Hi,
Following this topic http://forum.avast.com/index.php?topic=53253.0
I have attached the log files.
HELPPPPPPp!!!
essexboy is notified… he is usually in here around 08:00pm - 11:59pm UK time
please also attach the aswMBR log and Malwarebytes log
thanks
Hi what problems do you have ?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Run OTL
Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
FF - prefs.js..browser.search.defaultenginename: "Web Search"
FF - prefs.js..browser.search.order.1: "Web Search"
FF - prefs.js..browser.search.selectedEngine: "Web Search"
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~2\WI3C8A~1\Datamngr\BROWSE~1.DLL (Bandoo Media, inc)
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll (Bandoo Media, inc)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll (Bandoo Media, inc)
:Files
ipconfig /flushdns /c
C:\PROGRA~2\WI3C8A~1
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
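As an added example (not from this thread and not OTL's own code), a small Python parser for the O2/O3/O20 lines in the fix above. The four sample lines are copied from the fix; the regexes, the OtlEntry record and the helper functions are my own. It pulls out the CLSID, the DLL path and the vendor string for each entry, lists the DLLs that AppInit_DLLs injects into every user32-linked process, and finds the directory all the Datamngr components share, which matches the folder the :Files section deletes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: four entry kinds copied from the OTL fix posted in this thread.
OTL_SAMPLE = r"""
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll ()
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll (Bandoo Media, inc)
"""
# Shape: "O20:64bit: - AppInit_DLLs: (name) - rest"; rest may hold a CLSID, a DLL path and a "(vendor)" tail.
LINE_RE = re.compile(r"^(?P<sec>O\d+)(?P<w64>:64bit:)? - (?P<kind>[^:]+): \((?P<name>[^)]*)\) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s()]+")
VENDOR_RE = re.compile(r"\(([^)]*)\)\s*$")
@dataclass
class OtlEntry:
    section: str          # O2 = BHO, O3 = toolbar, O20 = AppInit_DLLs
    wow64: bool           # True when OTL tagged the entry ":64bit:"
    kind: str             # "BHO", "AppInit_DLLs", or the registry key for O3
    name: str             # text inside the first parentheses
    clsid: Optional[str]
    path: Optional[str]   # None for "File not found" / "No CLSID value found"
    vendor: str           # trailing "(...)" text, "" when OTL printed "()"

def parse_otl(text: str) -> List[OtlEntry]:
    """Turn O2/O3/O20 lines of an OTL log into entries; lines of other kinds are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        clsid, path, vendor = CLSID_RE.search(rest), PATH_RE.search(rest), VENDOR_RE.search(rest)
        out.append(OtlEntry(m["sec"], bool(m["w64"]), m["kind"], m["name"],
                            clsid.group(0).lower() if clsid else None,
                            path.group(0) if path else None,
                            vendor.group(1) if vendor else ""))
    return out

def appinit_dlls(entries: List[OtlEntry]) -> List[str]:
    """DLLs Windows injects via AppInit_DLLs into every process that loads user32.dll."""
    return [e.path for e in entries if e.kind == "AppInit_DLLs" and e.path]
def common_root(entries: List[OtlEntry]) -> Optional[str]:
    """Deepest directory shared by all file paths (case-insensitive, as NTFS compares them)."""
    dirs = [e.path.rsplit("\\", 1)[0].split("\\") for e in entries if e.path]
    if not dirs:
        return None
    n = 0
    while n < min(map(len, dirs)) and len({d[n].lower() for d in dirs}) == 1:
        n += 1
    return "\\".join(dirs[0][:n])
```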
The problem is that avast reports as follows:
800000cb.@ c:\windows\assembly\tmp\U win32:Malware-gen
and Malwarebytes reports:
12:22:28 Lorenzo IP-BLOCK 193.105.135.219 (Type: outgoing, Port: 50141, Process: csrss.exe)
Thanks
Please also find attached the OTL log file after the “RUN FIX” and “QUICK SCAN” OTL commands.
Process: csrss.exe
Can you upload this to www.virustotal.com? When you have the result, copy the URL in the address bar and post it here for us to see.
thanks
Lorenzo
According to your VT results you uploaded otl2.txt, not the csrss.exe file Pondus is suggesting.
Dave is right, uploading the OTL scan result won’t help.
Ouch!! Sorry… but that’s very strange… on http://www.virustotal.com/ I try to upload the csrss.exe file using the VirusTotal form, but if I use the choose button I can’t find csrss.exe in my c:\windows\system32… but… if I open the folder manually… here it is!! So I’ve copied the file to a desktop folder and submitted it via the VirusTotal web page. This is the result:
Why this problem ???
INFO: using IEXPLORER the web page works! In the previous analyses I tried with CHROME and FIREFOX.
the “IE” result
I’ve tried to search by myself and I found this post:
http://forums.malwarebytes.org/index.php?showtopic=86064
and tried again with VirusTotal:
As you have now posted 4 different VT results with varying MD5s…
I suggest waiting for essexboy and following his instructions.
I have now adjusted my scans to take into account this new bit of malware ;D
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Run OTL
Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com//406
[2011/09/01 10:18:39 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\Lorenzo\AppData\Roaming\mozilla\Firefox\Profiles\cvhdmz3e.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
O2:64bit: - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - File not found
[2011/09/02 16:48:00 | 000,027,136 | ---- | C] () -- C:\Users\Lorenzo\Desktop\800000cb.@
:Files
ipconfig /flushdns /c
c:\windows\assembly\tmp
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
Thanks…
Lorenzo
One more question… must I delete the CONSRV.DLL file? On scanning this file with VirusTotal it is found as follows: http://www.virustotal.com/file-scan/report.html?id=8a6d6406969a8e332a8088e75b8c8cd4ea37277be4e03ee3d7dfbd73cdc5fa3a-1315382289
Thanks for all
Yep, that should go. How is the computer behaving now?
Before you remove it, since avast doesn’t detect it in your VT results, add it to the avast chest and send to avast.
Send the sample(s) to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’, complete the form and submit; the file will be uploaded during the next update. Note: manually adding to the chest doesn’t remove them from the original location, so they still have to be dealt with in that location.
Everything now seems to be ok…
T H A N K S !!!
Lorenzo
PS. CONSRV.DLL now deleted
Hopefully you sent it to avast to help improve detections before deletion ;D