Once I click Fix there’s a new line “Moved: C:/…consrv.dll” and then the program becomes unresponsive… if I click in the program there’s a Windows sound. This is the third time; I have waited about 1 hour prior.
Every time I restart service DXEC02 (servicelayer in regedit), Avast pops up with a warning about the rootkit.
Path to execute:
C:\Windows\system32\svchost.exe -k netsvcs
A bit puzzled about the other entries… For instance, PolicyAgent has Display name @%SystemRoot%\System32\polstore.dll,-5010
So I searched the web and found this: http://www.systemlookup.com/O23/5345-polstore_dll.html
A restart of that service does not make Avast detect anything.
The computer is behaving fine. Thanks for the help.
I stopped IPsec last time I replied here just for good measure. Restarted it now.
The computer has been running fine since stopping DXEC02, and the attempts to establish a connection to my computer (from hundreds of IPs and various ports) have stopped.
Is there a relatively easy way to remove the traces of this rootkit? I’m not too keen on having a service (though disabled) that can cause a lot of trouble, and who knows what else is lying around.
Shouldn’t I be worried about the other regedits? Those are the only entries in HKLM..\services\ with a timestamp within days.
Edit: In case of misunderstanding: the above post about regedit was made after using aswMBR, thus consrv.dll and the entries in the registry were there after clicking “Fix”.
Avast hasn’t detected anything since I repeatedly restarted DXEC02, and I’m not too eager to do it again since I just replaced all my passwords… But if you need a copy of the virus I can do it.
There’s no doubt that this version of the rootkit is disguised as DXEC02.
My hosts file is repaired; I can now edit it myself. Earlier it had a weird entry with a colon in front of or behind 127.0.0.1.
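The posts above work through the Services key by hand in regedit, comparing a suspicious entry (DXEC02, hosted by svchost.exe -k netsvcs) against legitimate ones whose display names are resource references such as @%SystemRoot%\System32\polstore.dll,-5010, and looking at which keys were written in the last few days. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It enumerates HKLM\SYSTEM\CurrentControlSet\Services, keeps the services hosted by svchost.exe, resolves @dll,-id display names with SHLoadIndirectString, reads each key's last-write time through RegQueryInfoKey (regedit shows this only indirectly), and flags keys written within a window of days or whose ServiceDll is not under System32. The 14-day window and the System32-only expectation are assumptions for illustration; it assumes a 64-bit PowerShell session run elevated. Since many legitimate services also run as svchost.exe -k netsvcs, the ImagePath alone says little; the ServiceDll and the key timestamp are what separate the entries.

```powershell
# Added example (not from this thread): triage of HKLM\SYSTEM\CurrentControlSet\Services.
# Lists svchost-hosted services, resolves "@dll,-id" display names, reads each key's
# last-write time, and flags recent keys or ServiceDll paths outside System32.
# $Days is an assumed threshold; run from an elevated 64-bit PowerShell prompt.
param([int]$Days = 14)

Add-Type -Namespace Triage -Name Native -MemberDefinition @'
[DllImport("shlwapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern int SHLoadIndirectString(string pszSource,
    System.Text.StringBuilder pszOutBuf, uint cchOutBuf, IntPtr ppvReserved);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass,
    IntPtr lpReserved, out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

# Turn "@%SystemRoot%\System32\polstore.dll,-5010" into the localized string it points to.
function Resolve-IndirectString([string]$Value) {
    if ([string]::IsNullOrEmpty($Value) -or -not $Value.StartsWith('@')) { return $Value }
    $sb = New-Object System.Text.StringBuilder 1024
    $hr = [Triage.Native]::SHLoadIndirectString($Value, $sb, [uint32]$sb.Capacity, [IntPtr]::Zero)
    if ($hr -eq 0) { return $sb.ToString() }
    return $Value   # leave unresolved if the DLL or resource id is missing
}

# Last-write time of a registry key (the timestamp regedit does not show directly).
function Get-RegKeyLastWrite([Microsoft.Win32.RegistryKey]$Key) {
    $subKeys = [uint32]0; $maxSub = [uint32]0; $maxClass = [uint32]0; $values = [uint32]0
    $maxName = [uint32]0; $maxVal = [uint32]0; $secDesc = [uint32]0; $ft = [long]0
    $rc = [Triage.Native]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$subKeys, [ref]$maxSub, [ref]$maxClass, [ref]$values,
        [ref]$maxName, [ref]$maxVal, [ref]$secDesc, [ref]$ft)
    if ($rc -ne 0) { return $null }
    [DateTime]::FromFileTimeUtc($ft).ToLocalTime()
}

$cutoff = (Get-Date).AddDays(-$Days)
$sys32  = Join-Path $env:SystemRoot 'System32'
$root   = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services')

$rows = foreach ($name in $root.GetSubKeyNames()) {
    $k = $root.OpenSubKey($name)
    if ($null -eq $k) { continue }
    $imagePath = [string]$k.GetValue('ImagePath')
    if ($imagePath -notmatch 'svchost\.exe') { $k.Close(); continue }

    $params  = $k.OpenSubKey('Parameters')
    $dll     = if ($params) { [string]$params.GetValue('ServiceDll') } else { '' }
    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
    $inSys32 = $dllPath -and $dllPath.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
    $written = Get-RegKeyLastWrite $k

    $flags = @()
    if ($written -and $written -gt $cutoff) { $flags += "written<${Days}d" }
    if (-not $inSys32)                       { $flags += 'dll-outside-System32' }
    if ($dllPath -and -not (Test-Path -LiteralPath $dllPath)) { $flags += 'dll-missing' }

    [pscustomobject]@{
        Service     = $name
        DisplayName = Resolve-IndirectString ([string]$k.GetValue('DisplayName'))
        ImagePath   = $imagePath
        ServiceDll  = $dllPath
        LastWrite   = $written
        Flag        = ($flags -join ',')
    }
    if ($params) { $params.Close() }
    $k.Close()
}
$root.Close()

# Most recently written keys first; the Flag column is what to read.
$rows | Sort-Object LastWrite -Descending |
    Format-Table Service, DisplayName, ServiceDll, LastWrite, Flag -AutoSize
```

A flagged row is a lead, not a verdict: Windows Update and driver installs also touch service keys, and a ServiceDll under Program Files can be perfectly legitimate. The useful signal is the combination the thread describes, a key written recently whose ServiceDll points somewhere unexpected, and that row is the one to look up and submit for scanning before touching it.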
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_1b3a2ca9472cedf3457ccff54f6c5c016cdf6_cab_042cea99\WERE751.tmp.hdmp is infected by Win32:DNSChanger-VJ [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash__ex-68.exe_e0b41f88c6e8b2dea88ae6cd8babf5761c1075ae_cab_3748061a\WER5B0.tmp.mdmp is infected by Win32:Kelihos-AF [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash__ex-68.exe_e0b41f88c6e8b2dea88ae6cd8babf5761c1075ae_cab_3748061a\WERFF0B.tmp.hdmp is infected by Win32:DNSChanger-VJ [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_AMService_e3965e73f5257183d7da29864e8f39a6e9a898_cab_03cbad1f\WER9A4C.tmp.hdmp is infected by Win32:DNSChanger-VJ [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir is infected by Win32:Sirefef-HO [Rtk], Repair: Error 42060 {The file was not repaired.}
File C:\Windows\assembly\temp\twl.dll is infected by Win32:Agent-ANSR [PUP], Repair: Error 42060 {The file was not repaired.}
I probably made a mistake by choosing Repair instead of Ask/Delete, so the files didn’t get deleted.
Did a reboot myself, BSOD… didn’t read the message, just hoped to get back with last known configuration, which luckily worked. The service is there (not active, no consrv.dll).