Author Topic: consrv.dll ZeroAccess?  (Read 14900 times)


lotorien

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #15 on: January 21, 2012, 12:46:18 PM »
When I started the laptop, the redirection of Google's search came back again.
I've run OTL, but it did not find consrv.dll (log attached), yet consrv.dll is actually still in windows/system32.
The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems has consrv instead of winsrv.
I think I have the same variant as Driverx (consrv.dll+95p).
Attached is the new Malwarebytes log.
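An added example, not code from the thread, of how to check the two artifacts described in the post above from an elevated PowerShell prompt: the Session Manager\SubSystems "Windows" value naming consrv where winsrv belongs, and a consrv.dll sitting in system32. It assumes that on a clean system the only ServerDll entries in that value are basesrv, winsrv and sxssrv, and it avoids Get-FileHash so that it runs on the Windows PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example, not part of the thread. Checks the two artifacts described in
# the post above: the Session Manager\SubSystems "Windows" value naming consrv
# where winsrv belongs, and a consrv.dll sitting in %SystemRoot%\system32.
# Run from an elevated PowerShell prompt (Windows PowerShell 2.0 or later).
# Assumption: on a clean system the only ServerDll entries here are
# basesrv, winsrv and sxssrv.

$subsysKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$knownServerDlls = @('basesrv', 'winsrv', 'sxssrv')

function Get-SubSystemServerDlls {
    param([string]$WindowsValue)
    # The value is a space-separated token list; the interesting tokens look like
    # "ServerDll=winsrv:ConServerDllInitialization,2". Return just the DLL base
    # name in front of the optional ":EntryPoint,Index" suffix.
    $WindowsValue -split '\s+' |
        Where-Object { $_ -like 'ServerDll=*' } |
        ForEach-Object { (($_ -replace '^ServerDll=', '') -split '[:,]')[0] }
}

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing rather than Get-FileHash, which only exists in PowerShell 4+.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

# Read the raw REG_EXPAND_SZ without expanding %SystemRoot%, so the value can be
# compared byte-for-byte with a known-good export or written back unchanged.
$key = Get-Item -Path $subsysKey
$raw = $key.GetValue('Windows', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$key.Close()

$dlls       = @(Get-SubSystemServerDlls -WindowsValue $raw)
$unexpected = @($dlls | Where-Object { $knownServerDlls -notcontains $_.ToLower() })

"SubSystems\Windows : $raw"
"ServerDll entries  : $($dlls -join ', ')"
if ($unexpected.Count -gt 0) {
    # Every ServerDll listed here is loaded into csrss.exe at boot.
    Write-Warning "Non-standard ServerDll entries: $($unexpected -join ', ')"
}

# Whatever the registry says, a consrv.dll in system32 is treated throughout the
# thread as foreign; hash it for submission (the thread used OTL's MD5 scan and
# VirusTotal for the same purpose).
$consrv = Join-Path $env:SystemRoot 'system32\consrv.dll'
if (Test-Path -LiteralPath $consrv) {
    $f   = Get-Item -LiteralPath $consrv
    $sig = Get-AuthenticodeSignature -FilePath $consrv
    "consrv.dll present : $($f.Length) bytes, modified $($f.LastWriteTime), signature $($sig.Status)"
    "SHA256             : $(Get-Sha256Hex -Path $consrv)"
} else {
    'consrv.dll not present in system32'
}
```

Reading the value with DoNotExpandEnvironmentNames matters: the registry provider would otherwise hand back the expanded string, and anyone who later writes that back with Set-ItemProperty replaces %SystemRoot% with a literal path. Do not attempt to rewrite this value by hand; a malformed SubSystems string stops csrss.exe from starting and the machine will not boot.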

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: consrv.dll ZeroAccess?
« Reply #16 on: January 21, 2012, 01:31:17 PM »
So far you two are the only ones I have come across.

Do the following:

1. Click on the Start button and then choose Control Panel.
2. Click on the System and Security link.

   Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link, so just click on the Administrative Tools icon and skip to Step 4.
3. In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
4. In the Administrative Tools window, double-click on the Computer Management icon.
5. When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

   After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

   Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.

Take a screenshot of the Disk Management window and attach the screenshot to your reply.

lotorien

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #17 on: January 21, 2012, 02:11:23 PM »
Attach screen shot

Offline essexboy

Re: consrv.dll ZeroAccess?
« Reply #18 on: January 21, 2012, 09:16:19 PM »
OK, I would like you to update and try ComboFix one more time please, as I really need to see what is going on.

If you need to restore again then run OTL with this script in the custom scans box as I will look at an area that has been unused for a while

/md5start
consrv.*
/md5stop
c:\windows\*. /RP /s

lotorien

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #19 on: January 22, 2012, 01:31:08 PM »
Attach combofix´s log.
I have restored windows 7, so i attach OTL's log too.

Offline essexboy

Re: consrv.dll ZeroAccess?
« Reply #20 on: January 22, 2012, 01:37:57 PM »
Well there are no junction points

I will try a different method with combofix for this next run...  If this is getting too tedious you can flatten the system and restore it

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
Rootkit::
c:\windows\system32\consrv.dll

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

lotorien

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #21 on: January 22, 2012, 07:31:16 PM »

It's not tedious ;D. I'm very curious about this rootkit, and don't worry about the Windows restore, it's very fast.

Here is the new ComboFix log.
I killed the AV's process, but ComboFix's log says that the Resident AV is active.

driverx

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #22 on: January 22, 2012, 07:33:27 PM »
@lotorien

Just a check: please verify in windows/system32 whether you have a file named Epiusb.dll.

Also "Safety Settings Service" should be present in Control Panel/Administrative Tools/Services


« Last Edit: January 22, 2012, 07:46:20 PM by driverx »

lotorien

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #23 on: January 22, 2012, 08:06:54 PM »
I don't have Epiusb.dll, but the Safety Settings Service is present and it's started!!!!

The executable is:
C:\Windows\system32\svchost.exe -k netsvcs

driverx

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #24 on: January 22, 2012, 08:10:52 PM »
Disable the service, reboot, delete consrv.dll  ;)
It worked on my computer

Offline essexboy

Re: consrv.dll ZeroAccess?
« Reply #25 on: January 22, 2012, 08:13:42 PM »
Yep, I feel the trigger may be this:

wencrservice, which is purportedly Windows encryption (legit)

Could you copy the following to a Notepad file, select Save and choose All Files in the drop-down box?
Save as seek.bat

@echo off
Regedit /E "%userprofile%\Desktop\wensvc.reg" HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wencrservice
exit


Double click to run it

A reg file will appear on the desktop
Right click and select edit
Then copy and paste the contents here please

I would like a copy of the file

lotorien

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #26 on: January 23, 2012, 10:32:57 AM »
In my case, the problem was in tpkd.dll.
I disabled the service and ran ComboFix with this CFScript:
File::
C:\windows\system32\tpkd.dll

Driver::
wenrservice

Now everything is OK ;D. Thanks very much for your help, and sorry for my English.

WENRSERVICE:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wencrservice]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Safety Settings Service"
"ObjectName"="LocalSystem"
"Description"="New service would allow parents to control their children's online activity."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wencrservice\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  74,00,70,00,6b,00,64,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001

Essexboy, if you want i can send you a copy of tpkd.dll
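An added example, not code from the thread, generalising the checks driverx and essexboy asked for in replies #22 to #26: it enumerates every service hosted in svchost.exe (as "Safety Settings Service" was), resolves the DLL each one loads from Parameters\ServiceDll (tpkd.dll in the export above), exports a service's key the way seek.bat did, and can disable a chosen service as the first step of driverx's fix. It assumes an elevated prompt, reg.exe on the PATH, and that the operator fills in $suspectNames only after reviewing the listing.

```powershell
# Added example, not part of the thread. Lists svchost-hosted services with the
# DLL they really load, exports a service's registry key (like seek.bat above)
# and disables a confirmed suspect (driverx's "disable, reboot, delete").
# Assumptions: elevated prompt, Windows PowerShell 2.0+, reg.exe on the PATH,
# $suspectNames filled in by the operator after reviewing the listing.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvchostHostedServices {
    Get-ChildItem -Path $servicesRoot | ForEach-Object {
        $name = $_.PSChildName
        $svc  = Get-ItemProperty -Path "$servicesRoot\$name" -ErrorAction SilentlyContinue
        # ImagePath is REG_EXPAND_SZ; the registry provider hands it back expanded.
        if ($svc -and $svc.ImagePath -and
            $svc.ImagePath -match '\\svchost\.exe\s+-k\s+(\S+)') {
            $group  = $matches[1]
            $params = Get-ItemProperty -Path "$servicesRoot\$name\Parameters" -ErrorAction SilentlyContinue
            $dll = $null
            if ($params -and $params.ServiceDll) {
                $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
            }
            $exists = $false
            $status = 'NoServiceDll'
            if ($dll) {
                $exists = Test-Path -LiteralPath $dll
                if ($exists) { $status = (Get-AuthenticodeSignature -FilePath $dll).Status }
                else         { $status = 'FileMissing' }
            }
            New-Object PSObject -Property @{
                Name        = $name
                DisplayName = $svc.DisplayName
                Group       = $group
                Start       = $svc.Start        # 2 = Automatic, as in the export above
                ServiceDll  = $dll
                Exists      = $exists
                Signature   = $status
            }
        }
    }
}

function Export-ServiceKey {
    param([string]$Name)
    # Same export seek.bat produced, one .reg per service on the desktop.
    $out = Join-Path ([Environment]::GetFolderPath('Desktop')) "$Name.reg"
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$Name" $out /y | Out-Null
    $out
}

function Disable-SuspectService {
    param([string]$Name)
    # driverx's sequence: disable, reboot, then delete the DLL. Disabling first
    # matters because the DLL stays mapped into a running svchost.exe until reboot.
    Export-ServiceKey -Name $Name | Out-Null
    Set-Service -Name $Name -StartupType Disabled
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Write-Warning "$Name disabled; reboot before deleting its ServiceDll."
}

$hosted = @(Get-SvchostHostedServices)
$hosted | Sort-Object Group, Name |
    Format-Table Name, Group, DisplayName, ServiceDll, Signature -AutoSize

# Anything without a valid signature deserves a closer look; review the list
# before acting, then name the services to export and disable here.
$suspectNames = @()   # e.g. @('wencrservice') once you have confirmed it
foreach ($s in $hosted | Where-Object { $_.Signature -ne 'Valid' }) {
    "Unsigned or missing ServiceDll: $($s.Name) -> $($s.ServiceDll) [$($s.Signature)]"
}
foreach ($n in $suspectNames) { Disable-SuspectService -Name $n }
```

Treat the Signature column as a filter, not a verdict: on Windows 7 most Microsoft system DLLs are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature reports them as NotSigned there too. What singles out an entry like the one above is the combination of a display name and description that match no Windows component, a DLL name nobody recognises, and a hash that VirusTotal already knows, which is exactly how the thread reached tpkd.dll.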

driverx

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #27 on: January 23, 2012, 10:58:51 AM »
I think it's the same virus I had. You can scan tpkd.dll at https://www.virustotal.com/ and post the link to the result page here; I'm curious whether the launcher is the same as mine.
Had you used USB flash disks before the infection? I believe I got the virus from a flash disk, but I'm not 100% sure (and I'm afraid to reinsert the flash disk again; I've disabled autorun from the Group Policy Editor, but who knows what other modifications the virus has made in the registry).

lotorien

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #28 on: January 23, 2012, 11:13:22 AM »
Yes, it's the same virus:

https://www.virustotal.com/file/90f15003f26877aca2dccaec5d9d65ed692c059029d17535537acb6a8909892f/analysis/1327312920/

I had used a friend's USB before the infection, so I'm quite sure I was infected by USB.
That USB is almost always used in a Mac OS laptop.

Maybe you can format the USB on a Linux computer.

driverx

  • Guest
Re: consrv.dll ZeroAccess?
« Reply #29 on: January 23, 2012, 11:38:54 AM »
I'll make a Linux live CD and take a look at the files on the flash drive.

Edit: it seems that the flash disk is clean. No autorun.inf on it.
« Last Edit: January 23, 2012, 01:10:26 PM by driverx »