The dreaded "consrv.dll" virus again....

Hello…

I’m afraid I got the “consrv.dll” virus thing somehow, and though Avast found it in both system32/64 folders and deleted it, I am afraid to make a restart, as I fear it may not re-boot, as others have mentioned in various similar threads here…

I also tried to alter the registry entry back to “winsrv”, as suggested in this forum, but it just doesn’t change; as soon as I click OK, I can see it reverts back to the dreaded “consrv”, probably because the virus is still active in memory?..

And this is the reason I’m afraid to restart the PC now…

Please, help!
What should I do now?

Thanks in advance…
Gregg

You shouldn’t have deleted the file. Anyway, I know how to fix this problem, but I don’t want to take the chance of making your computer unbootable. I would request you to wait until our malware removal expert essexboy arrives at night; till then, follow the link to the guide below and attach the logs here in your next reply:
http://forum.avast.com/index.php?topic=53253.0

Thank you for the reply…
I’ll follow the guide you told me and post back the results…
Crossing fingers now!

Can you restore the malware file? If so, you will retain the booting ability.

Well…
I’m not sure I can restore it, but I’ll give it a try…

In the meantime, running the Anti-Malware found no malicious items.
So at the end there was no “Show Results” option to choose.
Here’s a copy-paste of the log it generated…

Malwarebytes' Anti-Malware 1.51.2.1300 www.malwarebytes.org

Database version: 8346

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/?e?/2011 15:02:58
mbam-log-2011-12-10 (15-02-58).txt

Scan type: Quick scan
Objects scanned: 194985
Time elapsed: 1 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Let’s see if I can get back that malware file now…

Thanks for the help!
Gregg

If you cannot do that, then we will take the bull by the horns and run Combofix.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the Combofix log in your next reply, as well as describe how your computer is running now.

Well…
Running ComboFix, though it all started correctly, at some point the screen went black and only the mouse cursor could be seen, but it was frozen and couldn’t be moved…
The only option was to push the reset button, unfortunately, and “what a surprise”, I couldn’t log into Windows anymore…

On the next reset/restart it invoked the built-in System Repair boot-up, and it went and restored Windows to some point, probably before the virus attack, because the system booted up correctly with the next restart…

I’m not sure what’s going on now, what’s affected, what is not, or what files I may be missing due to the restore point, but I did boot into Windows correctly…

But, since I was forced to reset, I don’t think I have a log file from what OTL did…

What should I do next?

Edit: Sorry, said it was OTL, but in fact I was running ComboFix…

EDIT: Use Combofix as specified by essexboy…

Sorry, said I was running OTL, but in fact I was running ComboFix…
Which resulted in the problems mentioned in my last post…

Should I run ComboFix again?

Now, Avast scanning in Windows and during boot-up didn’t find anything.
Also, I have in the root of the C drive two folders called “ComboFix” and “Qoobox”…

What should I do now?

c:\combofix.txt

Attach that file here in your reply using the additional options provided on your post reply page.

That file does not exist in C:\ root, but rather in the C:\ComboFix\ folder.
Is it the same as the one you mentioned?

Also, since the one time I ran ComboFix it didn’t finish correctly (Windows locked up), all the info it has inside is this:

ComboFix 11-12-10.01 - Gregory 0/?e?/2011 15:39:03.1.12 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.24574.20602 [GMT 2:00]
Running from: C:\Users\Gregory\Desktop\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Disabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

Should I run it again?
I won’t do anything unless you tell me to… :)

Yes please - it was the removal of the file that caused the problem.

Ok…
This time it finished correctly and then it restarted the PC…
When back in Windows again, it generated the attached file…

I don’t have a clue as to what it did, though… ;D

Here’s waiting for feedback…

Combofix removed all the residue files and folders.

Let’s check for orphans now - what problems do you have?

Please download Malwarebytes’ Anti-Malware

  • Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Well…
I haven’t checked everything, but most of the apps and the system seem to work okay, with one exception. There are a couple of small programs/utilities that don’t run, even when I re-install them. I get a popup saying: “A device attached to the system is not functioning”.

Mbam found nothing…
Here’s the log:

Malwarebytes' Anti-Malware 1.51.2.1300 www.malwarebytes.org

Database version: 8349

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

11/?e?/2011 01:25:00
mbam-log-2011-12-11 (01-25-00).txt

Scan type: Quick scan
Objects scanned: 194587
Time elapsed: 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What’s next please?
Thanks for everything so far!
Gregg

“There are a couple of small programs/utilities that don’t run, even when I re-install them. I get a popup saying: ‘A device attached to the system is not functioning’.”
What programmes are these?

Do Windows updates work?

Windows Update works and I’m currently downloading 20 updates (177MB)…

The programs that didn’t start were Java related, but after a Windows restart everything was running fine. Weird behavior, if you ask me…

Anyway, I haven’t found anything else problematic so far, except of course a couple of apps that were removed from the system due to going back to that restore point, but that’s okay; I can re-install them anytime…

Everything seems fine now, but I still have a bitter taste that everything is so fragile with Windows…

Is there anything else I should do now?

Thanks!
Gregg

Windows Update finished, installed correctly, Windows restarted and all seems well so far…

Leave it to run for a day or so, and if all seems good let me know and I will remove my tools ;D

Okay, thanks!
I’ll let you know tomorrow… ;)

Thanks again!
Gregg