Tech Support Forum - View Single Post

DM1301 · 08-17-2005, 01:46 PM

Hello All,

I'm currently dealing with the Troj_rootkit.E virus. I'm running windows 2000 server with mirrored hard drives. I've tried running numerious antivirus programs like office scan, ewido, av-cls (trend and McAfee), cleanup, etc... I've also have gone in and deleted registry files trying to get rid of the "rdriv" files. I've also read a lot of threads on how to get rid of this virus but none of those solutions seem to work. I've included the hijack this file below. Any help would be appreciated. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 12:40:31 PM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
F:\INETPUB\MAILROOT\BIN\XMail.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\mqsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\BacsTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://209.239.242.217/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://delta-server/officescan/Clien...l/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://delta-server/officescan/clien...l/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://delta-server/officescan/clientinstall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://delta-server/officescan/clien...RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124148141859
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/acc...n/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3143A686-7C06-4E13-9C0E-4C877CEDF40E}: NameServer = 207.178.128.20,207.178.128.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{668CBD1E-5F8D-416C-87EE-4CE26954F542}: NameServer = 207.178.128.20,207.178.128.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deltamicrowave.com
O23 - Service: Cerberus FTP Server - Grant Averett - C:\Program Files\Cerberus\Cerberus.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: SMTP Server (mssmtp) - Unknown owner - c:\Progra~1\Microsoft.NET\Common\Binn\smtpsrv.exe (file missing)
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINNT\svehost32.exe
O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINNT\system32\rsvterm.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: XMail Server (XMail) - Unknown owner - F:\INETPUB\MAILROOT\BIN\XMail.exe

08-17-2005, 01:46 PM	#1 (permalink)
DM1301 Registered User Join Date: Aug 2005 Posts: 5 OS: Win 2000 server	Troj_rootkit.e virus Hello All, I'm currently dealing with the Troj_rootkit.E virus. I'm running windows 2000 server with mirrored hard drives. I've tried running numerious antivirus programs like office scan, ewido, av-cls (trend and McAfee), cleanup, etc... I've also have gone in and deleted registry files trying to get rid of the "rdriv" files. I've also read a lot of threads on how to get rid of this virus but none of those solutions seem to work. I've included the hijack this file below. Any help would be appreciated. Thanks. Logfile of HijackThis v1.99.1 Scan saved at 12:40:31 PM, on 8/17/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\mysql\bin\mysqld-nt.exe C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\tcpsvcs.exe C:\WINNT\System32\snmp.exe C:\WINNT\System32\snmptrap.exe C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe F:\INETPUB\MAILROOT\BIN\XMail.exe C:\WINNT\System32\inetsrv\inetinfo.exe C:\WINNT\System32\msdtc.exe C:\WINNT\System32\mqsvc.exe C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\BacsTray.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Administrator\Desktop\hijack\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://209.239.242.217/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [bacstray] BacsTray.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://delta-server/officescan/Clien...l/WinNTChk.cab O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://delta-server/officescan/clien...l/setupini.cab O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://delta-server/officescan/clientinstall/setup.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://delta-server/officescan/clien...RemoveCtrl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124148141859 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/acc...n/IbmEgath.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deltamicrowave.com O17 - HKLM\System\CCS\Services\Tcpip\..\{3143A686-7C06-4E13-9C0E-4C877CEDF40E}: NameServer = 207.178.128.20,207.178.128.21 O17 - HKLM\System\CCS\Services\Tcpip\..\{668CBD1E-5F8D-416C-87EE-4CE26954F542}: NameServer = 207.178.128.20,207.178.128.21 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deltamicrowave.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deltamicrowave.com O23 - Service: Cerberus FTP Server - Grant Averett - C:\Program Files\Cerberus\Cerberus.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing) O23 - Service: SMTP Server (mssmtp) - Unknown owner - c:\Progra~1\Microsoft.NET\Common\Binn\smtpsrv.exe (file missing) O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing) O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINNT\svehost32.exe O23 - Service: TCP System Driver (tcpsys) - Unknown owner - C:\WINNT\system32\rsvterm.exe (file missing) O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe O23 - Service: XMail Server (XMail) - Unknown owner - F:\INETPUB\MAILROOT\BIN\XMail.exe