*** [edit] logs can be found in the 5th post of this thread ***
Yesterday I seem to have gotten infected by one or more viruses. I wanted to re-install a new (trial) version of nod32 and so I disabled my virus scanner, uninstalled, rebooted… WANTED to install but alas it was too late.
Hardware:
Apple MacBook Air 15" late 2010 edition
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3831.2454
=> 64 Bit OS
Symptoms:
I heard my CPU jump to 100% and saw PING.EXE running wild.
=> killing ping.exe would start it again later.
After googling I saw my browser requests getting redirected to random advertisements.
Tried installing windows update… most updates failed
Tried installing NOD32 virus scanner… almost finished but roll back at the end due to “failure”
Registry: HKLM\CurrentControlSet\Control\Session Manager\SubSystems
as well as ControlSet001 & ControlSet002 have key Windows:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
With ServerDll=consrv:ConServerDllInitialization instead of ServerDll=winsrv:ConServerDllInitialization
Every time I move this back to WIN, either 1, 2 or all 3 keys are set back to CON (seems random which one).
Actions undertaken so far:
First get rid of browser redirects. IE Tools → Internet Settings → Connections: got rid of the PROXY to a local port in the 50000 range.
googled for fixes.
Ran TDSSKiller => found nothing
installed NOD32 and at the point of rollback killed the installer (which made it not roll back)
Task manager → Services. Closed ALL the services I could (and see if PING.EXE would come back). Then started them all back up again.
It seems name: elbycdfl description: Se58mdfl & name: firelm01 & Hpqddsvc didn’t do anything and after killing them PING.EXE did not come back. So I went into services.msc and disabled them for startup.
Ran HIJACKTHIS, looked at all the entries, deleted most that I didn’t recognize or seemed not necessary.
Ran windows update
Ran COMBOFIX which rebooted my computer, after which WIN 7 wouldn’t load. I’m not sure if this is due to combofix or windows update (it would start up then give a:
blue screen C0000135 The program can’t start because %hs is missing. Try reinstalling the program.
=> I went into windows repair, opened console went into c:\windows\system32\config and copied the registry .BAK’s to the normal names (COMPONENTS, DEFAULT, SAM, SECURITY, SYSTEM, SOFTWARE).
Windows now started again.
Then I installed / ran all these in various sequences (really can’t remember which)
Ran aswMBR. Found c:\windows\system32\consrv.dll infected. => FIXED
installed Malwarebytes. Scanned
=> found
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) → Data: http=127.0.0.1:59212 → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|EC3.exe (Backdoor.CycBot) → Data: C:\Program Files (x86)\LP\97F6\EC3.exe → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|0D2.exe (Backdoor.CycBot) → Data: C:\Program Files (x86)\LP\87B6\0D2.exe → Quarantined and deleted successfully.
ran again found:
C:\Users\Maurits\AppData\Roaming\60375\ACF97.exe (Trojan.Downloader.BH) → Quarantined and deleted successfully.
C:\Users\Maurits\AppData\Roaming\60375\DB287.exe (Trojan.Downloader.BH) → Quarantined and deleted successfully.
C:\Windows\assembly\temp\twl.dll (PUP.BitMiner) → Quarantined and deleted successfully.
C:\Windows\Setup\scripts\faXcooL.exe (HackTool.Wpakill) → Quarantined and deleted successfully.
Ran NOD32 found nothing
Ran combofix again.
installed Avast antivirus =>
At this point PING.EXE is not coming back to life. And the redirects are gone. The Registry WIN → CON is still there and upon startup of my comp NOD32 informs me that Sirefef.G (win64), Sirefef.DN (win32) files are being created:
2/23/2012 10:35:33 AM Startup scanner file Operating memory » C:\Windows\assembly\GAC_32\Desktop.ini a variant of Win32/Sirefef.DN trojan cleaned by deleting (after the next restart)
2/23/2012 10:26:15 AM Real-time file system protection file C:\Windows\assembly\GAC_64\Desktop.ini Win64/Sirefef.G trojan cleaned by deleting (after the next restart) Event occurred during an attempt to access the file by the application: C:\Users\Maurits\Desktop\Downloads\aswMBR.exe.
Now this last line does seem weird, because I disabled NOD32 during ASWMBR (I think I did!).
I’m kind of desperate to get rid of this last bit of this virus / rootkit.
Also, the first time I ran aswMBR, it said it saw an infection of c:\windows\system32\consrv.dll with Sirefef and I fixed it.
I hope you can help me! I can attach new / some old logs of combofix/aswmbr/nod32/hijackthis/malwarebytes/… ?
Follow this guide… http://forum.avast.com/index.php?topic=53253.0 and attach the logs requested…
Then one of the trained malware removers will help you when they arrive… it may take several hours
I ran Avast & it found consrv.dll & deleted it.
Then restarted, went into repair mode for windows. Console → regedit. Changed the consrv values to winsrv to be able to boot.
Now booted & avast finds that when I boot into windows consrv.dll is again created (registry values stay winsrv). It deletes it automatically, but obviously there’s still a process that creates consrv.dll
I’m now in the process of running OTL and will attach the log when done.
[edit] consrv.dll is not only created at startup, but so far avast removed it 4 times in the last 1/2 hour.
Also Avast is ON during OTL scan, not sure if that matters?
Did remove it
windows won’t load
→ started in startup repair
console
regedit
loaded SYSTEM hive (c:\windows\system32\config\SYSTEM)
changed the consrv → winsrv
unloaded hive
=> computer boots up again
→ Avast now and then finds consrv.dll is created (immediately removed & registry stays winsrv).
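As an added example that is not part of the thread (my code, not the poster's or the helpers'), here is a small Python check over the Session Manager SubSystems `Windows` value quoted in the first post and edited offline in the post above: it flags any ServerDll entry that points anywhere but the expected csrss modules and reproduces the winsrv repair. The CLEAN and TAMPERED strings are constructed from the values quoted in the thread; `read_live_value` is an optional winreg read for running the same check on a Windows box (including ControlSet001/002).

```python
"""Added example (not from the thread): parse the csrss 'Windows' subsystem value
and flag a console ServerDll swapped away from winsrv, as in the Sirefef case above."""
import re

# csrss server DLLs expected on Windows 7, taken from the clean value quoted in the thread.
EXPECTED_SERVERDLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed sample values: CLEAN is the line from the first post, TAMPERED the consrv variant.
CLEAN = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
TAMPERED = CLEAN.replace("winsrv:ConServer", "consrv:ConServer")

def parse_serverdlls(value):
    """Return [(dll, entrypoint or None, load_index or None)] for each ServerDll= token."""
    entries = []
    for token in value.split():
        if not token.startswith("ServerDll="):
            continue
        spec, sep, index = token[len("ServerDll="):].rpartition(",")
        if not sep:  # no ",N" load-order suffix: the whole remainder is the spec
            spec, index = index, None
        dll, _, entry = spec.partition(":")
        entries.append((dll.lower(), entry or None, int(index) if index else None))
    return entries

def find_rogue_serverdlls(value):
    """List (dll, entrypoint) pairs whose module is not a known csrss server DLL."""
    return [(dll, entry) for dll, entry, _ in parse_serverdlls(value)
            if dll not in EXPECTED_SERVERDLLS]

def repair_value(value):
    """Point ConServerDllInitialization back at winsrv, as the poster did by hand in regedit."""
    return re.sub(r"ServerDll=(?!winsrv:)\w+:ConServerDllInitialization,",
                  "ServerDll=winsrv:ConServerDllInitialization,", value)

def read_live_value(control_set="CurrentControlSet"):
    """Read the real value on Windows (pass ControlSet001/002 too); None where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return None
    path = rf"SYSTEM\{control_set}\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, "Windows")[0]
```

A non-empty result from `find_rogue_serverdlls` on the live value is the thing to act on; `repair_value` only produces the corrected string, writing it back (or editing the offline SYSTEM hive as the poster did) is a separate step.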
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
THEN
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Wow, I did both. I ran ComboFix, which seemed to have removed some files. Log attached.
I ran OTL, but it gave an error as it could not create \desktop\cmd.bat
I did run a quick scan afterwards, with the quickscan log attached.
I then rebooted but could not boot due to a BSOD (code 0x0000007B) so I ran sys restore and did a restore to the combofix restore point. I did install some windows update, so I’m not sure if it’s that or the deletion of some files.