Need help with consrv.dll removal

Hi there,

My avast has been showing “Rootkit consrv.dll detected” for two weeks. I have tried to remove it by following a thread in the avast forum, but avast detected another virus, 8000032.S. When I tried to remove it by following another thread, my laptop failed to start and I had to use System Restore. Now it’s back to the consrv.dll problem. It’s getting really annoying because the detection window pops up every 15 minutes. Can anybody help me, please?

Thanks before.

-Ihsan

consrv.dll
If you remove this incorrectly, you may damage your computer.

Follow this guide and attach the logs requested
http://forum.avast.com/index.php?topic=53253.0

One of the certified malware removers will then help you. It may take several hours before they arrive.

Thank you for your prompt reply!

It’s time to do my homework :slight_smile:

Here are the logs for MBAM and OTL. I’ll do aswMBR later. Gotta go now.

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.07.01

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Ihsan :: IHSAN-PC [administrator]

Protection: Enabled

3/7/2012 2:49:05 PM
mbam-log-2012-03-07 (14-49-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 188613
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\ServerNabs7 (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) → Data: http=127.0.0.1:55455 → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
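The log above has the shape every Malwarebytes log of that generation shares: a header, then one "… Detected: N" section per object class, each followed by its items. The parser below is an added example for readers who collect such logs from several machines; it is not code from this thread or from Malwarebytes. It reads the sections into structured records, checks that each section's declared count matches the items actually listed (a cheap way to catch a truncated paste), and flags the pattern worth acting on here: a WinINet ProxyServer value that points at the local machine, as the PUM.Bad.Proxy line does. The sample log is constructed from the post above, with the arrow written as "->" the way MBAM emits it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: header and detection sections of the log posted above.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.07.01

Windows 7 x64 NTFS

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\ServerNabs7 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:55455 -> Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)
"""


@dataclass
class Detection:
    section: str          # e.g. "Registry Values"
    obj: str              # the key, value, file or folder that was flagged
    category: str         # MBAM detection name, e.g. "PUM.Bad.Proxy"
    data: Optional[str]   # registry data, when the line carries any
    action: str           # what MBAM did with it


@dataclass
class MbamReport:
    version: Optional[str] = None
    database: Optional[str] = None
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ARROW = r"\s*(?:->|→)\s*"   # MBAM writes "->"; forum copies often turn it into "→"
ITEM_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<category>[^()]+)\)"
    r"(?:" + ARROW + r"Data: (?P<data>.+?))?"
    + ARROW + r"(?P<action>.+?)\.?$"
)
LOOPBACK_RE = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)


def parse_mbam_log(text: str) -> MbamReport:
    """Turn an MBAM log into an MbamReport. Lines before the first section are
    header lines; only version and database are kept from them."""
    report = MbamReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        if report.version is None and line.startswith("Malwarebytes Anti-Malware"):
            report.version = line.rsplit(" ", 1)[1]
            continue
        if line.startswith("Database version:"):
            report.database = line.split(":", 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            report.counts[section] = int(m.group("count"))
            continue
        if section is None:
            continue
        m = ITEM_RE.match(line)
        if m:
            report.detections.append(Detection(
                section, m.group("obj"), m.group("category"), m.group("data"), m.group("action")))
    return report


def count_mismatches(report: MbamReport) -> Dict[str, int]:
    """Sections whose declared count differs from the items parsed (declared minus
    parsed); a non-empty result usually means a truncated or hand-edited log."""
    parsed: Dict[str, int] = {}
    for d in report.detections:
        parsed[d.section] = parsed.get(d.section, 0) + 1
    return {s: n - parsed.get(s, 0) for s, n in report.counts.items() if n != parsed.get(s, 0)}


def proxy_hijacks(report: MbamReport) -> List[Detection]:
    """ProxyServer detections whose data points WinINet at the local machine, as in
    http=127.0.0.1:55455 above: browser traffic is being routed through a local
    process, so the follow-up is to identify which process owns that port."""
    return [d for d in report.detections
            if d.obj.lower().endswith("|proxyserver") and d.data and LOOPBACK_RE.search(d.data)]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.version, rep.database, rep.counts)
    for d in proxy_hijacks(rep):
        print("loopback proxy:", d.obj, d.data)
```

The count check matters more than it looks: a log pasted without its last section reads as "clean" to a casual eye, and the mismatch is the only evidence that something was cut.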

Hi,

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


- Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

File::
C:\Windows\SysNative\rksample.dll
C:\Windows\SysNative\dds_trash_log.cmd
C:\Windows\tasks\At2.job
C:\Windows\SysWow64\xhysgksg.dat
C:\Windows\SysWow64\krwstaqv.dat
C:\Windows\SysWow64\wwefwwhg.dat
C:\Windows\SysWow64\zyljrtfo.dat
C:\Windows\SysWow64\wyyisqgv.dat
C:\Windows\SysWow64\itfpoiif.dat
C:\Windows\SysWow64\fphmxuxz.dat
C:\Windows\SysWow64\ojigdhmh.dat

Folder::
C:\Users\Ihsan\AppData\Roaming\xszdaqhwsr3qkxvboltembuhh1nnyfmd2
C:\Users\Ihsan\AppData\Local\589ab0b5
C:\Users\Ihsan\AppData\Roaming\xlewayudrk2j31kqp33bchguqkdlrytp2
C:\Users\Ihsan\AppData\Roaming\9679B
C:\Users\Ihsan\AppData\Roaming\038E2
C:\Users\Ihsan\AppData\Roaming\62196
C:\Users\Ihsan\AppData\Roaming\1C503

Netsvc::
uiusys

Driver::
uiusys

- Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Here is the ComboFix log. Thank you, Jeff!

Please run a new scan with OTL
In the Custom Scan section put the following:

netsvc
/md5start
consrv.dll
rksample.dll
/md5stop
createrestorepoint

Post the newly created OTL log into your next reply. :slight_smile:
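The /md5start … /md5stop block asks OTL to locate every file with the listed names and report its MD5, so the helper can compare the hashes against known-good copies. The script below is an added example of the same sweep written as a stand-alone tool; it is not OTL's code and does not reproduce OTL's output format. It walks the given roots, hashes every file whose name matches (case-insensitively), reports MD5 alongside SHA-256, marks each hit as known-good or unknown against a trust list the caller supplies, and lists names that appear in more than one directory. The trust list and the directory tree in demo() are constructed placeholders, not real Windows hashes or paths.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set


def file_hashes(path: str) -> Dict[str, str]:
    """MD5 (what OTL's /md5start reports) plus SHA-256, since MD5 is collision-prone
    and most current hash catalogues are keyed by SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def find_named_files(roots: Iterable[str], names: Iterable[str]) -> List[Dict[str, object]]:
    """Walk each root and hash every file whose name (case-insensitive) is in names."""
    wanted = {n.lower() for n in names}
    hits: List[Dict[str, object]] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if fname.lower() not in wanted:
                    continue
                path = os.path.join(dirpath, fname)
                try:
                    size = os.path.getsize(path)
                    digests = file_hashes(path)
                except OSError:
                    continue  # unreadable file: skip it rather than abort the sweep
                hits.append({"path": path, "name": fname.lower(), "size": size, **digests})
    return hits


def classify(hits: List[Dict[str, object]], known_good: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Mark a hit 'known-good' when its MD5 is in the trusted set for that name, else
    'unknown'. Unknown means 'verify against a vendor catalogue', not 'malicious'."""
    return [{**h, "status": "known-good" if h["md5"] in known_good.get(str(h["name"]), set()) else "unknown"}
            for h in hits]


def names_in_multiple_dirs(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Names present in more than one directory: one copy of a system DLL is
    expected, a second copy elsewhere deserves a closer look."""
    by_name: Dict[str, List[str]] = {}
    for h in hits:
        by_name.setdefault(str(h["name"]), []).append(os.path.dirname(str(h["path"])))
    return {n: d for n, d in by_name.items() if len(set(d)) > 1}


def demo():
    """Constructed sample tree (not a real Windows directory): two files named
    consrv.dll with different content, only one of which is on the trust list."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "System32"))
    os.makedirs(os.path.join(root, "SysWOW64"))
    with open(os.path.join(root, "System32", "consrv.dll"), "wb") as fh:
        fh.write(b"placeholder-known-good")
    with open(os.path.join(root, "SysWOW64", "CONSRV.DLL"), "wb") as fh:
        fh.write(b"placeholder-unknown")
    # Placeholder trust list; in practice the hashes come from a vendor catalogue.
    known_good = {"consrv.dll": {hashlib.md5(b"placeholder-known-good").hexdigest()}}
    hits = find_named_files([root], ["consrv.dll"])
    return classify(hits, known_good), names_in_multiple_dirs(hits)


if __name__ == "__main__":
    classified, duplicates = demo()
    for c in classified:
        print(c["status"], c["md5"], c["path"])
    print("names in multiple directories:", duplicates)
```

On a real system the roots would be the Windows directory and the user profile; the sweep deliberately continues past unreadable files because a locked or permission-denied file is itself a data point worth recording rather than a reason to stop.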

Here is the OTL log, Jeff.

Hi,

Looking better so far. :slight_smile:

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 55455
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

:Files
C:\Windows\SysNative\rksample.dll
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[createrestorepoint]
[start explorer]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)


Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

- Please go here then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

- Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
- Select the option YES, I accept the Terms of Use then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif

- When prompted allow the Add-On/Active X to install.
- Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
- Now click on Advanced Settings and select the following:

- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology

- Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif

- The virus signature database… will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
- When completed the Online Scan will begin automatically.
- Do not touch either the mouse or keyboard during the scan; otherwise it may stall.
- When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
- Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif

- Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

In your next reply please post the logs made by OTL, Malwarebytes and ESET online scanner. :slight_smile:
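The OTL fix above strips two Firefox preferences, network.proxy.http = "127.0.0.1" and network.proxy.http_port = 55455, which are the browser-side half of the same loopback proxy the earlier Malwarebytes log found in the Internet Settings ProxyServer value. The script below is an added example of checking both places from a defender's side; it is not OTL's or Malwarebytes' code. It reads user_pref lines from a prefs.js file, reports any proxy scheme pointed at the local machine together with whether network.proxy.type is set to manual (1), and parses the WinINet ProxyServer string format ("host:port" or "scheme=host:port;…"). The prefs.js text is a constructed sample built from the values in this thread. A hit is a lead, not a verdict: local AV web filters and debugging proxies also listen on loopback, so the next step is to find which process owns the port.

```python
import re
from typing import Dict, List, Union

PrefValue = Union[str, int, bool]

# Shape of a prefs.js line:  user_pref("network.proxy.http", "127.0.0.1");
PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+?)\);\s*$')

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

# Constructed sample prefs.js fragment using the values from the OTL fix above.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 55455);
user_pref("network.proxy.share_proxy_settings", true);
"""


def parse_prefs_js(text: str) -> Dict[str, PrefValue]:
    """Minimal prefs.js reader: strings, booleans and integers; anything else is
    kept as raw text so nothing is silently dropped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        raw = m.group("value").strip()
        value: PrefValue
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[m.group("name")] = value
    return prefs


def firefox_proxy_findings(prefs: Dict[str, PrefValue]) -> List[str]:
    """Report each Firefox proxy scheme that points at the local machine."""
    findings: List[str] = []
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if isinstance(host, str) and host.lower() in LOOPBACK:
            findings.append(f"Firefox {scheme} proxy -> {host}:{port}")
    # network.proxy.type 1 = manual proxy, 0 = no proxy. A loopback entry with
    # type 0 is dormant but still worth removing, so it is flagged separately.
    if findings and prefs.get("network.proxy.type") != 1:
        findings.append("loopback proxy configured but network.proxy.type != 1 (not active)")
    return findings


def wininet_proxy_findings(proxy_server: str) -> List[str]:
    """Internet Settings\\ProxyServer is either 'host:port' or a ';'-separated list of
    'scheme=host:port' entries, e.g. the http=127.0.0.1:55455 seen in the MBAM log."""
    findings: List[str] = []
    for entry in (proxy_server or "").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:                 # entry had no port
            host, port = hostport, ""
        if host.lower() in LOOPBACK:
            findings.append(f"WinINet {scheme or 'all'} proxy -> {host}:{port}")
    return findings


if __name__ == "__main__":
    for f in firefox_proxy_findings(parse_prefs_js(SAMPLE_PREFS)):
        print(f)
    for f in wininet_proxy_findings("http=127.0.0.1:55455"):
        print(f)
```

Once both checks come back empty after the fix, the hosts reset in the same OTL script closes the remaining redirection path, which is why the helper runs them together.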

Hi,

HW’s done :slight_smile:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.08.07

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Ihsan :: IHSAN-PC [administrator]

Protection: Enabled

3/9/2012 5:45:02 AM
mbam-log-2012-03-09 (05-45-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 188920
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Hi,

No log from ESET? If not that means it is all clear.

How is your system running?

Hi Jeff,

Yes, there is. I attached 2 .txt files which are logs from OTL and ESET. ESET found 7 infections. My system is running well. It just sometimes became “not responding” when I ran the OTL scan, but then the scan resumed until it was done. Avast no longer detects anything.

I re-attached the log from ESET.

Thanks!

Hi,

Download CKScanner by askey127 from Here & save it to your Desktop.
- Right-click and Run as Administrator CKScanner.exe then click Search For Files
- When the cursor hourglass disappears, click Save List To File
- A message box will verify the file saved
- Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

Hi,

Are you still with us?? :slight_smile:

Hi,

Yes. Sorry, I had stuff to do on the weekend, so I was offline the whole time. The log is attached. Thanks!

Hi,

Not a problem at all. I was just checking. :slight_smile: I was on a mini-vacation myself this weekend.

CKScanner has detected illegal software on your system. Besides being illegal, it’s the number one way of infecting your system as all cracked/keygen software is infected. This forum, as well as all the other malware removal forums, do not support the use of illegal software except for their removal. If I were to continue helping you with illegal software installed, not only could I not feel confident your system will ever be clean, but it could be construed in the eyes of the law as aiding and abetting a crime.

I have worked up a fix for their removal. If you do not agree to this then this thread will be closed and no further help will be offered. Please let me know if you wish to continue.

Hi,

Yes, I want to continue.

Hi,

- Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

File::
C:\Users\Ihsan\Documents\Flash Drive 01132012\From flash drive\CadSoft Eagle Professional 5.11 Full\keygen\Keygen.exe
C:\Users\Ihsan\Downloads\cnet_bic_setup_exe.exe
C:\Users\Ihsan\Downloads\PowerISO4.7KeyGen.rar
C:\Windows\assembly\temp\U\80000032.@
c:\users\ihsan\documents\flash drive 01132012\from flash drive\antiwpa\antiwpa\amd64\antiwpa.dll
c:\users\ihsan\documents\flash drive 01132012\from flash drive\cadsoft eagle professional 5.11 full\keygen\again.nfo
c:\users\ihsan\documents\flash drive 01132012\from flash drive\cadsoft eagle professional 5.11 full\keygen\file_id.diz
c:\users\ihsan\documents\flash drive 01132012\from flash drive\cadsoft eagle professional 5.11 full\keygen\keygen.exe
c:\users\ihsan\documents\flash drive 01132012\from flash drive\cadsoft eagle professional 5.11 full\keygen\license.key
c:\users\ihsan\downloads\poweriso4.7keygen.rar

- Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Once you get that completed post the new ComboFix log and let me know how your system is running now. :slight_smile:

Hi,

Log is attached. My system is running great. No more pop-up windows for virus detection :slight_smile: Thanks!

Hi,

Glad things are running better. :slight_smile:

Please run a new scan with OTL
In the Custom Scan section put the following:

netsvc
/md5start
consrv.dll
/md5stop
createrestorepoint

Post the newly created OTL log into your next reply.