Avast WEBforum

Other => Viruses and worms => Topic started by: natex1 on March 09, 2012, 05:13:13 AM

Title: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: natex1 on March 09, 2012, 05:13:13 AM

Never thought I would have to search for PC help, but it seems that my computer has become infected with some pesky issues. MSE detects Sirefef.AB, Sirefef.B, Sirefef.P & Alureon.FP and cleans them but as i restart my computer they pop right back up. Avast shows that Consrv.dll is infected with Win32:Sirefef-HO [Rtk]. When i used Avast to clean Consrv.dll it puts me in a bootloop.

Malawarebytes was already installed on my computer and has not found anything after multiple scans.

Some file locations of some of the issues:
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\System32\consrv.dll
D:\Users\Nathanael\AppData\Local\Temp\av443D.tmp
 (seems like there keeps to be a random file with av4 popping up in this temp folder every few seconds)

I would really prefer not to reformat my system as i just did a clean install a few weeks ago.
I went ahead and attached aswMBR & OTL logs. If anything else is needed please let me know!
Thanks a ton I appreciate it!

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: natex1 on March 09, 2012, 05:21:24 AM

added OTL in normal format as the other file doesnt have anything in it (dont know if it should be like that or not)

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: Pondus on March 09, 2012, 07:25:19 AM

so you have avast and MSE installed ?

never install more the one AV. running multiple AV will give all kind of windows errors and false positive detections
after you have uninstalled one AV it is recomended to run a removal tool to clear any leftover files that may conflict

run and reboot - Uninstallers – Security Software
http://singularlabs.com/uninstallers/security-software/

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: natex1 on March 09, 2012, 11:58:41 AM

Originally i only had MSE installed alongside Malwarebytes which continuously detected Sirefef.AB, Sirefef.B, Sirefef.P & Alureon.FP. After 'cleaning' and restarting they come right back. So I ended up installing avast after reading some posts about similar issues which reported consrv.dll to be corrupt.

Regardless of the AV installed these issues are still here.

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: oldman on March 09, 2012, 06:00:21 PM

Hi natex1,

I see you have ran combofix. Please post the log so I can see wha it has all ready removed. The log can be found at C:\combofix.txt.

Thanks

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: natex1 on March 09, 2012, 07:21:19 PM

i ran it a few times but here it is

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: oldman on March 10, 2012, 01:15:18 AM

Hi natex1,

Before we get to cleanning this for you I need a bit more information. The most useful combofix log will be the one from the first run. Please navigate to C:\qoobox. Please post the contents of combofix4.txt.

Next

One more short scan from OTL. Don't forget to click the None button, it will make for a much shorter log.

• Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, click the None button near the top (it may looked greyed out)
  
  
• In the window under Custom Scans/Fixes copy and paste the following
  
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\se26nd5 /s
  /md5start
  consrv.dll
  /md5stop
     
  
  
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Please post back with

• combofix4.txt
• OTL.txt

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: natex1 on March 10, 2012, 04:01:59 AM

Latest OTL and combofix posted!

Thank you, I really appreciate your help!

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: oldman on March 10, 2012, 05:04:07 AM

Hi natex1,

Please delete the copy of combofix from your download folder. Download a new copy from  Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)or  Link 2 (http://www.infospyware.net/antimalware/combofix/) and save it directly to your desktop.

• If you are using Firefox, make sure that your download settings are as follows:

     -Tools->Options->Main tab
     -Set to "Always ask me where to Save the files".

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
  
  
  Open a new Notepad session
  • Click the Start button
    
  • in the search box type notepad
    
  • click on notepad that appears at the top
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
    
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
    
    
    

[/list]

Code: [Select]

File::
C:\Windows\System32\n3900.dll
c:\windows\system32\dds_trash_log.cmd
C:\Windows\system32\ssdiagn.dll

Driver::
dsbrokerservice

NetSvc::
dsbrokerservice


In the notepad

• Click File, Save as..., and set the Save in to your Desktop
  
• In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  
• Click save
  

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close  all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

Please post back with

• combofix log

How's the computer?

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: natex1 on March 10, 2012, 06:35:10 AM

 ;D Looks like it deleted a good chunk of bad stuff!!!

I posted the log from C: and from C:\qoobox

So far so good (crossing fingers), MSE has yet to inform me of the 2 infected files that usually appear a few minutes after boot.

Does everything in the logs look good?

As I said before i really really appreciate your time.
Thanks for all of the help!

Edit: did a full scan of C and seems like the files are now in quarantine. Should i delete them?

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: oldman on March 10, 2012, 07:30:29 AM

Hi natex1,

You're welcome.

Looks good so far.

uTorrent
You have LimeWire, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. It's not the program itself that is the problem but what can be downloade with it usually from an unknown source. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx (http://www.microsoft.com/windows/ie/community/columns/protection.mspx)

http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005...cles/art053.htm (http://www.internetworldstats.com/articles/art053.htm)

I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Please navigate to C:\Qoobox, locate Add-Remove Programs.txt and post it's contents.

Next

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

• Click the Update tab
  
• Click Check for Updates
  
• If an update is found, it will download and install the latest version.
• The program will close to update and reopen.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
[color="#2E8B57"]If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.[/color]

Please post back with

• add-remove programs.txt
• MBAM log

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: natex1 on March 11, 2012, 07:01:10 AM

here are the other logs


Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.11.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nathanael :: PRO-PC [administrator]

Protection: Enabled

3/10/2012 9:37:34 PM
mbam-log-2012-03-10 (21-37-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 259831
Time elapsed: 1 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Title: Re: Computer plauged with consrv.dll/Win32:Sirefef-HO
Post by: oldman on March 11, 2012, 05:44:43 PM

Hi natex1,

One more to check for stragglers.


As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.

• Do not use this instance of your browser for anything besides doing this scan
• When the scan is complete and the results saved, close that instance of your browser
• Open a new one the usual way and post the results in this topic.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Go here to run an online scannner from
ESET  (http://www.eset.eu/online-scanner)

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activex control to install
  
• Disable your Antivirus software. You can usually do this with its Notfication Tray icon near the clock
  
• Click Start
  
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is  Checked.
  
• Click Scan.
  
• Wait for the scan to finish.
• When the scan completes, click List of found threats
  
• click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
  
• Include the contents of this report in your next reply

Note - when ESET doesn't find any threats, no report will be created.

• Push the back button.
  
• Push Finish
  
• Re-enable your Antivirus software.