MBR Rootkit on Win2k3 server

pvadmin · Apr 13, 2010

Hello,

I have run the following

Spybot - Found Cookies and some BHO - Removed
Malwarebytes - Found a couple of files - Removed
SuperAnitSpyware - Came up clean
ComboFix - Won't run. Click exe and nothing happens
CCcleaner - cleaned all temp files
Prevx - Finds nothing
RootRepeal - Says I have a rootkit on C: and D:

I am running Avira Antivir Server. Each time the machine is rebooted I get new virus and malware detections. Reboots are required daily as the file server will lock up and all access to shares and printers is cut off. Can't even log into the server. Would you please assist me on how to remove this mbr rootkit. Thanks in advance.

Files attached

chaslang · Apr 15, 2010

Welcome to Major Geeks!

You need to attach the logs as requested.

Did you shut down Avira before trying to run it? If not, that may be your problem.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {F4F5B58A-D3A6-4F85-B3EF-5642E8937E6F} - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your desktop
Run avenger.exe by double-clicking on it.
Do not change any check box options!!
Copy everything in the code box below ( be sure to scroll all the way thru to the end to get everything), and paste it into the Input script here: part of the window:

Code:

Files to delete:
C:\Documents and Settings\administrator.partsvalue\Local Settings\Temp\mmc0662DC15.xml
C:\WINDOWS\Temp\R1EGTMP.ini
C:\WINDOWS\system32\DROPPEDFILEOK0002.tmp
C:\WINDOWS\system32\DROPPEDFILEOKWwW.tmp
C:\WINDOWS\system32\fsc.txt
C:\WINDOWS\system32\ide.txt
C:\WINDOWS\system32\klgd.bmp
C:\WINDOWS\system32\krv
C:\WINDOWS\system32\qks.txt
 
Folders to delete:
C:\Documents and Settings\administrator.partsvalue\Local Settings\Temp\2
C:\Documents and Settings\All Users\Application Data\53197934
C:\Windows\temp\abld.tmp
C:\Windows\temp\acpf.tmp
C:\Windows\temp\aeef.tmp
C:\Windows\temp\aege.tmp
C:\Windows\temp\aflm.tmp
C:\Windows\temp\alcg.tmp
C:\Windows\temp\alfp.tmp
C:\Windows\temp\amjl.tmp
C:\Windows\temp\apsc.tmp
C:\Windows\temp\aqar.tmp
C:\Windows\temp\asft.tmp
C:\Windows\temp\avyj.tmp
C:\Windows\temp\axsf.tmp
C:\Windows\temp\aybt.tmp
C:\Windows\temp\bajc.tmp
C:\Windows\temp\bdwp.tmp
C:\Windows\temp\bfbx.tmp
C:\Windows\temp\bgxo.tmp
C:\Windows\temp\bhor.tmp
C:\Windows\temp\bimu.tmp
C:\Windows\temp\biwp.tmp
C:\Windows\temp\bkfo.tmp
C:\Windows\temp\bnvu.tmp
C:\Windows\temp\brow.tmp
C:\Windows\temp\bttb.tmp
C:\Windows\temp\btya.tmp
C:\Windows\temp\bugl.tmp
C:\Windows\temp\bula.tmp
C:\Windows\temp\bwxu.tmp
C:\Windows\temp\bxju.tmp
C:\Windows\temp\cbuh.tmp
C:\Windows\temp\ccbd.tmp
C:\Windows\temp\ccdi.tmp
C:\Windows\temp\cdcs.tmp
C:\Windows\temp\cdxb.tmp
C:\Windows\temp\ceem.tmp
C:\Windows\temp\cful.tmp
C:\Windows\temp\cikb.tmp
C:\Windows\temp\citv.tmp
C:\Windows\temp\cjmq.tmp
C:\Windows\temp\cksd.tmp
C:\Windows\temp\clpr.tmp
C:\Windows\temp\cmup.tmp
C:\Windows\temp\cndy.tmp
C:\Windows\temp\coon.tmp
C:\Windows\temp\cpds.tmp
C:\Windows\temp\cpnw.tmp
C:\Windows\temp\cpyd.tmp
C:\Windows\temp\cqcb.tmp
C:\Windows\temp\csnv.tmp
C:\Windows\temp\csuf.tmp
C:\Windows\temp\ctnt.tmp
C:\Windows\temp\cuer.tmp
C:\Windows\temp\cwxs.tmp
C:\Windows\temp\cxgi.tmp
C:\Windows\temp\cyxw.tmp
C:\Windows\temp\dakw.tmp
C:\Windows\temp\davh.tmp
C:\Windows\temp\dbim.tmp
C:\Windows\temp\dbin.tmp
C:\Windows\temp\dbpo.tmp
C:\Windows\temp\dciu.tmp
C:\Windows\temp\ddxl.tmp
C:\Windows\temp\dgdf.tmp
C:\Windows\temp\dlbw.tmp
C:\Windows\temp\dnth.tmp
C:\Windows\temp\dpwu.tmp
C:\Windows\temp\dwgp.tmp
C:\Windows\temp\dwvs.tmp
C:\Windows\temp\dyvt.tmp
C:\Windows\temp\eacl.tmp
C:\Windows\temp\eanl.tmp
C:\Windows\temp\edeo.tmp
C:\Windows\temp\efka.tmp
C:\Windows\temp\efyb.tmp
C:\Windows\temp\egkq.tmp
C:\Windows\temp\ehsx.tmp
C:\Windows\temp\ehyh.tmp
C:\Windows\temp\eiam.tmp
C:\Windows\temp\eiis.tmp
C:\Windows\temp\eixt.tmp
C:\Windows\temp\ejju.tmp
C:\Windows\temp\ekiq.tmp
C:\Windows\temp\eoah.tmp
C:\Windows\temp\eqgg.tmp
C:\Windows\temp\esjn.tmp
C:\Windows\temp\etxq.tmp
C:\Windows\temp\euyf.tmp
C:\Windows\temp\ewnu.tmp
C:\Windows\temp\eyjt.tmp
C:\Windows\temp\faqc.tmp
C:\Windows\temp\fdae.tmp
C:\Windows\temp\fdhj.tmp
C:\Windows\temp\fdhx.tmp
C:\Windows\temp\fera.tmp
C:\Windows\temp\ffhk.tmp
C:\Windows\temp\fgqr.tmp
C:\Windows\temp\fgtx.tmp
C:\Windows\temp\fhln.tmp
C:\Windows\temp\fjwt.tmp
C:\Windows\temp\fkiq.tmp
C:\Windows\temp\foxk.tmp
C:\Windows\temp\fpex.tmp
C:\Windows\temp\fpff.tmp
C:\Windows\temp\fphf.tmp
C:\Windows\temp\fpow.tmp
C:\Windows\temp\fqlg.tmp
C:\Windows\temp\fsmb.tmp
C:\Windows\temp\fsta.tmp
C:\Windows\temp\ftlh.tmp
C:\Windows\temp\ftnj.tmp
C:\Windows\temp\ftts.tmp
C:\Windows\temp\fuil.tmp
C:\Windows\temp\fvnh.tmp
C:\Windows\temp\fxqt.tmp
C:\Windows\temp\fxtv.tmp
C:\Windows\temp\fxxb.tmp
C:\Windows\temp\gcda.tmp
C:\Windows\temp\gcrf.tmp
C:\Windows\temp\gefr.tmp
C:\Windows\temp\gexl.tmp
C:\Windows\temp\gfys.tmp
C:\Windows\temp\ggac.tmp
C:\Windows\temp\gihu.tmp
C:\Windows\temp\gkpn.tmp
C:\Windows\temp\gmfa.tmp
C:\Windows\temp\gplo.tmp
C:\Windows\temp\gpyl.tmp
C:\Windows\temp\gqpe.tmp
C:\Windows\temp\gthrsvc
C:\Windows\temp\gttt.tmp
C:\Windows\temp\gwpq.tmp
C:\Windows\temp\gxmp.tmp
C:\Windows\temp\gxmr.tmp
C:\Windows\temp\hcbu.tmp
C:\Windows\temp\heoj.tmp
C:\Windows\temp\hesi.tmp
C:\Windows\temp\hewl.tmp
C:\Windows\temp\hfbt.tmp
C:\Windows\temp\hfrv.tmp
C:\Windows\temp\hfww.tmp
C:\Windows\temp\hhjk.tmp
C:\Windows\temp\hjbq.tmp
C:\Windows\temp\hjkk.tmp
C:\Windows\temp\hlgx.tmp
C:\Windows\temp\hlmq.tmp
C:\Windows\temp\hplr.tmp
C:\Windows\temp\hqho.tmp
C:\Windows\temp\hral.tmp
C:\Windows\temp\hrjq.tmp
C:\Windows\temp\hrov.tmp
C:\Windows\temp\hsyp.tmp
C:\Windows\temp\htib.tmp
C:\Windows\temp\ifbh.tmp
C:\Windows\temp\iheq.tmp
C:\Windows\temp\ihum.tmp
C:\Windows\temp\iimt.tmp
C:\Windows\temp\ijeh.tmp
C:\Windows\temp\ijtk.tmp
C:\Windows\temp\ijue.tmp
C:\Windows\temp\ilpw.tmp
C:\Windows\temp\imxi.tmp
C:\Windows\temp\iqkr.tmp
C:\Windows\temp\itsj.tmp
C:\Windows\temp\itvt.tmp
C:\Windows\temp\iukd.tmp
C:\Windows\temp\iunf.tmp
C:\Windows\temp\iuys.tmp
C:\Windows\temp\iwxp.tmp
C:\Windows\temp\iysc.tmp
C:\Windows\temp\jdll.tmp
C:\Windows\temp\jekk.tmp
C:\Windows\temp\jfsv.tmp
C:\Windows\temp\jify.tmp
C:\Windows\temp\jkkt.tmp
C:\Windows\temp\jlab.tmp
C:\Windows\temp\jmrh.tmp
C:\Windows\temp\jocs.tmp
C:\Windows\temp\joot.tmp
C:\Windows\temp\jpsd.tmp
C:\Windows\temp\jsiq.tmp
C:\Windows\temp\jsjd.tmp
C:\Windows\temp\jslx.tmp
C:\Windows\temp\jwep.tmp
C:\Windows\temp\kcsa.tmp
C:\Windows\temp\kddk.tmp
C:\Windows\temp\kean.tmp
C:\Windows\temp\kfqb.tmp
C:\Windows\temp\kgnr.tmp
C:\Windows\temp\kgrf.tmp
C:\Windows\temp\khfp.tmp
C:\Windows\temp\kihu.tmp
C:\Windows\temp\kikf.tmp
C:\Windows\temp\kjat.tmp
C:\Windows\temp\kjyb.tmp
C:\Windows\temp\kktx.tmp
C:\Windows\temp\klns.tmp
C:\Windows\temp\kluh.tmp
C:\Windows\temp\kmse.tmp
C:\Windows\temp\koug.tmp
C:\Windows\temp\kpia.tmp
C:\Windows\temp\kqim.tmp
C:\Windows\temp\kstn.tmp
C:\Windows\temp\kutt.tmp
C:\Windows\temp\kxuo.tmp
C:\Windows\temp\laby.tmp
C:\Windows\temp\laup.tmp
C:\Windows\temp\lcsn.tmp
C:\Windows\temp\lfaq.tmp
C:\Windows\temp\lgkt.tmp
C:\Windows\temp\lhjv.tmp
C:\Windows\temp\lkmm.tmp
C:\Windows\temp\llxl.tmp
C:\Windows\temp\lmjr.tmp
C:\Windows\temp\lpfw.tmp
C:\Windows\temp\lpfx.tmp
C:\Windows\temp\lvjw.tmp
C:\Windows\temp\lxln.tmp
C:\Windows\temp\lywv.tmp
C:\Windows\temp\mand.tmp
C:\Windows\temp\maxx.tmp
C:\Windows\temp\mflw.tmp
C:\Windows\temp\mftj.tmp
C:\Windows\temp\mgmo.tmp
C:\Windows\temp\mgsx.tmp
C:\Windows\temp\mhnm.tmp
C:\Windows\temp\mjhw.tmp
C:\Windows\temp\mkbh.tmp
C:\Windows\temp\mnnl.tmp
C:\Windows\temp\moff.tmp
C:\Windows\temp\molo.tmp
C:\Windows\temp\moyk.tmp
C:\Windows\temp\munl.tmp
C:\Windows\temp\mvhp.tmp
C:\Windows\temp\mwex.tmp
C:\Windows\temp\mwik.tmp
C:\Windows\temp\mwoc.tmp
C:\Windows\temp\myxv.tmp
C:\Windows\temp\nacj.tmp
C:\Windows\temp\nalr.tmp
C:\Windows\temp\nbdx.tmp
C:\Windows\temp\nbfb.tmp
C:\Windows\temp\ncmu.tmp
C:\Windows\temp\ndyv.tmp
C:\Windows\temp\nebu.tmp
C:\Windows\temp\ngut.tmp
C:\Windows\temp\nguu.tmp
C:\Windows\temp\nmxn.tmp
C:\Windows\temp\nngp.tmp
C:\Windows\temp\nnlc.tmp
C:\Windows\temp\npjn.tmp
C:\Windows\temp\nrib.tmp
C:\Windows\temp\nrjb.tmp
C:\Windows\temp\nxgh.tmp
C:\Windows\temp\nxos.tmp
C:\Windows\temp\oalo.tmp
C:\Windows\temp\ogac.tmp
C:\Windows\temp\ohab.tmp
C:\Windows\temp\ohfu.tmp
C:\Windows\temp\oigb.tmp
C:\Windows\temp\ojea.tmp
C:\Windows\temp\oluq.tmp
C:\Windows\temp\omdl.tmp
C:\Windows\temp\omgb.tmp
C:\Windows\temp\omkk.tmp
C:\Windows\temp\opef.tmp
C:\Windows\temp\orbr.tmp
C:\Windows\temp\orcc.tmp
C:\Windows\temp\osbx.tmp
C:\Windows\temp\osnj.tmp
C:\Windows\temp\osuk.tmp
C:\Windows\temp\otck.tmp
C:\Windows\temp\oubx.tmp
C:\Windows\temp\ovas.tmp
C:\Windows\temp\owpt.tmp
C:\Windows\temp\oyor.tmp
C:\Windows\temp\palq.tmp
C:\Windows\temp\pbls.tmp
C:\Windows\temp\pcau.tmp
C:\Windows\temp\pejf.tmp
C:\Windows\temp\peqw.tmp
C:\Windows\temp\phhk.tmp
C:\Windows\temp\phmr.tmp
C:\Windows\temp\pjph.tmp
C:\Windows\temp\pmoq.tmp
C:\Windows\temp\poqt.tmp
C:\Windows\temp\ppft.tmp
C:\Windows\temp\ppwe.tmp
C:\Windows\temp\psck.tmp
C:\Windows\temp\psgn.tmp
C:\Windows\temp\pskb.tmp
C:\Windows\temp\psqv.tmp
C:\Windows\temp\pusm.tmp
C:\Windows\temp\pybt.tmp
C:\Windows\temp\qbhe.tmp
C:\Windows\temp\qbun.tmp
C:\Windows\temp\qdaa.tmp
C:\Windows\temp\qeld.tmp
C:\Windows\temp\qgga.tmp
C:\Windows\temp\qhch.tmp
C:\Windows\temp\qkms.tmp
C:\Windows\temp\qmpk.tmp
C:\Windows\temp\qocy.tmp
C:\Windows\temp\qopc.tmp
C:\Windows\temp\qoss.tmp
C:\Windows\temp\qpes.tmp
C:\Windows\temp\qrmw.tmp
C:\Windows\temp\qvsn.tmp
C:\Windows\temp\qxyq.tmp
C:\Windows\temp\qylv.tmp
C:\Windows\temp\rbkk.tmp
C:\Windows\temp\rbtv.tmp
C:\Windows\temp\rcdv.tmp
C:\Windows\temp\rdoq.tmp
C:\Windows\temp\recb.tmp
C:\Windows\temp\rejx.tmp
C:\Windows\temp\rgjl.tmp
C:\Windows\temp\riey.tmp
C:\Windows\temp\ripn.tmp
C:\Windows\temp\rkdj.tmp
C:\Windows\temp\rlws.tmp
C:\Windows\temp\rmoe.tmp
C:\Windows\temp\rmog.tmp
C:\Windows\temp\rnsx.tmp
C:\Windows\temp\rpby.tmp
C:\Windows\temp\rpyn.tmp
C:\Windows\temp\rqkb.tmp
C:\Windows\temp\rtmj.tmp
C:\Windows\temp\rvsb.tmp
C:\Windows\temp\rvxy.tmp
C:\Windows\temp\rwsb.tmp
C:\Windows\temp\rxwu.tmp
C:\Windows\temp\rykl.tmp
C:\Windows\temp\saaj.tmp
C:\Windows\temp\sckw.tmp
C:\Windows\temp\scxt.tmp
C:\Windows\temp\sfnm.tmp
C:\Windows\temp\shgk.tmp
C:\Windows\temp\sjmw.tmp
C:\Windows\temp\sjrn.tmp
C:\Windows\temp\sphy.tmp
C:\Windows\temp\sqyl.tmp
C:\Windows\temp\sthx.tmp
C:\Windows\temp\suxn.tmp
C:\Windows\temp\sval.tmp
C:\Windows\temp\swuk.tmp
C:\Windows\temp\sxat.tmp
C:\Windows\temp\tabw.tmp
C:\Windows\temp\taqx.tmp
C:\Windows\temp\tbxu.tmp
C:\Windows\temp\tcgm.tmp
C:\Windows\temp\tdak.tmp
C:\Windows\temp\tdvi.tmp
C:\Windows\temp\tfat.tmp
C:\Windows\temp\tglt.tmp
C:\Windows\temp\tgsr.tmp
C:\Windows\temp\tgta.tmp
C:\Windows\temp\thvp.tmp
C:\Windows\temp\tint.tmp
C:\Windows\temp\tips.tmp
C:\Windows\temp\tjwd.tmp
C:\Windows\temp\tkac.tmp
C:\Windows\temp\tksl.tmp
C:\Windows\temp\tlfd.tmp
C:\Windows\temp\tlkq.tmp
C:\Windows\temp\toar.tmp
C:\Windows\temp\tqlp.tmp
C:\Windows\temp\trrw.tmp
C:\Windows\temp\txgl.tmp
C:\Windows\temp\uask.tmp
C:\Windows\temp\uccg.tmp
C:\Windows\temp\uehy.tmp
C:\Windows\temp\uftj.tmp
C:\Windows\temp\ugba.tmp
C:\Windows\temp\ujby.tmp
C:\Windows\temp\ukyf.tmp
C:\Windows\temp\unfl.tmp
C:\Windows\temp\unvb.tmp
C:\Windows\temp\uosm.tmp
C:\Windows\temp\upyq.tmp
C:\Windows\temp\urie.tmp
C:\Windows\temp\uvqv.tmp
C:\Windows\temp\uwqt.tmp
C:\Windows\temp\uwso.tmp
C:\Windows\temp\uxkw.tmp
C:\Windows\temp\uxnu.tmp
C:\Windows\temp\valw.tmp
C:\Windows\temp\vbmj.tmp
C:\Windows\temp\vhhw.tmp
C:\Windows\temp\vkai.tmp
C:\Windows\temp\vlqy.tmp
C:\Windows\temp\vmoi.tmp
C:\Windows\temp\vmwe.tmp
C:\Windows\temp\vnun.tmp
C:\Windows\temp\vpvo.tmp
C:\Windows\temp\vrur.tmp
C:\Windows\temp\vssm.tmp
C:\Windows\temp\vvha.tmp
C:\Windows\temp\vxct.tmp
C:\Windows\temp\vydd.tmp
C:\Windows\temp\vyja.tmp
C:\Windows\temp\wcud.tmp
C:\Windows\temp\wdko.tmp
C:\Windows\temp\wexq.tmp
C:\Windows\temp\weyj.tmp
C:\Windows\temp\wgff.tmp
C:\Windows\temp\whex.tmp
C:\Windows\temp\wkib.tmp
C:\Windows\temp\wkjy.tmp
C:\Windows\temp\wkyt.tmp
C:\Windows\temp\wpnu.tmp
C:\Windows\temp\wqvc.tmp
C:\Windows\temp\wryj.tmp
C:\Windows\temp\wulq.tmp
C:\Windows\temp\wusi.tmp
C:\Windows\temp\wxjq.tmp
C:\Windows\temp\wxst.tmp
C:\Windows\temp\wxuj.tmp
C:\Windows\temp\xabn.tmp
C:\Windows\temp\xaju.tmp
C:\Windows\temp\xcit.tmp
C:\Windows\temp\xctq.tmp
C:\Windows\temp\xeie.tmp
C:\Windows\temp\xejt.tmp
C:\Windows\temp\xhks.tmp
C:\Windows\temp\xise.tmp
C:\Windows\temp\xjcu.tmp
C:\Windows\temp\xlks.tmp
C:\Windows\temp\xmnr.tmp
C:\Windows\temp\xmpn.tmp
C:\Windows\temp\xmrb.tmp
C:\Windows\temp\xocr.tmp
C:\Windows\temp\xoki.tmp
C:\Windows\temp\xrdc.tmp
C:\Windows\temp\xrkc.tmp
C:\Windows\temp\xrki.tmp
C:\Windows\temp\xsfh.tmp
C:\Windows\temp\xssm.tmp
C:\Windows\temp\xuvq.tmp
C:\Windows\temp\xvon.tmp
C:\Windows\temp\xvrg.tmp
C:\Windows\temp\xwib.tmp
C:\Windows\temp\xyqe.tmp
C:\Windows\temp\ybih.tmp
C:\Windows\temp\ybrn.tmp
C:\Windows\temp\ybti.tmp
C:\Windows\temp\ycbo.tmp
C:\Windows\temp\yfsi.tmp
C:\Windows\temp\yggr.tmp
C:\Windows\temp\ygmg.tmp
C:\Windows\temp\yhxv.tmp
C:\Windows\temp\yjff.tmp
C:\Windows\temp\ykjy.tmp
C:\Windows\temp\yles.tmp
C:\Windows\temp\ymdw.tmp
C:\Windows\temp\ynao.tmp
C:\Windows\temp\yphf.tmp
C:\Windows\temp\ypjb.tmp
C:\Windows\temp\ypwn.tmp
C:\Windows\temp\yrvx.tmp
C:\Windows\temp\yrwg.tmp
C:\Windows\temp\yudt.tmp
C:\Windows\temp\ywft.tmp
C:\Windows\temp\ywww.tmp
C:\Windows\temp\yxff.tmp
C:\Windows\temp\yysq.tmp
 
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4F5B58A-D3A6-4F85-B3EF-5642E8937E6F}

Now click the Execute button.
Click Yes to the prompt to confirm you want to execute.
Click Yes to the Reboot now? question that will appear when Avenger finishes running.
Your PC should reboot, if not, reboot it yourself.
A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\TEMP
C:\Documents and Settings\administrator.partsvalue\Local Settings\Temp

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Then attach the below logs:

C:\avenger.txt
C:\MGlogs.zip

Make sure you tell me how things are working now!

pvadmin · Apr 15, 2010

I checked again on the combo fix. This time a message was displayed. It stated it could not run on my version of Windows (win2k3). The same was true for the avenger program.

That being said I deleted all the files, registry entries and folders mentioned manually. I used Hijack this to remove the BHO.

RootRepeal still shows an MBR Rootkit on the Local drive, D: and E: drive. Was avenger meant to be used to remove this? Is there a program like it that will remove the rootkits from these drives?

Since I was not able to run Avenger no reboot has been performed. I am reluctant to do so as every attempt in the past has resulted in a repopulation of more malware folders and files. Please advise as to what my next step should be. Logs attached.

Thanks

chaslang · Apr 16, 2010

pvadmin said: ↑

I checked again on the combo fix. This time a message was displayed. It stated it could not run on my version of Windows (win2k3). The same was true for the avenger program.
Click to expand...

Ah!! I did not noticed that you had Win 2003. None of these special tools will work with it.

RootRepeal still shows an MBR Rootkit on the Local drive, D: and E: drive. [/quote] I don't think this is valid. RootRepeal could be misreading info.

pvadmin said: ↑

Is there a program like it that will remove the rootkits from these drives?
Click to expand...

I don't think you have a root kit. Your logs are all clean but let's run a couple other scans.

Download OTL by Old Timer and save it to your Desktop.

Double-click OTL.exe to start the program.

Under Output, make sure that Standard Output is selected.

Under Extra Registry section, select Use SafeList.

Click the Scan All Users checkbox.

Click on Run Scan at the top left hand corner.

When done, two Notepad files will open.

OTL.txt <-- Will be opened

Extras.txt <-- Will be minimized

Click the OK button.

Just close the notepad windows and attach these logs from OTL to your next message.

Now let's also see if the below will run on Win 2003.

Please run this: GMER - running with a random name and attach the log from GMER.

pvadmin · Apr 16, 2010

I rebooted this morning as the server was completely unresponsive. Sure enough something has created more malware junk on the server. I will attach the logs you requested.

Gmer does run however it crashed the server twice. I might attempt to run again later.

Hope you can help me get to the bottom of this. Thanks again.

chaslang · Apr 17, 2010

I think part of your problem is that you are someone else keeps inserting other infected drives of media into this PC. Some of your logs are showing infections coming from a drive H which is not internal to this PC. Whatever it is that is drive H ( like a CD or a USB drive ) is infected and will spread your infections over and over again to any PC it is connected to. You need to find ALL external drives that you are potentially using for backups that are infected and either remove the infections from them or format them.

Also your network drives like drives X, Y and Z are likely infected and have to be cleaned which is why you keep spreading the infected. Your logs show the below list of drives which some are local and some are network and some are removavble devices:
Code:
Drive C: 
Description Local Fixed Disk 
Size 136.69 GB (146,770,309,120 bytes) 
Free Space 42.11 GB (45,212,987,392 bytes) 
Volume Name 
Volume Serial Number 74549C81 
 
Drive D: 
Description Local Fixed Disk 
Size 273.40 GB (293,561,528,320 bytes) 
Free Space 273.33 GB (293,480,579,072 bytes) 
Volume Name SQLData1 
Volume Serial Number F8CB2667 
 
Drive E: 
Description Local Fixed Disk 
Size 273.40 GB (293,560,209,408 bytes) 
Free Space 273.32 GB (293,477,027,840 bytes) 
Volume Name Backup Partition 
Volume Serial Number 70F581A0 
 
Drive F: 
Description CD-ROM Disc 
 
Drive X: 
Description Network Connection 
Provider Name [URL="file://\\Partsvaluefs1\Partsvalue"]\\Partsvaluefs1\Partsvalue[/URL] share1 
 
Drive Y: 
Description Network Connection 
Provider Name [URL="file://\\192.168.10.198\c$\Richard"]\\192.168.10.198\c$\Richard[/URL] Jones 
 
Drive Z: 
Description Network Connection 
Provider Name [URL="file://\\192.168.10.197\mitchell"]\\192.168.10.197\mitchell[/URL]
Note that your back drives are likely infected. If people have been inserting USB flashdrives, they are potentially infected too. Sometimes the best things to do is to remove all network and file sharing on ALL PCs until you get the infections cleaned up. Any single drive/PC could otherwise keep respawning the infection to other drives/PCs. Apparently this is a business related PC, I assume you have an IT Department or person that can help you with this? Or are you the Admin?

Also look on drive X ( or every drive, even the removable ones ) for things like below and delete them:
Code:
X:\autorun.inf
H:\AutoRun
X:\RECYCLER\recycld.exe
H:\RECYCLER\recycld.exe 
It would be a good idea to run the below on all PCs.

Autorun Eater

The infected autorun.inf files and the recycld.exe files are what is causing files like C:\WINDOWS\Temp\vnun.tmp\svchost.exe to appear and you need to delete any of these too.

Also your logs indicated the potential that some web pages you are accessing or web designs of your own could be carrying PHP type infections. We cannot really help you with these since it is really security issue/flaws in the web designs or within the software being used.

pvadmin · Apr 20, 2010

I have removed all mapped drives. They were all scanned and came up clean. There were some autorun items on the H: External drive and the D: and E: partitions. I removed thoughs.

What is my next step. The server is still locking up and having to be rebooted. Something continues to add content to the Default user account under the temporary internet files folder. It is also populating the temp folder under system32.

Thanks

chaslang · Apr 20, 2010

Make sure that you still have all mapped/shared drives disconnected and then continue.

Double-click OTL.exe to start the program.

Under the Custom Scans/Fixes box at the bottom, copy and paste in the following
Code:
:OTL
O32 - AutoRun File - [2010/03/17 10:44:18 | 000,000,000 | ---D | M] - X:\AutoPart -- [ NTFS ]
O32 - AutoRun File - [2010/04/08 13:43:32 | 000,000,199 | -H-- | M] () - X:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\##Partsvaluefs1#Partsvalue share1\Shell - "" = AutoRun
O33 - MountPoints2\##Partsvaluefs1#Partsvalue share1\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##Partsvaluefs1#Partsvalue share1\Shell\AutoRun\command - "" = X:\RECYCLER\recycld.exe -- File not found
O33 - MountPoints2\##Partsvaluefs1#Partsvalue share1\Shell\open\command - "" = X:\RECYCLER\recycld.exe -- File not found
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\RECYCLER\recycld.exe -- File not found
O33 - MountPoints2\H\Shell\open\command - "" = H:\RECYCLER\recycld.exe -- File not found
[2010/04/15 13:35:05 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/04/14 10:39:36 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1

:Commands
[purity]
[emptytemp]
[Reboot]
 
Then click the Run Fix button at the top

Let the program run unhindered, reboot the PC when it is done

Open OTL again and click the Quick Scan button. Attach the new OTL.txt log it produces to your next reply

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

C:\ComboFix.txt

C:\MGlogs.zip

Make sure you tell me how things are working now!

pvadmin · Apr 22, 2010

Thanks for your help. Unfortunately the server finally gave up and would not boot anymore. I brought up another server and we are running on that.

I did run a Kaspersky scan which found a MBR Rootkit. It refered to it as TDSS Rootkit and pointed to c:\windows\system32\drivers\HpCISSs2.sys

One memory object that was not able to be dealt with.

Somehow this is still affected, when I try to reinstall windows server I can't complete the installation. It tells me the file is corrupt. If you know how I can fix this please advise.

Thank you

chaslang · Apr 24, 2010

pvadmin said: ↑

Somehow this is still affected, when I try to reinstall windows server I can't complete the installation. It tells me the file is corrupt. If you know how I can fix this please advise.
Click to expand...

If the PC no longer boots, you will have to either boot up with the Recovery Console or a BartPE type boot disk and manually replace the file with a good uninfected copy.

Log in or Sign up

MBR Rootkit on Win2k3 server

pvadmin Private E-2

Attached Files:

MGlogs.zip

RootRepeal report 04-13-10 (11-13-39).txt

AviraEvents.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

pvadmin Private E-2

Attached Files:

SUPERAntiSpyware Scan Log - 04-15-2010 - 07-08-41.log

hijackthis.log

mbam-log-2010-04-15 (07-08-34).txt

MGlogs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

pvadmin Private E-2

Attached Files:

OTL.Txt

Extras.Txt

AviraEvents.txt

aviraquarantenelog.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

pvadmin Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

pvadmin Private E-2

Attached Files:

tdss rootkit.gif

chaslang MajorGeeks Admin - Master Malware Expert Staff Member