Sirefef.b, consrv.dll

Afternoon,

Got a co-worker’s computer with a sirefef.b infection. Very similar to a few other posts here, every time it restarts MSE finds C:\Windows\system32\consrv.dll and removes it, but the registry is already altered to look for that file. I can get the computer to restart by altering the registry using a recovery CD but consrv.dll returns and re-edits the registry. Running a scan from the recovery CD finds the C:\Windows\assembly\GAC_32\Desktop.ini (and …\GAC_64.…) but deleting them makes no difference. In Safe Mode, RKill stops the rundll32.exe process and a Malwarebytes scan finds various registry key agents which all seem to be related to C:\Windows\system32\grpconv.exe through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv. Also tried renaming grpconv.exe to GARBAGEgrpconv.exe from the recovery CD - didn’t delete it though.

An IT guy ran ComboFix at some point before I got the computer but I don’t know if it solved anything. I have attached the logs but they may not be relevant anymore. MSE was installed after these logs were created, and Sophos was disabled (but the folder is still there and can’t be deleted).

Thanks!

Follow this guide and attach logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

Hi, I will need to see the OTL log to determine the files which are driving the protection service.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.13.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
hbilly :: HBILLY [administrator]

3/14/2012 2:38:43 PM
mbam-log-2012-03-14 (14-38-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260681
Time elapsed: 2 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thank you!

OK, got the file.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\NxSysMon.dll

NetSvc::
BVRPMPR5

Driver::
BVRPMPR5

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Running ComboFix. In the meantime, here’s the aswMBR log:

Thanks again!

Looks like there may be a second protection service running according to aswMBR, so I will see what ComboFix tells me.

Might be Sophos, which doesn’t appear in the installed programs list, but its folder is still there and can’t be deleted, or MSE, but I thought I disabled that before running anything.

Is it usual for ComboFix to hang the computer with a black screen and a mouse cursor on it after the reboot? Been like that for about 5 minutes.

If necessary I can delete the Sophos folder from the recovery disk.

No, it does not look like a Sophos file.

Give it another five minutes or so as it can take a while - it needs to reset a lot of registry settings with this infection.

Still rebooting but seeing disk activity so I’m just gonna let it run unless told otherwise.

I’ll be leaving the office within the hour and returning to this problem tomorrow. ComboFix ran and the computer is still restarting, still showing disk activity. If that completes and the log is available before the end of the day today I’ll post it immediately. Unfortunately I’m working at a mine site so staying late isn’t an option right now unless I want to stay the night :smiley:

No problem, see you when you get back.

Twelve hours later, no change to the computer’s status. Still a black screen with a cursor. Looks like the only thing to do is try to turn it off and on again and see what’s there.

Yes, reboot the system and see if ComboFix generates the log.

If not, then re-run the OTL quick scan with this script:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
/md5stop
C:\Windows\assembly\tmp\U*.* /s
Drives
CREATERESTOREPOINT

ComboFix has generated a log, please find it attached. It is quite heartening that the computer actually started without giving the “%hs missing” error!

Also, not sure if this is relevant or not, but trying to open any application on the machine produces an error, “Illegal operation on a registry key that has been marked for deletion.”

Have you rebooted twice after running ComboFix?

Just restarted again, all the applications work. MSE is disabled, won’t turn it on again until told to, so I don’t know offhand if anything is still there or not. A look in the registry shows that “HKLM\System\ControlSet001\Control\Session Manager\SubSystems\Windows” is pointing to winsrv.dll instead of consrv.dll so that hasn’t been changed - looking good.
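An added check, not code from the thread or its participants, that parses the Session Manager\SubSystems\Windows value the posts above are checking by hand: it lists every ServerDll= entry in the csrss.exe command line and flags any DLL outside the stock basesrv/winsrv pair (the infection described here swaps the console server entry to consrv). The two sample values are constructed; the live read assumes a Windows host and the CurrentControlSet path.

```python
"""Detect a hijacked Win32 subsystem command line (Sirefef/ZeroAccess consrv.dll pattern)."""
import re

# DLL base names csrss.exe legitimately loads on Windows 7 (assumption: x64 SP1 as in the thread).
KNOWN_GOOD = {"basesrv", "winsrv"}

# Constructed sample: a clean Windows 7 value, and one altered the way the thread describes.
CLEAN = (r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
         "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
         "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
         "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
         "MaxRequestThreads=16")
INFECTED = CLEAN.replace("winsrv:ConServerDllInitialization",
                         "consrv:ConServerDllInitialization")


def server_dlls(value):
    """Return the DLL base names from every ServerDll= entry, in order."""
    # Each entry has the shape ServerDll=<dll>[:<init function>],<index>
    return [m.group(1).lower() for m in re.finditer(r"ServerDll=([^:,\s]+)", value)]


def suspicious_dlls(value):
    """Return ServerDll names that do not belong in a stock subsystem command line."""
    return [d for d in server_dlls(value) if d not in KNOWN_GOOD]


def read_live_value():
    """Read the real value on Windows; return None elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, "Windows")
        return value


if __name__ == "__main__":
    checks = [("clean sample", CLEAN), ("infected sample", INFECTED),
              ("this machine", read_live_value())]
    for label, val in checks:
        if val is None:
            continue  # not running on Windows, skip the live check
        bad = suspicious_dlls(val)
        print(f"{label}: {'SUSPICIOUS ServerDll ' + ', '.join(bad) if bad else 'ok'}")
```

A hit on consrv here matches the symptom in the first post: MSE deletes the DLL but the registry still names it, so csrss fails to start after reboot until the value is restored to winsrv.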

Yep, looks good, just one or two more things to do on the repair side now. The minor problem was ComboFix failing to release the registry.

  1. Exit all programs.
  2. Click Start, and then click Control Panel.
  3. Under System and Security, click Find and Fix Problems.
  4. In the Task pane, click View All.
  5. Click Internet Explorer Performance.
  6. In the new window, click Next.
     Note: The troubleshooter runs and fixes all identified issues automatically.
  7. Click Close.

That should reset Winsock.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\system32\int15.dll
C:\Windows\system32\NCPro.dll
C:\Windows\system32\NxSysMon.dll
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

NetSvc::
BVRPMPR5
AmdLLD
eeyeevnt

Driver::
BVRPMPR5
AmdLLD
eeyeevnt

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

“Internet Explorer Performance” is not an option for me - please see the included screencap for the Troubleshoot options that are available.