proteus v5\Remote Diagnostics\HOST\NHOSTSVC.EXE
O23 – Service: Seagate Page Server (pageserver) – Seagate Software, Inc. – C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 – Service: PRTG 7 Probe Service (PRTG7ProbeService) – Paessler AG – C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
O23 – Service: RclService – EMCO http://www.emco.is – C:\WINNT\system32\RclServer.exe
O23 – Service: Surveyor – Hewlett-Packard Development Group, L.P. – C:\compaq\survey\Surveyor.EXE
O23 – Service: HP ProLiant System Shutdown Service (sysdown) – Compaq Computer Corporation – C:\WINNT\system32\sysdown.exe
O23 – Service: HP System Management Homepage (SysMgmtHp) – Hewlett-Packard Company – C:\hp\hpsmh\bin\smhstart.exe
O23 – Service: Seagate Web Component Server (WebCompServer) – Seagate Software, Inc. – C:\Program Files\Seagate Software\WCS\WebCompServer.exe
O23 – Service: VNC Server (winvnc) – UltraVNC – C:\Program Files\UltraVNC\WinVNC.exe
—
End of file – 10948 bytes
Any help from anybody would be greatly appreciated.
Thank you for your time and any assistance.
Mark.
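One way to find which machines are driving the lock-outs described above is to aggregate the domain controller's Security log by source workstation. This is an added example, not code from the post or from any tool listed in it; it assumes a simplified CSV export (date, event ID, account, workstation) of Windows 2003 events 529 (logon failure, bad name or password) and 644 (account locked out), and the log lines are constructed.

```python
"""Rank source workstations by failed-logon volume to spot an automated logon sweep."""
from collections import Counter, defaultdict

# Constructed sample export: date time, event ID, target account, source workstation.
# Event 529 = failed logon, 644 = account locked out (Windows 2003 Security log IDs).
SAMPLE_LOG = """\
03/06/2010 13:58:01,529,jsmith,WS-ACCOUNTS-07
03/06/2010 13:58:01,529,jsmith,WS-ACCOUNTS-07
03/06/2010 13:58:02,529,bjones,WS-ACCOUNTS-07
03/06/2010 13:58:02,529,jsmith,WS-WAREHOUSE-02
03/06/2010 13:58:03,529,jsmith,WS-ACCOUNTS-07
03/06/2010 13:58:03,644,jsmith,WS-ACCOUNTS-07
03/06/2010 13:58:04,529,bjones,WS-ACCOUNTS-07
03/06/2010 13:58:05,529,ckhan,WS-ACCOUNTS-07
03/06/2010 13:58:05,644,bjones,WS-ACCOUNTS-07
03/06/2010 14:00:10,529,jsmith,DESK-RECEPTION
"""

FAILED_LOGON = "529"
LOCKOUT = "644"


def parse_events(text):
    """Parse the assumed four-column export into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, user, workstation = line.split(",", 3)
        events.append({"when": when, "id": event_id, "user": user, "src": workstation})
    return events


def failed_logons_by_source(events):
    """Failed-logon count per source workstation, plus the distinct accounts each one tried."""
    counts, accounts = Counter(), defaultdict(set)
    for e in events:
        if e["id"] == FAILED_LOGON:
            counts[e["src"]] += 1
            accounts[e["src"]].add(e["user"])
    return counts, accounts


def suspicious_sources(events, min_failures=3, min_accounts=2):
    """A host failing repeatedly against several accounts looks like an automated
    sweep rather than one user mistyping a password; thresholds are illustrative."""
    counts, accounts = failed_logons_by_source(events)
    return sorted(s for s, n in counts.items()
                  if n >= min_failures and len(accounts[s]) >= min_accounts)


def locked_accounts(events):
    """Accounts that hit the lockout threshold in this window."""
    return sorted({e["user"] for e in events if e["id"] == LOCKOUT})
```

On the sample, WS-ACCOUNTS-07 is the only host that fails against three different accounts within seconds, which is the pattern to isolate and scan first.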