Avast WEBforum
Other => Viruses and worms => Topic started by: Phobophile89 on February 07, 2012, 10:54:36 PM
-
Hi,
I finally got rid of the Win7 Recovery virus and got everything back to normal like a boss!, almost. I still have this consrv.dll threat spawning again and again. It seems like that problem needs a particular treatment for every case, so I got that "OTL by OldTimer" tool and did the scan. I don't seem to find an official forum to analyse the result; I noticed there are a few posts of that kind and as I use Avast! I think it's the best place to post it!
Thank you !
UP: I'll follow the procedure from "Logs to assist in cleaning malware".
-
Malwarebytes log
-
I still have this consrv.dll threats spawning again and again
This can be the ZeroAccess rootkit...
Continue with the rest of the logs from the guide ("Logs to assist in cleaning malware"); attach them, do not copy and paste.
See below: Attachments and other options.
Essexboy is notified...
-
OTL by OldTimer didn't output the Extras.txt.
Here is the OTL.txt.
-
OTL by OldTimer didn't output the Extras.txt.
That only happens at first run... so have you run it before?
Anyway, it is not that important... just some extra system info.
-
Finally, aswMBR.txt.
-
Looks like Avast is stopping it from respawning, so let's kill those files now.
Let me know if the alerts continue.
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
[2012-02-06 12:31:18 | 000,000,304 | ---- | M] () -- C:\ProgramData\~nkABaemCYmTnry
[2012-02-06 12:31:17 | 000,000,192 | ---- | M] () -- C:\ProgramData\~nkABaemCYmTnryr
[2012-02-06 12:26:45 | 000,000,448 | ---- | M] () -- C:\ProgramData\nkABaemCYmTnry
[2012-02-04 11:52:34 | 000,000,320 | ---- | M] () -- C:\ProgramData\~RGhqt5dtvRJvHx
[2012-02-04 11:52:34 | 000,000,216 | ---- | M] () -- C:\ProgramData\~RGhqt5dtvRJvHxr
:Files
ipconfig /flushdns /c
C:\windows\tasks\At*.job
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Here's the other OTL log, and there's an output I got after rebooting; I attached it too.
P.S.: At each boot I get a Desktop.ini opening.
-
That is a known bug with Windows 7; MS has a small Fix it for it here: http://support.microsoft.com/kb/330132 (just run the Fix it button).
How is the computer behaving now?
-
Tried the MS fix, doesn't work.
And consrv.dll is still there.
-
Could you re-run aswMBR please, as according to the last run it was not there.
-
Here's the fresh aswMBR log, run as an administrator.
-
Where is the indication of the infection coming from?
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
-
So during step 2, dumphive.3xe ("yes, (three)xe") crashed; after the reboot it crashed again, then ComboFix was telling me not to open any program because it hadn't finished. It was idle like this for about 10 minutes until I just shut it. I can't open anything: WordPad, Notepad, Google Chrome, Internet Explorer, Avast!, OTL, ComboFix, Adobe Reader; I can't run any program. I don't have the consrv.dll threat alert, but I don't have any antivirus nor anti-malware either; my computer is TOTALLY unoperational. The only thing it will do is tell me I tried an unauthorised operation on a registry key marked as "to delete" (excuse my raw French/English translation).
The threats were coming from "Object: c:\Windows\system32\consrv.dll / infection: Win32:Sirefef... / Process: c:\windows\system32\svchost.dll".
And here's the log.
Sorry for the registry thing, I rebooted as instructed :-[
So after a reboot and an Avast! scan, I got c:\windows\system32\consrv.dll twice and c:\windows\system64\consrv.dll, which I deleted; the system64 one was unreachable so every action failed. After I shut Avast!, I got the c:\windows\system32\consrv.dll threat pop-up.
-
Up,
So I rebooted to cure the registry issue. Once done I waited for Avast! to detect consrv.dll... Nothing, nice. I launched a scan which got me consrv.dll twice in system32 and consrv.dll in system64 (Wut???). I tried to delete all, but the system64 one has the error "file doesn't exist".
So I clicked "do nothing" for the system64 infection; I got that pop-up telling me consrv.dll in system32 was the Win32:Sirefef... [HO] and asked me to scan at reboot. During the scan I deleted consrv.dll 3 times, then rebooted, and still get warned about the consrv.dll.
The ComboFix log is in my last post.
-
Yep, they are being respawned; it is the new variant.
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
SRV:64bit: - [2009-07-13 20:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\Dell1100_FUService.dll -- (sqlagent$soshome22)
NetSvcs:64bit: sqlagent$soshome22 - C:\Windows\SysNative\Dell1100_FUService.dll (Oak Technology Inc.)
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Re-Run aswMBR
Click Scan
On completion of the scan
Click the Fix Button
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBR_Zero.png)
Save the log as before and post in your next reply
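The two OTL fixes above (the first one targeting the unnamed BHO and the random-named files under C:\ProgramData, this one targeting the service registered as sqlagent$soshome22 but backed by Dell1100_FUService.dll) are built by hand from OTL log lines. As an added example, not code from this thread, from OTL or from Avast, the script below parses constructed OTL-style log lines modelled on the entries Essexboy quoted, flags the same kinds of indicators with simple heuristics, and emits an OTL custom-fix block in the format used in this thread. The service-name heuristic (a legitimate service usually shares a word stem with its module or vendor) and the benign sample lines are my own assumptions, not anything stated on the page; the 8-character random-name threshold is also assumed.

```python
"""Flag ZeroAccess-style indicators in OTL log lines and build an OTL fix block.

Example code written for this thread; the heuristics below are assumptions,
not OTL's or Avast's own detection logic.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample lines, modelled on the entries quoted in the thread plus a
# few benign look-alikes (Wlansvc, a named BHO, a normal ini file). Not a real log.
SAMPLE_OTL_LOG = r"""
SRV:64bit: - [2009-07-13 20:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\Dell1100_FUService.dll -- (sqlagent$soshome22)
SRV:64bit: - [2009-07-13 20:39:46 | 000,040,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wlansvc.dll -- (Wlansvc)
NetSvcs:64bit: sqlagent$soshome22 - C:\Windows\SysNative\Dell1100_FUService.dll (Oak Technology Inc.)
NetSvcs:64bit: Wlansvc - C:\Windows\SysNative\wlansvc.dll (Microsoft Corporation)
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll (Example Vendor)
[2012-02-06 12:31:18 | 000,000,304 | ---- | M] () -- C:\ProgramData\~nkABaemCYmTnry
[2012-02-06 12:26:45 | 000,000,448 | ---- | M] () -- C:\ProgramData\nkABaemCYmTnry
[2012-02-01 09:00:00 | 000,002,048 | ---- | M] () -- C:\ProgramData\Example\settings.ini
"""

# OTL line shapes as they appear in the thread (SRV, NetSvcs, O2 BHO, file entries).
SRV_RE = re.compile(
    r"^SRV(?::64bit)?: - \[[^|]*\| (?P<size>[\d,]+) \|[^\]]*\] "
    r"\((?P<vendor>[^)]*)\) \[[^\]]*\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)
NETSVC_RE = re.compile(r"^NetSvcs(?::64bit)?: (?P<name>\S+) - (?P<path>.+?) \((?P<vendor>[^)]*)\)$")
BHO_RE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$")
FILE_RE = re.compile(r"^\[[^|]*\| (?P<size>[\d,]+) \|[^\]]*\] \((?P<vendor>[^)]*)\) -- (?P<path>.+)$")
# Random-looking, extensionless names like ~nkABaemCYmTnry / ~RGhqt5dtvRJvHxr (assumed threshold).
RANDOM_NAME_RE = re.compile(r"^~?[A-Za-z0-9]{8,}r?$")


@dataclass
class Finding:
    kind: str    # service | netsvc | bho | dropfile
    reason: str  # why the line was flagged
    line: str    # the original OTL line, reusable verbatim in an :OTL fix section


def _tokens(*parts: str) -> set[str]:
    """Lower-case alphanumeric word stems of the given strings (short bits dropped)."""
    toks: set[str] = set()
    for part in parts:
        toks.update(t for t in re.split(r"[^a-z0-9]+", part.lower()) if len(t) > 2)
    return toks


def service_matches_module(service_name: str, module_path: str, vendor: str) -> bool:
    """Assumed heuristic: a genuine service name shares a 4-char word stem with its
    module file name or vendor (Wlansvc -> wlansvc.dll). The rogue entry in the thread
    used an unrelated SQL-Agent-style name for a Dell firmware-update DLL."""
    name_toks = _tokens(service_name)
    mod_toks = _tokens(PureWindowsPath(module_path).name, vendor)
    return any(a[:4] == b[:4] for a in name_toks for b in mod_toks if len(a) >= 4 and len(b) >= 4)


def analyze_otl(log_text: str) -> list[Finding]:
    """Scan OTL log lines and return the suspicious ones with a reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SRV_RE.match(line):
            if not service_matches_module(m["name"], m["path"], m["vendor"]):
                findings.append(Finding("service", f"service {m['name']} unrelated to module "
                                        f"{PureWindowsPath(m['path']).name} ({m['vendor'] or 'no vendor'})", line))
        elif m := NETSVC_RE.match(line):
            if not service_matches_module(m["name"], m["path"], m["vendor"]):
                findings.append(Finding("netsvc", f"netsvcs entry {m['name']} unrelated to its module", line))
        elif m := BHO_RE.match(line):
            target = m["target"].lower()
            if m["name"].lower() == "no name" and ("no clsid" in target or "not found" in target):
                findings.append(Finding("bho", f"unnamed BHO {m['clsid']} with nothing behind it", line))
        elif m := FILE_RE.match(line):
            path = PureWindowsPath(m["path"])
            size = int(m["size"].replace(",", ""))
            if (path.parent.name.lower() == "programdata" and not path.suffix
                    and RANDOM_NAME_RE.match(path.name) and size < 1024):
                findings.append(Finding("dropfile", f"{size}-byte random-named file in ProgramData root", line))
    return findings


def build_otl_fix(findings: list[Finding],
                  extra_files: tuple[str, ...] = ("ipconfig /flushdns /c",),
                  commands: tuple[str, ...] = ("purity", "resethosts", "emptytemp",
                                               "CREATERESTOREPOINT", "Reboot")) -> str:
    """Emit an OTL custom fix in the :OTL / :Files / :Commands layout used in the thread.
    Flagged log lines go under :OTL verbatim, as OTL expects."""
    lines = [":OTL", *[f.line for f in findings], ":Files", *extra_files,
             ":Commands", *[f"[{c}]" for c in commands]]
    return "\n".join(lines)


if __name__ == "__main__":
    found = analyze_otl(SAMPLE_OTL_LOG)
    for f in found:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print()
    # The first fix in the thread also wiped scheduled At*.job tasks; pass that as an extra :Files entry.
    print(build_otl_fix(found, extra_files=("ipconfig /flushdns /c", r"C:\windows\tasks\At*.job")))
```

This is a triage aid, not a verdict: the stem-matching rule will produce false positives on oddly named but legitimate services, so every flagged line still needs a human look (file size, signer, whether the vendor name belongs in System32 at all) before it goes into a fix, exactly as in the thread where each fix is tailored to one machine.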
-
I ran OTL with the custom config and it hung during the "flush DNS" phase and didn't respond in any way. CPU usage at idle.
I tried to reboot; the computer was on the "Shutting down" window for 10 minutes... Hard shutdown, rebooted, ran OTL with the custom config: "Cannot create ipconfig /flushdns /c", and now it's resetting the HOSTS file forever!
I did the flushdns on my own, and it worked, so I removed the ":Files | ipconfig /flushdns".
And I've had a big error message about NetSvcs 64-bit blah blah blah.
I can open a few windows in the Control Panel but most of the time "access denied".
Rebooted, blue screen... Boot repair utility; on reboot OTL output "02102012_130527.txt", which already exists because when I tried to save it I had to overwrite it.
Still have the "cannot create ipconfig /flushdns" error, and "Resetting HOSTS file" runs forever; the program isn't "not responding" but if I click in the window nothing happens. I click the X and it closes without any problem!
A trojan and a DNSChanger were detected, that's new. Reboot, blue screen, boot repair, OTL outputs a file that already exists, boot, OTL, reboot, blue screen, boot repair utility, OTL output, boot, OTL, reboot, blue screen...
Should I re-run aswMBR even if OTL cannot finish its task?
UP: tried to re-run OTL for the tenth time or so, and now the error is "Check Range Error".
-
OK, stop OTL.
This variant is now protecting the respawning driver.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
-
Still have consrv.dll; if I scan the DLL with Avast it tells me that 2 of them are Rootkit, 1 is Trojan, 1 is Dropper.
And here's the ComboFix log.
-
This malware is now changing on a daily basis... This should get it.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\Dell1100_FUService.dll
NetSvc::
sqlagent$soshome22
Driver::
sqlagent$soshome22
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
-
Did I tell you? Last ComboFix, step 2 dumphive.3xe crashed, then on completion before reboot.
Now it's the same: I dragged the CFScript.txt, ComboFix launched, step 2 dumphive.3xe crashed, and before reboot.
Opened the Start menu, searched for consrv.dll, it's not there anymore =)
Here's the last log; should I scan with Avast and Spybot?
-
One more run with OTL, as the net service entry has not gone. Once this has run a log will pop up; could you post that please.
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
SRV:64bit: - [2009-07-13 20:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\Dell1100_FUService.dll -- (sqlagent$soshome22)
NetSvcs:64bit: sqlagent$soshome22 - C:\Windows\SysNative\Dell1100_FUService.dll (Oak Technology Inc.)
:Files
ipconfig /flushdns /c
C:\Windows\SysNative\Dell1100_FUService.dll
- Then click the Run Fix button at the top
- Let the program run unhindered,
-
I ran OTL with the instructions you gave me...
No internet access... Plugged in a USB key to get the log, unable to install the new hardware...
Reboot, blue screen...
Tried the boot repair utility; I said that I didn't want to restore using a restore point. Now the boot repair process runs forever, and I can't cancel it!
-
Restore to the latest restore point please and let me know the result
-
I restored; consrv has returned.
-
OK, this one is very resilient and it really takes umbrage if I use OTL to kill the respawning service... So I may need to run ComboFix two or three times to really smack it down.
So initially could you run a full ComboFix scan, allowing it to update if it asks.
Post the resultant log.
-
Is there any difference between a ComboFix scan and a FULL ComboFix scan???
Anyway! hivedump.3xe crashed on step 2, and on output. Rebooted to resolve the registry thing.
Here's the log.
-
Yep, this one will target the protection service.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\Dell1100_FUService.dll
NetSvc::
sqlagent$soshome22
Driver::
sqlagent$soshome22
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
-
Can you explain to me what that DumpHive.3xe is??
Here's the fresh CF log.
-
Excellent,
Avast doesn't detect consrv.dll anymore; I ran a complete scan and the only entries it found were in the quarantine!
Thank you very much !
-
We need to do another run to remove the service now, as it doesn't really get the hint the first time that it should go.
DumpHive.3xe is a part of ComboFix's inner workings.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\Dell1100_FUService.dll
NetSvc::
sqlagent$soshome22
Driver::
sqlagent$soshome22
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
-
Hello everyone,
I don't know if I should post here; it seems relevant because I have the exact same problem as Phobophile89: I had Google redirects, ads and slow internet.
Avast detected some threats (consrv.dll in system32 and desktop.ini; I don't know if the two threats were related).
Avast quarantined the threats and I encountered the blue screen of death. I did a restore and followed the steps I found in this article (http://blog.crosbydrive.com/?p=245).
It was tricky because it included manual modifications in 2 registry keys.
Anyway, after that, a few more scans with Avast, Malwarebytes, ComboFix, RogueKiller, TDSSKiller... (yes, I was very upset).
In the end, the registry keys are back to normal, BUT I still have a little problem: sometimes (like 10/20 times a day) Avast tells me that a threat was detected and quarantined (consrv.dll), but when I do a scan with Avast or something else, it tells me that everything is clean.
Do you advise me to do as in the last post (by Essexboy)?
Thanks,
Clad_fisher
-
Do you advise me to do as in the last post (by Essexboy)?
Do not run any fix from this topic...
You should start your own topic and attach the logs there:
http://forum.avast.com/index.php?topic=53253.0
Then Essexboy will help you when he arrives in a few hours...