WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!
Strange Virus Problem
I believe my client has the Conficker/Downadup virus. I have tried everything to remove it. His Windows updates weren't working for a very long time so he never received the patch to fix the vulnerability. It appears to be causing problems at the DNS level. Whenever I try to go to an anti-virus vendor's web site or Microsoft site it either doesn't display the page or redirects the browser to an advertisement.
Here is what I have done and the results:
+Turned of System Restore
+Ran tool to clean all temp files
+Run combofix in Safe Mode - removed some things - still infected
+Ran Hi-Jack This in Safe Mode - removed some things - still infected
+Ran Malware Bytes in SM - removed some things - still infected
+Ran Spy Bot in SM - removed some things - still infected
+Pulled the hard drive and scanned it from another computer using Cureit - removed some things - still infected
+Re-installed the hard drive and ran Cureit in Safe Mode - removed some things - still infected
+Ran AVG in Safe Mode - removed some things - still infected
+Installed XP SP3
+Ran Avenger ( http://swandog46.geekstogo.com/ ) - Nothing found
+Found this web site: http://www.joestewart.org/cfeyechart.html and identified the virus as Conficker B based on the result
+Downloaded and ran the F-Secure Downadup removal tool ( http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml ) in normal mode - Found no infection
+Followed the suggestions for removal from Microsoft ( http://support.microsoft.com/kb/962007 )
+Ran the Microsoft Malicious Software Removal Tool (both a quick scan and full scan) in normal mode - Found no infection
+Followed the steps from the above Microsoft page for manual removal. Got to step 8/9/10 and could not find any service there with any random characters or anything that looked out of place.
+Ran the Norton downadup removal tool ( http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99 ) in normal mode - no infection found.
That is where I am at now. I can't find any anti-virus tool that will find this virus and remove it. Anyone have any ideas????
Here is what I have done and the results:
+Turned of System Restore
+Ran tool to clean all temp files
+Run combofix in Safe Mode - removed some things - still infected
+Ran Hi-Jack This in Safe Mode - removed some things - still infected
+Ran Malware Bytes in SM - removed some things - still infected
+Ran Spy Bot in SM - removed some things - still infected
+Pulled the hard drive and scanned it from another computer using Cureit - removed some things - still infected
+Re-installed the hard drive and ran Cureit in Safe Mode - removed some things - still infected
+Ran AVG in Safe Mode - removed some things - still infected
+Installed XP SP3
+Ran Avenger ( http://swandog46.geekstogo.com/ ) - Nothing found
+Found this web site: http://www.joestewart.org/cfeyechart.html and identified the virus as Conficker B based on the result
+Downloaded and ran the F-Secure Downadup removal tool ( http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml ) in normal mode - Found no infection
+Followed the suggestions for removal from Microsoft ( http://support.microsoft.com/kb/962007 )
+Ran the Microsoft Malicious Software Removal Tool (both a quick scan and full scan) in normal mode - Found no infection
+Followed the steps from the above Microsoft page for manual removal. Got to step 8/9/10 and could not find any service there with any random characters or anything that looked out of place.
+Ran the Norton downadup removal tool ( http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99 ) in normal mode - no infection found.
That is where I am at now. I can't find any anti-virus tool that will find this virus and remove it. Anyone have any ideas????
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Yes I did check the host and lmhost files, all were the default files so were fine.
I may be able to try the Avast option later. It is a business computer that they can't be without for very long, so it makes running scans that much harder. I would probably have to run Avast over night or something.
I may be able to try the Avast option later. It is a business computer that they can't be without for very long, so it makes running scans that much harder. I would probably have to run Avast over night or something.
+Downloaded and ran the F-Secure Downadup removal tool ( http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml ) in normal mode - Found no infection
you need to run this tool in safe mode with out networking in command prompt.
use this command
f-downadup.exe --disinfect.
check in safe mode if system was infected or not.
you need to run this tool in safe mode with out networking in command prompt.
use this command
f-downadup.exe --disinfect.
check in safe mode if system was infected or not.
ComboFix, MBAM, Hijackthis should be run in normal mode unless the pc can't boot normally.
Can we look at the ComboFix log please?
Also try running Gmer and show us the log.
Might also run these tools below:
1. Please download GooredFix from one of the locations below and save it to your Desktop
Mirror #1 http://jpshortstuff.247fixes.com/GooredFix.exe
Mirror #2 http://downloads.securitycadets.com/GooredFix.exe
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
It doesn't take long to run, once it is finished move onto the next step
2. Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Make sure all other windows are closed and to let it run uninterrupted.
Extract the file and run it.
Reboot your machine and see if the infection is gone
Can we look at the ComboFix log please?
Also try running Gmer and show us the log.
Might also run these tools below:
1. Please download GooredFix from one of the locations below and save it to your Desktop
Mirror #1 http://jpshortstuff.247fixes.com/GooredFix.exe
Mirror #2 http://downloads.securitycadets.com/GooredFix.exe
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
It doesn't take long to run, once it is finished move onto the next step
2. Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Make sure all other windows are closed and to let it run uninterrupted.
Extract the file and run it.
Reboot your machine and see if the infection is gone
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Combofix log:
ComboFix 10-03-21.05 - Administrator 03/22/2010 15:00:23.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.803 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\63015924
c:\documents and settings\All Users\Application Data\63015924\63015924.exe
c:\documents and settings\All Users\Application Data\69204324
c:\documents and settings\All Users\Application Data\69204324\69204324.exe
c:\documents and settings\All Users\Application Data\90644932
c:\documents and settings\All Users\Application Data\90644932\90644932.exe
c:\documents and settings\Owner\Desktop\Security Tool.lnk
c:\documents and settings\Owner\Local Settings\Application Data\010112010146111103.xxe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269264489.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269265425.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269267067.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269267379.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269267985.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269273914.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269274224.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269282962.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269283268.exe
c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk
c:\program files\Anti-Virus Professional
c:\program files\Anti-Virus Professional\noadware4_060409.na
c:\program files\PersSecurity
c:\program files\PersSecurity\psecurity.exe
c:\recycler\S-1-5-21-343818398-1563985344-839522115-1003
c:\recycler\S-1-5-21-4072725858-330582721-3163774157-1003
c:\windows\bill104.exe
c:\windows\bk23567.dat
c:\windows\fdgg34353edfgdfdf
c:\windows\lgo
c:\windows\ligh
c:\windows\system\oeminfo.ini
c:\windows\system32\Ijl11.dll
.
((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.
2010-03-22 19:54 . 2010-03-22 19:54 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-03-22 19:54 . 2010-03-22 19:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-22 13:14 . 2010-03-22 13:14 -------- d-----w- c:\program files\Common Files\PersSecurityUninstall
2010-03-13 14:45 . 2010-03-13 14:45 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-13 14:45 . 2010-03-13 14:45 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-13 14:45 . 2010-03-13 14:45 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-13 14:44 . 2010-03-13 14:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-12 01:56 . 2010-03-12 01:56 -------- d-----w- c:\program files\Common Files\Java
2010-03-12 01:56 . 2010-03-12 01:56 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d1a1fc5-n\msvcp71.dll
2010-03-12 01:56 . 2010-03-12 01:56 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d1a1fc5-n\jmc.dll
2010-03-12 01:56 . 2010-03-12 01:56 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d1a1fc5-n\msvcr71.dll
2010-03-12 01:56 . 2010-03-12 01:56 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4b7096ac-n\decora-sse.dll
2010-03-12 01:56 . 2010-03-12 01:56 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4b7096ac-n\decora-d3d.dll
2010-03-10 14:41 . 2010-03-10 14:39 98136 ----a-w- c:\windows\gzip.exe
2010-03-10 14:39 . 2010-03-10 14:39 -------- d-----w- c:\program files\Intuit
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-22 13:14 . 2010-03-22 13:14 355840 ----a-w- c:\windows\system32\win32extension.dll.tmp
2010-03-13 14:44 . 2009-06-26 21:13 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 14:44 . 2009-06-26 21:13 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 14:44 . 2009-06-26 21:13 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 01:56 . 2009-05-14 23:31 -------- d-----w- c:\program files\Java
2010-03-10 14:43 . 2010-03-10 14:43 2232 ----a-w- c:\windows\java\Packages\Data\F1Z7PV5N.DAT
2010-03-10 14:43 . 2010-03-10 14:43 155995 ----a-w- c:\windows\java\Packages\0E09FD33.ZIP
2010-03-10 14:43 . 2010-03-10 14:43 2678 ----a-w- c:\windows\java\Packages\Data\AUBLBR3J.DAT
2010-03-10 14:42 . 2010-03-10 14:42 2678 ----a-w- c:\windows\java\Packages\Data\A0RHBVTN.DAT
2010-03-10 14:42 . 2010-03-10 14:42 2678 ----a-w- c:\windows\java\Packages\Data\QGSCYZHN.DAT
2010-03-10 14:42 . 2010-03-10 14:42 2678 ----a-w- c:\windows\java\Packages\Data\BR3RDFHF.DAT
2010-03-10 14:42 . 2010-03-10 14:42 2678 ----a-w- c:\windows\java\Packages\Data\0Q3LZ5V7.DAT
2010-03-10 09:04 . 2008-06-26 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-16 20:52 . 2010-02-16 20:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-05 03:09 . 2008-10-19 18:10 -------- d-----w- c:\program files\Google
2010-01-06 20:52 . 2009-08-11 19:52 80280 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 23:40 . 2007-05-02 18:40 80280 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:14 . 2006-02-28 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"MPG_Monitor"="c:\program files\Mitchell1\MPG\MPG_Extract\MPG_monitor.exe" [2006-08-14 438272]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CDPforFilesSrv.lnk - c:\program files\Tivoli\CDP_for_Files\FilePathSrv.exe [2009-7-30 542271]
DPR Manager.lnk - c:\program files\Mitchell 1\DPR Client Manager\DPRClientManagerTray.exe [2009-10-5 1696768]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-13 14:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-14 09:21 16270848 ----a-r- c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
2006-07-10 18:33 176128 ----a-r- c:\windows\system32\S3Trayp.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mitchell1\\MPG\\MPG_Extract\\mpg_monitor.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:MyOKOPort
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/26/2009 4:13 PM 242696]
R1 ql600oko;Avi Event Class iSCSI;c:\windows\system32\drivers\mrxoko.sys [10/12/2008 11:01 PM 32768]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/26/2009 4:13 PM 216200]
S1 FilePath;VitalFile;c:\windows\system32\drivers\Fp.sys [5/28/2008 6:27 PM 316049]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 9:44 AM 308064]
S2 FilePathsrv;CDPforFilesSrv;c:\windows\system32\FilePathSrv.exe [5/28/2008 6:27 PM 542271]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 10:09 PM 135664]
S2 swoko;DHCP extensions Kernel Driver VMware;c:\windows\system32\svchost.exe -k termsvc [2/28/2006 7:00 AM 14336]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [4/9/2008 6:10 PM 24576]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
termsvc REG_MULTI_SZ swoko
.
Contents of the 'Scheduled Tasks' folder
2010-03-22 c:\windows\Tasks\DataAcquisition.job
- c:\program files\Mitchell 1\CRM\Data Acquisition\DataAcquisitionRemote.exe [2009-07-22 17:02]
2010-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 03:09]
2010-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 03:09]
2010-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2388131890-3471916106-3631987943-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 16:03]
2010-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2388131890-3471916106-3631987943-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 16:03]
2010-03-22 c:\windows\Tasks\User_Feed_Synchronization-{C272E74C-9A09-4E12-9048-25DCBC7E067A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {395E58B9-090C-461A-8F27-087D1C727945} - hxxp://webconf.mitchell1.com/joinie.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-HijackThis - c:\documents and settings\Administrator\Desktop\HijackThis.exe
AddRemove-OnDemand5 Manager Workstation - c:\mitchell1\Manager\Series1\RebootWiz
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 15:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2388131890-3471916106-3631987943-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,aa,0b,37,4f,95,a5,4d,b8,12,aa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,aa,0b,37,4f,95,a5,4d,b8,12,aa,\
.
Completion time: 2010-03-22 15:07:14
ComboFix-quarantined-files.txt 2010-03-22 20:07
Pre-Run: 52,370,395,136 bytes free
Post-Run: 52,400,910,336 bytes free
- - End Of File - - A7AC1D7132A34AEBE04259BE6FDF8D53
Ran GooredFix, didn't find anything:
GooredFix by jpshortstuff (08.01.10.1)
Log created at 21:34 on 24/03/2010 (Owner)
Firefox version [Unable to determine]
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
(none)
[HKEY_LOCAL_MACHINE\Softwa
"{20a82645-c095-46ed-80e3-
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy
---------- Old Logs ----------
GooredFix[02.32.11_25-03-2
-=E.O.F=-
Ran tdskiller, which didn't find anything either:
TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.2.8.1 Mar 22 2010 10:43:04
Scanning Services ...
Scanning Kernel memory ...
Completed
Results:
Memory objects infected / cured / cured on reboot: 0 / 0 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 0 / 0 / 0
GooredFix by jpshortstuff (08.01.10.1)
Log created at 21:34 on 24/03/2010 (Owner)
Firefox version [Unable to determine]
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
(none)
[HKEY_LOCAL_MACHINE\Softwa
"{20a82645-c095-46ed-80e3-
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy
---------- Old Logs ----------
GooredFix[02.32.11_25-03-2
-=E.O.F=-
Ran tdskiller, which didn't find anything either:
TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.2.8.1 Mar 22 2010 10:43:04
Scanning Services ...
Scanning Kernel memory ...
Completed
Results:
Memory objects infected / cured / cured on reboot: 0 / 0 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 0 / 0 / 0
Also ran F-Secure Downadup removal tool in safe mode (w/o networking) and it didn't find anything either.
The computer does behave properly in safe mode, as in I can get to all the sites that I can't get to in normal mode. It also doesn't redirect any searches in safe mode. So it has to be something running, though what I can't figure out.
The computer does behave properly in safe mode, as in I can get to all the sites that I can't get to in normal mode. It also doesn't redirect any searches in safe mode. So it has to be something running, though what I can't figure out.
Attached is the output from Gmer
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-24 22:19:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pgwyyaod.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF40B34FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF40B3322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF40B345C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs fp.sys (CDP Filesystem Filter Driver/IBM Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fp.sys (CDP Filesystem Filter Driver/IBM Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip mrxoko.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp mrxoko.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp mrxoko.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp mrxoko.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- EOF - GMER 1.0.15 ----
Holy crap it's working. When I ran GMER it scanned the mrxoko,sys file and Avast saw it and removed it at that time. After a reboot everything seems to be working ok. Thanks to everyone for all the help!
We could've used ComboFix script function to remove it, as all the entries relating to that koobface "mrxoko" are showing in the ComboFix log.
Glad to know it's now resolved.
Glad to know it's now resolved.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
Have you checked host and lmhost files, that might be where you're getting your redirect from...