Consrv.DLL Rootkit problems

I’ve been running every program I’ve ever used to clean up infected systems with no luck removing this one. Avast keeps showing that svchost is creating consrv.dll right when I turn on my computer and then again every few hours or so.
The only other symptom aside from the Avast popup is that my shortcut icons aren’t showing; MBAM and Avast cleaned it up pretty well.

Thanks for any input, I appreciate the help

malware removal expert essexboy is notified…

You have to ask essexboy then :slight_smile: The last time I gave my own opinion my post was deleted, so I don’t think I should post any more of my suggestions here though…

Hi h4zmat,

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


File::
C:\Windows\SysNative\websensecpmcommunicationagent.dll

Driver::
stunnel

NetSvcs::
stunnel

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Jeff, a word of caution: the latest variant of this may need two or three runs with a CFScript to clear it… I have a few like that at the moment; trying to clear the leftover service with OTL may necessitate a system restore.

And welcome again to the madhouse ;D

Thanks essexboy! Yep, I have been looking over some of the logs you are working on as well and being sure to keep notes. :smiley:

I ran Combofix and Avast hasn’t blocked anything yet, looking good so far. All of my icons are still blank though.

Hi h4zmat,

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

AtJob::

DDS::
uInternet Settings,ProxyOverride = 127.0.0.1:9421

File::
c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe
c:\windows\system32\J8FNQN1.com

Folder::
c:\programdata\IObit
c:\program files (x86)\IObit

NetSvcs::
stunnel

Driver::
AdvancedSystemCareService5
aswSP
aswSnx
aswFsBlk
stunnel

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
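For anyone triaging a similar machine before running a removal tool, the following read-only PowerShell script is an added example and is not part of any post in this thread. It checks the host for the indicators that the CFScripts above act on: a consrv.dll in System32 (the file the OP’s Avast kept reporting svchost writing), a service or driver named stunnel and its registration in the svchost netsvcs group, a ProxyOverride entry pointing at 127.0.0.1:9421, and anything listening on that port. It assumes an elevated PowerShell prompt on a Windows 7-era 64-bit system; the registry paths are the standard Windows locations for services, the svchost group list and per-user Internet Settings, and the report formatting is my own.

```powershell
# Added example: read-only triage of the indicators named in the CFScripts above.
# Assumes an elevated PowerShell prompt; nothing is modified or deleted.
$findings = @()

# 1. consrv.dll in System32 (the file Avast reported svchost creating).
$dll = Join-Path $env:SystemRoot 'System32\consrv.dll'
if (Test-Path $dll) {
    $item = Get-Item $dll
    $sig  = Get-AuthenticodeSignature $dll
    $findings += "consrv.dll present: size=$($item.Length) modified=$($item.LastWriteTime) signature=$($sig.Status)"
}

# 2. 'stunnel' service/driver key (the Driver:: entry in the scripts).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\stunnel'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty $svcKey
    $findings += "Service key 'stunnel': ImagePath=$($svc.ImagePath) Start=$($svc.Start) Type=$($svc.Type)"
}

# 3. 'stunnel' listed in the svchost netsvcs group (the NetSvcs:: entry).
#    netsvcs is REG_MULTI_SZ, so Get-ItemProperty returns a string array.
$groups  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
if ($groups.netsvcs -contains 'stunnel') {
    $findings += "'stunnel' is registered in the svchost netsvcs group"
}

# 4. Per-user proxy settings (the DDS:: line reported ProxyOverride = 127.0.0.1:9421).
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyOverride -or $inet.ProxyServer) {
    $findings += "ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer) ProxyOverride=$($inet.ProxyOverride)"
}

# 5. Anything listening on the local port that the proxy override pointed at.
#    netstat is used rather than Get-NetTCPConnection, which only exists on Windows 8 and later.
$listeners = netstat -ano | Select-String ':9421\s' | Where-Object { $_ -match 'LISTENING' }
foreach ($line in $listeners) {
    $findings += "Listener on port 9421: $($line.ToString().Trim())"
}

# Report.
if ($findings.Count -eq 0) {
    'None of the indicators from the thread were found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

A clean machine should print the "None" line. Any hit is only a lead for the log-based cleanup the helpers walk through in this thread, not proof of infection on its own: a legitimately installed stunnel, for example, would also trip checks 2 and 3, which is why the script prints the ImagePath and signature status rather than just a yes/no.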

Here you go. Still no Avast popups & no icons showing

-edit- Ok so now I can’t get the Avast service to start, I tried reinstalling with no luck.

Reinstall once again and if no luck

follow the instructions given here:
http://www.avast.com/uninstall-utility

Then do an install again; that will be fixed. 8)

Hi,

Let’s hit it again. :slight_smile:

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


NetSvc::
stunnel

Driver::
stunnel

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

That did the trick, thanks!

My latest combofix log was too big to post, I had to upload it to another website.
http://www.sendspace.com/file/fikgzx

Hi,

Please run a new scan with OTL.
Be sure to include in the Custom Scan section the following bolded text:
netsvcs
CREATERESTOREPOINT

Once the scan is complete please post the newly created log.

Done

Hi h4zmat,

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

[*]Disable any script blocking protection
[*]Right-click and Run as Administrator dds to run the tool.
[*]When done, two DDS.txt’s will open.
[*]Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

Here ya go

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to virustotal, please click https://www.virustotal.com/

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

c:\windows\system32\drivers\FWPKCLNT.SYS

Scroll down a bit and click “send file”, wait for the results and post the link to your results into your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.

That file doesn’t seem to exist

Ok…thanks for letting me know.

Please download Malwarebytes’ Anti-Malware to your desktop.

[*]Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
[*]At the end, be sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select Perform quick scan
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Be sure that everything is checked, and click Remove Selected.
[*]When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

The log can also be found here:
C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes’ Anti-Malware\Logs\mbam-log-date (time).txt

ESET Online Scanner
I’d like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

As a Vista/Win7 user you will need to right click your browser icon and select “Run as Administrator” in order to run this scan.

[*]Do not use this instance of your browser for anything besides doing this scan
[*]When the scan is complete and the results saved, close that instance of your browser
[*]Open a new one the usual way and post the results in this topic.

[*]Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
[*]Click the
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png
button.
[*]For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
[*]Click on
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png
to download the ESET Smart Installer. Save it to your desktop.
[*]Double click on the
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png
icon on your desktop.

[*]Check
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png

[*]Click the Start button.
[*]Accept any security warnings from your browser.
[*]Check
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png

[*]Make sure that the option “Remove found threats” is Unchecked
[*]Push the Start button.
[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
[*]When the scan completes, push
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png

[*]Push
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png
, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
[*]Push the Back button.
[*]Push Finish

http://www.eset.com/onlinescan/

In your next reply please post the Malwarebytes and ESET online scanner logs. :slight_smile:

Done and done