Hello, I think I have a ZeroAccess rootkit on my machine; a file called consrv.dll is constantly being blocked by Avast's shield?
I have attached the ComboFix and aswMBR logs.
Can you also run and attach the OTL logs?
http://forum.avast.com/index.php?topic=53253.0
Hi Arnbarn,
Please do not run ComboFix any more without the guidance of a qualified malware remover. If used improperly it can turn your computer into a nice doorstop.
When you get the OTL logs I will be more than happy to look it over.
jeffce, okay, I'll remember that. And to pondus: OTL's file is 244 KB; it says that it is too big?
Just go ahead and attach it.
"Your file is too large. The maximum attachment size allowed is 192 KB." I just get this?
Ok…
Upload the file here >> http://www.mediafire.com/
Once you get it uploaded post the link that will be created for you into your next reply. I can retrieve it from there.
Did you save it as ANSI?
Here ya go: http://www.mediafire.com/?2xdyqbw3fz0et7z
Got it.
I will return as quickly as I can with your next step.
Thank you
And pondus, no, I found out it was Unicode, silly me.
Hi Arnbarn,
Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.
[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:
ClearJavaCache::
File::
C:\Windows\SysNative\ASDR.dll
C:\Windows\SysNative\dds_trash_log.cmd
C:\Users\Kag3\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
Folder::
C:\ProgramData\IObit
Netsvc::
XTrapD12
Driver::
XTrapD12
[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
Here you go
I noticed on the forums that a lot of computers are affected by this rootkit.
Avast is not warning me anymore. You have mad computer skills, and thank you.
Hi Arnbarn,
Yes, this is an infection we are seeing a lot of.
[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:
ClearJavaCache::
DDS::
uStart Page = hxxp://asus.msn.com
mStart Page = hxxp://asus.msn.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63596
File::
c:\windows\system32\trzEE64.tmp
c:\windows\system32\trz6A4A.tmp
c:\windows\system32\trzA70A.tmp
c:\windows\system32\dds_trash_log.cmd
C:\Windows\SysNative\ASDR.dll
Netsvc::
XTrapD12
Driver::
XTrapD12
[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
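The DDS:: section of the script above asks ComboFix to strip a Firefox proxy setting that points at 127.0.0.1 on an arbitrary high port, which is how the redirect component of this family hijacks browser traffic. The following is an added example, not code from the thread or from ComboFix: a small Python check that parses a Firefox prefs.js, reports every manual proxy entry bound to loopback, and produces a cleaned copy with the network.proxy.* prefs removed. The prefs.js content is constructed to resemble the DDS lines in the script (the asus.msn.com start page is an OEM default, not an indicator, and is deliberately kept); the port 63596 is taken from the thread, everything else is illustrative.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample prefs.js, modelled on the DDS output quoted in the thread.
# Not a real capture. Firefox writes one user_pref("name", value); per line.
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://asus.msn.com");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 63596);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 63596);
user_pref("browser.cache.disk.capacity", 358400);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PROXY_SCHEMES = ("http", "ssl", "ftp", "socks")


def parse_prefs(text: str) -> Dict[str, object]:
    """Parse user_pref(...) lines into {name: str | int | bool}."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # unknown literal, keep verbatim
    return prefs


def loopback_proxies(prefs: Dict[str, object]) -> List[Tuple[str, str, int]]:
    """Return (scheme, host, port) for each manual proxy that points at loopback.

    network.proxy.type == 1 is Firefox's "manual proxy configuration"; with any
    other value the per-scheme host/port prefs are inert, so nothing is reported.
    """
    if prefs.get("network.proxy.type") != 1:
        return []
    hits: List[Tuple[str, str, int]] = []
    for scheme in PROXY_SCHEMES:
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if isinstance(host, str) and host.lower() in LOOPBACK and isinstance(port, int):
            hits.append((scheme, host, port))
    return hits


def cleaned_prefs_js(text: str) -> str:
    """Return prefs.js text with every network.proxy.* pref dropped.

    Mirrors the effect of the DDS:: lines in the CFScript: Firefox falls back
    to its default (no manual proxy) once these prefs are absent.
    """
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("network.proxy."):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = loopback_proxies(parse_prefs(SAMPLE_PREFS_JS))
    for scheme, host, port in found:
        print(f"manual {scheme} proxy -> {host}:{port}")
    print(cleaned_prefs_js(SAMPLE_PREFS_JS))
```

A loopback proxy is a flag, not a conviction: debugging proxies (Fiddler, Burp), privacy proxies and Tor also bind 127.0.0.1. Before removing the setting, check what is actually listening on that port (netstat -ano and the owning PID) and whether the user put it there.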
Here is the latest log
I will look this over as quickly as I can. I am at work and we are putting in new computers today.
Thank you very much