Avast WEBforum
Other => Viruses and worms => Topic started by: glebidiah on March 14, 2012, 10:13:23 PM
-
Afternoon,
Got a co-worker's computer with a sirefef.b infection. Very similar to a few other posts here, every time it restarts MSE finds C:\Windows\system32\consrv.dll and removes it, but the registry is already altered to look for that file. I can get the computer to restart by altering the registry using a recovery CD but consrv.dll returns and re-edits the registry. Running a scan from the recovery CD finds the C:\Windows\assembly\GAC_32\Desktop.ini (and ...\GAC_64\...) but deleting them makes no difference. In Safe Mode, RKill stops the rundll32.exe process and a Malwarebytes scan finds various registry key agents which all seem to be related to C:\Windows\system32\grpconv.exe through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv. Also tried renaming grpconv.exe to GARBAGEgrpconv.exe from the recovery CD - didn't delete it though.
An IT guy ran ComboFix at some point before I got the computer but I don't know if it solved anything. I have attached the logs but they may not be relevant anymore. MSE was installed after these logs were created, and Sophos was disabled (but the folder is still there and can't be deleted).
Thanks!
-
Follow this guide and attach logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0
-
Hi, I will need to see the OTL log to determine the files which are driving the protection service.
-
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.03.13.06
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
hbilly :: HBILLY [administrator]
3/14/2012 2:38:43 PM
mbam-log-2012-03-14 (14-38-43).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260681
Time elapsed: 2 minute(s), 27 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Thank you!
-
OK got the file
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\NxSysMon.dll
NetSvc::
BVRPMPR5
Driver::
BVRPMPR5
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
Running ComboFix. In the meantime, here's the aswMBR log:
Thanks again!
-
Looks like there may be a second protection service running according to aswMBR, so I will see what ComboFix tells me.
-
Might be Sophos, which doesn't appear in the installed programs list, but its folder is still there and can't be deleted, or MSE, but I thought I disabled that before running anything.
Is it usual for ComboFix to hang the computer with a black screen and a mouse cursor on it after the reboot? Been like that for about 5 minutes.
If necessary I can delete the Sophos folder from the recovery disk.
-
No, it does not look like a Sophos file.
Give it another five minutes or so as it can take a while - it needs to reset a lot of registry settings with this infection.
-
Still rebooting but seeing disk activity so I'm just gonna let it run unless told otherwise.
-
I'll be leaving the office within the hour and returning to this problem tomorrow. ComboFix ran and the computer is still restarting, still showing disk activity. If that completes and the log is available before the end of the day today I'll post it immediately. Unfortunately I'm working at a mine site so staying late isn't an option right now unless I want to stay the night :D
-
No problem see you when you get back
-
Twelve hours later, no change to the computer's status. Still a black screen with a cursor. Looks like the only thing to do is try to turn it off and on again and see what's there.
-
Yes, reboot the system and see if ComboFix generates the log.
If not, then re-run the OTL quick scan with this script:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
Drives
CREATERESTOREPOINT
-
ComboFix has generated a log, please find it attached. It is quite heartening that the computer actually started without giving the "%hs missing" error!
-
Also, not sure if this is relevant or not, but trying to open any application on the machine produces an error, "Illegal operation on a registry key that has been marked for deletion."
-
Have you rebooted twice after running ComboFix?
-
Just restarted again, all the applications work. MSE is disabled, won't turn it on again until told to, so I don't know offhand if anything is still there or not. A look in the registry shows that "HKLM\System\ControlSet001\Control\Session Manager\SubSystems\Windows" is pointing to winsrv.dll instead of consrv.dll so that hasn't been changed - looking good.
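The check in the post above (does the Session Manager\SubSystems "Windows" value load winsrv rather than consrv?) is the core of this repair: csrss.exe loads every ServerDll named in that value at boot, so a value pointing at a deleted consrv.dll gives the "%hs missing" boot error mentioned earlier, and a value pointing at a present consrv.dll reloads the infection. The parser below is an added example, not code from the thread or from any of the tools it mentions. The clean sample value is constructed to match a stock Windows 7 install (basesrv, winsrv twice, sxssrv); the tampered sample assumes the winsrv console entry was rewritten to consrv, as the thread describes. read_live_value() uses Python's standard winreg module and only runs on Windows.

```python
"""Flag unexpected ServerDll entries in the csrss SubSystems\\Windows value."""
import sys
from typing import Dict, List

# ServerDll names a stock Windows 7 csrss.exe loads (assumption stated in the lead-in).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed sample modelled on a stock Windows 7 value; not copied from the thread's logs.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)

# Constructed tampered sample: the console server entry redirected to consrv.dll.
HIJACKED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)


def parse_server_dlls(value: str) -> List[Dict[str, str]]:
    """Split each ServerDll=<dll>[:<entrypoint>],<index> token into its parts.

    The value is space-separated; only ServerDll tokens matter here. The DLL
    name is lower-cased so that case games (CONSRV vs consrv) do not bypass it.
    """
    entries = []
    for token in value.split():
        if not token.startswith("ServerDll="):
            continue
        spec = token[len("ServerDll="):]
        dll_part, sep, index = spec.rpartition(",")
        if not sep:                      # tolerate a token with no ,<index>
            dll_part, index = spec, ""
        dll, _, entrypoint = dll_part.partition(":")
        entries.append({"dll": dll.lower(), "entrypoint": entrypoint, "index": index})
    return entries


def find_unexpected_server_dlls(value: str) -> List[str]:
    """Return DLL names in the value that a stock Windows 7 csrss would not load."""
    return [e["dll"] for e in parse_server_dlls(value) if e["dll"] not in KNOWN_SERVER_DLLS]


def read_live_value() -> str:
    """Read the live value from the registry (Windows only; run as administrator)."""
    import winreg  # standard library, present only on Windows
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems",
    )
    try:
        value, _value_type = winreg.QueryValueEx(key, "Windows")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    # On Windows inspect the real value; elsewhere demonstrate on the tampered sample.
    value = read_live_value() if sys.platform == "win32" else HIJACKED_VALUE
    bad = find_unexpected_server_dlls(value)
    if bad:
        print("suspicious ServerDll entries:", ", ".join(bad))
    else:
        print("ServerDll list matches a stock Windows 7 install")
```

A clean result from this check is necessary but not sufficient: the thread also shows persistence through the GAC_32/GAC_64 Desktop.ini files and a RunOnce\GrpConv entry, so the value should be re-checked after each reboot until those are gone as well.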
-
Yep, looks good. Just one or two more things to do on the repair side now. The minor problem was ComboFix failing to release the registry.
1. Exit all programs.
2. Click Start, and then click Control Panel.
3. Under System and Security, click Find and Fix Problems.
4. In the Task pane, click View All.
5. Click Internet Explorer Performance.
6. In the new window, click Next.
Note: The troubleshooter runs and fixes all identified issues automatically.
7. Click Close.
That should reset the winsock.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\system32\int15.dll
C:\Windows\system32\NCPro.dll
C:\Windows\system32\NxSysMon.dll
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
NetSvc::
BVRPMPR5
AmdLLD
eeyeevnt
Driver::
BVRPMPR5
AmdLLD
eeyeevnt
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
"Internet Explorer Performance" is not an option for me - please see the included screencap for the Troubleshoot options that are available.
-
You are on 7, aren't you?
-
Yup, Windows 7 Pro x64.
-
OK, we will do it manually ;D
Go Start > All Programs > Accessories
Right-click the Command Prompt and select Run as Administrator.
In the command window copy/paste the following commands, hitting Enter after each:
netsh winsock reset catalog
netsh int ip reset reset.log
Once done, reboot.
-
Done and rebooting, continue with the CFScript on startup?
-
Yes please.
Once complete, can you let me know of any outstanding problems?
-
Restarted after ComboFix and no issues to report. Please find the log attached. I'm going to run a Quick Scan with MSE and see if it picks up anything. Thank you very much for everything!
Quick question: I've been using a flash drive to swap the logs and scripts back and forth, should I been at all concerned about the infection transferring to it? I've been scanning it from a clean computer and nothing has cropped up, and the clean computer has no issues, so I'm not too concerned.
-
MSE reports Sirefef.AB and Sirefef.P, both in C:\Qoobox\Quarantine\... . I believe that's ComboFix's quarantine location - should I do anything to them or will trying to delete the files bring them back to life? Thanks!
-
Apparently MSE had its own ideas and while I was watching it automatically removed both items. Damnit Microsoft!
EDIT: looks like uninstalling ComboFix using Run "ComboFix /u" will get rid of them. I'd like to uninstall ComboFix before returning the computer just in case the user tries to run it. I'm thinking it should be safe to do so now, but I'll hold off in case. Thanks!
EDIT2: "ComboFix /Uninstall" did the trick. No issues to report!
-
Yep, it is uninstall; using /u will just run it again ;D
How is the computer running? Any further problems before I remove the tools and tidy up behind me?