consrv.dll and other issues...

A few days ago I noticed I was getting Google link redirects and extra pages loading with starting Firefox. I figured it was the standard Google redirect, ran what I used last time to get rid of it to no avail. After running a full scan with Avast, AVG, Kaspersky and MS essentials, MS found consrv.dll. I’ve tried to remove it and change the associated registry keys which result in no boot and windows unable to repair so I’m forced to restore to an infected restore. When running a full scan with Avast a few Java related items pop up and are cleared, but reappear upon reboot. Also, when starting most programs that access the internet Avast stops a DNS reloader from happening. MS labels consrv as x64/Sirefef.B. Lastly, windows firewall is disabled, security center service does not exist and action center reports Avast is turned off. Any help or advice is appreciated.

After running a full scan with Avast, AVG, Kaspersky and MS essentials,
So do you have all of these installed at the same time?

follow this guide and attach the logs http://forum.avast.com/index.php?topic=53253.0

how to attach: lower left corner > additional options > attach…
if logs are too big, upload to www.mediafire.com and post the download link here

No I am not running them all concurrently, I’ve tried many options over the past two days. Following the list now, will reply when finished.

Essexboy is notified and will look at the logs when posted :wink:

Attached are logs from Malwarebytes and OTL, aswMBR fails to complete without crashing and automatic reboot.

Hi, let's start to clean you up

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D7 C9 E6 0F 64 03 56 4C B9 32 C8 26 72 61 64 64 [binary data]
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D7 C9 E6 0F 64 03 56 4C B9 32 C8 26 72 61 64 64 [binary data]
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D7 C9 E6 0F 64 03 56 4C B9 32 C8 26 72 61 64 64 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D7 C9 E6 0F 64 03 56 4C B9 32 C8 26 72 61 64 64 [binary data]
IE - HKU\S-1-5-21-1669929063-1349940690-344728108-1001\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D7 C9 E6 0F 64 03 56 4C B9 32 C8 26 72 61 64 64 [binary data]
O3 - HKU\S-1-5-21-1669929063-1349940690-344728108-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
[2011/10/15 03:07:23 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\runouce.exe
[2011/10/15 03:07:23 | 000,000,000 | ---D | C] -- C:\Windows\rundll16.exe
[2011/10/15 03:07:23 | 000,000,000 | ---D | C] -- C:\Windows\RUNDL132.EXE
[2011/10/15 03:07:23 | 000,000,000 | ---D | C] -- C:\Windows\logo1_.exe
[2011/10/15 03:07:23 | 000,000,000 | ---D | C] -- C:\Windows\logo_1.exe

:Reg
[HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-1669929063-1349940690-344728108-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN
Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Attached are the logs from OTL. Combofix ran, but during reboot the system froze with only a cursor on a black background visible. After waiting 15 minutes with no HDD activity I performed a manual reboot; the system started fine and combofix resumed, however Avast reactivated and delayed combofix from running, which froze on the preparing log file section. After another 15 min of no activity I closed combofix; no log was generated. Thus far no warnings from either malwarebytes or avast.

After running a scan with Avast \windows\assembly\tmp\kwrd.dll was detected, Win32:Malware-gen.

OK, essexboy will be in bed now; it's just after 1:40am in the UK. He will be back on the forums later this evening.

When avast alerted, did you have it send it to the chest (if not I would say do so) ?

That’s me for the night too, my bed is calling.

I did have it send to chest, thanks for help. Sleep well!

It is still present - please ensure that Avast does not block combofix in any way, so disable all shields until you say start again

Please re-run combofix, allow it to update if it asks

Re-ran combofix with no hiccups. Attached are the generated log(s); I had to break it into two to be able to attach.

second part

I think you are in the time zone ping pong game right now, as essexboy is off-line right now (11:45pm UK time), so it may be tomorrow evening after work before he is back.

Not in a huge rush so long as it gets cleaned. Avast and Malwarebytes have stopped reporting violations so, so far so good.

OK Combofix took out the majority on the first run, then just removed the empty folder on the second… The log was rather large as Combofix took a snapshot

What problems are you experiencing now ?

Currently the only issue is intermittent notifications of windows security center service not starting. Otherwise there have been no further warnings from either Avast or Malwarebytes.

OK, let's check the file veracity

Go to Start > All Programs > Accessories
Right click Command prompt and select run as administrator
In the black box type sfc /scannow
You may need to reboot on completion
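The symptoms reported in this thread (Security Center service missing, firewall off, consrv.dll flagged as Sirefef) can be checked read-only before and after the fixes above. This is an added example, not a script from the thread or from essexboy's tools; it assumes Windows 7 x64 service names (wscsvc, MpsSvc, BFE, WinDefend) and a PowerShell prompt run as administrator.

```powershell
# Added example: read-only triage of the symptoms described in this thread.
# Assumed service names: wscsvc = Security Center, MpsSvc = Windows Firewall,
# BFE = Base Filtering Engine, WinDefend = Windows Defender.
$services = 'wscsvc', 'MpsSvc', 'BFE', 'WinDefend'
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        # A missing service (not just stopped) matches the "security center
        # service does not exist" report in the first post.
        Write-Output ("MISSING   {0}" -f $name)
    } else {
        $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
        Write-Output ("{0,-9} {1} (startup: {2})" -f $svc.Status, $name, $mode)
    }
}

# csrss.exe loads the server DLLs listed in this value. On a clean x64 system
# the console server is winsrv; the consrv.dll variant of Sirefef substitutes
# consrv here, which is why deleting the DLL alone left the system unbootable.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$windows = (Get-ItemProperty -Path $key -Name Windows).Windows
Write-Output "SubSystems\Windows = $windows"
if ($windows -match 'consrv') {
    Write-Output 'ALERT: SubSystems\Windows references consrv'
}

# Look for the DLL itself in both system directories.
foreach ($p in "$env:SystemRoot\System32\consrv.dll",
              "$env:SystemRoot\SysWOW64\consrv.dll") {
    if (Test-Path $p) { Write-Output "FOUND: $p" }
}

# Non-comment hosts entries: the OTL fix above resets this file, so anything
# other than localhost lines is worth a look.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() } |
    ForEach-Object { Write-Output "hosts: $_" }
```

Nothing here modifies the system; it only reports state so the repair steps in the thread can be confirmed.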

No integrity violations.

Is the security centre running now ?

Please download Malwarebytes’ Anti-Malware

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.