Author Topic: Infected: consrv.dll and msimg32.dll  (Read 7599 times)

Roobydoobydoo

  • Guest
Infected: consrv.dll and msimg32.dll
« on: December 19, 2011, 05:22:14 AM »
A little under two hours ago, I was infected with 2 trojans: TR/Crypt.XPACK.Gen in the file msimg32.dll and TR/ATRAPS.Gen2 in the file consrv.dll. Immediately after being infected, I (stupidly) did a system restore to about 3 hours prior to these being detected. I'm in safe mode with networking right now, and did a quick scan with MBAM, which turned up nothing, and am now doing a full scan with both MBAM and Avira. I can't seem to find the files manually, but from what I've read about these Trojans, a simple System Restore won't do anything. So, where do I go from here? Neither of the full scans is even close to complete, but I'm already expecting them to find nothing, yet I'm just as certain that these trojans are still on my computer somewhere.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Infected: consrv.dll and msimg32.dll
« Reply #1 on: December 19, 2011, 07:26:45 AM »
follow this guide and attach all logs...not copy and paste
http://forum.avast.com/index.php?topic=53253.0

Roobydoobydoo

Re: Infected: consrv.dll and msimg32.dll
« Reply #2 on: December 19, 2011, 11:39:45 PM »
Here are the logs. Thank you for assisting me.

Offline Pondus

Re: Infected: consrv.dll and msimg32.dll
« Reply #3 on: December 19, 2011, 11:56:29 PM »
you are a bit late so you have to wait until tomorrow when Essexboy is back in here to check your logs

he is usually here around 08:00pm - 11:59pm UK time

OBS: also attach the aswMBR log

Roobydoobydoo

Re: Infected: consrv.dll and msimg32.dll
« Reply #4 on: December 20, 2011, 12:53:12 AM »
Quote
you are a bit late so you have to wait until tomorrow when Essexboy is back in here to check your logs

he is usually here around 08:00pm - 11:59pm UK time

OBS: also attach the aswMBR log

I'll have to scan with aswMBR again; I started the scan, then had to leave, and when I got back about an hour later, I had a Blue Screen. Not quite sure why, but I'm thinking it might have been caused by my laptop going into sleep mode while the scan was still running.

Roobydoobydoo

Re: Infected: consrv.dll and msimg32.dll
« Reply #5 on: December 20, 2011, 02:25:47 AM »
Here's the aswMBR log.

Roobydoobydoo

Re: Infected: consrv.dll and msimg32.dll
« Reply #6 on: December 20, 2011, 06:37:29 PM »
Great...I just started up my computer and was greeted with an AVG pop-up alerting me that I have two rootkits (KNA0.32565175694153825.EXE and OPRE0.6361965917584463.EXE), which luckily were deleted. Anybody know anything about these? Should I post new logs, or would this even affect that at all?

Offline Pondus

Re: Infected: consrv.dll and msimg32.dll
« Reply #7 on: December 20, 2011, 06:45:00 PM »
ahaaaa......so you are running multiple AV
just looking at your OTL log and it looks as if you have avast / AVG / Avira   ???

Offline Pondus

Re: Infected: consrv.dll and msimg32.dll
« Reply #8 on: December 20, 2011, 06:47:45 PM »
running multiple AV can/will create all kinds of Windows errors and false positive detections..

Never install two antivirus (see reply from quietman7)
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638


run and reboot - Uninstallers for Security Software
http://thewebatom.net/uninstallers/security-software/

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Infected: consrv.dll and msimg32.dll
« Reply #9 on: December 20, 2011, 06:48:17 PM »
Having two resident scanners installed is not recommended (more is even worse) as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected: consrv.dll and msimg32.dll
« Reply #10 on: December 20, 2011, 08:24:47 PM »
The quick system restore saved you from a lot of grief I feel

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    [2011/12/18 21:41:59 | 000,002,504 | -HS- | M] () -- C:\Users\Ean\AppData\Local\015842x6s487c627t021q5evc1r7
    [2011/12/18 21:41:59 | 000,002,504 | -HS- | M] () -- C:\ProgramData\015842x6s487c627t021q5evc1r7

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please download MBRCheck.exe to your Desktop. Run the application.
 
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
 
If an infection is found, you will be presented with the following dialog:
 
Quote
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

 
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
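
The two file entries in the fix above share visible properties: hidden and system attributes (`-HS-`), an empty company field, and the same name and size in two different directories. As an added example (not part of essexboy's post and not OTL's own code), the following Python sketch parses file lines in that layout and reports such twins for triage. The field meanings are assumptions read off the lines in the post, the function names are hypothetical, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # Windows path rules on any platform

# First two lines are the file entries from the fix above; the last two are constructed.
SAMPLE_LOG = r"""
[2011/12/18 21:41:59 | 000,002,504 | -HS- | M] () -- C:\Users\Ean\AppData\Local\015842x6s487c627t021q5evc1r7
[2011/12/18 21:41:59 | 000,002,504 | -HS- | M] () -- C:\ProgramData\015842x6s487c627t021q5evc1r7
[2011/12/17 10:02:11 | 000,000,402 | -HS- | M] () -- C:\Users\Ean\Documents\desktop.ini
[2011/12/16 09:15:40 | 000,120,832 | ---- | M] (Example Corp) -- C:\Windows\System32\example.dll
"""

# Assumed layout: [timestamp | size | attributes | C or M] (company) -- path
LINE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] \((?P<company>.*?)\) -- (?P<path>.+)$"
)

def parse_entries(log_text):
    """Return one dict per file line; lines in any other format are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            entries.append(entry)
    return entries

def flag_twin_hidden_files(entries):
    """Map file name -> directories, for hidden+system files with no company
    string whose name and size appear in more than one directory."""
    groups = defaultdict(set)
    for e in entries:
        if "H" in e["attrs"] and "S" in e["attrs"] and not e["company"]:
            key = (basename(e["path"]).lower(), e["size"])
            groups[key].add(dirname(e["path"]))
    return {name: sorted(dirs) for (name, _), dirs in groups.items() if len(dirs) > 1}

if __name__ == "__main__":
    for name, dirs in flag_twin_hidden_files(parse_entries(SAMPLE_LOG)).items():
        print(name, "->", dirs)
```

A hit is a prompt for a closer look, not a verdict: the single hidden `desktop.ini` in the sample is not reported, and legitimate software can also leave matching hidden files in two places.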