Another consrv.dll Victim Needing Help

Greetings All,

I’ve been working with a friend’s Asus laptop that was infected with a fake security program.

I have been able to get Avast Internet Security (AIS) running and have removed and deleted:

(1) isecurity.exe (Fake Security App)

(2) $REEEP7L.exe described as MSIL:Dropper

and

(3) other various temp, or infected files.

I’ve had some of the same problems as others here. Trying to repair or move consrv.dll causes a boot problem,
which needs to be repaired before troubleshooting can be resumed.

A current scan with AIS shows that only 4 files remain that need some type of “Action”.

(1) C:.…\consrv.dll High Threat: Win32:Siref-HO (Rtk)
(2) C:.…\consrv.dll High Threat: Win32:Siref-HO (Rtk)
(3) C:.…\RLO2j3.com High Threat: Win32:FakeAlert-BVT (Trj)
(4) C:.…\consrv.dll High Threat: Win32:Siref-HO (Rtk)

I believe it is time to try and run OTL and aswMBR, but I will definitely need some guidance.

The laptop’s OS Windows 7 SP1, 64 bit.

Thanks for any help.
Al
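The boot failure Al describes is the reason this consrv.dll cannot simply be moved: the Sirefef (ZeroAccess) variant that drops it wires the file in as a CSRSS ServerDll through the Session Manager SubSystems\Windows value, so csrss.exe fails at boot if the file is gone while the registry still names it. The PowerShell below is an added triage script, not code from this thread or from the OTL/aswMBR authors. It is read-only (it reports, it deletes and edits nothing), and it assumes that the ServerDll modules on a clean Windows 7 x64 install are basesrv, winsrv and sxssrv; the function names are mine.

```powershell
# Added example (not code from this thread or from the OTL/aswMBR authors).
# Read-only triage for the consrv.dll hijack pattern: it reports, it does not
# delete or edit anything, so it cannot trigger the boot failure described above.

# Modules that legitimately appear as ServerDll entries on a clean Windows 7 x64
# install (assumption; adjust for other Windows versions).
$ExpectedServerDlls = @('basesrv', 'winsrv', 'sxssrv')

function Get-CsrssServerDlls {
    # The CSRSS command line lives in the SubSystems\Windows value and lists the
    # server DLLs csrss.exe loads at boot; a rogue consrv.dll is registered here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
    $value = (Get-ItemProperty -Path $key -Name Windows).Windows
    [regex]::Matches($value, 'ServerDll=([^:,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also works on the PowerShell 2.0 that Windows 7 ships with.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

# 1. Flag any ServerDll module that is not part of the expected set.
foreach ($dll in Get-CsrssServerDlls) {
    if ($ExpectedServerDlls -notcontains $dll.ToLower()) {
        Write-Warning "Unexpected CSRSS ServerDll '$dll': csrss.exe will load $dll.dll at boot"
    }
}

# 2. Inventory every consrv.dll copy so hashes and signatures can be checked
#    before anything is quarantined.
foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    $path = Join-Path $dir 'consrv.dll'
    if (Test-Path -Path $path) {
        $file = Get-Item -Path $path -Force
        New-Object PSObject -Property @{
            Path      = $path
            Size      = $file.Length
            Modified  = $file.LastWriteTime
            SHA256    = Get-Sha256Hex $path
            Signature = (Get-AuthenticodeSignature -FilePath $path).Status
        }
    }
}
```

Run it from an elevated PowerShell prompt. If a ServerDll module is flagged, the registry entry and the file on disk have to be dealt with together, which is why the guided aswMBR/OTL fix later in this thread handles the removal rather than a manual move of the DLL.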

I believe it is time to try and run OTL and aswMBR, but I will definitely need some guidance.
you find the guide here http://forum.avast.com/index.php?topic=53253.0

attach the logs: lower left corner > additional options > attach

Monitoring

Thanks for link.

Results for MalwareBytes scan and repair.

OTL is on my Desktop. 8)

++++++++
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.02.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Jwoww :: J-PC [administrator]

2/2/2012 1:55:30 PM
mbam-log-2012-02-02 (13-55-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215061
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\System32\RLO2j3.com (Trojan.Krypt) → Quarantined and deleted successfully.
C:\Windows\SysWOW64\RLO2j3.com (Trojan.Krypt) → Quarantined and deleted successfully.
C:\Users\Jwoww\Downloads\FLVPlayerSetup.exe (Adware.Agent) → Quarantined and deleted successfully.

(end)

OTL.txt attached.

Extras.txt attached.

Note: Both files were too large in total to place both in one reply.

Should I wait for a reply to run aswMBR?

Should I wait for a reply to run aswMBR?
nope...run and attach log

Essexboy is logged out now, but will be back tomorrow. He is usually in here around 08:00pm - 11:59pm UK time.

Completed aswMBR scan, and the log file is attached.

Should I “Fix”, or wait for a reply?

Or, should I just wait for Essexboy’s reply tomorrow?

THX
Al

Should I "Fix", or wait for a reply?
you wait for Essexboy....so this is done properly ;)

OBS… that is the longest aswMBR log I have seen.

I thought I might have to split the log in two in order to attach. ;D

THX again.
Al

aswMBR gets better every time

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-72642340-1585939968-2348190475-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
[2011/11/18 23:19:20 | 000,000,000 | ---D | M] (StartNow Toolbar) -- C:\Users\Jwoww\AppData\Roaming\Mozilla\Firefox\Profiles\21lng6lc.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll ()
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll ()
O4 - HKLM..\Run: [StartNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe" File not found
[2011/12/24 04:50:50 | 000,000,112 | ---- | C] () -- C:\ProgramData\k3yIM1c.dat

:Files
ipconfig /flushdns /c
C:\Program Files (x86)\StartNow Toolbar
C:\Windows\tasks\At*.job

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Re-Run aswMBR

Click Scan

On completion of the scan
Click the Fix Button

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBR_Zero.png

Save the log as before and post in your next reply

Essexboy,

I started OTL 25 minutes ago (12:25 pm PST) and I got an alert box that read “Cannot create file C:\Windows\System32\drivers\etc\Hosts.” I clicked “OK” and OTL has the message at the bottom that says “Resetting HOSTS file. DO NOT INTERRUPT…” and it has had that message for over 12 minutes.

OTL may be stuck.

OK, close it out and manually reboot please - do you have Spybot?

Yes Spybot is installed on machine. I can remove if needed.

It is protecting the HOSTS file, and it does need resetting.

So if you could uninstall when we do the final sweep OTL run
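The "Cannot create file …\Hosts" alert and the hang at "Resetting HOSTS file" are what a tool like OTL shows when the hosts file has been locked, here by Spybot's hosts-file protection as Essexboy notes. The PowerShell below is an added example, not part of this thread or of OTL; it assumes the default hosts file location and that a clean Windows 7 hosts file contains only comment lines. It reads the file's state and lists active entries without changing anything, so it is safe to run before and after a reset.

```powershell
# Added example (not from this thread or from OTL): inspect the state of the
# hosts file that blocked OTL's [resethosts] step. Read-only; it modifies nothing.

function Get-HostsFileState {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $item = Get-Item -Path $hosts -Force   # -Force also returns hidden/system files

    # A read-only attribute (set by Spybot's hosts protection, or by malware that
    # wants its redirects to survive) is what makes "Cannot create file" errors
    # likely for tools that rewrite the file instead of editing it in place.
    New-Object PSObject -Property @{
        Path       = $hosts
        ReadOnly   = $item.IsReadOnly
        Attributes = $item.Attributes.ToString()
        Modified   = $item.LastWriteTime
        Size       = $item.Length
    }
}

function Get-ActiveHostsEntries {
    # Active entries are lines that start with an IPv4/IPv6 address followed by a
    # name; comment lines (including the default "# 127.0.0.1 localhost") are skipped.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }
}

Get-HostsFileState | Format-List

# On a clean Windows 7 install this list is empty (assumption stated above); any
# entry here, especially one pointing a security vendor's name at 127.0.0.1 or
# at an outside address, deserves a look before the file is reset.
$entries = @(Get-ActiveHostsEntries)
"$($entries.Count) active hosts entries"
$entries
```

If ReadOnly reports True, that is the lock a reset has to clear first; once the lock is gone, running the reset again and re-checking that the entry count drops to zero confirms it took effect.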

Spybot is uninstalled, and machine rebooted.

Waiting to restart OTL.

OK, you will notice the biggest difference when aswMBR has done its thing.

Don’t we need to re-run OTL with your script first before running aswMBR?

When you ran the OTL fix, resetting hosts was the last element, so it did the other removals.

So go straight to aswMBR fix run now please

The new scan with aswMBR indicated some removals had not been accomplished with OTL.

A 2nd scan with aswMBR and “FIX” appears to have quarantined all infected files.

The “fixed” aswMBR log file is attached.

Waiting for further instructions. :)