Hi all, a few days ago, my computer became infected with the google redirect virus (ZeroAccess, affecting both firefox and chrome, not sure about IE, because I don’t use that unless I absolutely have to). As a result of this virus, PING.exe began running and using up to 99% of my CPU, whilst pinging seemingly random sites. After multiple scans with MBAM and avast!, not to mention having to repair my registry so I could boot after said programs removed consrv.dll, I was finally able to regain control of my computer, and most traces of the rootkit seemed to be gone.
However, every 10-15 minutes, without fail, avast! blocks svchost.exe from re-installing consrv.dll.
One of my acquaintances, who claimed to be familiar with such things, ran combofix once or twice in an attempt to solve my problems. Having looked at the forums after that didn’t help, I realize now that letting him do so was probably a bad idea. However, my computer still works otherwise normally, so hopefully no significant damage was done by his use of that tool.
Attached are, in order, my MBAM Log, my OTL log, and my aswMBR log.
I’ll be awaiting further help, and won’t try to do any further repair on my own (or allow anyone else to try, for that matter)
Thanks,
Rich
If you have the other ComboFix logs on your system, could you post those so that we can have a look at those as well. They should be in your C:\ folder, named ComboFix.txt. Thanks
Yes the infection is still on your system so as soon as we see what the old ComboFix logs reveal we can continue. If you don’t have them just let me know and we can move on.
Sure thing, here you go, here’s both (I’m not sure what he did in between the two runs, so I can’t really account for any discrepancies.)
Also, looking at the two files briefly, I think, but I’m not sure, that the file titled ComboFix2 was actually the first one that was run, but I’m not positive.
Thanks for the speedy reply!
Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.
Disable your AntiVirus and AntiSpyware applications.
Double click on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
Hi there,
I did as you requested and deleted and then redownloaded and ran combofix. Upon reboot, however, I have found that I am unable to run any programs as a normal user, getting the error message “Illegal operation attempted on a registry key that has been marked for deletion.” I can launch certain programs (like avast or chrome) as administrator, but cannot connect to the internet (dns error), and I have found that the consrv.dll file has returned (I can’t tell what else has, because I’m unable to access task manager.) I’m typing this from my phone, so I unfortunately cannot attach the combofix log you requested.
Go ahead and reboot the system and that should clear it up. ComboFix just has not released the registry. You may have to reboot a couple of times but it is not a problem. Once you get that fixed up post the new ComboFix log.
Hi, when I tried rebooting, my system bluescreened with the message:
“STOP: c0000135 The program can’t start because %hs is missing from your computer. Try reinstalling the program to fix this problem.”
Windows repair utility can’t fix the problem, and I checked my subsystem windows keys, thinking the winsrv line might have been changed to consrv (as this rootkit seems to like to do) but I was unable to find a solution.
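The two symptoms the thread describes (PING.exe pegging the CPU, and svchost.exe reinstalling consrv.dll with the Session Manager SubSystems value pointing at consrv instead of winsrv) can be checked without changing anything. The script below is an added example written for this thread; it is not code from the thread, from ComboFix, OTL or any other tool mentioned here. It assumes a Windows 7-style layout (System32, the `SubSystems` key under `Session Manager`), PowerShell 3 or later, and an elevated prompt; it only reads and reports.

```powershell
# Added example, not code from the thread or from any tool it mentions.
# Read-only checks for the symptoms described above; run from an elevated
# PowerShell 3+ prompt. Nothing is modified, deleted or killed.
# Assumed: Windows 7-era layout (System32, Session Manager\SubSystems key).

$SubSystemsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'

function Test-SubSystemsWindowsValue {
    # The "Windows" value lists the subsystem server DLLs (ServerDll=winsrv:...).
    # The thread describes the rootkit swapping winsrv for consrv in this line.
    $value = (Get-ItemProperty -Path $SubSystemsKey -Name 'Windows').Windows
    Write-Host "SubSystems\Windows = $value"
    if ($value -match 'consrv') {
        Write-Warning 'ServerDll references consrv instead of winsrv: matches the hijack described in the thread.'
        return $false
    }
    if ($value -notmatch 'winsrv') {
        Write-Warning 'No winsrv reference found; the value has been altered.'
        return $false
    }
    Write-Host 'ServerDll references winsrv as expected.'
    return $true
}

function Test-ConsrvDll {
    # consrv.dll is the file avast! kept blocking in the thread. Report it if present,
    # with its Authenticode status (a genuine subsystem DLL carries a Microsoft signature).
    $path = Join-Path $env:SystemRoot 'System32\consrv.dll'
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host 'consrv.dll is not present in System32.'
        return $true
    }
    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    Write-Warning ('consrv.dll present: {0} bytes, modified {1}, signature status {2}' -f
        $file.Length, $file.LastWriteTime, $sig.Status)
    return $false
}

function Get-PingProcessReport {
    # PING.EXE started by a user normally has cmd.exe as its parent; in the thread it
    # was consuming the CPU with no user having launched it, so the parent is the clue.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'PING.EXE'" | ForEach-Object {
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $proc   = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid         = $_.ProcessId
            CpuSeconds  = if ($proc) { [math]::Round($proc.CPU, 1) } else { $null }
            ParentPid   = $_.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '(exited)' }
            CommandLine = $_.CommandLine
        }
    }
}

# Run every check (each one runs even if an earlier one fails) and summarise.
$registryOk = Test-SubSystemsWindowsValue
$fileOk     = Test-ConsrvDll
$pings      = @(Get-PingProcessReport)
if ($pings.Count -gt 0) {
    Write-Warning ('{0} PING.EXE process(es) running:' -f $pings.Count)
    $pings | Format-Table -AutoSize
} else {
    Write-Host 'No PING.EXE processes running.'
}
if ($registryOk -and $fileOk -and $pings.Count -eq 0) {
    Write-Host 'None of the indicators described in the thread were found.'
}
```

Run it before and after a cleanup to see whether the registry value and the file have actually stayed fixed across a reboot; the script deliberately does not repair anything, since in this thread the registry repair was what left the machine unbootable.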
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
Hi there, I ran ComboFix with the script you provided, here’s the log.
Three questions though,
One, in the log, it says that I had windows defender enabled. I specifically checked before running CF to make sure it was disabled. I’m unsure if this impacted CF’s ability to run in any way.
Two, I now have a file named desktop.ini on my desktop, I’m not quite sure what to do with or about it.
Three, I’m once again having the problem wherein I’m unable to run any programs without running them as admin. I’m cautious about rebooting at the moment, because if I have to system restore in order to start windows again, will that just undo everything we’ve done with ComboFix thus far?
Well, ignore question 3 from that post, I rebooted and everything’s running fine. My searches are no longer being hijacked, and thus far, avast! hasn’t notified me of having to stop any reinstallations of consrv.dll. I’ll obviously wait for your confirmation before uninstalling anything or making any major changes, but I’m just giving you a status update.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
- Then click the Run Fix button at the top.
- Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
- Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time).
Here you go, here’s the Fix Log and the OTL Log.
One thing I noticed in glancing over the fix log is that there’s a user account on my system named “Updatus User”. It’s not listed under user accounts in my control panel, and it doesn’t seem to have any files of its own. It also doesn’t seem to have any permissions, so I’m not too worried about it, just curious if you know what this could be.
NVIDIA Corporation will create an account named “Updatus User” so that it will already have permissions on your system and updates will perform smoothly.
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
ESET Online Scanner:
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
- Note: If using Mozilla Firefox, you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install. All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
- Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
- When prompted, allow the Add-On/Active X to install.
- Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
  - Scan for potentially unwanted applications
  - Scan for potentially unsafe applications
  - Enable Anti-Stealth Technology
- The virus signature database… will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
- When completed, the Online Scan will begin automatically.
- Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
- When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
- Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
- Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
In your next reply please post the logs made by Malwarebytes and ESET online scanner. Also how is your system running?