OTL Analysis for consrv.dll

Hi,
I finally got rid of the Win7 Recovery virus, got everything back to normal like a boss!, almost. I still have this consrv.dll threat spawning again and again. Seems like that problem needs a particular treatment for every case, so I got that “OTL by oldtimer” tool and did the scan. I don’t seem to find an official forum to analyse the result, I noticed there are a few posts of that kind and as I use Avast! I think it’s the best place to post it!

Thank you !

UP: I’ll follow the procedure from “Logs to assist in cleaning malware”

Malwarebytes log

I still have this consrv.dll threats spawning again and again
this can be the ZeroAccess rootkit... continue with the rest of the logs from the guide (“Logs to assist in cleaning malware”). [b]Attach[/b] them, do not copy and paste.

see below: Attachments and other options

Essexboy is notified…

OTL by oldtimer didn’t output the Extras.txt.
Here is the OTL.txt

OTL by oldtimer didn't output the Extras.txt.
that only happens at first run... so have you run it before? Anyway it is not that important... just some extra sys info

Finally aswMBR.txt

Looks like Avast is stopping it from respawning - so let’s kill those files now

Let me know if the alerts continue

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
[2012-02-06 12:31:18 | 000,000,304 | ---- | M] () -- C:\ProgramData\~nkABaemCYmTnry
[2012-02-06 12:31:17 | 000,000,192 | ---- | M] () -- C:\ProgramData\~nkABaemCYmTnryr
[2012-02-06 12:26:45 | 000,000,448 | ---- | M] () -- C:\ProgramData\nkABaemCYmTnry
[2012-02-04 11:52:34 | 000,000,320 | ---- | M] () -- C:\ProgramData\~RGhqt5dtvRJvHx
[2012-02-04 11:52:34 | 000,000,216 | ---- | M] () -- C:\ProgramData\~RGhqt5dtvRJvHxr

:Files
ipconfig /flushdns /c
C:\windows\tasks\At*.job

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here’s the other OTL log, and there’s an output I got after rebooting, I attached it too.
P.S.: At each boot I get a Desktop.ini opening.

That is a known bug with Windows 7 - MS has a small Fix it for it here http://support.microsoft.com/kb/330132 just run the Fix it button

How is the computer behaving now ?

Tried the MS fix, doesn’t work.
And consrv.dll is still there.

Could you re-run aswMBR please as according to the last run it was not there

Here’s the fresh aswMBR log, run as an administrator.

Where is the indication of the infection coming from?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

So during step 2, dumphive.3xe “yes, (three)xe” crashed, after the reboot it crashed again, then ComboFix was telling me not to open any program because it hadn’t finished, it was idle like this for about 10 minutes until I just shut it, I can’t open anything, WordPad, Notepad, Google Chrome, Internet Explorer, avast!, OTL, ComboFix, Adobe Reader, I can’t run any program, I don’t have the consrv.dll threat alert, but I don’t have any anti-virus nor anti-malware, my computer is TOTALLY unoperational, the only thing it will do is tell me I tried an unauthorised operation on a registry key marked as “to delete” (Excuse my raw French/English translation)
The threats were coming from “Objet : c:\Windows\system32\consrv.dll / infection : Win32:Sirefef… / Process : c:\windows\system32\svchost.dll”

and here’s the log.

Sorry for the registry thing, I rebooted as instructed :-[

So after a reboot and an Avast! scan, I got twice the c:\windows\system32\consrv.dll and one c:\windows\system64\consrv.dll which I deleted, the system64 one was unreachable so every action failed, after I shut Avast!, I got the c:\windows\system32\consrv.dll threat pop-up

Up,
So I rebooted to cure the registry issue, once done I waited for Avast! to detect consrv.dll… Nothing, nice. I launched a scan which got me twice the consrv.dll in system32 and consrv.dll in system64 (Wut???), I tried to delete all, but the system64 one has the error, file doesn’t exist.

So I clicked do nothing for the system64 infection, I got that pop-up telling me consrv.dll in system32 was the win32:Sirefef… [HO] and asked me to scan at reboot, during the scan I deleted consrv.dll 3 times, then rebooted, and still get warned about the consrv.dll

The ComboFix log is in my last post.

Yep, they are being respawned; it is the new variant

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV:64bit: - [2009-07-13 20:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\Dell1100_FUService.dll -- (sqlagent$soshome22)
NetSvcs:64bit: sqlagent$soshome22 - C:\Windows\SysNative\Dell1100_FUService.dll (Oak Technology Inc.)

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Re-Run aswMBR

Click Scan

On completion of the scan
Click the Fix Button

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBR_Zero.png

Save the log as before and post in your next reply

I ran OTL with the custom config and it hung during the “flush dns” phase and didn’t respond in any way. CPU usage at idle.

I tried to reboot, the computer was on the “Shutting down” window for 10 minutes… Hard shut, rebooted, ran OTL with the custom config, “Cannot create ipconfig /flushdns /c” and now it’s resetting the HOSTS file forever!

I did the flushdns on my own, and it worked, so I removed the “:Files | ipconfig /flushdns”

And I’ve had a big error message about NetSvcs 64bits blablabla

I can open a few windows in the control panel but most of the time it’s “access denied”

Rebooted, blue screen… Boot repair utility, on reboot OTL output “02102012_130527.txt” which already existed, because when I tried to save it I had to overwrite it.

Still have the “cannot create ipconfig /flushdns” error, and Resetting HOSTS file runs forever, the program isn’t “not responding” but if I click in the window nothing happens, I click the X and it closes without any problem!

A trojan and a DNSChanger were detected, that’s new, reboot, blue screen, boot repair, OTL outputs a file that already exists, boot, OTL, reboot, blue screen, boot repair utility, OTL output, boot, OTL, reboot, blue screen…

Should I re-run aswMBR even if OTL cannot finish its task?

UP, tried to re-run OTL for the tenth time or so, and now the error is “Check Range Error”

OK stop OTL

This variant is now protecting the respawning driver

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Still have consrv.dll, if I scan the dll with Avast it tells me that 2 of them are Rootkit, 1 is Trojan, 1 is Dropper

And here’s the combofix log.

This malware is now changing on a daily basis… This should get it

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File:: C:\Windows\SysNative\Dell1100_FUService.dll

NetSvc::
sqlagent$soshome22

Driver::
sqlagent$soshome22

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
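The two fixes above (the OTL script removing the sqlagent$soshome22 netsvcs entry, and the CFScript deleting its DLL and driver) both target a service that ZeroAccess planted in svchost's netsvcs group. As an added example, not code from this thread, from OTL or from ComboFix, the following audit script lists every netsvcs member with its ServiceDll and Authenticode signer, so an unsigned or oddly signed DLL such as the thread's Dell1100_FUService.dll (“Oak Technology Inc.”) stands out, and then reports on consrv.dll. It assumes 64-bit Windows PowerShell run as Administrator on Windows 7 or later; the Test-SignedDll helper and the output format are this script's own.

```powershell
# Added audit script: not from the thread, OTL or ComboFix.
# Assumes 64-bit Windows PowerShell run as Administrator (a 32-bit shell
# is redirected away from the real System32, which is why OTL reports
# the 64-bit path as SysNative).

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs    = (Get-ItemProperty -Path $svchostKey -Name 'netsvcs').netsvcs

# Helper (this script's own): does the file exist, and who signed it?
function Test-SignedDll {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "NOT VALIDLY SIGNED ($($sig.Status))" }
    return "Valid: $($sig.SignerCertificate.Subject)"
}

# 1. Every member of svchost's netsvcs group, its ServiceDll and its signer.
#    A member whose DLL is not Microsoft-signed (the thread's
#    sqlagent$soshome22 -> Dell1100_FUService.dll) is flagged with "!!".
foreach ($name in $netsvcs) {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name 'ServiceDll' -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }   # listed in the group but not installed here
    # Get-ItemProperty already expands REG_EXPAND_SZ; this is belt and braces.
    $dll    = [Environment]::ExpandEnvironmentVariables($dll)
    $result = Test-SignedDll -Path $dll
    $flag   = if ($result -like 'Valid: CN=Microsoft*') { '   ' } else { '!! ' }
    '{0}{1,-26} {2}  [{3}]' -f $flag, $name, $dll, $result
}

# 2. The consrv.dll that Avast kept flagging: does it exist, and who signed it?
$consrv = Join-Path $env:SystemRoot 'System32\consrv.dll'
"consrv.dll: $consrv -> $(Test-SignedDll -Path $consrv)"

# 3. The csrss server-DLL list. On a stock Windows 7 the "Windows" value
#    names only basesrv, winsrv and sxssrv; compare with a known-clean
#    machine and treat any consrv entry as something to inspect.
$subsys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$windowsValue = (Get-ItemProperty -Path $subsys -Name 'Windows').Windows
"SubSystems\Windows: $windowsValue"
if ($windowsValue -match 'consrv') { '!! consrv is registered as a csrss server DLL' }
```

Run it before and after a fix: a "!!" line that survives a reboot is the respawn the thread describes, and the service name it shows is the one to put in the CFScript's NetSvc:: and Driver:: sections.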