Unable to find/remove dropper for consrv.dll

Hi all, my system seems to be infected with a ZeroAccess variant which keeps dropping consrv.dll in \system32.

When I run ComboFix it removes it, but after a reboot I get a BSOD saying that the file consrv.dll is missing, so I fix the registry entry in hklm\system\currentcontrolset\control\session manager\subsystems so that it loads winsrv instead of consrv. My Windows does boot then, but the consrv.dll file gets dropped again and the registry is changed again…

I’ve attached the OTL logs and I’ll be running ComboFix now to post that log.

Thanks to anyone who’s willing to assist me…
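A read-only check of the persistence point described above, added here as an example (it is not from the thread or from any of the tools mentioned): it parses the SubSystems\Windows value for ServerDll entries that are not the stock CSRSS server DLLs, and reports whether consrv.dll is present in System32. The list of expected DLLs (basesrv, winsrv, sxssrv) is an assumption for a clean Windows 7 install.

```powershell
# Added example, not from the thread. Reads the Session Manager SubSystems key and
# flags any ServerDll entry that is not a stock CSRSS server DLL, then checks for
# the dropped file. Run from an elevated 64-bit PowerShell so System32 is not
# redirected to SysWOW64. Nothing here modifies the system.

$subsystemsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
# Assumption: on a clean Windows 7 system the CSRSS server DLLs are exactly these three.
$expectedServerDlls = @('basesrv', 'winsrv', 'sxssrv')

function Get-SubsystemServerDlls {
    param([string]$WindowsValue)
    # The 'Windows' value is one long command line; pull the DLL name out of every
    # ServerDll=<dll>[:<entrypoint>],<n> token (e.g. ServerDll=winsrv:ConServerDllInitialization,2)
    $dlls = @()
    foreach ($token in ($WindowsValue -split '\s+')) {
        if ($token -match '^ServerDll=([^:,]+)') { $dlls += $Matches[1].ToLower() }
    }
    return $dlls
}

$windowsValue = (Get-ItemProperty -Path $subsystemsKey -Name 'Windows').Windows
$found      = Get-SubsystemServerDlls -WindowsValue $windowsValue
$unexpected = $found | Where-Object { $expectedServerDlls -notcontains $_ }

Write-Host "ServerDll entries: $($found -join ', ')"
if ($unexpected) {
    # This is the modification described in the post: the console server entry
    # rewritten to load consrv instead of winsrv.
    Write-Warning "Unexpected CSRSS server DLL(s) in SubSystems\Windows: $($unexpected -join ', ')"
} else {
    Write-Host 'SubSystems\Windows references only the expected server DLLs.'
}

# The dropped file itself: consrv.dll has no legitimate reason to exist in System32.
$dropped = Join-Path $env:SystemRoot 'System32\consrv.dll'
if (Test-Path $dropped) {
    $item = Get-Item $dropped -Force
    Write-Warning "$dropped is present ($($item.Length) bytes, modified $($item.LastWriteTime))"
    Get-AuthenticodeSignature $dropped | Select-Object Status, SignerCertificate
} else {
    Write-Host "$dropped not present."
}
```

If the registry entry is clean but the file keeps returning after reboot, the reinfection path is elsewhere (the script above only confirms the symptom, it does not find the dropper).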

And here is the ComboFix log…

I just noticed essexboy’s post about the additional/custom options I should have added to the OTL scan.

I did that and uploaded a new log for it.

(This is after a reboot, and you’ll notice consrv.dll is dropped again in the folder.)

OK, let’s get at it.

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File:: C:\Windows\SysNative\anio.dll

Folder::
C:\ProgramData~McyWfkJP4BjPDF
C:\ProgramData~McyWfkJP4BjPDFr
C:\ProgramData\McyWfkJP4BjPDF
C:\Users\Silvia\AppData\Local\kh3qs48dih40153ek5o00e1f314h7l353470i8u4m5rfk
C:\ProgramData\kh3qs48dih40153ek5o00e1f314h7l353470i8u4m5rfk

NetSvc::
tosrfsnd

Driver::
tosrfsnd

Save this as CFScript.txt, in the same location as ComboFix.exe.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

OK, the log after running it with CFScript.

OK, I scanned the PC some more with MBAM, SUPERAntiSpyware, TDSSKiller, … it appears to be clean now. I rebooted the PC several times and consrv.dll didn’t come back.

So you helped me a lot, thank you kindly, sir…

Could you now do a fresh run with the OTL quick scan please, to check for lurkers?