MAX++ rootkit, consrv.dll virus, Sirefef.DN / Sirefef.G & 100% PING.EXE

Hello and I hereby welcome myself to this forum.

*** [edit] logs can be found in the 5th post of this thread ***

Yesterday I seem to have gotten infected by one or multiple viruses. I wanted to re-install a new (trial) version of nod32 and so I disabled my virus scanner, uninstalled, rebooted… WANTED to install but alas it was too late.

Hardware:
Apple macbook air 15" late 2010 edition
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3831.2454
=> 64 Bit OS

Symptoms:

  • I heard my CPU jump to 100% and saw PING.EXE running wild.
    => killing ping.exe would start it again later.
  • After googling I saw my browser requests getting redirected to random advertisements.
  • Tried installing windows update… most updates failed
  • Tried installing NOD32 virus scanner… almost finished but roll back at the end due to “failure”
    Registry: HKLM\CurrentControlSet\Control\Session Manager\SubSystems
    as well as ControlSet001 & ControlSet002 have key Windows:
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    With ServerDll=consrv:ConServerDllInitialization instead of ServerDll=winsrv:ConServerDllInitialization
    Every time I move this back to WIN either 1, 2 or all 3 keys are set back to CON (seems random which one).

Actions undertaken so far:

  • First get rid of browser redirects. IE tools, internet settings, connections got rid of the PROXY to a local port in the 50000 range.
  • googled for fixes.
  • Ran TDSSKiller => found nothing
  • installed NOD32 and at the point of rollback killed the installer (which made it not roll back)
  • Task manager → Services. Closed ALL the services I could (and see if PING.EXE would come back). Then started them all back up again.
    It seems name: elbycdfl description: Se58mdfl & name: firelm01 & Hpqddsvc didn’t do anything and after killing them PING.EXE did not come back. So I went into services.msc and disabled them for startup.
  • Ran HIJACKTHIS, looked at all the entries, deleted most that I didn’t recognize or seemed not necessary.
  • Ran windows update
  • Ran COMBOFIX which rebooted my computer, after which WIN 7 wouldn’t load. I’m not sure if this is due to combofix or windows update (it would startup then give a:
    blue screen C0000135 The program can’t start because %hs is missing. Try reinstalling the program.
    => I went into windows repair, opened console went into c:\windows\system32\config and copied the registry .BAK’s to the normal names (COMPONENTS, DEFAULT, SAM, SECURITY, SYSTEM, SOFTWARE).
    Windows now started again.

Then I installed / ran all these in various sequences (really can’t remember which)

  • Ran aswMBR. Found c:\windows\system32\consrv.dll infected. => FIXED
    installed Malwarebytes. Scanned
    => found
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) → Data: http=127.0.0.1:59212 → Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|EC3.exe (Backdoor.CycBot) → Data: C:\Program Files (x86)\LP\97F6\EC3.exe → Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|0D2.exe (Backdoor.CycBot) → Data: C:\Program Files (x86)\LP\87B6\0D2.exe → Quarantined and deleted successfully.
    ran again found:
    C:\Users\Maurits\AppData\Roaming\60375\ACF97.exe (Trojan.Downloader.BH) → Quarantined and deleted successfully.
    C:\Users\Maurits\AppData\Roaming\60375\DB287.exe (Trojan.Downloader.BH) → Quarantined and deleted successfully.
    C:\Windows\assembly\temp\twl.dll (PUP.BitMiner) → Quarantined and deleted successfully.
    C:\Windows\Setup\scripts\faXcooL.exe (HackTool.Wpakill) → Quarantined and deleted successfully.
  • Ran NOD32 found nothing
  • Ran combofix again.
  • installed Avast antivirus =>

At this point PING.EXE is not coming back to life. And the redirects are gone. The Registry WIN → CON is still there and upon startup of my comp NOD32 informs me that Sirefef.G (Win64) and Sirefef.DN (Win32) files are being created:
2/23/2012 10:35:33 AM Startup scanner file Operating memory » C:\Windows\assembly\GAC_32\Desktop.ini a variant of Win32/Sirefef.DN trojan cleaned by deleting (after the next restart)
2/23/2012 10:26:15 AM Real-time file system protection file C:\Windows\assembly\GAC_64\Desktop.ini Win64/Sirefef.G trojan cleaned by deleting (after the next restart) Event occurred during an attempt to access the file by the application: C:\Users\Maurits\Desktop\Downloads\aswMBR.exe.

Now this last line does seem weird, because I disabled NOD32 during ASWMBR (I think I did!).

I’m kind of desperate to get rid of this last bit of this virus / rootkit.

Also, the first time I ran aswMBR it said it saw an infection of c:\windows\system32\consrv.dll with Sirefef and I fixed it.

I hope you can help me! I can attach new / some old logs of combofix/aswmbr/nod32/hijackthis/malwarebytes/… ?

I would like to run http://deletemalware.blogspot.com/2011/09/zeroaccesssirefefmax-rootkit-removal.html but it’s for 32 bit OS only.

Also my hosts file was edited (and I can’t edit it myself) with ::1 attached

Maurits
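The two indicators the post describes (the console server entry in the Session Manager SubSystems value swapped from winsrv to consrv across several control sets, and PING.EXE being relaunched after it is killed) can both be checked from an elevated PowerShell. The script below is an added example written for this thread, not code from the original post or from the forum helpers. It assumes the Windows 7 x64 layout the post reports, where the only legitimate ServerDll entries are basesrv, winsrv and sxssrv; the function names and the sample value are mine, and it uses Get-WmiObject and New-Object so that it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added defender-side triage helpers (not from the thread or its helpers).
# Assumes the Windows 7 x64 layout the post describes: the Session Manager
# SubSystems "Windows" value should name only basesrv, winsrv and sxssrv, and
# the console server entry should read winsrv:ConServerDllInitialization.
# Run from an elevated 64-bit PowerShell.

# DLL names that legitimately appear as ServerDll= entries on this platform (assumption).
$ExpectedServerDlls = @('basesrv', 'winsrv', 'sxssrv')

function Test-SubsystemsValue {
    # Returns the ServerDll= tokens whose DLL is not in the expected list
    # (an empty array means the value looks clean).
    param([string]$Value)
    $suspicious = @()
    foreach ($token in ($Value -split '\s+')) {
        if ($token -match '^ServerDll=([^:,]+)') {
            $dll = $Matches[1].ToLower()
            if ($ExpectedServerDlls -notcontains $dll) { $suspicious += $token }
        }
    }
    return ,$suspicious
}

function Get-SubsystemsAudit {
    # Reads the Windows value from every control set and reports flagged entries,
    # so a change in ControlSet001/002 that CurrentControlSet does not show is caught.
    Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' } |
        ForEach-Object {
            $key = "HKLM:\SYSTEM\$($_.PSChildName)\Control\Session Manager\SubSystems"
            $item = Get-ItemProperty -Path $key -Name Windows -ErrorAction SilentlyContinue
            if ($item) {
                New-Object PSObject -Property @{
                    ControlSet = $_.PSChildName
                    Suspicious = ((Test-SubsystemsValue -Value $item.Windows) -join ' ')
                }
            }
        }
}

function Get-PingParents {
    # Lists every running PING.EXE with its parent process, so the component that
    # keeps relaunching it can be identified instead of killing ping.exe repeatedly.
    Get-WmiObject Win32_Process -Filter "Name = 'PING.EXE'" | ForEach-Object {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        New-Object PSObject -Property @{
            PingPid     = $_.ProcessId
            CommandLine = $_.CommandLine
            ParentPid   = $_.ParentProcessId
            ParentName  = $parent.Name
            ParentPath  = $parent.ExecutablePath
        }
    }
}

# Constructed sample: the value as the post reports it, with the console server
# entry pointing at consrv; Test-SubsystemsValue flags that token.
$sample = 'ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ' +
          'ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4'
Test-SubsystemsValue -Value $sample

# Live checks on the machine being examined.
Get-SubsystemsAudit | Format-Table -AutoSize
Get-PingParents | Format-Table -AutoSize
# The post also names the dropped file itself; on this Windows 7 system it should not exist.
"consrv.dll present: " + (Test-Path "$env:SystemRoot\System32\consrv.dll")
```

The audit only reports; it does not rewrite the registry value, because the post shows the value being reset shortly after each manual change, which is why the helpers in this thread drive the cleanup with ComboFix and OTL scripts rather than by hand edits. Knowing which process is the parent of PING.EXE gives the helpers a concrete service or file name to target in those scripts.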

Follow this guide… http://forum.avast.com/index.php?topic=53253.0
attach the logs requested…
Then one of the trained malware removers will help you when they arrive…it may take several hours

I ran Avast & it found consrv.dll & deleted it.
Then restarted, went into repair mode for windows. Console → regedit. changed the consrv values to winsrv to be able to boot.

Now booted & avast finds that when I boot into windows consrv.dll is again created (registry values stay winsrv). It deletes it automatically, but obviously there’s still a process that creates consrv.dll

I’m now in the process of running OTL and will attach the log when done.

[edit] consrv.dll is not only created at startup, but so far avast removed it 4 times in the last 1/2 hour.
Also Avast is ON during OTL scan, not sure if that matters?

consrv.dll
don’t remove it... if you do it wrong it may damage the machine...

follow the guide…and let the experts fix it

Also Avast is ON during OTL scan, not sure if that matters?
usually not... but sometimes it wants to run OTL in a sandbox (do not) or it detects OTL as malware (ignore)

Did remove it
windows won’t load
→ started in startup repair
console
regedit
loaded SYSTEM hive (c:\windows\system32\config\SYSTEM)
changed the consrv → winsrv
unloaded hive
=> computer boots up again :wink:

→ Avast now and then finds consrv.dll is created (immediately removed & registry stays winsrv).

OTL is done, will attach log to this post

Hmm they are getting desperate now - not just one protecting service but five

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\SNMPTRAP.dll
C:\Windows\SysNative\OracleOraHome92ClientCache.dll
C:\Windows\SysNative\rupsd.dll
C:\Windows\SysNative\a016mdm.dll
C:\Windows\SysNative\tcpip.dll

NetSvc::
lwwlicenseservice
winachsf
sony_ssm.sys
elbycdfl
smartscaps

Driver::
lwwlicenseservice
winachsf
sony_ssm.sys
elbycdfl
smartscaps

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Ok I ran as you said. Attached is the log file.

Thanks, Maurits

Could you now run the same Combofix script again please and then follow up with a fresh aswMBR scan

Also how is the computer behaving now

I haven’t had any consrv.dll creations anymore, but I’m not sure if all traces are gone. Computer seems to run fine.

Attached are the logs!

OK third run now to remove the last bits as it is stubborn this one

Run Combofix for a final time with the same script, once done then run a fresh OTL quick scan ensuring that all users and LOP are selected…

This is more in the way of a confirmatory run to ensure that it is dead

Computer seems to be running fine, except I’m still getting some redirects now and then.

Attached again are the last logs (made after I ran the progs you said)

OK theoretically this should be the last run

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\sisnic.dll
C:\ProgramData\5Vvq2C67S.dat
C:\Windows\SysNative\dds_trash_log.cmd

NetSvc::
firelm01
sscdbhk5
ctxcpusched
lwwlicenseservice
winachsf
sony_ssm.sys
elbycdfl
smartscaps
smwdm
pdlncfwk

Driver::
firelm01
sscdbhk5
ctxcpusched
lwwlicenseservice
winachsf
sony_ssm.sys
elbycdfl
smartscaps
smwdm
pdlncfwk

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

THEN

Warning: This fix is only relevant for this system and no other, using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV:64bit: - [2009/07/14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Disabled | Stopped] -- C:\Windows\SysNative\sisnic.dll -- (firelm01)
SRV:64bit: - [2009/07/14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\SysNative\OracleOraHome92ClientCache.dll -- (winachsf)
SRV:64bit: - [2009/07/14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\rupsd.dll -- (sony_ssm.sys)
SRV:64bit: - [2009/07/14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Disabled | Stopped] -- C:\Windows\SysNative\tcpip.dll -- (smartscaps)
SRV:64bit: - [2009/07/14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Disabled | Stopped] -- C:\Windows\SysNative\SNMPTRAP.dll -- (lwwlicenseservice)
SRV:64bit: - [2009/07/14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Disabled | Stopped] -- C:\Windows\SysNative\sisnic.dll -- (firelm01)
SRV:64bit: - [2009/07/14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Disabled | Stopped] -- C:\Windows\SysNative\a016mdm.dll -- (elbycdfl)
NetSvcs:64bit: firelm01 - C:\Windows\SysNative\sisnic.dll (Oak Technology Inc.)
NetSvcs:64bit: lwwlicenseservice - C:\Windows\SysNative\SNMPTRAP.dll (Oak Technology Inc.)
NetSvcs:64bit: winachsf - C:\Windows\SysNative\OracleOraHome92ClientCache.dll (Oak Technology Inc.)
NetSvcs:64bit: sony_ssm.sys - C:\Windows\SysNative\rupsd.dll (Oak Technology Inc.)
NetSvcs:64bit: elbycdfl - C:\Windows\SysNative\a016mdm.dll (Oak Technology Inc.)
NetSvcs:64bit: smartscaps - C:\Windows\SysNative\tcpip.dll (Oak Technology Inc.)
[2012/02/22 19:47:27 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2012/02/22 11:05:59 | 000,000,112 | ---- | C] () -- C:\ProgramData\5Vvq2C67S.dat
[2012/02/23 12:28:18 | 000,000,000 | ---D | M] -- C:\Users\Maurits\AppData\Roaming\60375

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Wow I did both. I ran Combofix which seemed to have removed some files. log attached.

I ran OTL, but it gave an error as it could not create \desktop\cmd.bat
I did run a quick scan afterwards, with the quickscan log attached.

I then rebooted but could not boot due to a BSOD (code 0x0000007B) so I ran sys restore and did a restore to the combofix restore point. I did install some windows update, so I’m not sure if it’s that or the deletion of some files.

And here’s the OTL log. I could not attach both in one post as it said I could only attach 195 KB

Could you run a fresh OTL scan for me please so that I can confirm that combofix did do all the removals and they have not been re-instated