consrv.dll + 95p.com

Firstly I noticed the redirection of Google results to a site called 95p.com, so I thought that it is some kind of virus. Scanned with a bunch of antivirus programs (Kaspersky, BitDefender (which doesn't detect the virus), Norton Antivirus). MBM did find some infected files and deleted them.

Now it seems that only one file from the original “bundle” remained: consrv.dll, which is somehow created over and over again if you manage to delete it (if you try to delete it normally, Windows says that it's opened by csrss.exe).

The registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems\Windows has been modified by Kaspersky back to the original state (winsrv instead of consrv), so consrv.dll isn't started from this location anymore.

virustotal.com says: Compilation timedatestamp…: 2012-01-10 17:20:34, so I think it's a new ZeroAccess virus version: https://www.virustotal.com/file/c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1/analysis/1326785029/
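The check a responder would want to run at this point, as an added example that is not part of the original thread: read the csrss.exe subsystem definition the OP describes and verify every ServerDll module it names. The stock module names (basesrv, winsrv, sxssrv) are an assumption for Windows 7; the registry path and the consrv/winsrv swap come from the post above.

```powershell
# Added example (not from the thread): inspect the csrss.exe subsystem definition the
# OP found altered (ServerDll=consrv in place of winsrv) and check every module it names.
# Run from an elevated 64-bit PowerShell on the x64 machine; a 32-bit PowerShell would
# have System32 redirected to SysWOW64 and inspect the wrong files.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$windowsValue = (Get-ItemProperty -Path $key -Name Windows).Windows

# Stock ServerDll names on Windows 7; treat as an assumption for other releases.
$stock = 'basesrv', 'winsrv', 'sxssrv'

# Entries look like "ServerDll=winsrv:ConServerDllInitialization,2"; keep only the module name.
$modules = [regex]::Matches($windowsValue, 'ServerDll=([^:,\s]+)') |
    ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique

$md5 = [System.Security.Cryptography.MD5]::Create()
foreach ($name in $modules) {
    $path = Join-Path $env:SystemRoot ("System32\" + $name + ".dll")
    if (-not (Test-Path -LiteralPath $path)) {
        "{0,-8} MISSING {1}" -f $name, $path
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = [BitConverter]::ToString($md5.ComputeHash([IO.File]::ReadAllBytes($path))) -replace '-', ''
    # A module that is not one of the stock names, or whose signature does not verify, is the thing to look at.
    $verdict = 'ok'
    if ($stock -notcontains $name.ToLower() -or $sig.Status -ne 'Valid') { $verdict = 'SUSPECT' }
    "{0,-8} {1,-7} sig={2,-10} md5={3} {4}" -f $name, $verdict, $sig.Status, $hash, $path
}

# A DLL can stay mapped into csrss.exe after the registry value has been restored (the
# OP's situation), so also list every process that currently has consrv.dll loaded.
tasklist.exe /M consrv.dll
```

The signature and hash are read from disk by a user-mode process, so on a machine with a live kernel-mode rootkit they describe what the rootkit lets you see; that is the reason the thread later moves to an offline scan.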

Now it seems that it remained only one file from the original "bundle" : consrv.dl
do not delete it..... wait for Essexboy to arrive

also, attach your Malwarebytes log, and aswMBR

I’ve attached the missing logs in the first post and mbm logs here (before/after cleaning)
Dr Web does not find anything infected on the express scan, so I think this virus version wasn't added to its virus database.

There is at the moment only one tool that can repair this from within Windows.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

hi, combofix log attached

User32 failed the sig check, so let's replace them.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy::
c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll|c:\windows\system32\user32.dll
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll|c:\windows\SysWOW64\user32.dll
Save this as [b]CFScript.txt[/b], in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
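A way to confirm what the FCopy:: step did, as an added example that is not part of the thread and not a ComboFix feature: compare the live user32.dll copies with the winsxs copies the script restores from. The winsxs directory names are taken from the script above (Windows 7 RTM x64, build 6.1.7600.16385) and will differ on any other build.

```powershell
# Added example (not from the thread): confirm the result of the FCopy:: step by
# comparing the live user32.dll copies with the winsxs copies the script uses. The winsxs
# directory names are taken from that script (Windows 7 RTM x64, build 6.1.7600.16385);
# a serviced or SP1 system has different names. Run elevated from 64-bit PowerShell.
$pairs = @{
    'C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll' = 'C:\Windows\System32\user32.dll'
    'C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll' = 'C:\Windows\SysWOW64\user32.dll'
}

function Get-Md5Hex([string]$Path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    [BitConverter]::ToString($md5.ComputeHash([IO.File]::ReadAllBytes($Path))) -replace '-', ''
}

foreach ($source in $pairs.Keys) {
    $live = $pairs[$source]
    if (-not (Test-Path -LiteralPath $source)) { "winsxs copy missing: $source"; continue }
    $srcHash  = Get-Md5Hex $source
    $liveHash = Get-Md5Hex $live
    $sig = Get-AuthenticodeSignature -FilePath $live
    # Same bytes as the component store and a valid signature is the expected state after FCopy.
    $state = 'DIFFERS'
    if ($srcHash -eq $liveHash -and $sig.Status -eq 'Valid') { $state = 'match' }
    "{0,-7} sig={1,-10} live={2} winsxs={3} {4}" -f $state, $sig.Status, $liveHash, $srcHash, $live
}

# Windows' own component-store check of the same two files (sfc /VERIFYFILE exists on Windows 7).
sfc.exe /VERIFYFILE=C:\Windows\System32\user32.dll
sfc.exe /VERIFYFILE=C:\Windows\SysWOW64\user32.dll
```

A hash mismatch together with a valid signature just means the live file is a newer serviced version than the RTM copy in winsxs; the combination that matters is a signature that does not verify.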

Done that, log attached. It seems that user32 no longer fails the sig check

Are you still getting the alerts ?

consrv.dll is still in use, so maybe I need to reboot?
I'm a little bit afraid to reboot because this morning Windows entered into a rebooting cycle and I needed to do a system restore…

anyway
I've made some further investigations. I've found some suspect files in c:\Windows\assembly\tmp (via Total Commander, because Windows is showing a custom view for this folder):
loader.tlb and {1B372133-BFFA-4dba-9CCF-5474BED6A9F6}. Google search reveals that the last one is linked to ZeroAccess.

I've done a search in the system for .tlb files. I've found in C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp and in C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp the following file: {E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb
Since MBM has found the file {E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb as Rootkit.ZeroAccess, I think that {E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb is somehow suspect, because of the name and the creation date.
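The file hunt the OP did by hand, as an added example that is not part of the thread: list the three locations named above, bypass the shell's custom view of \Windows\assembly (Get-ChildItem reads the file system, not the shell namespace), and flag GUID-named entries and .tlb files. The GUID pattern is an assumption based on the names the OP reports.

```powershell
# Added example (not from the thread): list the locations where the OP found
# ZeroAccess droppings. -Force shows hidden/system entries, and Get-ChildItem is not
# subject to the shell folder view that hides the real contents of \Windows\assembly.
# Run elevated; the ServiceProfiles temp folders are not readable by a standard user.
$locations = @(
    'C:\Windows\assembly\tmp',
    'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp',
    'C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp'
)

# Names seen in the thread: a bare GUID in braces, with or without a .tlb extension (assumption).
$guidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}(\.tlb)?$'

foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { "{0}: not present" -f $dir; continue }
    "== $dir"
    Get-ChildItem -LiteralPath $dir -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object CreationTime |
        ForEach-Object {
            # The OP keyed on name and creation date; sorting by creation time clusters files dropped together.
            $flag = ''
            if ($_.Name -match $guidName -or $_.Extension -eq '.tlb') { $flag = 'SUSPECT' }
            "{0,-7} created={1:yyyy-MM-dd HH:mm:ss} attrs={2,-12} {3}" -f $flag, $_.CreationTime, $_.Attributes, $_.FullName
        }
}
```

Type libraries are a legitimate file type elsewhere under Windows; the point here is only that a GUID-named .tlb in a service account's Temp folder, created at the same moment as a file an AV already called Rootkit.ZeroAccess, is worth submitting rather than ignoring.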

consrv.dll is still in use, so maybe i need to reboot?
Often there is a hang in the system after running ComboFix... and rebooting twice usually fixes that.

rebooted ok. consrv.dll still in use by csrss.exe.
:-X

OK, time for working outside of Windows using a Linux boot disc.

Please download the following programmes to your desktop:

Dr Web Live CD

ImgBurn

Install IMGBurn

[*]Double click Dr Web
[*]IMGBurn will open
[*]Burn the ISO to a cd

[*]Reboot the infected computer with the CD in the drive
[*]Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
[*]As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif

[*]Use arrow keys to select DrWeb-LiveCD (Default)

[*]When the system is loaded, check the disks or folders you want to scan, and click on “Start”.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif

[*]The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
[*]Once completed reboot to normal Windows
[*]No log is produced, so once in normal Windows run a fresh OTL scan and let me know if the problems persist.

essexboy, thank you for your help.
I've tried Dr Web Live CD, but it starts only in console mode (throws some error when trying to start in graphics mode). It does not have the possibility to change the scan mode, so it scans every file on the hard drive, and besides this, it does it very slowly… I've waited about 20 minutes and stopped it when it started to scan even the files inside .iso files… I'll give it a try tomorrow but I'm not expecting miracles because the Windows version of Dr Web didn't even detect consrv.dll as malware…
thank you again

OK, let's try something completely different.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
@Alternate Data Stream - 60 bytes -> C:\Users\user2\Documents\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\Users\user2\Desktop\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\Users\user2\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\.TemporaryItems:AFP_AfpInfo

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

THEN

Run OTL with the following script in the custom scans and fixes box, then press run scan

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
csrss.*
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U*.* /s
CREATERESTOREPOINT

.DS_Store files are created by Mac OS X, so no threat here…
After the two steps, consrv is still there, still in use by csrss.

The consrv.dll MD5 is wrong, so what I will do is move it to quarantine. I would then like another run with aswMBR.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
[2009/07/14 03:39:46 | 000,030,208 | ---- | M] () MD5=1149C1BD71248A9D170E4568FB08DF30 -- C:\Windows\SysNative\consrv.dll

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

consrv.dll is back in system32 :-X

OK, let's try GMER's new automated fix…

Re-run aswMBR and on completion of the scan press the fix button and reboot

Well, the fix button is disabled. I'm a little bit afraid to click on fixmbr because I don't know what it's gonna do to the MBR, what if it's fixing it +wrong+?

No, do not do the fixmbr.

The final big hammer

  1. Please download The Avenger by Swandog46 to your Desktop.

[*]Right click on the Avenger.zip folder and select “Extract All…”
[*] Follow the prompts and extract the avenger folder to your desktop

  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to delete:
C:\Windows\SysNative\consrv.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Avenger%20shots/avengerico.gif

[*]Accept the disclaimer

http://i1224.photobucket.com/albums/ee362/Essexboy3/Avenger%20shots/avengerdisclaimer.gif

[*] Right click on the window under Input script here:, and select Paste.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Avenger%20shots/avengerfront.gif

[*] You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
[*] Click on Execute

[*] Answer “Yes” twice when prompted.

  4. The Avenger will automatically do the following:

[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

  5. Please copy/paste the content of c:\avenger.txt into your reply.
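How a file that is locked while Windows is running gets removed at boot, as an added example that is not part of the thread and is not The Avenger's own mechanism: the Windows API MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues the deletion in PendingFileRenameOperations, which smss.exe carries out at the next boot before it starts csrss.exe, the process that holds consrv.dll here. The target path is the one from the Avenger script above, written as its real 64-bit path (SysNative is only visible to 32-bit processes such as OTL); the backup location is an assumption.

```powershell
# Added example (not from the thread, and not how The Avenger works internally): the
# Windows-native way to remove a file that is locked while the system is up.
# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the request under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations;
# smss.exe carries it out early at the next boot, before csrss.exe starts. It does nothing
# against whatever keeps re-creating the file, which is why the thread also went to an
# offline scan. Run elevated from 64-bit PowerShell.
# Real 64-bit path: "SysNative" only exists for 32-bit processes such as OTL.
$target = 'C:\Windows\System32\consrv.dll'

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# Keep a copy first, the way The Avenger does, so a mistaken deletion can be undone
# and the sample can still be submitted. Backup location is an assumption.
$backup = Join-Path $env:TEMP ('consrv.dll.' + (Get-Date -Format 'yyyyMMddHHmmss') + '.bak')
Copy-Item -LiteralPath $target -Destination $backup

# A null destination means "delete at boot".
$ok = [Win32.Native]::MoveFileEx($target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
if (-not $ok) {
    throw ("MoveFileEx failed, Win32 error " + [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}

# Show what smss.exe will process: entries come in source/destination pairs, the
# destination being empty for a delete.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations
```

This explains why a reboot is part of every removal step in the thread, and also its limit: a rootkit with a kernel driver can intercept the request or simply drop the file again, which is what the OP kept seeing.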