Hi. I recently reinstalled Windows, and in my brilliance, forgot to install an anti-virus program until a few days in. As a result, I’ve become infected with numerous malware, and what Avast tells me is a rootkit. I only noticed the infection when numerous Windows functions stopped working (Windows Firewall), and ping.exe kept appearing in my Processes tab. At any rate, I tried to find a result via Google, and was met with limited luck by running a few scans and using ComboFix. However, the rootkit remained, and kept attempting to drop consrv.dll into my files. While Avast seemed to hold it in check for a while, I think it’s turned into a serious infection once again. Any help would be greatly appreciated. I’ve attached the results of the scans advised by the sticky in this forum.
Did you try running a scan with aswMBR?
Yeah, it just finished. Here is the log. Also, I seem to be getting a lot of foiled attempts at placing a trojan from Win32:DNSChanger-VJ [Trj] and Win64:ZAccess-A [Trj]. Just wondering if that’s relevant to the consrv.dll/Sirefef issue, or another one altogether.
File: C:\Windows\system32\consrv.dll INFECTED Win32:Sirefef-HO [Rtk]
00:10:42.291 File: C:\Windows\system32\trzBE7E.tmp INFECTED Win32:Sirefef-HO [Rtk]
00:11:16.114 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-FQ [Drp]
00:11:18.397 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-HO [Rtk]
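As an added example (not part of this thread, and not Avast's or aswMBR's own code), here is a small Python parser for detection lines in the shape quoted above. It assumes the layout seen in those four lines (optional timestamp, `File:`, path, `INFECTED`, detection name, bracketed tag) and reads the tags `[Rtk]`, `[Drp]` and `[Trj]` as rootkit, dropper and trojan, which is how Avast's naming scheme uses them. The sample log is constructed from the lines above plus one made-up trailer line; note the first quoted line has lost its timestamp, and the parser tolerates that.

```python
import re
from collections import Counter

# Constructed sample: the four detection lines quoted above (the first one
# without a timestamp, exactly as it was pasted) plus a made-up trailer line
# so the parser has a non-detection line to skip.
SAMPLE_LOG = """\
File: C:\\Windows\\system32\\consrv.dll INFECTED Win32:Sirefef-HO [Rtk]
00:10:42.291 File: C:\\Windows\\system32\\trzBE7E.tmp INFECTED Win32:Sirefef-HO [Rtk]
00:11:16.114 File: C:\\Windows\\assembly\\GAC_32\\Desktop.ini INFECTED Win32:Sirefef-FQ [Drp]
00:11:18.397 File: C:\\Windows\\assembly\\GAC_64\\Desktop.ini INFECTED Win32:Sirefef-HO [Rtk]
00:11:20.000 Scan finished successfully
"""

# One detection line: optional "HH:MM:SS.mmm", then "File: <path> INFECTED <name> [<tag>]".
LINE_RE = re.compile(
    r"^(?:(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+)?"
    r"File:\s+(?P<path>.+?)\s+INFECTED\s+"
    r"(?P<name>\S+)\s+\[(?P<tag>[A-Za-z]+)\]\s*$"
)

# Assumed expansion of the bracketed tags, following Avast's naming convention.
TAG_MEANING = {"Rtk": "rootkit", "Drp": "dropper", "Trj": "trojan"}


def parse_detections(text):
    """Return one dict per detection line; non-matching lines are ignored."""
    detections = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            detections.append(m.groupdict())  # time may be None
    return detections


def family(name):
    """'Win32:Sirefef-HO' -> 'Sirefef': drop the platform prefix and variant suffix."""
    base = name.split(":", 1)[-1]
    return base.rsplit("-", 1)[0]


def classify(detection):
    return TAG_MEANING.get(detection["tag"], "unknown")


def in_windows_dir(path):
    """True for paths under C:\\Windows, the location every line above names."""
    return path.lower().replace("/", "\\").startswith("c:\\windows\\")


def summarize(detections):
    """Group detections the way a reviewer reads a log: by family and by class."""
    return {
        "by_family": dict(Counter(family(d["name"]) for d in detections)),
        "by_class": dict(Counter(classify(d) for d in detections)),
        "system_paths": [d["path"] for d in detections if in_windows_dir(d["path"])],
        "missing_timestamp": [d["path"] for d in detections if d["time"] is None],
    }


if __name__ == "__main__":
    found = parse_detections(SAMPLE_LOG)
    for d in found:
        print(f"{d['time'] or '??:??:??.???'}  {classify(d):8}  {family(d['name']):10}  {d['path']}")
    print(summarize(found))
```

Grouping by family makes the point the poster is asking about visible at a glance: every line in the log is one family (Sirefef) split across a rootkit component and a dropper, and all of them live under the Windows directory.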
These for sure are definitely infections… Did you remove them? If removal fails, boot to Safe Mode and do another scan.
OK, judging by the aswMBR and MBAM logs, I think it’s best you scan with Dr.Web CureIt in SAFE MODE.
http://www.freedrweb.com/cureit/?lng=en - Dr.Web CureIt
I hope I don’t get warned for the 5th time for giving malware removal guides :-\
If you continue, you sure will.
Yes sir! I’ll stop here.
I think we have a new com155 here:
@Mikhail
Wait for Essexboy’s or any of the other trained malware removers’ advice before you do anything.
Haha, well, thanks for the help you gave anyway.
Yeah sure, no prob. BTW, who is com115? O.o
Stop being a spammer, for heaven’s sake. You really want us to report you? Last warning from me. Don’t post again here.
Hi,
Sorry for the delay…
Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2
Note: It is important that it is saved directly to your desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.
It’s cool - timezones and all that. Here’s the log from combofix.
Hi,
[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:
ClearJavaCache::
File::
c:\windows\system32\trzBE7E.tmp
c:\windows\system32\dds_trash_log.cmd
C:\Windows\SysNative\bcoreusb.dll
Folder::
c:\windows\1C4551A64743409391E41477CD655043.TMP
Netsvc::
infrastructure
Driver::
infrastructure
RegLock::
[HKEY_USERS\S-1-5-21-516045585-2200605829-1669517708-500\Software\Microsoft\Internet Explorer\User Preferences]
[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
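As an added example (not part of the thread and not ComboFix's own code), here is a Python reader for a script in the layout shown above: a `Name::` line opens a section and every following non-blank line belongs to it until the next directive. That layout, the path and registry-key checks, and the idea of cross-checking `File::` entries against what the earlier aswMBR scan actually flagged are all my assumptions for the purpose of the example; the sample script is the one quoted above and the set of detected paths is constructed from the aswMBR lines earlier in the thread.

```python
import re

# Constructed sample: the CFScript quoted above, same entries and order.
SAMPLE_SCRIPT = """\
ClearJavaCache::
File::
c:\\windows\\system32\\trzBE7E.tmp
c:\\windows\\system32\\dds_trash_log.cmd
C:\\Windows\\SysNative\\bcoreusb.dll
Folder::
c:\\windows\\1C4551A64743409391E41477CD655043.TMP
Netsvc::
infrastructure
Driver::
infrastructure
RegLock::
[HKEY_USERS\\S-1-5-21-516045585-2200605829-1669517708-500\\Software\\Microsoft\\Internet Explorer\\User Preferences]
"""

# Constructed: the paths the aswMBR scan earlier in the thread reported as
# infected, lower-cased so they compare case-insensitively like Windows paths.
DETECTED_PATHS = {
    r"c:\windows\system32\consrv.dll",
    r"c:\windows\system32\trzbe7e.tmp",
    r"c:\windows\assembly\gac_32\desktop.ini",
    r"c:\windows\assembly\gac_64\desktop.ini",
}

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")          # e.g. "File::"
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")            # absolute drive path
REG_KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.+\]$")      # "[HKEY_...\...]"


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]} (assumed layout, see above)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])   # directive with no entries is valid
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def lint(sections):
    """Human-readable problems with entries, checked before the script is used."""
    problems = []
    for directive in ("File", "Folder"):
        for entry in sections.get(directive, []):
            if not WIN_PATH_RE.match(entry):
                problems.append(f"{directive}:: entry is not an absolute Windows path: {entry}")
    for entry in sections.get("RegLock", []):
        if not REG_KEY_RE.match(entry):
            problems.append(f"RegLock:: entry is not a bracketed HKEY_* path: {entry}")
    return problems


def uncorroborated(sections, detected_paths):
    """File:: entries that no detection in `detected_paths` backs up."""
    return [e for e in sections.get("File", []) if e.lower() not in detected_paths]


if __name__ == "__main__":
    script = parse_cfscript(SAMPLE_SCRIPT)
    for directive, entries in script.items():
        print(f"{directive}:: {len(entries)} entries")
    print("lint:", lint(script) or "ok")
    print("File:: entries not seen in the aswMBR scan:", uncorroborated(script, DETECTED_PATHS))
```

Run against the script above, the cross-check lists dds_trash_log.cmd and bcoreusb.dll: neither appeared in the aswMBR output, so they must have come from the other logs the helper reviewed (ComboFix's own report in this case). That is the kind of thing worth confirming before handing a deletion script to a tool. Note also that on 64-bit Windows, C:\Windows\SysNative is how a 32-bit process reaches the real 64-bit system32, so the third File:: entry points at the same directory as the first two.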
Alright. I did as you said. Here’s the log that it presented.
Edit - It’s approx. 2 hours since I ran ComboFix, and in that time Avast hasn’t had to block any attacks. I think it may have fixed the issue, but I’m not sure.
Hi,
Looks like ComboFix may have knocked it out, but we need to be sure.
Run a new scan with OTL. In the Custom Scans section please place the following:
netsvcs
/MD5START
consrv.dll
bcoreusb.dll
/MD5STOP
CREATERESTOREPOINT
In your next reply please post the log that is created by OTL.
Sorry I took so long to reply.
Hi Mikhail,
Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
[5 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
:Files
C:\Windows\SysNative\bcoreusb.dll
:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)
Hi,
Are you still with me?