Dropper trying to install rootkit

Hello, I think I have a ZeroAccess rootkit on my machine; a file called consrv.dll is constantly being blocked by Avast's shield?
I have attached the ComboFix and aswMBR logs :slight_smile:

Can you also run and attach the OTL logs?
http://forum.avast.com/index.php?topic=53253.0

Hi Arnbarn,

Please do not run ComboFix any more without the guidance of a qualified malware remover. If used improperly it can turn your computer into a nice doorstop. :slight_smile:

When you get the OTL logs I will be more than happy to look it over.

jeffce, okay, I'll remember that :wink: and to pondus: OTL's file is 244 KB; it says that it is too big?

Just go ahead and attach it.

Your file is too large. The maximum attachment size allowed is 192 KB. I just get this?

Ok…

Upload the file here >> http://www.mediafire.com/

Once you get it uploaded post the link that will be created for you into your next reply. I can retrieve it from there. :slight_smile:

Did you save it as ANSI?

Here ya’ go :wink: http://www.mediafire.com/?2xdyqbw3fz0et7z

Got it. :slight_smile:

I will return as quickly as I can with your next step.

Thank you :slight_smile:

And pondus, no, I found out it was Unicode, silly me :wink:

Hi Arnbarn,

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

File::
C:\Windows\SysNative\ASDR.dll
C:\Windows\SysNative\dds_trash_log.cmd
C:\Users\Kag3\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Folder::
C:\ProgramData\IObit

Netsvc::
XTrapD12

Driver::
XTrapD12

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Here you go :slight_smile:

I noticed on the forums that a lot of computers are affected by this rootkit.

Avast is not warning me anymore :slight_smile: You have mad computer skills, and thank you :wink:

Hi Arnbarn,

Yes, this is an infection we are seeing a lot of. :slight_smile:

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

DDS::
uStart Page = hxxp://asus.msn.com
mStart Page = hxxp://asus.msn.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63596

File::
c:\windows\system32\trzEE64.tmp
c:\windows\system32\trz6A4A.tmp
c:\windows\system32\trzA70A.tmp
c:\windows\system32\dds_trash_log.cmd
C:\Windows\SysNative\ASDR.dll

Netsvc::
XTrapD12

Driver::
XTrapD12

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
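The CFScript format used in the two removal scripts above, as an added example that is not part of this thread and not ComboFix's own code: a small Python reader that splits a script into its `Directive::` sections and lists what it would remove or reset before the file is dragged onto ComboFix. It assumes only the directives seen here (ClearJavaCache::, DDS::, File::, Folder::, Netsvc::, Driver::) and uses the second script from the thread as its sample input.

```python
"""Pre-flight reader for a ComboFix CFScript (added example, not ComboFix code)."""
import re
from collections import OrderedDict

# Constructed sample: the second CFScript posted in this thread.
SAMPLE_CFSCRIPT = """
ClearJavaCache::

DDS::
uStart Page = hxxp://asus.msn.com
mStart Page = hxxp://asus.msn.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63596

File::
c:\\windows\\system32\\trzEE64.tmp
c:\\windows\\system32\\trz6A4A.tmp
c:\\windows\\system32\\trzA70A.tmp
c:\\windows\\system32\\dds_trash_log.cmd
C:\\Windows\\SysNative\\ASDR.dll

Netsvc::
XTrapD12

Driver::
XTrapD12
"""

# A directive is a bare word followed by "::" on its own line (assumption: only
# the directives used in this thread are modelled; entries follow until the next one).
DIRECTIVE_RE = re.compile(r"([A-Za-z]+)::")

def parse_cfscript(text):
    """Return {directive: [entries]} in order of appearance; blank lines are ignored."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.fullmatch(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        sections[current].append(line)
    return sections

def review(sections):
    """List removals (File/Folder/Driver/Netsvc) and any DDS line that resets a proxy setting."""
    findings = [f"{name}: will remove {item}"
                for name in ("File", "Folder", "Driver", "Netsvc")
                for item in sections.get(name, [])]
    findings += [f"DDS: resets proxy setting ({line})"
                 for line in sections.get("DDS", []) if "proxy" in line.lower()]
    return findings

if __name__ == "__main__":
    for finding in review(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(finding)
```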

Here is the latest log :slight_smile:

I will look this over as quickly as I can. I am at work and we are putting in new computers today. :slight_smile:

Thank you very much :smiley: