Avast WEBforum
Other => Viruses and worms => Topic started by: happyrawr on March 12, 2012, 08:43:30 AM
-
Hi. I've been infected with the Consrv.dll issue that others have recently had in other topics, and I need some help with removing it.
The problems it's been causing is that Google (and other search engines) will redirect to AbNow.com, Windows Firewall is deactivated and I can't change any settings, and Windows Defender is also deactivated. I've also had Pidgin (an instant messaging program) start to ask me about accepting unverified certificates when I sign-in, though I believe this is unrelated and just coincidentally having issues too. I'm not too worried about that, but thought I should mention that in case it's important. I use a gmail account with it, with the protocol set to MSN.
I've run Avast which did detect the infected files and removed them, but like others, it would result in Windows being unable to startup and then needing a system restore, which brings me back to having the infected files. I have also tried other anti-viruses (AVG, BitDefender, and others), and the ones that picked up on the infected files did the same thing.
Due to multiple system restores, I may have several anti-virus programs around on my computer (I know this is important for logs). I've also installed Comodo Firewall for now in place of Windows Firewall, and I'm not sure if any of the anti-viruses are currently active.
I'm not sure where or how I got the virus, as I haven't done anything unusual lately. I do have utorrent which could be the cause, but I haven't used it for anything since I've got the virus.
I hope that's enough information. I'm in no rush to get this fixed, but I'm not comfortable with doing manual fixes. Also, I am usually busy between things, so I may not be able to respond as quickly as possible, just to let anyone know. Any help with this will be greatly appreciated, thanks!
-
Hi happyrawr,
Are you sure you do not have conflicting AV solutions running side by side on that computer. Two residential av solutions on one computer is a bad idea. However non-resident av and specific anti-malware solutions can be combined. Wait here until a qualified remover will look into your apparent infection,
polonus
-
I've gone through several one-by-one, always uninstalling the previous anti-virus, but due to going through several system restores, the leftover folders are still on my computer. They're mostly empty, and I currently have no anti-virus in use, but I thought it might be an important detail to mention.
I normally also use just one anti-virus.
-
Could you follow the steps here http://forum.avast.com/index.php?topic=53253.0
Then post the logs in this thread
-
Here are the logs:
-
OK found it
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O1 - Hosts: 149.5.18.172 www.google-analytics.com.
O1 - Hosts: 149.5.18.172 ad-emea.doubleclick.net.
O1 - Hosts: 149.5.18.172 www.statcounter.com.
O1 - Hosts: 108.163.215.51 www.google-analytics.com.
O1 - Hosts: 108.163.215.51 ad-emea.doubleclick.net.
O1 - Hosts: 108.163.215.51 www.statcounter.com.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
:Files
ipconfig /flushdns /c
:Commands
[resethosts]
[emptyjava]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\HWSCtrl.dll
NetSvc::
tdrpman
Driver::
tdrpman
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
When I hit Run Fix, I get an error message pop-up:
Cannot create file C:\windows\System32\drivers\etc\Host.
After that it seemingly does nothing. Is it supposed to take a long time (hours?) or is there a problem?
-
OK close down OTL and continue to the Combofix run, you have some protection on the host file, I will check that out later
-
I did the procedure for Combofix, and while the program seemed to run fine, it didn't produce a log anywhere. I've done a full search on my computer for the log, and couldn't find it.
-
It should be at C:\Combofix.txt
If no could you please re-run it
-
I have tried several times, and also re-downloaded Combofix, but no log is being created.
However, a file called "32788R22FWJFW" has appeared on my C Drive, and it links to My Computer, for whatever reason (ie, I can go back and forth by clicking C Drive and this file).
-
OK lets go a different route
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 4.1mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif)
THEN
Run OTL
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
Drives
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
I ran OTL and it created the OTL file, but not the Extras one. Since CREATERESTOREPOINT disappears from the bottom during the quick scan, I thought I had mis-pasted, so I ran OTL a second time, and still no Extras file. I don't seem to be having any luck with this, heh.
If it helps at all, here are the two OTL logs I made:
-
Sorry if double-posting is not allowed, but I forgot to include aswMBR:
-
OK most of it has gone, now I can fix the rest with combofix
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
I ran Combofix, but still no log. I checked my C drive and there's still the "32788R22FWJFW" file/folder thing, so I tried deleting it and then re-running Combofix, which created a new one.
There's no apparent changes with my computer's ability since running Combofix if that information helps.
-
On completion of this run could you run a boot scan with Avast please
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
SRV:64bit: - [2009/07/13 18:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\HWSCtrl.dll -- (tdrpman)
O1 - Hosts: 149.5.18.172 www.google-analytics.com.
O1 - Hosts: 149.5.18.172 ad-emea.doubleclick.net.
O1 - Hosts: 149.5.18.172 www.statcounter.com.
O1 - Hosts: 108.163.215.51 www.google-analytics.com.
O1 - Hosts: 108.163.215.51 ad-emea.doubleclick.net.
O1 - Hosts: 108.163.215.51 www.statcounter.com.
NetSvcs:64bit: tdrpman - C:\Windows\SysNative\HWSCtrl.dll (Iomega)
:Files
ipconfig /flushdns /c
:Commands
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
The same thing as before, OTL won't run:
"Cannot create file C:\windows\System32\drivers\etc\Host."
I didn't do the boot scan since I'm not sure if I'm supposed to now.
Edit: After having turned off my computer and using it later, I got a black screen (ie, Explorer wouldn't start), though I was still able to use it via Task Manager. After running in safe mode and then normally, it seems to be fine with that issue. Just for informational purposes.
-
OK fun and games time again
For x64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select English as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account an click Next.
To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select English as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
On the System Recovery Options menu you will get the following options:Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[/list]
- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type [color="#FF0000"]e[/color]:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
What exactly will that do?
-
What exactly will that do?
It will give a log that will give essexboy the picture of what is running and will make the cleanup task easier as when essex gives u a fix to run it via FRST the fix will be made outside windows....hence it will be wacking the malware wen it is inactive...
-
Alright, here's the log:
-
As this is working before windows has loaded all services are inert
Download the attached fixlist.txt to the USB that has FRST on it
Go to system recovery options as before
Run FRST
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif)
Then press the Fix button
A fix log will be generated on the USB please post that
On completion return to normal windows and run Combofix
This should now produce a log
-
I'm assuming fixlist works automatically with the program, since I didn't do anything otherwise?
It ran fine, produced a log, Combofix ran fine, but still no log. However, there is a Combofix file on my C Drive, that acts just like the previous "log" I've been getting (sending me to My Computer). But also, the old 32788R22FWJFW thing has turned into a folder, with sub-folder EN-US, and inside that cmd.3Xe.mui, which is 128 kb.
Fixlog:
EDIT: After rebooting and using my computer some, things are looking a lot better! I am no longer getting redirected to abnow, my internet speed is back at full, and even Pidgin is working perfectly too! :D
However, I still do not have access to Windows Firewall and Defender.
-
OK lets use another farbar tool to check out the firewall and defender - clever fellow is this one ;D I love his tools
Once I have the log from this I will probably need to run OTL and look for specific files/registry entries. As this programme will just tell me what is wrong
run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
Successful:
-
Farbar Service Scanner Version: 01-03-2012
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll".
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
MpsSvc Service
bfe Service
OK these two are the problem
From my site download the zip file with your name
https://skydrive.live.com/?cid=32D8666F4048075B&id=32D8666F4048075B%21117
Extract the three reg files to the desktop
Right click each file and select merge
Reboot the computer
Retry firewall and Defender
-
Would you mind editing out my name please.
Edit: I merged all 3 files and Windows Defender appears to be working, but not Windows Firewall.
-
I will delete the file once you have downloaded it - i.e. now ;D
Could you re-run Farbar please
Then run a fresh OTL log
-
I mean the log you posted.
-
Fixed
-
Farbar and OTL ran fine. For OTL I assumed Scan All Users and Quick Scan:
-
Ok whilst I look at the OTL log could you go to
Control Panel > Adminstrative tools > Services
And ensure that both BFE (base filtering engine) and windows firewall are set to automatic and started
-
Both are set to Automatic and neither are Started.
-
Start both services and let me know the result
OK another task
Go to control panel > Folder options
Select the View tab
Ensure that the following are deselected :
Hide protected System operating files
Hide hidden files and drives
Accept the warnings
Then go to this MS page and run the fixit there http://support.microsoft.com/kb/972034
Once run then reverse the steps that you previously did
Final task for now
Open an elevated command prompt :
Go Start > All programs > Accessories
Right click command prompt and select run as administrator
Then Type/copy/paste the following commands pressing enter after each :
netsh winsock reset catalog
netsh int ip reset reset.log hit
-
I went to those two services and I'm unable to start either:
BFE: Error 5: Access Denied
Firewall: Error 1068: The dependency service or group failed to start.
I also noticed Windows Defender is Automatic (Delayed Start), and does start after a small delay.
I ran the Fixit, it ran fine, then ran those commands in command prompt, which worked fine too.
After restarting, I still am unable to start Firewall or BFE, but Defender seems to be fine now.
-
It is a permissions problem on bfe
I will give you a full export of my 64 bit key and see if that solves it
It is now at the same place as before with your name on it
Extract the bfe reg file, merge and reboot
Let me know if that works
Otherwise I will have to work out a way to change permissions for you
-
Downloaded, merged, rebooted, but nothing changed.
-
OK 'tis a while since I changed permissions in the registry so bear with me whilst I ensure I get it right
-
OK lets get at it
First create a restore point
Download SWReg (http://fstaal01.home.xs4all.nl/downloads/swreg.exe) and save to the desktop
Create and Run a Batch File
1.
Please copy everything in the code box below into notepad. To do this highlight all text, then right click and click Copy.
@Echo Off
CLS
SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE /P /GE:F
exit
- Next, open Notepad, or click Start->Run and in the Open: box type notepad.exe and click OK.
- Right click in the notepad window and click Paste, or put the cursor inside the notepad window and press the Ctrl-V keys to paste the text into notepad.
- On the File menu, click Save
- On the Save AS window that comes up, do the following:
- On the left side, click the Desktop Icon. This will put "Desktop" in the Save In: box at the top.
- At the bottom in the File Name: box type Fix.bat
- In the Save as type: box, click the down arrow and click All Files(*.*)
- Click Save
This will put a new file on the Desktop named Fix.bat
The file icon will look like this (http://img524.imageshack.us/img524/9383/batmp6.jpg)
2. Close all open windows and any open Browsers.
3. Right click Fix.bat file on the desktop and select run as administrator. A command window will open briefly, then close. This is quite normal.
When the command window has closed, Reboot the computer to make the changes effective.
-
Alright! That seemed to do the trick and now Defender, Firewall and everything is back 100%!
So I'm sure there's a check via log you can instruct me to do, to make sure everything truly is all finished, and after that's done, I'd like some suggestions on setting myself up for protection so I never have to do this again, but we can discuss that later.
Thanks so much for everything and all the hard work! You have my support for Avast!
-
Nice ;D
The only check left now is a quick run with Malwarebytes and a fresh OTL scan - to look for any orphans
If you could post/attach both logs
-
Both ran fine:
-
Looks OK - any outstanding problems ?
-
None that I've encountered.
Alright, so my last question is how to set myself up properly. Would combining Comodo Firewall, Malwarebytes and Avast (Free) be effective and work together without problems? Also, would it be best to uninstall and reinstall each after having gone through this virus removal?
And one other important (small) problem is that in the past when I've used Avast (Free), it would result in me needing to do a System Restore after rebooting my computer, similar to how it would when deleting Consrv.dll. I imagine this is because of some sort of virus I must've had then, and I imagine in general this is not a problem, but am I able come back to my current fixed state in the event that it happens again?
-
It would not go amiss I feel to reinstall all security programmes after this attack - the programmes themselves are probably OK so in a way it is your choice.
Anyway a fresh install ensures that there are no old version files hanging around
Avast with a firewall and MBAM is a good layered protection
-
Alright, that should be everything then!
Thanks again for helping out! Greatly appreciated!
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- GoStart > All programs > Accessories > system tools
- Right click Disc cleanup and select run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: