consrv.dll zeroaccess but no "Safety Settings Service"

It started with a cpu hog, checked Task Manager and saw ping.exe constant at 50%

I used Kaspersky, Norton, Malware etc.

Then BSOD, so I had to make a Repair CD and regedit from consrv.dll to winsrv.dll
Got back in Windows, everything seemed fine.

Except the fact that consrv.dll is used by csrss.exe

I dont have “Safety Settings Service” in Services.

aswMBR says Win32:Sirefef-H0 [Rtk]

I can post log once it’s done scanning… (First time I clicked “Fix” but the program became unresponsive after putting consrv.dll in quarantine)

follow the guide here and attach the logs
http://forum.avast.com/index.php?topic=53253.0

OTL coming up

Do you need Malwarebytes’ Anti-Malware log when it doesnt detect anything?

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-09 20:56:40

20:56:40.238 OS Version: Windows x64 6.1.7601 Service Pack 1
20:56:40.238 Number of processors: 2 586 0x1706
20:56:40.239 ComputerName: KIMXPS UserName: kim
20:56:41.046 Initialize success
20:56:44.206 AVAST engine defs: 12020902
20:56:54.839 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-2
20:56:54.841 Disk 0 Vendor: FUJITSU_MHZ2320BH_G2 00850009 Size: 305245MB BusType: 11
20:56:54.887 Disk 0 MBR read successfully
20:56:54.890 Disk 0 MBR scan
20:56:54.894 Disk 0 Windows 7 default MBR code
20:56:54.903 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:56:54.923 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 83366 MB offset 206848
20:56:54.928 Disk 0 Partition - 00 0F Extended LBA 71000 MB offset 170940416
20:56:54.958 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 150776 MB offset 316348416
20:56:54.994 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 70999 MB offset 170942464
20:56:55.001 Service scanning
20:56:56.417 Modules scanning
20:56:56.422 Disk 0 trace - called modules:
20:56:56.465 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
20:56:56.471 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80045f4060]
20:56:56.476 3 CLASSPNP.SYS[fffff8800180143f] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-2[0xfffffa800418f060]
20:56:57.294 AVAST engine scan C:\Windows
20:57:02.139 AVAST engine scan C:\Windows\system32
20:57:20.239 File: C:\Windows\system32\consrv.dll INFECTED Win32:Sirefef-HO [Rtk]
21:01:25.950 AVAST engine scan C:\Windows\system32\drivers
21:01:38.285 AVAST engine scan C:\Users\kim
21:15:40.507 File: C:\Users\kim\AppData\Local\Temp~Quarantine.aswMBR\consrv.dll INFECTED Win32:Sirefef-HO [Rtk]
21:19:59.359 AVAST engine scan C:\ProgramData
21:21:37.994 Scan finished successfully
21:21:53.260 Disk 0 MBR has been saved successfully to “C:\MBR.dat”
21:21:53.266 The log file has been saved successfully to “C:\aswMBR.txt”

Do you need Malwarebytes' Anti-Malware log when it doesnt detect anything?
No

OBS: and you need to attach the OTL logs, and save as ANSI…to avoid using multiple post with copy and paste… see the guide

OTL attached edit: ANSI version uploaded

Let me know if there’s anything else you need.

Re-Run aswMBR

Click Scan

On completion of the scanClick the Fix Button

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBR_Zero.png

Save the log as before and post in your next reply

How long will a Fix take?

Once I click Fix there’s a new line Moved: C:/…consrv.dll and then the program becomes unresponsive… if I click in the program there’s a Windows sound. This is third time, I have waited about 1 hour prior

Edit: aswMBR.exe*32 uses 0 cpu and 56 MB ram…

ComboFix log

Major update…

http://img835.imageshack.us/img835/4357/regeditv.jpg

http://img835.imageshack.us/img835/4357/regeditv.jpg

Everytime I restart service DXEC02 (servicelayer in regedit) avast pops up with a warning about the rootkit

path to execute
C:\Windows\system32\svchost.exe -k netsvcs

A bit puzzled about the other entries… For instance PolicyAgent has Display name @%SystemRoot%\System32\polstore.dll,-5010
So I searched the web and found this http://www.systemlookup.com/O23/5345-polstore_dll.html
A restart of that service does not make Avast detect anything.

Ipsec should be running at all times…

According to the combofix log aswMBR killed the consrv.dll and repaired the registry before it locked

How is the computer behaving now ?

The computer is behaving fine. Thanks for the help.

I stopped IPsec last time I replied here just for good measure. Restarted it now.

The computer has been running fine since stopping DXEC02, and the attempts to establish a connection to my computer (from hundreds of IPs and various ports) has stopped.

Is there a relative easy way to remove the traces of this rootkit? I’m not too keen on having service (though disabled) that can cause a lot of trouble and who knows what else is laying around.

Shouldnt I be worried about the other regedits ? That’s the only entries in HKLM..\services\ in a timestamp of days.

Edit: In case of misunderstanding. The above post about regedit was made after using aswMBR thus consrv.dll and the entries in registry was there after clicking “Fix”.

The service DXEC02 is for the Knowles speech enhancement audio driver…

Do you wish to delete the service ?

Is Avast still alerting as this may be the new variant with a different name

Avast hasnt detected anything since I repeatedly restarted DXEC02 and I’m not too eager to do it again since I just replaced all my passwords… But if you need a copy of the virus I can do it.

There’s no doubt that this version of the rootkit is disguised as DXEC02.

My hosts file is repaired, I can now edit it myself. Earlier it had a weird entry with a colon in front or behind 127.0.0.1

I’d like to get rid of the service if possible.

It is the new variant but it has changed again - so lets kill it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL SRV:64bit: - [2009.07.14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\STV680m.dll -- (servicelayer) NetSvcs:64bit: servicelayer - C:\Windows\SysNative\STV680m.dll (Oak Technology Inc.) [2009.07.14 02:39:46 | 000,051,712 | ---- | M] () MD5=CEF08BD499D029B6E685850CAC86F749 -- C:\Windows\SysNative\consrv.dll

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I will do it in 2 hours.

Did a boot up scan during the night

02/11/2012 04:29
Scan of all local drives

File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_1b3a2ca9472cedf3457ccff54f6c5c016cdf6_cab_042cea99\WERE751.tmp.hdmp is infected by Win32:DNSChanger-VJ [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash__ex-68.exe_e0b41f88c6e8b2dea88ae6cd8babf5761c1075ae_cab_3748061a\WER5B0.tmp.mdmp is infected by Win32:Kelihos-AF [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash__ex-68.exe_e0b41f88c6e8b2dea88ae6cd8babf5761c1075ae_cab_3748061a\WERFF0B.tmp.hdmp is infected by Win32:DNSChanger-VJ [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_AMService_e3965e73f5257183d7da29864e8f39a6e9a898_cab_03cbad1f\WER9A4C.tmp.hdmp is infected by Win32:DNSChanger-VJ [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir is infected by Win32:Sirefef-HO [Rtk], Repair: Error 42060 {The file was not repaired.}
File C:\Windows\assembly\temp\twl.dll is infected by Win32:Agent-ANSR [PUP], Repair: Error 42060 {The file was not repaired.}

I probably did a mistake by choosing Repair instead of Ask/Delete so the files didnt get deleted

The *dumps are probably FP’s

Delete the one in the assembly temp folder
The qoobox is quarantined

Once the bad service is removed all should be good

“Range check error”

I think this was left

[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Did a reboot myself, BSOD… didnt read the message, just hoped to get back with last known configuation which luckily worked. The service is there (not active, no consrv.dll)

Doing a quick scan now.

OTL log

OTL no longer shows the service on your system… I believe the error was caused by ZA protecting your host file (another thing to remember )

Any problems remaining ?