Solved

Strange Virus Problem

Posted on 2010-03-24
12
Medium Priority
952 Views
Last Modified: 2013-11-08
I believe my client has the Conficker/Downadup virus.  I have tried everything to remove it.  His Windows updates weren't working for a very long time so he never received the patch to fix the vulnerability.  It appears to be causing problems at the DNS level.  Whenever I try to go to an anti-virus vendor's web site or Microsoft site it either doesn't display the page or redirects the browser to an advertisement.

Here is what I have done and the results:
+Turned off System Restore
+Ran tool to clean all temp files
+Ran ComboFix in Safe Mode - removed some things - still infected
+Ran HijackThis in Safe Mode - removed some things - still infected
+Ran Malwarebytes in SM - removed some things - still infected
+Ran Spybot in SM - removed some things - still infected
+Pulled the hard drive and scanned it from another computer using Cureit - removed some things - still infected
+Re-installed the hard drive and ran Cureit in Safe Mode - removed some things - still infected
+Ran AVG in Safe Mode - removed some things - still infected
+Installed XP SP3
+Ran Avenger ( http://swandog46.geekstogo.com/ ) - Nothing found
+Found this web site: http://www.joestewart.org/cfeyechart.html and identified the virus as Conficker B based on the result
+Downloaded and ran the F-Secure Downadup removal tool ( http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml ) in normal mode - Found no infection
+Followed the suggestions for removal from Microsoft ( http://support.microsoft.com/kb/962007 )
    +Ran the Microsoft Malicious Software Removal Tool (both a quick scan and full scan) in normal mode - Found no infection
    +Followed the steps from the above Microsoft page for manual removal.  Got to step 8/9/10 and could not find any service there with any random characters or anything that looked out of place.
+Ran the Norton Downadup removal tool ( http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99 ) in normal mode - no infection found.

That is where I am at now.  I can't find any anti-virus tool that will find this virus and remove it.  Anyone have any ideas?
Question by:bdhtechnology
12 Comments
 
LVL 7

Expert Comment

by:frankky
ID: 28446834
Huh!

Have you checked the hosts and lmhosts files, that might be where you're getting your redirect from...
0
 
LVL 7

Assisted Solution

by:frankky
frankky earned 600 total points
ID: 28447374
If this doesn't solve it, I'd give a go to avast, try performing a boot-time scan of the computer.
0
 
LVL 1

Author Comment

by:bdhtechnology
ID: 28447830
Yes I did check the hosts and lmhosts files, all were the default files so were fine.

I may be able to try the Avast option later.  It is a business computer that they can't be without for very long, so it makes running scans that much harder.  I would probably have to run Avast overnight or something.
0
 
LVL 11

Expert Comment

by:xtreminator
ID: 28448551
+Downloaded and ran the F-Secure Downadup removal tool ( http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml ) in normal mode - Found no infection


You need to run this tool in Safe Mode without networking, from a command prompt.
Use this command:
f-downadup.exe --disinfect

Check in Safe Mode whether the system was infected or not.

0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 1400 total points
ID: 28448969
ComboFix, MBAM, HijackThis should be run in normal mode unless the PC can't boot normally.
Can we look at the ComboFix log please?
Also try running GMER and show us the log.
Might also run these tools below:

1.  Please download GooredFix from one of the locations below and save it to your Desktop
Mirror #1 http://jpshortstuff.247fixes.com/GooredFix.exe
Mirror #2 http://downloads.securitycadets.com/GooredFix.exe
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
It doesn't take long to run; once it is finished, move on to the next step.

2.  Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Make sure all other windows are closed and to let it run uninterrupted.
Extract the file and run it.
Reboot your machine and see if the infection is gone.
0
 
LVL 1

Author Comment

by:bdhtechnology
ID: 28502054
Combofix log:
ComboFix 10-03-21.05 - Administrator 03/22/2010  15:00:23.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1022.803 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\63015924
c:\documents and settings\All Users\Application Data\63015924\63015924.exe
c:\documents and settings\All Users\Application Data\69204324
c:\documents and settings\All Users\Application Data\69204324\69204324.exe
c:\documents and settings\All Users\Application Data\90644932
c:\documents and settings\All Users\Application Data\90644932\90644932.exe
c:\documents and settings\Owner\Desktop\Security Tool.lnk
c:\documents and settings\Owner\Local Settings\Application Data\010112010146111103.xxe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269264489.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269265425.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269267067.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269267379.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269267985.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269273914.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269274224.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269282962.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269283268.exe
c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk
c:\program files\Anti-Virus Professional
c:\program files\Anti-Virus Professional\noadware4_060409.na
c:\program files\PersSecurity
c:\program files\PersSecurity\psecurity.exe
c:\recycler\S-1-5-21-343818398-1563985344-839522115-1003
c:\recycler\S-1-5-21-4072725858-330582721-3163774157-1003
c:\windows\bill104.exe
c:\windows\bk23567.dat
c:\windows\fdgg34353edfgdfdf
c:\windows\lgo
c:\windows\ligh
c:\windows\system\oeminfo.ini
c:\windows\system32\Ijl11.dll

.
(((((((((((((((((((((((((   Files Created from 2010-02-22 to 2010-03-22  )))))))))))))))))))))))))))))))
.

2010-03-22 19:54 . 2010-03-22 19:54	--------	d-sh--w-	c:\documents and settings\Administrator\IECompatCache
2010-03-22 19:54 . 2010-03-22 19:54	--------	d-sh--w-	c:\documents and settings\Administrator\PrivacIE
2010-03-22 13:14 . 2010-03-22 13:14	--------	d-----w-	c:\program files\Common Files\PersSecurityUninstall
2010-03-13 14:45 . 2010-03-13 14:45	360584	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-13 14:45 . 2010-03-13 14:45	333192	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-13 14:45 . 2010-03-13 14:45	28424	----a-w-	c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-13 14:44 . 2010-03-13 14:44	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-03-12 01:56 . 2010-03-12 01:56	--------	d-----w-	c:\program files\Common Files\Java
2010-03-12 01:56 . 2010-03-12 01:56	503808	----a-w-	c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d1a1fc5-n\msvcp71.dll
2010-03-12 01:56 . 2010-03-12 01:56	499712	----a-w-	c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d1a1fc5-n\jmc.dll
2010-03-12 01:56 . 2010-03-12 01:56	348160	----a-w-	c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d1a1fc5-n\msvcr71.dll
2010-03-12 01:56 . 2010-03-12 01:56	61440	----a-w-	c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4b7096ac-n\decora-sse.dll
2010-03-12 01:56 . 2010-03-12 01:56	12800	----a-w-	c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4b7096ac-n\decora-d3d.dll
2010-03-10 14:41 . 2010-03-10 14:39	98136	----a-w-	c:\windows\gzip.exe
2010-03-10 14:39 . 2010-03-10 14:39	--------	d-----w-	c:\program files\Intuit

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-22 13:14 . 2010-03-22 13:14	355840	----a-w-	c:\windows\system32\win32extension.dll.tmp
2010-03-13 14:44 . 2009-06-26 21:13	242696	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-03-13 14:44 . 2009-06-26 21:13	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 14:44 . 2009-06-26 21:13	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-03-12 01:56 . 2009-05-14 23:31	--------	d-----w-	c:\program files\Java
2010-03-10 14:43 . 2010-03-10 14:43	2232	----a-w-	c:\windows\java\Packages\Data\F1Z7PV5N.DAT
2010-03-10 14:43 . 2010-03-10 14:43	155995	----a-w-	c:\windows\java\Packages\0E09FD33.ZIP
2010-03-10 14:43 . 2010-03-10 14:43	2678	----a-w-	c:\windows\java\Packages\Data\AUBLBR3J.DAT
2010-03-10 14:42 . 2010-03-10 14:42	2678	----a-w-	c:\windows\java\Packages\Data\A0RHBVTN.DAT
2010-03-10 14:42 . 2010-03-10 14:42	2678	----a-w-	c:\windows\java\Packages\Data\QGSCYZHN.DAT
2010-03-10 14:42 . 2010-03-10 14:42	2678	----a-w-	c:\windows\java\Packages\Data\BR3RDFHF.DAT
2010-03-10 14:42 . 2010-03-10 14:42	2678	----a-w-	c:\windows\java\Packages\Data\0Q3LZ5V7.DAT
2010-03-10 09:04 . 2008-06-26 22:52	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-16 20:52 . 2010-02-16 20:52	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-02-05 03:09 . 2008-10-19 18:10	--------	d-----w-	c:\program files\Google
2010-01-06 20:52 . 2009-08-11 19:52	80280	----a-w-	c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 23:40 . 2007-05-02 18:40	80280	----a-w-	c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:14 . 2006-02-28 12:00	352640	----a-w-	c:\windows\system32\drivers\srv.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"MPG_Monitor"="c:\program files\Mitchell1\MPG\MPG_Extract\MPG_monitor.exe" [2006-08-14 438272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CDPforFilesSrv.lnk - c:\program files\Tivoli\CDP_for_Files\FilePathSrv.exe [2009-7-30 542271]
DPR Manager.lnk - c:\program files\Mitchell 1\DPR Client Manager\DPRClientManagerTray.exe [2009-10-5 1696768]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-13 14:44	12464	----a-w-	c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50	155648	----a-w-	c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01	32768	----a-w-	c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-14 09:21	16270848	----a-r-	c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
2006-07-10 18:33	176128	----a-r-	c:\windows\system32\S3Trayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mitchell1\\MPG\\MPG_Extract\\mpg_monitor.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:MyOKOPort

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/26/2009 4:13 PM 242696]
R1 ql600oko;Avi Event Class iSCSI;c:\windows\system32\drivers\mrxoko.sys [10/12/2008 11:01 PM 32768]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/26/2009 4:13 PM 216200]
S1 FilePath;VitalFile;c:\windows\system32\drivers\Fp.sys [5/28/2008 6:27 PM 316049]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 9:44 AM 308064]
S2 FilePathsrv;CDPforFilesSrv;c:\windows\system32\FilePathSrv.exe [5/28/2008 6:27 PM 542271]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 10:09 PM 135664]
S2 swoko;DHCP extensions Kernel Driver VMware;c:\windows\system32\svchost.exe -k termsvc [2/28/2006 7:00 AM 14336]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [4/9/2008 6:10 PM 24576]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
termsvc	REG_MULTI_SZ   	swoko
.
Contents of the 'Scheduled Tasks' folder

2010-03-22 c:\windows\Tasks\DataAcquisition.job
- c:\program files\Mitchell 1\CRM\Data Acquisition\DataAcquisitionRemote.exe [2009-07-22 17:02]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 03:09]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 03:09]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2388131890-3471916106-3631987943-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 16:03]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2388131890-3471916106-3631987943-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 16:03]

2010-03-22 c:\windows\Tasks\User_Feed_Synchronization-{C272E74C-9A09-4E12-9048-25DCBC7E067A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {395E58B9-090C-461A-8F27-087D1C727945} - hxxp://webconf.mitchell1.com/joinie.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Administrator\Desktop\HijackThis.exe
AddRemove-OnDemand5 Manager Workstation - c:\mitchell1\Manager\Series1\RebootWiz



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 15:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2388131890-3471916106-3631987943-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,aa,0b,37,4f,95,a5,4d,b8,12,aa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,aa,0b,37,4f,95,a5,4d,b8,12,aa,\
.
Completion time: 2010-03-22  15:07:14
ComboFix-quarantined-files.txt  2010-03-22 20:07

Pre-Run: 52,370,395,136 bytes free
Post-Run: 52,400,910,336 bytes free

- - End Of File - - A7AC1D7132A34AEBE04259BE6FDF8D53

0
 
LVL 1

Author Comment

by:bdhtechnology
ID: 28502518
Ran GooredFix, didn't find anything:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 21:34 on 24/03/2010 (Owner)
Firefox version [Unable to determine]

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:06 15/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:31 14/05/2009]

---------- Old Logs ----------
GooredFix[02.32.11_25-03-2010].txt

-=E.O.F=-


Ran TDSSKiller, which didn't find anything either:

TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.2.8.1 Mar 22 2010 10:43:04

Scanning        Services ...

Scanning        Kernel memory ...

Completed

Results:
Memory objects infected / cured / cured on reboot:      0 / 0 / 0
Registry objects infected / cured / cured on reboot:    0 / 0 / 0
File objects infected / cured / cured on reboot:        0 / 0 / 0
0
 
LVL 1

Author Comment

by:bdhtechnology
ID: 28505221
Also ran F-Secure Downadup removal tool in safe mode (w/o networking) and it didn't find anything either.

The computer does behave properly in safe mode, as in I can get to all the sites that I can't get to in normal mode.  It also doesn't redirect any searches in safe mode.  So it has to be something running, though what I can't figure out.  
0
 
LVL 1

Author Comment

by:bdhtechnology
ID: 28505249
Attached is the output from GMER:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-24 22:19:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pgwyyaod.sys


---- System - GMER 1.0.15 ----

Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwCreateProcessEx [0xF40B34FE]
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwCreateSection [0xF40B3322]
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwLoadDriver [0xF40B345C]
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  NtCreateSection
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ObInsertObject
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                 aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                 fp.sys (CDP Filesystem Filter Driver/IBM Corporation)
AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device          \FileSystem\Fastfat \Fat                                                               aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice  \FileSystem\Fastfat \Fat                                                               fp.sys (CDP Filesystem Filter Driver/IBM Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                               fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                               aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                               aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                               avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                               mrxoko.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                              aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                              avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                              mrxoko.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                                                              aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                              avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                              mrxoko.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                            avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                            mrxoko.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                            aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

0
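The GMER listing above is what actually gave the infection away: every other driver attached to the \Driver\Tcpip devices carries a description and vendor, while mrxoko.sys carries none, and the ComboFix log earlier in the thread shows the service entry (ql600oko) that loads that file on a normal boot, which is why Safe Mode was clean. The following triage helper is an added example, not a tool from the thread or from GMER/ComboFix; it parses lines of the same shape as those two logs, flags unattributed filter drivers in the TCP/IP stack, and maps them back to the service entries that load them. The sample log text is constructed from the thread's own lines, and the function names (`triage`, `parse_gmer_devices`, and so on) are this example's own.

```python
"""Added triage helper (not a tool from the thread): correlate a GMER
device listing with the driver/service lines of a ComboFix log to find
kernel drivers in the TCP/IP stack that no tool attributed to a vendor,
and the service entries that load them on a normal boot."""
import re

# Constructed input: lines of the same shape as the thread's GMER and
# ComboFix logs (driver and service names taken from the thread).
GMER_LOG = r"""
AttachedDevice  \FileSystem\Ntfs \Ntfs      fp.sys (CDP Filesystem Filter Driver/IBM Corporation)
AttachedDevice  \Driver\Tcpip \Device\Ip    aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Ip    mrxoko.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp   mrxoko.sys
AttachedDevice  \Driver\Tcpip \Device\Udp   mrxoko.sys
"""

COMBOFIX_SERVICES = r"""
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/26/2009 4:13 PM 242696]
R1 ql600oko;Avi Event Class iSCSI;c:\windows\system32\drivers\mrxoko.sys [10/12/2008 11:01 PM 32768]
S2 swoko;DHCP extensions Kernel Driver VMware;c:\windows\system32\svchost.exe -k termsvc [2/28/2006 7:00 AM 14336]
"""

# GMER: "AttachedDevice  <driver object> <device> <image> (<description/vendor>)"
# The parenthesised part is absent when GMER could not attribute the image.
GMER_RE = re.compile(
    r"^(?:AttachedDevice|Device)\s+(?P<driver_obj>\S+)\s+(?P<device>\S+)\s+"
    r"(?P<image>\S+)\s*(?:\((?P<vendor>[^)]*)\))?\s*$"
)

# ComboFix: "<state> <service name>;<display name>;<image path> [<date> <size>]"
CF_SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s*\[[^\]]*\]\s*$"
)


def parse_gmer_devices(text):
    """One dict per device line; 'vendor' is None when GMER printed none."""
    rows = []
    for line in text.splitlines():
        m = GMER_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def parse_combofix_services(text):
    """One dict per R*/S* driver or service line of the ComboFix log."""
    rows = []
    for line in text.splitlines():
        m = CF_SERVICE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def unattributed_network_filters(gmer_rows):
    """Image names attached to Tcpip devices that carry no vendor string."""
    return sorted({r["image"].lower() for r in gmer_rows
                   if r["driver_obj"].lower() == r"\driver\tcpip" and not r["vendor"]})


def image_basename(image_path):
    """'c:\\...\\svchost.exe -k termsvc' -> 'svchost.exe' (file name, no arguments)."""
    return image_path.split("\\")[-1].split()[0].lower()


def triage(gmer_text, combofix_text):
    """Return (suspect image names, ComboFix service entries that load one of them)."""
    suspects = unattributed_network_filters(parse_gmer_devices(gmer_text))
    loaders = [
        {"service": s["name"], "display": s["display"], "image": s["image"], "state": s["state"]}
        for s in parse_combofix_services(combofix_text)
        if image_basename(s["image"]) in suspects
    ]
    return suspects, loaders


if __name__ == "__main__":
    found, entries = triage(GMER_LOG, COMBOFIX_SERVICES)
    print("Unattributed TCP/IP filter drivers:", found)
    for e in entries:
        print(f"  loaded by service {e['service']} ({e['display']!r}), "
              f"state {e['state']}, image {e['image']}")
```

On the constructed input the script reports mrxoko.sys as the only unattributed driver in the TCP/IP stack and ties it to the ql600oko service entry. Paste a real GMER device section and the R*/S* block of a real ComboFix log into the two strings to run it against an actual case; a driver it flags is only a lead to verify (file properties, signature, reputation), not a verdict, because a legitimate driver GMER fails to describe would be flagged the same way.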
 
LVL 1

Author Comment

by:bdhtechnology
ID: 28505895
Holy crap it's working.  When I ran GMER it scanned the mrxoko.sys file and Avast saw it and removed it at that time.  After a reboot everything seems to be working ok.  Thanks to everyone for all the help!
0
 
LVL 7

Expert Comment

by:frankky
ID: 28508028
Glad to hear we could be of assistance!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 28660901
We could've used ComboFix's script function to remove it, as all the entries relating to that Koobface "mrxoko" are showing in the ComboFix log.
Glad to know it's now resolved.
0