consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]

Hi,
I was infected by the consrv.dll virus, which was intercepting my web queries and redirecting my browser.
I managed to get rid of desktop.ini, ping.exe, consrv.dll.
When fixing the problem I also had the BSOD problem after removing consrv.dll, but fixed it by editing the Windows registry to change consrv.dll to winsrv from the recovery console (as mentioned here http://www.bleepingcomputer.com/forums/topic400730.html/page__st__15__p__2271737#entry2271737)

So anyway, I'm basically virus free now: avast, AVG and Malwarebytes all give a clean bill of health when running a scan.
However, there is still a persistent virus dropper somewhere that keeps dropping consrv.dll into my C:\Windows\System32 folder, which Avast keeps putting into the Virus Chest (as Win32:Sirefef-HO [Rtk]). It must have put it into the virus chest over 100 separate times now.
So I'm not sure what is putting it there, but it is something that disguises itself pretty well, I guess.
Can anyone help?

Thanks,
J

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.

Hi, here are the logs.

Thanks,
J

I’m not a malware removal specialist, so I don’t know what methods this malware uses.

Unfortunately it is now 1:20am in the UK and essexboy who normally analyses these will be in bed. He is normally on-line after work around 7pm UK time.

Unless another of the specialists is able to pick this up it will be a while before he is able to look at it.

No problem. I'm just happy people are willing to help :)

From the description, this guy has the exact same virus I have http://forum.avast.com/index.php?topic=92751.0

I also had the files 80000004.$, 80000032.$, 80000032.@ as well (though no longer).

And before essexboy asks, no I do not have any service called “Safety Settings Service” listed in task manager.

Unfortunately I have also had 2 random BSODs today, which I guess are virus related. I have never had BSODs on this PC before.

Thanks,
J

Unfortunately it is a bit of a game of catch-up: whilst there are many similarities, they continue to create variants to make it easier to hide, which is why these analysis tools are used to gather the information before proceeding.

Some variants, if improperly removed, can cause problems on the system, which at times are harder to resolve than the malware. Some malware is also badly written and as such can have an impact on the normal running of your system.

Hi DaManJ,

I see you ran ComboFix. There should be a log at C:\combofix.txt; please post its contents.

Next

Please open OTL.

[*]Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, click the None button near the top (it may look greyed out)

[*]In the window under Custom Scans/Fixes copy and paste the following

[b]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTIDrvr /s
/md5start
incdrm.*
/md5stop

[/b]

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Please post back with
[*]combofix log
[*]OTL.txt

Thanks for joining the topic oldman.

Hi,
Here are the combofix and OTL logs.

Thanks,
J

Hi DaManJ,

That service doesn’t look quite right.

Please go to VirusTotal and submit the following file for analysis.
[*]use the choose file button to navigate to

C:\Windows\system32\incdrm.dll

[*]click the scan it button
If it says the file has already been scanned, click reanalyze

Please post the results.

Hi oldman,
I don't have any file at c:\windows\system32\incdrm.dll.

I uploaded the incdrm.dll at C:\Windows\SysNative\ and C:\Windows\system64\ though, but the scans didn’t find any problems.

It is interesting though, because all other dll’s in that folder have TrustedInstaller as owner under security tab of properties, but this dll does not have it, so it seems foreign.

Someone has written a comment on that website though of “Seems to be a zero access loader” (https://www.virustotal.com/file/77c3a8a545e7339fb149f20bf0864c7e5772022f4ced67236d8b78d51328dc12/analysis/1328754716/)

I've modified permissions to deny access to all users on incdrm.dll, so I'll reboot and see if avast keeps finding consrv.dll popping up.

Portable Executable structural information

PE Sections…:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 1664 2048 5.33 aaf91b113926ae493eec8c5d71878cff
.rdata 8192 1136 1536 3.34 56d6416c322465203a32f8f356694427
.data 12288 76 512 0.12 079c994a503500c2182eb28a393cac08
.pdata 16384 120 512 1.04 573a1379382940b53060c249d59a5f0d
.rsrc 20480 808 1024 2.69 04adb191b0415df07b52a8b2d37c9829

PE Imports…:

ADVAPI32.dll
RegisterServiceCtrlHandlerExW, SetServiceStatus

ntdll.dll
ZwDelayExecution, ZwClose, ZwQueryEaFile, ZwOpenThread, RtlFreeUnicodeString, ZwOpenFile, RtlDosPathNameToNtPathName_U, LdrFindEntryForAddress, ZwAlertThread, memcpy, strcmp, __chkstk

KERNEL32.dll
FreeLibrary, GetCurrentThreadId, GetCurrentProcessId, LocalFree, VirtualFree, VirtualAlloc, LocalAlloc

Cabinet.dll
-, -, -

PE Exports…:

ServiceMain
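The two observations above (system DLLs not owned by TrustedInstaller, and the NTIDrvr service key plus incdrm.* files that the OTL custom scan queries) can be checked together from an elevated PowerShell. This is an added example, not part of the thread or of OTL/ComboFix; the directory list, service name and file pattern are parameters taken from the thread, and the owner string is the one Windows normally sets on its own files.

```powershell
# Added triage script (not from the thread). Run from an elevated 64-bit
# PowerShell; on a 64-bit host System32 is then the real 64-bit directory
# (what OTL calls SysNative) and SysWOW64 holds the 32-bit copies.
param(
    [string[]]$Dirs = @("$env:windir\System32", "$env:windir\SysWOW64"),
    [string]$ServiceName = "NTIDrvr",   # service name from the OTL scan in the thread
    [string]$FilePattern = "incdrm.*"   # file pattern from the OTL scan in the thread
)

$expectedOwner = "NT SERVICE\TrustedInstaller"

foreach ($dir in $Dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # 1. DLLs whose owner is not TrustedInstaller: unusual for files shipped
    #    with Windows, so each hit deserves a closer look (not proof of infection).
    Get-ChildItem -LiteralPath $dir -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = (Get-Acl -LiteralPath $_.FullName).Owner
            if ($owner -ne $expectedOwner) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Owner   = $owner
                    Size    = $_.Length
                    Written = $_.LastWriteTime
                }
            }
        } | Format-Table -AutoSize

    # 2. Hash any incdrm.* present so it can be looked up on VirusTotal or
    #    submitted to the AV vendor, as the thread does later.
    Get-ChildItem -LiteralPath $dir -Filter $FilePattern -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
            "{0}  SHA256={1}" -f $_.FullName, $h.Hash
        }
}

# 3. The service the DLL is registered under (same key OTL was asked to dump).
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path -LiteralPath $key) {
    Get-ItemProperty -LiteralPath $key | Select-Object ImagePath, Start, Type | Format-List
    # For svchost-hosted services the DLL path is ServiceDll under Parameters.
    $params = Join-Path $key "Parameters"
    if (Test-Path -LiteralPath $params) {
        Get-ItemProperty -LiteralPath $params | Select-Object ServiceDll | Format-List
    }
} else {
    "Service key $key not present."
}
```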

Right, it seems that indeed was the dropper.
No consrv.dll respawn since reboot.
Any idea for removing that DLL? Should I just delete incdrm.dll and the registry key?

Btw for anyone else looking at this thread, I suggest getting this removal tool from ESET which targets this virus specifically - http://kb.eset.com/esetkb/index?page=content&id=SOLN2895
And make sure you have avast so the virus cannot respawn.

Thanks,
J

Btw, I have uploaded the incdrm.dll file here if someone wants to analyze it and add it to the avast definitions.

https://www.wuala.com/jeremylei/virus/?key=R0FRuDXCcpeX

Hi DaManJ,

We’ll make it go away.

We will be using Combofix again but will run it differently.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
[*]Click the Start button, click run
[*]in the run box type notepad
[*]click ok
[*]In the notepad, Click “Format” and be certain that Word Wrap is not checked.

[*]Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE



File::
C:\Windows\SysNative\incdrm.dll
C:\Windows\system64\incdrm.dll

Driver::
NTIDrvr

NetSvc::
NTIDrvr

In the notepad
[*]Click File, Save as…, and set the Save in to your usb device
[*]In the filename box, type (including quotation marks) as the filename: “CFScript.txt”
[*]Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post back with the combofix log.

Hi, here is the combofix log.

Thanks,
J

If you still have that file in the combofix quarantine, submit to the virus labs so that it can be added to the avast! detections.

Send the sample/s to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample (combofix quarantine or still in the original location) and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update. Note: manually adding to the chest doesn’t remove them from the original location, so they still have to be dealt with in that location, in due course by combofix, etc.

done :)

Thank you for helping to improve avast detections.

Hi DaManJ,

I’m not sure if combofix got all of it.

Next

Please open OTL.

[*]Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, click the None button near the top (it may look greyed out)

[*]In the window under Custom Scans/Fixes copy and paste the following

[b]
NetSvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTIDrvr /s
/md5start
incdrm.*
/md5stop

[/b]

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Please post back with
[*]OTL.txt

here it is,

OTL logfile created on: 10/02/2012 10:56:22 - Run 4
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Jeremy\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

7.89 Gb Total Physical Memory | 4.86 Gb Available Physical Memory | 61.68% Memory free
15.77 Gb Paging File | 12.37 Gb Available in Paging File | 78.41% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 285.20 Gb Total Space | 100.33 Gb Free Space | 35.18% Space Free | Partition Type: NTFS
Drive Q: | 11.72 Gb Total Space | 2.38 Gb Free Space | 20.30% Space Free | Partition Type: NTFS
Drive W: | 3.00 Gb Total Space | 2.18 Gb Free Space | 72.62% Space Free | Partition Type: FAT32

Computer Name: LACEY | User Name: Jeremy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

========== Custom Scans ==========

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTIDrvr /s >

< End of report >