I found a rootkit on my system using GMER and came here looking for solutions, since deleting the service through GMER isn't enough to fix it.
The following thread described a problem very similar to mine, so I followed the initial steps as described in that thread for running JumpStart, Malwarebytes' Anti-Malware, and ComboFix.
Other thread with similar problem
Below are the Anti-Malware and ComboFix logs. Am I on the right track? Anybody able to guide me to the next step?
Thank you in advance for any help you might be able to give me. -- Bill
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3
12/21/2008 11:22:10 AM
mbam-log-2008-12-21 (11-22-10).txt
Scan type: Quick Scan
Objects scanned: 51922
Time elapsed: 7 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ComboFix 08-12-20.05 - Bill 2008-12-21 11:33:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.885 [GMT -5:00]
Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Legacy_TDSSSERV.SYS
-------\Service_Iprip
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.
2008-12-21 10:34 . 2008-12-21 10:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-21 10:34 . 2008-12-21 10:34 <DIR> d-------- c:\documents and settings\Bill\Application Data\Malwarebytes
2008-12-21 10:34 . 2008-12-21 10:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-21 10:34 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-21 10:34 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 14:51 . 2008-12-21 11:26 <DIR> d-------- c:\documents and settings\Bill\Application Data\U3
2008-12-17 23:09 . 2008-12-13 01:40 3,593,216 --a------ c:\windows\system32\SET6A.tmp
2008-12-05 08:13 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-23 17:32 . 2008-11-23 20:03 <DIR> d-------- c:\windows\system32\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 20:47 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-18 22:36 --------- d-----w c:\documents and settings\Bill\Application Data\SlimBrowser
2008-12-18 14:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-18 04:11 2,621,440 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-12-15 23:11 --------- d-----w c:\program files\SlimBrowser
2008-12-11 21:08 11,336,462 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-11 20:46 1,979,392 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-12-05 20:43 --------- d-----w c:\documents and settings\Bill\Application Data\GrabIt
2008-12-03 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-11-20 22:50 --------- d-----w c:\program files\Java
2008-11-17 15:38 118,784 ----a-w c:\windows\SeaMonkeyUninstall.exe
2008-11-17 15:38 118,784 ----a-w c:\windows\GREUninstall.exe
2008-11-11 02:14 --------- d-----w c:\documents and settings\Bill\Application Data\FileZilla
2008-11-08 15:17 --------- d-----w c:\program files\Common Files\Adobe
2008-11-02 20:18 --------- d-----w c:\program files\HP
2008-11-02 20:18 --------- d-----w c:\program files\Hewlett-Packard
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 11:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-09-21 22:04 1,735,680 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-09-03 12:46 27,064 ----a-w c:\documents and settings\Bill\Application Data\GDIPFONTCACHEV1.DAT
2008-08-30 12:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 172032]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Gatorlink VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-01-20 6144]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
S3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;c:\windows\system32\DRIVERS\vnetusbl.sys [2004-03-09 108032]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\DRIVERS\netusbxp.sys [2002-02-20 72576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beb0fecc-37aa-11dd-94e0-00065bc10f87}]
\Shell\AutoRun\command - g:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - g:\system\viewer\FlipVideoforPC.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\unwz3ia3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 11:38:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\devldr32.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
.
**************************************************************************
.
Completion time: 2008-12-21 11:44:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 16:44:12
Pre-Run: 11,349,200,896 bytes free
Post-Run: 11,308,326,912 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
153 --- E O F --- 2008-12-11 13:49:51