Win32:Rootkit-gen [Rtk] Issue on Network.

Yesterday morning after coming back from the Bank Holiday, we noticed on our Server 2003 Active Directory network that accounts were locking out, randomly and in roughly 5 minute periods.
We ran a script through the day to unlock the accounts and rebooted the servers overnight and hoped today would be better.

Today however, it’s worse. Avast has reported the virus Win32:Rootkit-gen [Rtk] throughout the network on most of our machines. Although it’s saying it’s found it and therefore it hasn’t gone onto the clients. (I’m not ruling out that this may not be the case).
Accounts are still locking out just as fast as we can unlock them.

We believed it to be a fault with just one of our Domain Controllers as MOST of the accounts locked are locked from there, however it does appear to be locking from the others, just not as frequently.

We haven’t currently run anything on the Servers in an attempt to remove any viruses, but I have run a HijackThis report to see if this could help you guys diagnose the issue.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:01:05, on 03/06/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\Program Files\MBS\Agent\VVAgent.exe
C:\Program Files\MBS\Agent\buagent.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PROTEUS\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\hp\hpsmh\bin\smhstart.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\System32\wins.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\system32\CpqMgmt\cqmgserv\cqmgserv.exe
C:\WINNT\system32\CpqMgmt\cqmgstor\cqmgstor.exe
C:\Program Files\Dictaphone\Freedom\FreedomEventService.exe
C:\WINNT\system32\sysdown.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\CpqMgmt\cqmghost\cqmghost.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\NCU\cpqteam.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE
E:\Program Files\Proteus v5\Programs\c3RealTime.exe
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
C:\WINNT\system32\ntvdm.exe
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\TMSLOGGER.EXE
e:\Program Files\Proteus v5\Programs\P5EntScheduler.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Programs\RemoteQ32.exe
e:\Program Files\Proteus v5\Enterprise\Common\QReportHKeeper.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
c:\winnt\system32\inetsrv\w3wp.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Alwil Software\Avast4\AvAgent.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\NCU\cpqteam.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://XXXXXXXX
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O1 - Hosts: IPAddress server.co.uk
O4 - HKLM..\Run: [CPQTEAM] “C:\Program Files\HP\NCU\cpqteam.exe”
O4 - HKLM..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM..\Run: [WinVNC] “C:\Program Files\UltraVNC\WinVNC.exe” -servicehelper
O4 - HKLM..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\PCM.exe
O4 - HKUS\S-1-5-19..\Run: [internat.exe] internat.exe (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [internat.exe] internat.exe (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-20..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [internat.exe] internat.exe (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [internat.exe] internat.exe (User ‘Default user’)
O4 - HKUS.DEFAULT..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User ‘Default user’)
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Freedom Archive Manager.lnk = C:\Program Files\Dictaphone\Freedom\ArchiveManager.exe (User ‘proteus’)
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Proteus Email Engine.lnk = E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE (User ‘proteus’)
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: Proteus Program Launcher.lnk = E:\Program Files\Proteus v5\Programs\P4Loader.exe (User ‘proteus’)
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 Startup: RealTime Monitor.lnk = E:\Program Files\Proteus v5\Programs\c3RealTime.exe (User ‘proteus’)
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Freedom Archive Manager.lnk = C:\Program Files\Dictaphone\Freedom\ArchiveManager.exe (User ‘proteus’)
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Proteus Email Engine.lnk = E:\Program Files\Proteus v5\Programs\PROTEUSSMTPENGINE.EXE (User ‘proteus’)
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: Proteus Program Launcher.lnk = E:\Program Files\Proteus v5\Programs\P4Loader.exe (User ‘proteus’)
O4 - S-1-5-21-1925261247-738753776-1233803906-4485 User Startup: RealTime Monitor.lnk = E:\Program Files\Proteus v5\Programs\c3RealTime.exe (User ‘proteus’)
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://fileserver/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
O16 - DPF: {E0FC6C46-CE20-4413-A319-1917CDF41382} (hp ProLiant VCRM Upload Control) - https://XXXXXXXXX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DomainName
O17 - HKLM\Software..\Telephony: DomainName = DomainName
O17 - HKLM\System\CCS\Services\Tcpip..{0EBF3AE3-73DC-4DB6-8B5F-40CE170CAE7D}: NameServer = IP’s
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Domain
O17 - HKLM\System\CS1\Services\Tcpip..{0EBF3AE3-73DC-4DB6-8B5F-40CE170CAE7D}: NameServer = IP’s
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\bin\hpapp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - c:\centenn.ial\audit\xferwan.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINNT\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINNT\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: MBS Agent (EVault InfoStage Agent) - Unknown owner - C:\Program Files\MBS\Agent\VVAgent.exe
O23 - Service: MBS BUAgent (EVault InfoStage BUAgent) - Unknown owner - C:\Program Files\MBS\Agent\buagent.exe
O23 - Service: FreedomEventService - Dictaphone Corporation - C:\Program Files\Dictaphone\Freedom\FreedomEventService.exe
O23 - Service: NetOp Helper ver. 7.65 (2004058) (NetOp Host for NT Service) - Danware Data A/S - e:\Program Files\Proteus v5\Remote Diagnostics\HOST\NHOSTSVC.EXE
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: PRTG 7 Probe Service (PRTG7ProbeService) - Paessler AG - C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
O23 - Service: RclService - EMCO http://www.emco.is - C:\WINNT\system32\RclServer.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


End of file - 10948 bytes
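The HJT log will not tell you where the lockouts come from; the Security log on the domain controllers will. The script below is an added example (not from the original post) that pulls the lockout events from each DC and tallies them by the caller machine name recorded in the event, which is the workstation that sent the bad passwords. The DC names are placeholders; on Windows Server 2003 the lockout event is ID 644 (it became 4740 on Server 2008 and later), and the script assumes PowerShell 2.0 is installed on the machine you run it from.

```powershell
# Added example: find which machines are triggering account lockouts.
# Event 644 (Server 2003) "User Account Locked Out" carries, in its
# ReplacementStrings, [0] Target Account Name and [2] Caller Machine Name.
# On Server 2008+ use -InstanceId 4740, where the caller is at index [1].
$DomainControllers = @('DC1', 'DC2')      # placeholder names, change to yours
$Since = (Get-Date).AddHours(-2)          # look back over the last two hours

$lockouts = foreach ($dc in $DomainControllers) {
    Get-EventLog -ComputerName $dc -LogName Security -InstanceId 644 -After $Since |
        ForEach-Object {
            # New-Object instead of [PSCustomObject] so this runs on PowerShell 2.0
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                DC      = $dc
                Account = $_.ReplacementStrings[0]
                Caller  = $_.ReplacementStrings[2]
            }
        }
}

# Which workstations are sending the bad passwords? The hosts at the top of
# this list are the ones to pull off the network and clean first.
"Lockouts by caller machine:"
$lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Which DC is recording them? Confirms whether it really is "just one DC".
"Lockouts by domain controller:"
$lockouts | Group-Object DC | Select-Object Count, Name | Format-Table -AutoSize

# Lockouts per 5-minute bucket, to confirm the periodic pattern seen above.
# Minute - (Minute % 5) truncates; [int] would round and mislabel buckets.
"Lockouts per 5-minute window:"
$lockouts | Group-Object {
        $m = $_.Time.Minute - ($_.Time.Minute % 5)
        $_.Time.ToString('yyyy-MM-dd HH:') + ('{0:00}' -f $m)
    } | Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize
```

Run it from an account that can read the Security log on each DC; if the Security log has already rolled over, shorten the -After window or raise the log size before the next wave of lockouts.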


An analysis of your HJT log shows no known problems nor are there any problems on the start-up list.


Thanks for the reply.

After almost a day of trying to find the problem through luck, trial and error and some serious googling, we found the virus to be the following:

http://support.microsoft.com/kb/962007

We have since started the process of getting rid of the damn thing, so hopefully we should have nailed this thing dead!

It’s annoying that Avast and Microsoft name things differently, but hey ho.

Conficker???

Man, you should keep your servers up to date. Try WSUS!

http://technet.microsoft.com/en-us/wsus/default.aspx