Consrv.dll, cant find the dropper

hey guys ive recently become infected with this evil virus, ive managed isolate it, but avast is blocking it every 10mins or so. which leads me to believe the dropper still exists…

thanks for future help :slight_smile:

all the best from the uk

Hi BigmaccyD, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.

You have combofix on your computer so we will use it but will run it differently.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
[*]Click the Start button, click run
[*]in the run box type notepad
[*]click ok
[*]In the notepad, Click “Format” and be certain that Word Wrap is not checked.

[*]Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE



File::
C:\Windows\SysNative\ca-messagequeuing.dll

Driver::
Si3132r5

NetSvc::
Si3132r5

In the notepad
[*]Click File, Save as…, and set the Save in to your usb device
[*]In the filename box, type (including quotation marks) as the filename: “CFScript.txt”
[*]Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post back with the combofix log.

here is the combofix

thanks for the assist oldman :smiley:

Hi BigmaccyD,

How’s the computer? Is Avast still giving warnings?

[QUOTE]AV: avast! Antivirus Disabled/Updated {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Lavasoft Ad-Watch Live! Anti-Virus Disabled/Updated {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: avast! Antivirus Disabled/Updated {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Lavasoft Ad-Watch Live! Disabled/Updated {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender Enabled/Updated {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
[/quote]
The log shows multiple antivirus programs. There are also traces of AVG. This will not give you more protection but could actually results in less due to conflicts.

Please uninstall Lavasoft and AVG.

Next

[*]Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, underneath Output at the top change it to Minimal Output
[*]unCheck the boxes beside LOP Check and Purity Check.
[*]In the window under Custom Scans/Fixes copy and paste the following

[B]
netsvcs
/md5start
ca-messagequeuing.dll
consrv.dll
/md5stop

[/B]
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will a two notepad windows, OTL.Txt no Extras.Txt this time.

heya oldman, yeah the virus warnings have passed. although when i ran combofix to get the log i had to shut down the avast shields and combofix had to remove consrv.dll and sys64 folder. ?

i have uninstalled lavasoft at your request :slight_smile: as for avg they must be remnants of a past install as i dont have it on my system.

hese is the otl.log.

thanks for all the help so far you guys are awesome :slight_smile:

best wishes Marc

Hi BigmaccyD,

Your java is out of date. Click your start button > Control Panel
[*]Use the drop down menu beside view by and change it to small icons
[*]locate java (32bit) (looks like a coffee cup) in the list and click on it
[*]when the java console opens click the update tab
[*]Click update now

Next, Right click on OTL.exe and chose Run as Administrator to run it
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :

:Services

:OTL
O2:[b]64bit:[/b] - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll File not found
O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart)
DRV:[b]64bit:[/b] - (SirefefRemover) -- C:\Windows\SysNative\drivers\SirefefRemover.sys (ESET spol. s r.o.)

:Reg
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SirefefRemover]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

:Files
C:\Windows\SysNative\ca-messagequeuing.dll
C:\Windows\SysNative\dds_trash_log.cmd
C:\Windows\SysNative\drivers\SirefefRemover.sys
C:\Users\Marky\AppData\Roaming\AVG2012

:Commands
[resthosts]
[emptytemp]
[createrestorepoint]

Then click the Run Fix button at the top

[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.
[*]Reboot your computer
Please post the OTL fix log.

You have this program installed, Malwarebytes’ Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

[*]Click the Update tab
[*]Click Check for Updates
[*]If an update is found, it will download and install the latest version.
[*]The program will close to update and reopen.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[
]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Please post back with
[]OTL fix log
[
]MBAM log
Any problems?

hmm otl stops responding, at boot execute avg2012

normal or ?

edit, mbam finished without finding anything to remove still need the log ?

Hi

No need to post the MBAM log if it’s clean.

Let’s give the AVG Removal Tool a try. Download it from HERE and save it to your desktop.

double click it and follow the prompts.

Rerun the OTL fix, I removed the line OTL seems to be having problems with.

:Services

:OTL
O2:[b]64bit:[/b] - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll File not found
DRV:[b]64bit:[/b] - (SirefefRemover) -- C:\Windows\SysNative\drivers\SirefefRemover.sys (ESET spol. s r.o.)

:Reg
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SirefefRemover]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

:Files
C:\Windows\SysNative\ca-messagequeuing.dll
C:\Windows\SysNative\dds_trash_log.cmd
C:\Windows\SysNative\drivers\SirefefRemover.sys
C:\Users\Marky\AppData\Roaming\AVG2012

:Commands
[resthosts]
[emptytemp]
[createrestorepoint]

Post back with the OTL fix log.

ran avg cleaner as requested and otl straight after it completed with no errors this time :slight_smile:

also ive included the avg log so you can take a look at it

im not sure if this is the right otl as it saved it too otl moved files ? and not the desktop

best regards

marc

Hi BigmaccyD,

Everything looks pretty good.

One more scan to check for stragglers.

As a Vista/Win7 user you will need to right click your browser icon and select “Run as Administrator” in order to run this scan.
[]Do not use this instance of your browser for anything besides doing this scan
[
]When the scan is complete and the results saved, close that instance of your browser
[*]Open a new one the usual way and post the results in this topic.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Go here to run an online scannner from
ESET

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the activex control to install
[*]Disable your Antivirus software. You can usually do this with its Notfication Tray icon near the clock
[*]Click Start
[*]Make sure that the option “Remove found threats” is Unchecked, and the option “Scan unwanted applications” is Checked.
[*]Click Scan.
[*]Wait for the scan to finish.
[*]When the scan completes, click List of found threats
[*]click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
[*]Include the contents of this report in your next reply

Note - when ESET doesn’t find any threats, no report will be created.

[*]Push the back button.
[*]Push Finish
[*]Re-enable your Antivirus software.

ran esnet online scan and it came back clean bill of health :slight_smile:

Hi BigmaccyD,

One little fix to fix an error in the script I had you run.

Next, Right click on OTL.exe and chose Run as Administrator to run it
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :

:Services

:Commands
[resethosts]
[createrestorepoint]

Then click the Run Fix button at the top

[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.
Please post the OTL fix log

One more OTL log to see if anything is left. We’ll clean up the tools and send you on your way after you post back.

Open OTL if it’s not still open and click the Quick Scan button.

Please post back with both OTL logs.

Thanks

kicks out an error saying “cannot create file C:\windows\system32\drivers\etc\hosts”

and kicks out this file when closed, should i have left it to complete ? it seemed like it had hung and wasnt doing anything?

best wishes marc

Hi BigmaccyD,

Let’s try it this way. Regardless of the outcome of the fix please obtain a new OTL scan log after you run the fix.

:Services

:OTL
O1 - Hosts: 109.163.226.208 www.google-analytics.com.
O1 - Hosts: 109.163.226.208 ad-emea.doubleclick.net.
O1 - Hosts: 109.163.226.208 www.statcounter.com.
O1 - Hosts: 67.215.245.19 www.google-analytics.com.
O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.

:Commands
[createrestorepoint]
[reboot]

Post back with the OTL fix log and the new OTL.txt.

still coming up with the same error, but isnt giving any logs on close

Hi BigmaccyD,

Reboot the computer, After it starts open OTL and click the Quick Scan button.

here is the otl log

best wishes

Hi BigmaccyD,

Please download DDS and save it to your desktop.

[]Disable any script blocking protection
[
] Double click dds.scr to run the tool.
[]When done, DDS.txt will open.An additional log called Attach.txt should appear minimized on the task bar.
[
]Save both reports to your desktop before closing the DDS window.

heya, here are both logs from dds :slight_smile:

Hi BigmaccyD,

Use combofix fix with this script.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
[*]Click the Start button, click run
[*]in the run box type notepad
[*]click ok
[*]In the notepad, Click “Format” and be certain that Word Wrap is not checked.

[*]Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE



File::
C:\Windows\SysNative\ca-messagequeuing.dll
C:\Windows\System32\ca-messagequeuing.dll

Driver::
Si3132r5

NetSvc::
Si3132r5

DDS::
Hosts: 109.163.226.208 www.google-analytics.com.
Hosts: 109.163.226.208 ad-emea.doubleclick.net.
Hosts: 109.163.226.208 www.statcounter.com.
Hosts: 67.215.245.19 www.google-analytics.com.
Hosts: 67.215.245.19 ad-emea.doubleclick.net.
Hosts: 67.215.245.19 www.statcounter.com.



In the notepad
[*]Click File, Save as…, and set the Save in to your desktop
[*]In the filename box, type (including quotation marks) as the filename: “CFScript.txt”
[*]Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post back with the combofix log and a new DDS log.