Remove consrv.dll

Hello,

I am one of the unlucky people whose computer is infected with the consrv.dll virus. The virus has installed AV Protection 2011 and Win7 Security 2012. I have been able to remove them from my computer; here are the MBAM log files from both scans:

AV Protection 2011:

Malwarebytes’ Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8221

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

11/22/2011 9:02:36 PM
mbam-log-2011-11-22 (21-02-36).txt

Scan type: Full scan (C:|)
Objects scanned: 361833
Time elapsed: 45 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wSS11ivDD3nF4 (Malware.Packer) → Value: wSS11ivDD3nF4 → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B4E.exe (Malware.Packer) → Value: B4E.exe → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\K666ssWJ7f8234A (Trojan.FakeAlert.CLGen) → Value: K666ssWJ7f8234A → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Owner\AppData\Roaming\dwme.exe (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\microsoft\F5E3\B4E.exe (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\338.9838.exe (Trojan.Exploit.Drop) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\dwme.exe (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\irelxqzjxq (Trojan.Exploit.Drop) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\msimg32.dll (Trojan.Inject) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\nlv.dll (Trojan.Exploit.Drop) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\LocalLow\Sun\Java\deployment\cache\6.0\16\773490-120886de (Trojan.Exploit.Drop) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\microsoft\F5E3\9DC6.tmp (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\microsoft\F5E3\A881.exe (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\Owner\downloads\jeopardysetup-dm.exe (Adware.TryMedia) → Quarantined and deleted successfully.
c:\Users\Owner\downloads\whitesmokewritergeo5002_en.exe (Trojan.Downloader) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\ldr.ini (Malware.Trace) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\yllloontxp0\av protection 2011v121.exe (Trojan.FakeAlert.CLGen) → Quarantined and deleted successfully.


And the Win7 Security 2012:

Malwarebytes’ Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8309

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

12/13/2011 9:31:58 PM
mbam-log-2011-12-13 (21-31-58).txt

Scan type: Full scan (C:|)
Objects scanned: 338681
Time elapsed: 1 hour(s), 11 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Owner\AppData\Local\nmr.exe (Trojan.ExeShell.Gen) → Quarantined and deleted successfully.


I’m certain the scans didn’t remove consrv.dll, so I’m continuing with the process as posted in:

http://forum.avast.com/index.php?PHPSESSID=8u4ove5q4mmj4jr0c7brobb2o5&topic=53253.0

The OTL logs will be in the next post…

Thanks to anyone who helps,
-KLOK
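The two MBAM logs above share one fixed layout: a summary block of per-section counts, then one detail section per category with a `<path> (<family>) -> <action>` line per detection. As an added example, written for this page and not KLOK's or Malwarebytes' code, here is a small Python parser that turns such a log into records, checks that the summary counts agree with the detail lines (a quick way to spot a truncated paste), tallies detections per family, and lists the autostart entries under the Run key, which is what a helper reviewing these logs looks at first. The embedded sample is an excerpt of the first log in the post; the "→" arrows are how the forum rendered MBAM's "->", and the parser accepts both.

```python
import re
from collections import Counter

# Excerpt of the first MBAM log from the post above (header metadata and the
# empty sections omitted). Raw string, so the Windows backslashes stay intact.
SAMPLE_LOG = r"""
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) → Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wSS11ivDD3nF4 (Malware.Packer) → Value: wSS11ivDD3nF4 → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B4E.exe (Malware.Packer) → Value: B4E.exe → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\K666ssWJ7f8234A (Trojan.FakeAlert.CLGen) → Value: K666ssWJ7f8234A → Quarantined and deleted successfully.
Files Infected:
c:\Users\Owner\AppData\Roaming\dwme.exe (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\microsoft\F5E3\B4E.exe (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\338.9838.exe (Trojan.Exploit.Drop) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\dwme.exe (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\irelxqzjxq (Trojan.Exploit.Drop) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\msimg32.dll (Trojan.Inject) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\nlv.dll (Trojan.Exploit.Drop) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\LocalLow\Sun\Java\deployment\cache\6.0\16\773490-120886de (Trojan.Exploit.Drop) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\microsoft\F5E3\9DC6.tmp (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\microsoft\F5E3\A881.exe (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\Owner\downloads\jeopardysetup-dm.exe (Adware.TryMedia) → Quarantined and deleted successfully.
c:\Users\Owner\downloads\whitesmokewritergeo5002_en.exe (Trojan.Downloader) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\ldr.ini (Malware.Trace) → Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\yllloontxp0\av protection 2011v121.exe (Trojan.FakeAlert.CLGen) → Quarantined and deleted successfully.
"""

# "X Infected: N" is a summary line; a bare "X Infected:" opens a detail section.
SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                        r"Registry Data Items|Folders|Files) Infected:\s*(\d+)?$")
ARROW_RE = re.compile(r"\s*(?:->|→)\s*")   # MBAM writes "->"; the forum shows "→"
HEAD_RE = re.compile(r"^(.*)\s\((.+)\)$")   # "<path> (<family>)"

def parse_mbam_log(text):
    """Return one dict per detection line: section, path, family, value, action."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1) if m.group(2) is None else None
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue
        parts = ARROW_RE.split(line)
        hm = HEAD_RE.match(parts[0])
        if not hm:
            continue  # unknown line shape; skip rather than guess
        path, family = hm.groups()
        value = next((p[len("Value: "):] for p in parts[1:-1] if p.startswith("Value: ")), None)
        records.append({"section": section, "path": path, "family": family,
                        "value": value, "action": parts[-1] if len(parts) > 1 else ""})
    return records

def declared_counts(text):
    """Per-section counts from the summary block at the top of the log."""
    counts = {}
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m and m.group(2) is not None:
            counts[m.group(1)] = int(m.group(2))
    return counts

def count_mismatches(text):
    """Sections whose summary count disagrees with the detail lines (e.g. a truncated paste)."""
    found = Counter(r["section"] for r in parse_mbam_log(text))
    return {s: (n, found.get(s, 0)) for s, n in declared_counts(text).items() if found.get(s, 0) != n}

def family_summary(text):
    """Number of detections per malware family, across all sections."""
    return Counter(r["family"] for r in parse_mbam_log(text))

def run_key_persistence(text):
    """Value names removed from a CurrentVersion Run key: the autostart entries of the fake AV."""
    return [r["value"] for r in parse_mbam_log(text)
            if r["section"] == "Registry Values" and "\\currentversion\\run\\" in r["path"].lower()]

def not_removed(text):
    """Paths whose action is anything other than 'Quarantined and deleted'."""
    return [r["path"] for r in parse_mbam_log(text)
            if not r["action"].startswith("Quarantined and deleted")]
```

Running `count_mismatches(SAMPLE_LOG)` on the excerpt returns an empty dict, `family_summary` shows Malware.Packer and Trojan.Exploit.Drop as the dominant families, `run_key_persistence` returns the three HKCU Run values, and `not_removed` is empty, which is the same conclusion a reader draws by eye from the log: everything MBAM saw was quarantined, and whatever is still loading consrv.dll was not in that list.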

Hey, and welcome to the forum, klok.

Post the OTL when you can so our malware expert can have a look at it when he is online.

He will give you further instructions on how to proceed from there.

Are you using Windows XP, or?

When your computer is clean you might wanna upgrade to Service Pack 3.

KLOK,

essexboy is our resident malware expert here, and as it is now 2:34 AM CST here and 8:34 AM in Britain, it will be a while before he can help. I understand he comes here after he is done at work in the U.K., so the earliest you will hear from him is around 12:00 CST USA time here.

EDIT: Do not mean to post the same as mikaelrask, but as he says, info re your OS should be useful. In any case, OTL will give that info in the log it produces when it is run.

A word of caution: It is best to follow essexboy’s guidance in utilizing malware cleaning tools, as a wrong move can result in damage to your OS, or worse, not being able to reboot back into Windows if any of these tools are used improperly. This to me would mean not running OTL or any other cleaning tool w/o being instructed to do so. Thought you might want to know.

Aye, run the scans as stated in the thread, as they are analysis tools for the initial run.

I’m running Win7, and just a quick question: what does OTL actually do?

As said, primarily it analyses the system and produces a report, and from that report a malware removal specialist, like essexboy, compiles a fix which is then applied on another run of OTL. That information may also indicate to him if other tools need to be used.

Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information there about getting the logs, and attach them here, not in the LOGS topic.