Firstly, I noticed that Google results were being redirected to a site called 95p.com, so I thought it was some kind of virus. Scanned with a bunch of antivirus programs (Kaspersky, BitDefender (which doesn't detect the virus), Norton AntiVirus). MBM did find some infected files and deleted them.
Now it seems that only one file from the original "bundle" remains: consrv.dll, which is somehow re-created over and over again if you manage to delete it (if you try to delete it normally, Windows says that it's open in csrss.exe).
The registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems\Windows has been changed back to the original state by Kaspersky (winsrv instead of consrv), so consrv.dll isn't started from this location anymore.
I've attached the missing logs to the first post and the MBM logs here (before/after cleaning).
Dr.Web does not find anything infected on the express scan, so I think this virus version hasn't been added to its virus database yet.
There is at the moment only one tool that can repair this from within Windows.
Download and Install ComboFix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
- Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
consrv.dll is still in use, so maybe I need to reboot?
I'm a little bit afraid to reboot because this morning Windows entered a reboot cycle and I needed to do a system restore...
anyway
I've made some further investigations. I've found some suspect files in C:\Windows\assembly\tmp (via Total Commander, because Windows shows a custom view for this folder): loader.tlb and {1B372133-BFFA-4dba-9CCF-5474BED6A9F6}. A Google search reveals that the latter is linked to ZeroAccess.
I've searched the system for .tlb files. In C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp and in C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp I found the following file: {E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb
Since MBM found the file {E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb as Rootkit.ZeroAccess, I think that {E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb is somehow suspect, because of the name and the creation date.
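The two indicators discussed in this thread (the csrss.exe subsystem value pointing at consrv instead of winsrv, and GUID-named .tlb files under the service profiles' Temp folders and under Windows\assembly\tmp) can be checked without any of the cleaning tools. The following is an added Python example, not code from the thread or from any of the tools mentioned in it. It parses the "Windows" value of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems as a string (on the affected machine it can be copied out with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" /v Windows`) and flags any ServerDll= module that is not in a known-good set. The sample registry strings and the directory listing are constructed; the known-good set {basesrv, winsrv, sxssrv} is an assumption for Windows Vista/7, and the path heuristics are only those the thread itself describes.

```python
import re

# --- Constructed sample data (not captured from the poster's machine) ---

# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, value
# "Windows", roughly as found on a clean Windows 7 system. Assumption: the
# SharedSection sizes and module order vary by edition; only the
# ServerDll= module names matter to this check.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    r"ProfileControl=Off MaxRequestThreads=16"
)

# The same value with the substitution the thread describes: the console
# server entry names consrv instead of winsrv, so csrss.exe loads
# %SystemRoot%\System32\consrv.dll at boot (which is why the file is "in use").
INFECTED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

# Modules that legitimately appear as ServerDll= entries on Vista/7
# (assumption; extend for other Windows versions).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed listing mixing the poster's suspect locations with benign
# files, to exercise the path heuristic.
SAMPLE_PATHS = [
    r"C:\Windows\System32\stdole2.tlb",
    r"C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb",
    r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb",
    r"C:\Windows\assembly\tmp\loader.tlb",
    r"C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}",
    r"C:\Users\user\AppData\Local\Temp\report.txt",
]

# ServerDll=<module>[:<entrypoint>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=([^\s,:]+)(?::([^\s,]+))?,(\d+)")
# {8-4-4-4-12 hex}, optionally with a .tlb extension
GUID_NAME_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}(\.tlb)?$")
SERVICE_TEMP_RE = re.compile(
    r"\\ServiceProfiles\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
ASSEMBLY_TMP_RE = re.compile(r"\\Windows\\assembly\\tmp\\", re.IGNORECASE)


def parse_server_dlls(value):
    """Return [(module, entrypoint or None, index)] for each ServerDll= token."""
    return [(m.group(1).lower(), m.group(2), int(m.group(3)))
            for m in SERVERDLL_RE.finditer(value)]


def unexpected_server_dlls(value, known=KNOWN_SERVER_DLLS):
    """ServerDll entries whose module is not in the known-good set."""
    return [e for e in parse_server_dlls(value) if e[0] not in known]


def suspect_paths(paths):
    """Files matching the pattern the thread describes: GUID-named files under
    a service profile's Temp folder, and GUID-named or .tlb files under
    Windows\\assembly\\tmp. A heuristic, not a detection of ZeroAccess itself."""
    hits = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        guid_like = bool(GUID_NAME_RE.match(name))
        if SERVICE_TEMP_RE.search(p) and guid_like:
            hits.append(p)
        elif ASSEMBLY_TMP_RE.search(p) and (guid_like or name.lower().endswith(".tlb")):
            hits.append(p)
    return hits


if __name__ == "__main__":
    for label, val in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE)):
        print(label, "unexpected ServerDll entries:", unexpected_server_dlls(val))
    for p in suspect_paths(SAMPLE_PATHS):
        print("suspect:", p)
```

On the infected sample the check reports `consrv` with the ConServerDllInitialization entry point at index 2; on the clean sample it reports nothing. Because CurrentControlSet is a link to whichever ControlSetNNN is active, the value should be read from CurrentControlSet rather than a specific numbered set, and any module it names that is not a Windows-supplied DLL in System32 deserves a look before rebooting, since csrss.exe will load it at the next boot.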
- Double click Dr Web
- IMGBurn will open
- Burn the ISO to a CD
- Reboot the infected computer with the CD in the drive
- Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
- As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
- The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
- Once completed, reboot to normal Windows
- No log is produced, so once in normal Windows run a fresh OTL scan and let me know if the problems persist
essexboy, thank you for your help.
I've tried the Dr.Web Live CD, but it starts only in console mode (it throws an error when trying to start in graphics mode). It does not have the option to change the scan mode, so it scans every file on the hard drive, and besides, it does so very slowly... I waited about 20 minutes and stopped it when it started to scan even the files inside .iso files... I'll give it another try tomorrow, but I'm not expecting miracles, because the Windows version of Dr.Web didn't even detect consrv.dll as malware...
thank you again
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click aswMBR.exe to run it. Click the "Scan" button to start the scan.
Well, the Fix button is disabled. I'm a little bit afraid to click on FixMBR because I don't know what it's going to do to the MBR; what if it "fixes" it wrong?
Please download The Avenger by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select "Extract All..."
- Follow the prompts and extract the avenger folder to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to delete:
C:\Windows\SysNative\consrv.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Now, open the avenger folder and start The Avenger program by clicking on its icon.
- You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
- Click on Execute
- Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
- It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop; this is normal.
- After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of C:\avenger.txt into your reply.