bdhtechnology
asked on
Strange Virus Problem
I believe my client has the Conficker/Downadup virus. I have tried everything to remove it. His Windows updates weren't working for a very long time so he never received the patch to fix the vulnerability. It appears to be causing problems at the DNS level. Whenever I try to go to an anti-virus vendor's web site or Microsoft site it either doesn't display the page or redirects the browser to an advertisement.
Here is what I have done and the results:
+Turned off System Restore
+Ran tool to clean all temp files
+Ran ComboFix in Safe Mode - removed some things - still infected
+Ran Hi-Jack This in Safe Mode - removed some things - still infected
+Ran Malware Bytes in SM - removed some things - still infected
+Ran Spy Bot in SM - removed some things - still infected
+Pulled the hard drive and scanned it from another computer using Cureit - removed some things - still infected
+Re-installed the hard drive and ran Cureit in Safe Mode - removed some things - still infected
+Ran AVG in Safe Mode - removed some things - still infected
+Installed XP SP3
+Ran Avenger ( http://swandog46.geekstogo.com/ ) - Nothing found
+Found this web site: http://www.joestewart.org/cfeyechart.html and identified the virus as Conficker B based on the result
+Downloaded and ran the F-Secure Downadup removal tool ( http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml ) in normal mode - Found no infection
+Followed the suggestions for removal from Microsoft ( http://support.microsoft.com/kb/962007 )
+Ran the Microsoft Malicious Software Removal Tool (both a quick scan and full scan) in normal mode - Found no infection
+Followed the steps from the above Microsoft page for manual removal. Got to step 8/9/10 and could not find any service there with any random characters or anything that looked out of place.
+Ran the Norton downadup removal tool ( http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99 ) in normal mode - no infection found.
That is where I am at now. I can't find any anti-virus tool that will find this virus and remove it. Anyone have any ideas????
ASKER
Yes I did check the host and lmhost files, all were the default files so were fine.
I may be able to try the Avast option later. It is a business computer that they can't be without for very long, so it makes running scans that much harder. I would probably have to run Avast over night or something.
+Downloaded and ran the F-Secure Downadup removal tool ( http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml ) in normal mode - Found no infection
You need to run this tool in Safe Mode without networking, from a command prompt.
Use this command:
f-downadup.exe --disinfect
Then check in Safe Mode whether the system was infected or not.
ASKER
Combofix log:
ComboFix 10-03-21.05 - Administrator 03/22/2010 15:00:23.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.803 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\63015924
c:\documents and settings\All Users\Application Data\63015924\63015924.exe
c:\documents and settings\All Users\Application Data\69204324
c:\documents and settings\All Users\Application Data\69204324\69204324.exe
c:\documents and settings\All Users\Application Data\90644932
c:\documents and settings\All Users\Application Data\90644932\90644932.exe
c:\documents and settings\Owner\Desktop\Security Tool.lnk
c:\documents and settings\Owner\Local Settings\Application Data\010112010146111103.xxe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269264489.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269265425.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269267067.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269267379.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269267985.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269273914.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269274224.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269282962.exe
c:\documents and settings\Owner\Local Settings\Application Data\rdr_1269283268.exe
c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk
c:\program files\Anti-Virus Professional
c:\program files\Anti-Virus Professional\noadware4_060409.na
c:\program files\PersSecurity
c:\program files\PersSecurity\psecurity.exe
c:\recycler\S-1-5-21-343818398-1563985344-839522115-1003
c:\recycler\S-1-5-21-4072725858-330582721-3163774157-1003
c:\windows\bill104.exe
c:\windows\bk23567.dat
c:\windows\fdgg34353edfgdfdf
c:\windows\lgo
c:\windows\ligh
c:\windows\system\oeminfo.ini
c:\windows\system32\Ijl11.dll
.
((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.
2010-03-22 19:54 . 2010-03-22 19:54 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-03-22 19:54 . 2010-03-22 19:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-22 13:14 . 2010-03-22 13:14 -------- d-----w- c:\program files\Common Files\PersSecurityUninstall
2010-03-13 14:45 . 2010-03-13 14:45 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-13 14:45 . 2010-03-13 14:45 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-13 14:45 . 2010-03-13 14:45 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-13 14:44 . 2010-03-13 14:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-12 01:56 . 2010-03-12 01:56 -------- d-----w- c:\program files\Common Files\Java
2010-03-12 01:56 . 2010-03-12 01:56 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d1a1fc5-n\msvcp71.dll
2010-03-12 01:56 . 2010-03-12 01:56 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d1a1fc5-n\jmc.dll
2010-03-12 01:56 . 2010-03-12 01:56 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d1a1fc5-n\msvcr71.dll
2010-03-12 01:56 . 2010-03-12 01:56 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4b7096ac-n\decora-sse.dll
2010-03-12 01:56 . 2010-03-12 01:56 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4b7096ac-n\decora-d3d.dll
2010-03-10 14:41 . 2010-03-10 14:39 98136 ----a-w- c:\windows\gzip.exe
2010-03-10 14:39 . 2010-03-10 14:39 -------- d-----w- c:\program files\Intuit
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-22 13:14 . 2010-03-22 13:14 355840 ----a-w- c:\windows\system32\win32extension.dll.tmp
2010-03-13 14:44 . 2009-06-26 21:13 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 14:44 . 2009-06-26 21:13 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 14:44 . 2009-06-26 21:13 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 01:56 . 2009-05-14 23:31 -------- d-----w- c:\program files\Java
2010-03-10 14:43 . 2010-03-10 14:43 2232 ----a-w- c:\windows\java\Packages\Data\F1Z7PV5N.DAT
2010-03-10 14:43 . 2010-03-10 14:43 155995 ----a-w- c:\windows\java\Packages\0E09FD33.ZIP
2010-03-10 14:43 . 2010-03-10 14:43 2678 ----a-w- c:\windows\java\Packages\Data\AUBLBR3J.DAT
2010-03-10 14:42 . 2010-03-10 14:42 2678 ----a-w- c:\windows\java\Packages\Data\A0RHBVTN.DAT
2010-03-10 14:42 . 2010-03-10 14:42 2678 ----a-w- c:\windows\java\Packages\Data\QGSCYZHN.DAT
2010-03-10 14:42 . 2010-03-10 14:42 2678 ----a-w- c:\windows\java\Packages\Data\BR3RDFHF.DAT
2010-03-10 14:42 . 2010-03-10 14:42 2678 ----a-w- c:\windows\java\Packages\Data\0Q3LZ5V7.DAT
2010-03-10 09:04 . 2008-06-26 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-16 20:52 . 2010-02-16 20:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-05 03:09 . 2008-10-19 18:10 -------- d-----w- c:\program files\Google
2010-01-06 20:52 . 2009-08-11 19:52 80280 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 23:40 . 2007-05-02 18:40 80280 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:14 . 2006-02-28 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"MPG_Monitor"="c:\program files\Mitchell1\MPG\MPG_Extract\MPG_monitor.exe" [2006-08-14 438272]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CDPforFilesSrv.lnk - c:\program files\Tivoli\CDP_for_Files\FilePathSrv.exe [2009-7-30 542271]
DPR Manager.lnk - c:\program files\Mitchell 1\DPR Client Manager\DPRClientManagerTray.exe [2009-10-5 1696768]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-13 14:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-14 09:21 16270848 ----a-r- c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
2006-07-10 18:33 176128 ----a-r- c:\windows\system32\S3Trayp.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mitchell1\\MPG\\MPG_Extract\\mpg_monitor.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:MyOKOPort
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/26/2009 4:13 PM 242696]
R1 ql600oko;Avi Event Class iSCSI;c:\windows\system32\drivers\mrxoko.sys [10/12/2008 11:01 PM 32768]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/26/2009 4:13 PM 216200]
S1 FilePath;VitalFile;c:\windows\system32\drivers\Fp.sys [5/28/2008 6:27 PM 316049]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 9:44 AM 308064]
S2 FilePathsrv;CDPforFilesSrv;c:\windows\system32\FilePathSrv.exe [5/28/2008 6:27 PM 542271]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 10:09 PM 135664]
S2 swoko;DHCP extensions Kernel Driver VMware;c:\windows\system32\svchost.exe -k termsvc [2/28/2006 7:00 AM 14336]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [4/9/2008 6:10 PM 24576]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
termsvc REG_MULTI_SZ swoko
.
Contents of the 'Scheduled Tasks' folder
2010-03-22 c:\windows\Tasks\DataAcquisition.job
- c:\program files\Mitchell 1\CRM\Data Acquisition\DataAcquisitionRemote.exe [2009-07-22 17:02]
2010-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 03:09]
2010-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 03:09]
2010-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2388131890-3471916106-3631987943-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 16:03]
2010-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2388131890-3471916106-3631987943-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 16:03]
2010-03-22 c:\windows\Tasks\User_Feed_Synchronization-{C272E74C-9A09-4E12-9048-25DCBC7E067A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {395E58B9-090C-461A-8F27-087D1C727945} - hxxp://webconf.mitchell1.com/joinie.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-HijackThis - c:\documents and settings\Administrator\Desktop\HijackThis.exe
AddRemove-OnDemand5 Manager Workstation - c:\mitchell1\Manager\Series1\RebootWiz
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 15:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2388131890-3471916106-3631987943-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,aa,0b,37,4f,95,a5,4d,b8,12,aa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,aa,0b,37,4f,95,a5,4d,b8,12,aa,\
.
Completion time: 2010-03-22 15:07:14
ComboFix-quarantined-files.txt 2010-03-22 20:07
Pre-Run: 52,370,395,136 bytes free
Post-Run: 52,400,910,336 bytes free
- - End Of File - - A7AC1D7132A34AEBE04259BE6FDF8D53
ASKER
Ran GooredFix, didn't find anything:
GooredFix by jpshortstuff (08.01.10.1)
Log created at 21:34 on 24/03/2010 (Owner)
Firefox version [Unable to determine]
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
(none)
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistant Extension\" [08:06 15/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:31 14/05/2009]
---------- Old Logs ----------
GooredFix[02.32.11_25-03-2010].txt
-=E.O.F=-
Ran tdskiller, which didn't find anything either:
TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.2.8.1 Mar 22 2010 10:43:04
Scanning Services ...
Scanning Kernel memory ...
Completed
Results:
Memory objects infected / cured / cured on reboot: 0 / 0 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 0 / 0 / 0
ASKER
Also ran F-Secure Downadup removal tool in safe mode (w/o networking) and it didn't find anything either.
The computer does behave properly in safe mode, as in I can get to all the sites that I can't get to in normal mode. It also doesn't redirect any searches in safe mode. So it has to be something running, though what I can't figure out.
ASKER
Attached is the output from Gmer
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-24 22:19:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pgwyyaod.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF40B34FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF40B3322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF40B345C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs fp.sys (CDP Filesystem Filter Driver/IBM Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fp.sys (CDP Filesystem Filter Driver/IBM Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip mrxoko.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp mrxoko.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp mrxoko.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp mrxoko.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- EOF - GMER 1.0.15 ----
ASKER
Holy crap it's working. When I ran GMER it scanned the mrxoko.sys file and Avast saw it and removed it at that time. After a reboot everything seems to be working ok. Thanks to everyone for all the help!
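The tell in the logs above was a TDI filter driver (mrxoko.sys) sitting on \Driver\Tcpip with no vendor attribution, plus a ComboFix service entry loading that same file under an innocuous-looking name. The script below is an added example, not code from the thread or from any of the tools named in it: it parses GMER "AttachedDevice" lines to flag unattributed network filter drivers, then looks those filenames up in ComboFix's service list. The sample lines are constructed from the entries posted here, not the full logs.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the GMER "Devices" section and the
# ComboFix service list posted in the thread (not the complete logs).
GMER_SAMPLE = """\
AttachedDevice \\FileSystem\\Ntfs \\Ntfs fp.sys (CDP Filesystem Filter Driver/IBM Corporation)
AttachedDevice \\Driver\\Tcpip \\Device\\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \\Driver\\Tcpip \\Device\\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \\Driver\\Tcpip \\Device\\Ip mrxoko.sys
AttachedDevice \\Driver\\Tcpip \\Device\\Tcp mrxoko.sys
AttachedDevice \\Driver\\Tcpip \\Device\\Udp mrxoko.sys
"""

COMBOFIX_SAMPLE = """\
R1 AvgTdiX;AVG Free8 Network Redirector;c:\\windows\\system32\\drivers\\avgtdix.sys [6/26/2009 4:13 PM 242696]
R1 ql600oko;Avi Event Class iSCSI;c:\\windows\\system32\\drivers\\mrxoko.sys [10/12/2008 11:01 PM 32768]
S2 swoko;DHCP extensions Kernel Driver VMware;c:\\windows\\system32\\svchost.exe -k termsvc [2/28/2006 7:00 AM 14336]
"""

# GMER line shape: AttachedDevice <driver object> <device> <module> [(description/vendor)]
GMER_LINE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$")
# ComboFix service line shape: <state> <service>;<display name>;<image path> [<date> <size>]
CF_SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]\s*$")


def parse_gmer_devices(text):
    """Map each module to the devices it is attached to and its vendor string (None if GMER printed none)."""
    devices = defaultdict(lambda: {"attached_to": [], "vendor": None})
    for line in text.splitlines():
        m = GMER_LINE.match(line.strip())
        if not m:
            continue
        driver_obj, device, module, vendor = m.groups()
        entry = devices[module.lower()]
        entry["attached_to"].append(f"{driver_obj} {device}")
        if vendor:
            entry["vendor"] = vendor
    return devices


def unattributed_network_filters(text):
    """Modules filtering \\Driver\\Tcpip that carry no vendor attribution, the pattern mrxoko.sys showed."""
    found = parse_gmer_devices(text)
    return sorted(
        name for name, info in found.items()
        if info["vendor"] is None
        and any(a.lower().startswith("\\driver\\tcpip") for a in info["attached_to"])
    )


def combofix_services_for(text, module_names):
    """Find ComboFix service entries whose image file is one of the flagged module names."""
    wanted = {n.lower() for n in module_names}
    hits = defaultdict(list)
    for line in text.splitlines():
        m = CF_SERVICE_LINE.match(line.strip())
        if not m:
            continue
        state, service, display, image = m.groups()
        # Last path component, minus any trailing arguments such as "-k termsvc".
        basename = image.split("\\")[-1].split()[0].lower()
        if basename in wanted:
            hits[basename].append({"service": service, "state": state, "display": display})
    return dict(hits)


if __name__ == "__main__":
    suspects = unattributed_network_filters(GMER_SAMPLE)
    print("unattributed TCP/IP filter drivers:", suspects)
    for mod, svcs in combofix_services_for(COMBOFIX_SAMPLE, suspects).items():
        for s in svcs:
            print(f"  {mod}: loaded by service '{s['service']}' ({s['state']}), display name '{s['display']}'")
```

Vendor-attributed entries such as the avast!, AVG and IBM filters are left alone; only the attachment with no attribution is surfaced, together with the service that loads it.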
Glad to hear we could be of assistance!
We could've used ComboFix script function to remove it, as all the entries relating to that koobface "mrxoko" are showing in the ComboFix log.
Glad to know it's now resolved.
Have you checked host and lmhost files, that might be where you're getting your redirect from...