consrv.dll ZeroAccess?

Well there are no junction points

I will try a different method with ComboFix for this next run… If this is getting too tedious, you can flatten the system and restore it.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quotebox below into it:
Rootkit:: c:\windows\system32\consrv.dll
Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

It's not tedious ;D. I'm very curious about this rootkit, and don't worry about Windows restore, it's very fast.

Here is the new ComboFix log.
I've killed the AV's process, but in the ComboFix log it appears that the resident AV is active.

@lotorien

Just a check: please verify in windows\system32 whether you have the file named Epiusb.dll.

Also, "Safety Settings Service" should be present in Control Panel/Administrative Tools/Services.

I don't have Epiusb.dll, but I do have Safety Settings Service present and it's started!!!

The exec file is in:
C:\Windows\system32\svchost.exe -k netsvcs

Disable the service, reboot, delete consrv.dll ;)
It worked on my computer

Yep I feel the trigger may be this

wencrservice: it is purportedly Windows encryption (legit).

Could you copy the following into a Notepad file, select Save, and select "All Files" in the drop-down box.
Save as seek.bat

@echo off
REM Export the wencrservice service key to a .reg file on the desktop
REM (note the space between the output file and the key path)
Regedit /E "%userprofile%\Desktop\wensvc.reg" HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wencrservice
exit

Double-click it to run it.

A .reg file will appear on the desktop.
Right-click it and select Edit.
Then copy and paste the contents here please.

I would like a copy of the file

In my case, the problem was in tpkd.dll.
I've disabled the service and I've run ComboFix with this CFScript:
File::
C:\windows\system32\tpkd.dll

Driver::
wenrservice

Now everything is OK ;D. Thanks very much for your help, and sorry for my English.

WENRSERVICE:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wencrservice]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Safety Settings Service"
"ObjectName"="LocalSystem"
"Description"="New service would allow parents to control their children's online activity."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wencrservice\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  74,00,70,00,6b,00,64,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001

Essexboy, if you want I can send you a copy of tpkd.dll.
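The hex(2) blobs in the export above are UTF-16LE strings, which is why they are hard to read by eye. The following is an added example, not code from this thread or from any of its participants: a small Python parser for a regedit /E export that decodes those values and reports, for every exported service whose ImagePath is svchost.exe -k <group>, the DLL named in Parameters\ServiceDll (svchost.exe itself is a legitimate Microsoft binary, so that DLL is the code that actually runs). The sample input is the wencrservice export posted above, re-wrapped with regedit's trailing-backslash continuation; the parser accepts both that form and the unwrapped form shown in the post.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample input: the wencrservice export posted in this thread, wrapped
# the way regedit /E writes long hex(2) values (trailing backslash, two-space indent).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wencrservice]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Safety Settings Service"
"ObjectName"="LocalSystem"
"Description"="New service would allow parents to control their children's online activity."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wencrservice\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  74,00,70,00,6b,00,64,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001
'''

# regedit wraps long values as ",\<newline>  "; forum posts often lose the backslash.
# Rejoin any line ending in "," whose next line starts with a hex byte pair.
_WRAP = re.compile(r',\\?\r?\n[ \t]*(?=[0-9a-fA-F]{2}\b)')

def decode_value(raw: str) -> object:
    """Decode one regedit value literal: "string", dword:..., hex:... or hex(N):..."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        # REG_SZ (1), REG_EXPAND_SZ (2) and REG_MULTI_SZ (7) are UTF-16LE text.
        if m.group(1) in ('1', '2', '7'):
            return data.decode('utf-16-le').rstrip('\x00')
        return data
    return raw

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a regedit /E export into {key_path: {value_name: decoded_value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in _WRAP.sub(',', text).splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)+)"=(.*)', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys

_SVCHOST = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.IGNORECASE)

def svchost_hosted_dlls(keys: Dict[str, Dict[str, object]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """For each exported service whose ImagePath is svchost.exe -k <group>, return
    {service_name: (group, ServiceDll)}. The DLL under Parameters\\ServiceDll is the
    code that executes inside the (legitimate) svchost.exe host process."""
    found: Dict[str, Tuple[str, Optional[str]]] = {}
    for path, values in keys.items():
        image = values.get('ImagePath')
        if not isinstance(image, str):
            continue
        m = _SVCHOST.search(image)
        if not m:
            continue
        dll = keys.get(path + '\\Parameters', {}).get('ServiceDll')
        found[path.rsplit('\\', 1)[-1]] = (m.group(1), dll if isinstance(dll, str) else None)
    return found

if __name__ == '__main__':
    for svc, (group, dll) in svchost_hosted_dlls(parse_reg(SAMPLE_REG)).items():
        print(f'{svc}: svchost group {group}, ServiceDll = {dll}')
```

On the posted export this decodes ImagePath to `%SystemRoot%\system32\svchost.exe -k netsvcs` and ServiceDll to `%systemroot%\system32\tpkd.dll`, which is exactly the file the thread ends up removing. Run it against a full `HKLM\SYSTEM\CurrentControlSet\services` export to list every netsvcs-hosted DLL on a machine and compare the names against what a clean install carries.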

I think it's the same virus I had. You can scan tpkd.dll at https://www.virustotal.com/ and post the link to the result page here; I'm curious whether the launcher is the same as mine.
Have you used USB flash disks before the infection? I believe that I got the virus from a flash disk, but I'm not 100% sure (and I'm afraid to reinsert the flash disk again; I've disabled autorun from the Group Policy Editor, but who knows what other modifications the virus has made in the registry).

Yes, it's the same virus:

https://www.virustotal.com/file/90f15003f26877aca2dccaec5d9d65ed692c059029d17535537acb6a8909892f/analysis/1327312920/

I had used a friend's USB before the infection, so I'm quite sure that I was infected by USB.
That USB is almost always used in a macOS laptop.

Maybe you can format the USB on a Linux computer.

I'll make a live CD with Linux and I'll take a look at the files on the flash drive.

edit: it seems that the flash disk is clean. No autorun.inf on it.

Could I have a copy of that file please - there is a bit of interest in this one… So far I am the only one that has come across it - so 'tis new

If you could locate the dropper that would be even better

I have also found that OTL will find and clear this ;D

Here is the last ComboFix log.
I cannot upload .dll files, so how can I send you the file?
Thanks very much again :)

I will PM my e-mail; could you zip it and then post it? Ta

Also, could you repost the ComboFix log saved as ANSI please, as there is one bit I cannot quite make out.

Ok. I’ve sent you the files.

Ta got it

Just a netservice to clear away

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quotebox below into it:
NetSvc:: wencrservice

Driver::
wencrservice

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

Let me know how it is running now please.

Sorry for the delay; yesterday I could not connect to the forum.
The laptop is still working OK.
Attached is the new ComboFix log.

How is the system behaving now? It appears that ComboFix did not remove the service key.

The behaviour is correct and everything works OK.
I have no redirection of Google searches and no mediafishing pages opening.
I've run Malwarebytes again and it does not find anything.
I've not found tpkd.dll or consrv.dll in windows\system32.
I have reviewed the keys and they are correct:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems

The registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wencrservice does not exist in the registry.
And the Safety Settings Service does not exist as a service.
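The SubSystems check in the reply above is worth making explicit, because "the keys are correct" means that every ServerDll entry in the `Windows` value under `Session Manager\SubSystems` still names a DLL csrss.exe is supposed to load. The following is an added example, not code from this thread or from any of its participants: it parses that value, lists each ServerDll token, and flags any DLL name outside an expected set. That set (basesrv and winsrv on XP/Vista/7, with sxssrv added from Vista on) is this example's own assumption and should be adjusted for other Windows versions. Both sample values are constructed: a clean Windows 7 layout, and the same value with the console-server entry pointed at consrv, which is the substitution the consrv.dll variant of ZeroAccess is known for (from the editor's knowledge, not a claim the thread itself makes). On a Windows host, `read_live_value()` pulls the real value through the standard `winreg` module.

```python
import re
from typing import List, Optional, Tuple

# ServerDll names expected in the Windows subsystem value on XP, Vista and 7
# (assumption: basesrv and winsrv on every version, sxssrv added from Vista on).
EXPECTED_SERVER_DLLS = frozenset({'basesrv', 'winsrv', 'sxssrv'})

# Constructed sample values (not copied from any machine in this thread).
CLEAN_WIN7 = (
    r'%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows '
    r'SharedSection=1024,20480,768 Windows=On SubSystemType=Windows '
    r'ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 '
    r'ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 '
    r'ProfileControl=Off MaxRequestThreads=16'
)
# Console-server entry redirected to consrv, so csrss loads consrv.dll from system32.
TAMPERED = CLEAN_WIN7.replace('ServerDll=winsrv:ConServerDllInitialization,2',
                              'ServerDll=consrv:ConServerDllInitialization,2')

# ServerDll=<dll>[:<entrypoint>],<index>
_SERVERDLL = re.compile(r'ServerDll=([^\s,:]+)(?::([^\s,]+))?,(\d+)')

def server_dlls(value: str) -> List[Tuple[str, str, int]]:
    """Every (dll, entry_point, index) token csrss would honour, in order."""
    return [(m.group(1).lower(), m.group(2) or '', int(m.group(3)))
            for m in _SERVERDLL.finditer(value)]

def unexpected_server_dlls(value: str, expected=EXPECTED_SERVER_DLLS) -> List[str]:
    """Sorted DLL names in the value that are not on the expected list."""
    return sorted({dll for dll, _, _ in server_dlls(value) if dll not in expected})

def csrss_path(value: str) -> str:
    """The subsystem image, i.e. the first whitespace-delimited token of the value."""
    parts = value.split()
    return parts[0] if parts else ''

def read_live_value() -> Optional[str]:
    """On Windows, read the real SubSystems\\Windows value; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r'SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems') as key:
        value, _ = winreg.QueryValueEx(key, 'Windows')
        return value

if __name__ == '__main__':
    for label, value in (('clean', CLEAN_WIN7), ('tampered', TAMPERED), ('live', read_live_value())):
        if value is None:
            continue
        print(f'{label}: image={csrss_path(value)} unexpected={unexpected_server_dlls(value)}')
```

The point of the check is that the value is REG_EXPAND_SZ text, so a single word swap (winsrv to consrv) is enough to have csrss.exe, a trusted process, load an attacker's DLL at boot; comparing the parsed token list against a known-good set catches that even when the rest of the value is untouched. Check both ControlSet001 and CurrentControlSet, as the reply above did, since they can differ.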

Magic. When you are happy I will remove my tools.

Do I need to check something else? Am I missing something? :-[