I’m turning to this forum, because I can’t get rid of this Sirefef (and perhaps some other) infection. Consrv.dll identified, PING.exe using 100% CPU and MBAM keeps detecting unauthorized outgoing connections via svchost.exe and iexplore.exe.
Hopefully the attached logs (OTL.txt in next post due to filesize) can clear up the problem and you can provide me with a solution!
Download Combofix from either of the links below, and save it to your desktop. Link 1 Link 2
Note: It is important that it is saved directly to your desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.
[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the [b]
Custom Scans/Fixes[/b] box located at the bottom of OTL
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
In your next reply please post both of the logs that will be created by OTL.
[*]Disable any script blocking protection
[*]Right-click and Run as Administrator dds to run the tool.
[*]When done, two DDS.txt’s will open.
[*]Save both reports to your desktop.
Please include the contents of the following in your next reply:
I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis
To submit a file to virustotal, please click VirusTotal
copy and paste the following into the upload a file box (one at a time if more than one file is listed)
C:\Windows\Monkey2.exe
scroll down a bit and click “send file”, wait for the results and then post the link to the results in your next reply.
Please notethat sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
Just so you know, the shortened url did not work. It should look like this: https://www.virustotal.com/file/4c6572ec338c82e9611eab727fec3d08c68d45385c6161511b38798f4699af37/analysis/1330214710/, but the link gives this: http://"https//www.virustotal.com/file/4c6572ec338c82e9611eab727fec3d08c68d45385c6161511b38798f4699af37/analysis/1330214710/%22, where https // is missing the : & has quotation marks.
I think it best not to use shortened urls as other users cannot see the link unless they have add-on software in their browser. Just saying.