Yet more conserv.dll / Sirefef.. Please save me essexboy

So a friend asked me to fix her computer… After hours of removing malware I find I am left with a rootkit to deal with. MBAM keeps telling me ping.exe is attempting to establish an outbound connection to various IPs.

Shall we begin with an aswMBR scan and an OTL log?

Seems to be the ZeroAccess rootkit…

Essexboy is notified. He is usually in here around 08:00pm - 11:59pm UK time

Hi there

Re-Run aswMBR

Click Scan

On completion of the scan, click the Fix button

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBR_Zero.png

Save the log as before and post in your next reply

Ok just got home from work. Starting scan/fix/log now.

OK, so I ran the scan and then the fix. Was expecting it to allow me to save a log, but it rebooted upon finishing the fix cycle. So I ran the scan again once it booted back up and here are the results.

If this procedure requires System Restore to fix the infection then things may be more difficult, since I ran Windows Update after clearing all the malware before I found out there was a rootkit, so it created an infected restore point.

It has been about 4 hours since the fix/reboot and I have not seen any more warnings from MBAM concerning outgoing traffic, or any other warnings in the MBAM log, so looking good so far.

Guess I spoke too soon. One hour later svchost.exe attempts an outbound connection to 91.207.60.22

Run this OTL fix please and then re-run aswMBR

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini 
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\assembly\temp\U

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Done

Issues encountered…

• Forgot to uncheck "start with Windows" on MBAM, so it was running after reboot. Killed it before running the requested scan.
• OTL started up with Windows after reboot and spat out a log file. Hope MBAM starting with it didn't mess up any post-reboot fixes.

Logs here

OK this one is a tad resilient

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Running ComboFix now. It will say in the report that it detected AVG, but AVG has been uninstalled for a while now and I can verify that no AVG program files or services are left on this box. It must be detecting some registry entries that never got completely removed on uninstall.

Yeah, this one is quite resilient and I had already resorted to running ComboFix before I came here, with no luck. And Microsoft Safety Scanner just messed things up to where it would not boot and had to be restored to repair it when removing Fakerean.

ComboFix results are ready

Blue screened after a bit and then failed to restart Windows… had to restore from the OTL restore point to get it back up. Reaction to ComboFix removing conserv.dll?

OK, after reading up a bit more and looking through the registry, this is the consrv.dll variant that loads via csrss.exe by replacing winsrv.dll

Time to die Max++ consrv

Need a way to remove consrv.dll and fix the reg keys during reboot or off a bootable drive

Not sure why combofix failed

OK I can remove it - it is the new variant - but I do need to see the netsvc name to remove it
You must have missed scripting this part

So run OTL again with this in the custom scans box

• Run OTL.
• Select All Users
• Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open one notepad.

Ok here is the log.

I am also noting that this thing disabled Windows Defender from starting. Got a fix for that?

Yep, whilst I look at the log

Run Farbar Service Scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/fss.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Looking at your other thread, it looks like the dropper posing as a service is: [2009/07/13 20:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\SECYPUSB.dll -- (SMCB000)

Here is the log, hope you get some useful data

OK got the blighter

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV:64bit: - [2009/07/13 20:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\SECYPUSB.dll -- (SMCB000)
NetSvcs:64bit: SMCB000 - C:\Windows\SysNative\SECYPUSB.dll (Oak Technology Inc.)
[2012/02/07 20:56:50 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2011/06/21 19:07:25 | 000,012,054 | -HS- | C] () -- C:\Users\Tara Evans\AppData\Local\55m6d713s7tde328841cv6817j237g313e60evj
[2011/06/21 19:07:25 | 000,012,038 | -HS- | C] () -- C:\ProgramData\55m6d713s7tde328841cv6817j237g313e60evj

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and run the MS Fixit on this page http://support.microsoft.com/kb/811259
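The mechanism pinned down in this thread (a ServerDll entry in the csrss.exe SubSystems value pointing at consrv instead of winsrv, a bogus service name in the netsvcs svchost group loading a DLL from SysNative, and the GAC_32/GAC_64 Desktop.ini and assembly\temp\U artefacts) can be checked in one pass. The script below is an added example written for this page; it is not code from the thread, from OTL, from aswMBR or from ComboFix. It assumes an elevated 64-bit PowerShell on the affected machine (or the victim's hives loaded under HKLM\OffSys and HKLM\OffSoft with reg load, as the header comment describes); the parameter names and the allowed ServerDll list are this example's own choices.

```powershell
# Added triage script for the ZeroAccess / Max++ artefacts named in this thread.
# Not code from the thread, OTL or ComboFix. Assumes an elevated 64-bit PowerShell
# on the affected machine. To check hives copied off the box instead, load them:
#   reg load HKLM\OffSys  D:\Windows\System32\config\SYSTEM
#   reg load HKLM\OffSoft D:\Windows\System32\config\SOFTWARE
# then pass -SystemHive 'HKLM:\OffSys\ControlSet001' (number from OffSys\Select\Current),
# -SoftwareHive 'HKLM:\OffSoft' and -WinDir 'D:\Windows'.
param(
    [string]$SystemHive   = 'HKLM:\SYSTEM\CurrentControlSet',
    [string]$SoftwareHive = 'HKLM:\SOFTWARE',
    [string]$WinDir       = $env:SystemRoot
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Server DLLs that csrss.exe loads. A clean value names only basesrv, winsrv and
#    (on Vista/7) sxssrv; the consrv.dll variant rewrites the
#    winsrv:ConServerDllInitialization entry so that csrss.exe loads consrv at boot.
$subsysKey = "$SystemHive\Control\Session Manager\SubSystems"
$subsys    = (Get-ItemProperty -Path $subsysKey -Name Windows).Windows
foreach ($m in [regex]::Matches($subsys, 'ServerDll=([^:,\s]+)')) {
    $dll = $m.Groups[1].Value.ToLower()
    if (@('basesrv', 'winsrv', 'sxssrv') -notcontains $dll) {
        $findings.Add("SubSystems\Windows loads unexpected ServerDll '$dll' into csrss.exe")
    }
}

# 2. Members of the netsvcs svchost group. Every legitimate member is a Microsoft-signed
#    DLL, so an entry like SMCB000 -> SECYPUSB.dll (claiming 'Oak Technology Inc.')
#    is what this loop is meant to surface.
$svchostKey = "$SoftwareHive\Microsoft\Windows NT\CurrentVersion\Svchost"
$netsvcs    = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs
foreach ($name in $netsvcs) {
    $paramKey = "$SystemHive\Services\$name\Parameters"
    if (-not (Test-Path -LiteralPath $paramKey)) { continue }   # group member with no installed service
    $svcDll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $svcDll) { continue }
    # %SystemRoot% expands to the live system root; for offline hives fix the path up by hand.
    $svcDll = [Environment]::ExpandEnvironmentVariables($svcDll)
    if (-not (Test-Path -LiteralPath $svcDll)) {
        $findings.Add("netsvcs member '$name' points at missing DLL $svcDll")
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $svcDll
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        $findings.Add("netsvcs member '$name' loads $svcDll (signature $($sig.Status), signer $signer)")
    }
}

# 3. File artefacts that the OTL fixes in this thread remove.
$artefacts = @(
    "$WinDir\assembly\GAC_32\Desktop.ini",
    "$WinDir\assembly\GAC_64\Desktop.ini",
    "$WinDir\assembly\temp\U",
    "$WinDir\System32\consrv.dll"
)
foreach ($path in $artefacts) {
    if (Test-Path -LiteralPath $path) { $findings.Add("artefact present: $path") }
}

if ($findings.Count -eq 0) {
    'No ZeroAccess indicators found (a live scan can be lied to by the rootkit; confirm offline).'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Two caveats when reading its output. On Windows 7, Get-AuthenticodeSignature does not consult catalog signatures, so legitimate System32 DLLs that carry only a catalog signature report NotSigned; treat those hits as "verify with sigcheck -c or against a known-good copy" rather than as confirmed malicious, and concentrate on any netsvcs member whose DLL is unsigned by Microsoft and was not there before the infection. And because the running rootkit can hide files and registry values from a live session, a clean result on the infected box proves little; the same checks against hives and a file system mounted from a boot disk (the "off a bootable drive" approach suggested above) are the ones to trust.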