consrv.dll and desktop.ini files have variants of sirefef - PLEASE HELP!

I’d been having all sorts of problems with my Win7 64bit laptop, including search being hijacked, and had run Malwarebytes Anti-Malware, which kept finding and removing stuff, but some of it kept coming back. I then downloaded and installed avast and let it do the scan on boot.

It found a bunch of stuff which I told it to delete, but when it came to the files in the windows folder (consrv.dll and desktop.ini) the warning of “Are you sure you want to delete files in the windows folder?” made me think twice and I told it to do nothing for those files (they couldn’t be repaired). Having done some searches, I’m sure glad I didn’t delete them as it sounds like my OS wouldn’t boot then!

I then launched Windows, updated my MBAM and re-ran it - it now found nothing. I re-ran avast from within Windows and, once again, it obviously found the same problems with desktop.ini and consrv.dll:

Windows\Assembly\GAC_32\Desktop.ini
Infected by Win32:sirefef-FQ [Drp]

Windows\Assembly\GAC_64\Desktop.ini
Infected by Win64:sirefef-C [Drp]

Windows\System32\consrv.dll|>[Embedded_I#1ac7]
infected by Win64:sirefef-C [Drp]

Windows\System32\consrv.dll|>[Embedded_I#2ac7]
infected by Win64:sirefef-FQ [Drp]

Windows\System32\consrv.dll|>[Embedded_I#46ff]
infected by Win64:sirefef-D [Drp]

Windows\System32\consrv.dll
infected by Win64:sirefef-C[Drp]

I launched my browser and was pleased to see that my search is no longer hijacked; however, I’m not comfortable having any remnants of any form of malware on my PC, especially those rated high severity, and searches in this forum tend to result in answers that are specific to that person’s system alone, so I figured I’d start my own thread…

Pre- and post-avast MBAM logs attached.

I hope someone can please help me!!!

Thanks in advance!
magichappens

p.s.
Here is what Avast found and deleted:

C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.8\8\db32fc8-640cdbf7|>Final.class
Infected by Java:CVE-2011-3554-AB [Expl]

C:\Windows\assembly\temp\U\00000002.@|>[Embedded_R#00290]
Infected by PUP:Win32:Agent-ANSR [PUP]

C:\Windows\assembly\temp\U\00000002.@
Infected by PUP:Win32:Agent-ANSR [PUP]

C:\Windows\assembly\temp\U\80000004.@
Infected by Win64f:ZAccess-A [Trj]

Follow this guide and attach all logs
http://forum.avast.com/index.php?topic=53253.0

The Malwarebytes logs you posted look like Chinese… you must save them as ANSI so we can read them.

Thank you, Pondus. I will follow that guide and then attach all logs. In the meantime, here are the ANSI versions of the MBAM logs…

Hi there, two programmes to run.

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs.

THEN

Download aswMBR.exe (1.8mb) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

This is 99% the new version of ZeroAccess. I remember I also had problems with that desktop.ini.
This would be the fourth case?

@magichappens, check in Control Panel/Administrative Tools/Services if you have the following service running: Safety Settings Service.

@essexboy, could this be the dropper?
C:\Users\me\AppData\LocalLow\Sun\Java\Deployment\cache\6.8\8\db32fc8-640cdbf7|>Final.class
Infected by Java:CVE-2011-3554-AB

No, desktop.ini is common on all variants… But I now know where to look in the net services, and both OTL and Combofix show them ;D

Yes, desktop.ini is common, but the resurrection of consrv.dll is unique to the new version. And if the dropper is that Java class from the Java cache, maybe we can find out more about this new version. I am 100% sure that I got infected not from my USB flash disk (I checked it and it doesn’t have any autorun on it) but from a malicious web site.

It may well be, but I do not yet have a dropper, as the majority self-delete.

Thanks for the customized suggestion, essexboy! While you were posting that, I’d been running OTL using the custom settings from the thread Pondus had pointed me to… I’ve attached the log files from that, but I am going to re-run OTL using the custom settings you provided and will then respond with the logs from that.

Of possible interest to both essexboy and driverx: I am 95% sure that I got this from visiting a particular website (using Firefox)…

Again, the attachments provided were from when I’d run OTL using the settings from the originally suggested thread, NOT the ones you just provided, essexboy - those will be coming shortly.

Thanks SO much for the help!!! It is greatly appreciated :)

If you have not yet started, could you go straight to aswMBR please, as this is the old variant.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
[2011/12/24 03:33:02 | 000,000,000 | ---- | C] () -- C:\ProgramData\CDm3Yk86.dat
[2011/12/13 13:32:21 | 000,009,312 | -HS- | C] () -- C:\Users\kickasso\AppData\Local\k4sy65m2tj2bbm
[2011/12/13 13:32:21 | 000,009,312 | -HS- | C] () -- C:\ProgramData\k4sy65m2tj2bbm

:Files
ipconfig /flushdns /c
C:\Windows\tasks\At*.job

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

This also doesn’t look good:
SRV - [2010/12/07 12:05:25 | 000,833,342 | ---- | M] ( ) [Auto | Stopped] -- C:\Windows\SysWOW64\regw2.exe -- (FLEXnet Licensing Manager)

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FFakeFlexnet.A&ThreatID=-2147325165

TrojanDropper:Win32/FakeFlexnet.A drops a copy of itself as "%windir%\System32\regw2.exe"

http://www.systemlookup.com/O23/5782-regw2_exe.html

Well, I searched and didn’t find any Adobe product installed on 2010/12/07.
And I don’t understand why it is listed, as its creation date is in 2010, not 2012.

EssexBoy,
Thanks again for the help. I’m a little confused… Were you basically saying that the OTL logs I provided were all you needed, so I should just go straight to aswMBR instead of re-running OTL using the custom scan info you had previously provided? If so, attached is the aswMBR log.

ALSO, was I then supposed to run OTL, but this time with the custom fix parameters you provided, as soon as aswMBR finished, or wait until you looked at the aswMBR log?? (I haven’t done this step yet and am awaiting confirmation from you that that’s how I should proceed.)

Sorry…this has been a long project trying to get this computer cleaned up, and it’s overwhelming - I’m usually the one friends ask to help with this kind of stuff, but I’ve never come across something this tough before…

again, thanks to all for the assistance!!

Aye, that was a bit confusing, as I was trying to get it all in before I went offline - sorry.

Re-run aswMBR

On completion of the scan press the FIX button and reboot.

Posting the generated log

Ok, I’ve done this. What now? Am I to use those custom scan fixes with OTL? I also do not know what to do with the generated log you posted… I’m starting to feel so dumb! Hope this isn’t too trying on your patience…

Much thanks for your help!!!

Also, the only threat that aswMBR detected was in consrv.dll, which it seems to have fixed. An avast! scan shows both desktop.ini files to still be infected, FWIW.

No, not a problem.

Could you re-run OTL and I will craft a fix to remove the final bits as well. Use the scan script as before.

OK, I ran OTL again with the same parameters as the first time. The log is attached. Was there also supposed to be an Extras.txt file? Because I ran OTL several times, but none was generated…

Thanks sooo much for your help!

You will only get the Extras log the first time unless otherwise requested.

Once this has run, can you let me know what problems remain.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
IE - HKU\S-1-5-21-3774729464-1119226116-4254079436-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;
[2011/12/24 03:33:02 | 000,000,000 | ---- | C] () -- C:\ProgramData\CDm3Yk86.dat
[2011/12/13 13:32:21 | 000,009,312 | -HS- | C] () -- C:\Users\kickasso\AppData\Local\k4sy65m2tj2bbm
[2011/12/13 13:32:21 | 000,009,312 | -HS- | C] () -- C:\ProgramData\k4sy65m2tj2bbm

:Files
ipconfig /flushdns /c
C:\Windows\tasks\At*.job
netsh int ip reset c:\resetlog.txt /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
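As an added example (not posted by anyone in this thread, and not part of OTL, aswMBR or avast), here is a read-only PowerShell triage script that checks for the indicators the helpers worked through above: the avast detections, the paths in the OTL custom scan and fix scripts, the "Safety Settings Service" / regw2.exe service entry, the loopback ProxyOverride value and the At*.job tasks. It assumes PowerShell 4.0 or later on the affected machine (for Get-FileHash), an elevated session, and that the per-user path C:\Users\kickasso\... in the fix generalises to %LOCALAPPDATA%; the ProxyServer check and the output file name sirefef-triage.txt are my additions, not from the thread. It reports; it removes nothing, so it can be run before and after the OTL fix to see what changed.

```powershell
# Added triage script for this thread (not from the forum helpers, OTL or aswMBR).
# Assumes PowerShell 4.0+ (Get-FileHash) in an elevated session on the affected PC.
# Read-only: it lists what is present so the findings can be compared with the
# OTL/avast results; it removes nothing.

$report = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$Kind, [string]$Detail) { $report.Add("[$Kind] $Detail") }

# 1. Files and folders named in the avast results and in the OTL scan/fix scripts.
#    The thread shows C:\Users\kickasso\...; $env:LOCALAPPDATA generalises that (assumption).
$paths = @(
    "$env:SystemRoot\System32\consrv.dll",          # avast/aswMBR hit; the thread's core marker
    "$env:SystemRoot\assembly\GAC_32\Desktop.ini",   # avast: Win32:sirefef-FQ
    "$env:SystemRoot\assembly\GAC_64\Desktop.ini",   # avast: Win64:sirefef-C
    "$env:SystemRoot\assembly\temp\U",               # dropped .@ files (avast)
    "$env:SystemRoot\assembly\tmp\U",                # path used in the OTL custom scan
    "$env:SystemRoot\SysWOW64\regw2.exe",            # fake "FLEXnet Licensing Manager" service image
    "$env:SystemRoot\System32\regw2.exe",            # FakeFlexnet.A drop location
    "$env:ProgramData\CDm3Yk86.dat",
    "$env:ProgramData\k4sy65m2tj2bbm",
    "$env:LOCALAPPDATA\k4sy65m2tj2bbm"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force   # -Force shows hidden/system entries (-HS- in OTL)
        Add-Finding 'PATH' ('{0}  attrs={1}  created={2:u}' -f $p, $item.Attributes, $item.CreationTimeUtc)
    }
}

# 2. The binaries the /md5start block asks OTL to hash. A SHA-256 is recorded so the
#    values can be compared against a known-clean machine or a vendor lookup. Note that on
#    Windows 7 catalog-signed system files report NotSigned from Get-AuthenticodeSignature,
#    so the status alone is not evidence; the hash is what to compare.
$bins = @("$env:SystemRoot\explorer.exe") +
        ('consrv.dll', 'winlogon.exe', 'userinit.exe', 'svchost.exe' |
            ForEach-Object { Join-Path $env:SystemRoot "System32\$_" })
foreach ($f in $bins) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $f).Status
    Add-Finding 'HASH' ('{0}  sha256={1}  signature={2}' -f $f, $hash, $sig)
}

# 3. Services: the "Safety Settings Service" driverx asked about, and any service whose
#    image is regw2.exe (the fake FLEXnet Licensing Manager entry in the OTL log).
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.DisplayName -eq 'Safety Settings Service' -or $_.PathName -match 'regw2\.exe' } |
    ForEach-Object {
        Add-Finding 'SERVICE' ('{0} ({1}) state={2} start={3} path={4}' -f
            $_.Name, $_.DisplayName, $_.State, $_.StartMode, $_.PathName)
    }

# 4. The per-user proxy settings the fix script removes (listed there under an HKU SID;
#    HKCU is the same key for the logged-on user). A loopback address with a port is the tell.
$isKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$is = Get-ItemProperty -Path $isKey -ErrorAction SilentlyContinue
foreach ($name in 'ProxyOverride', 'ProxyServer') {   # ProxyServer check is an addition
    $val = $is.$name
    if ($val -and $val -match '127\.0\.0\.1:\d+') { Add-Finding 'PROXY' ('{0} = {1}' -f $name, $val) }
}

# 5. At*.job scheduled tasks, which both fix scripts delete.
Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter 'At*.job' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'TASK' ('{0}  modified={1:u}' -f $_.FullName, $_.LastWriteTimeUtc) }

# Print the findings and keep an ANSI/ASCII copy on the desktop to attach alongside the OTL logs.
if ($report.Count -eq 0) { 'None of the indicators from this thread are present.' } else { $report }
$report | Set-Content -Path "$env:USERPROFILE\Desktop\sirefef-triage.txt" -Encoding ASCII
```

Run it from an elevated PowerShell prompt before the OTL fix and again after the reboot; a PATH or SERVICE line that survives the fix is what to report back in the thread, and the HASH lines let a helper confirm that consrv.dll really is gone rather than merely renamed.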