Author Topic: Another consrv.dll Victim Needing Help  (Read 11409 times)


adc

  • Guest
Another consrv.dll Victim Needing Help
« on: February 02, 2012, 10:40:01 PM »
Greetings All,

I've been working with a friend's Asus laptop that was infected with a fake security program.

I have been able to get Avast Internet Security (AIS) running and have removed and deleted:

(1) isecurity.exe  (Fake Security App)

(2) $REEEP7L.exe described as MSIL:Dropper

and

(3) other various temp, or infected files.

I've had some of the same problems as others here. Trying to repair or move consrv.dll
causes a boot problem, which needs to be repaired before troubleshooting can be resumed.


A current scan with AIS shows that only 4 files remain that need some type of "Action".

(1) C:\...\consrv.dll      High      Threat: Win32:Siref-HO (Rtk)
(2) C:\...\consrv.dll      High      Threat: Win32:Siref-HO (Rtk)
(3) C:\...\RLO2j3.com      High      Threat: Win32:FakeAlert-BVT (Trj)
(4) C:\...\consrv.dll      High      Threat: Win32:Siref-HO (Rtk)


I believe it is time to try and run OTL and aswMBR, but I will definitely need some guidance.

The laptop's OS is Windows 7 SP1, 64-bit.

Thanks for any help.
Al

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Another consrv.dll Victim Needing Help
« Reply #1 on: February 02, 2012, 10:45:54 PM »
Quote
I believe it is time to try and run OTL and aswMBR, but I will definitely need some guidance.
You find the guide here:
http://forum.avast.com/index.php?topic=53253.0


Attach the logs: lower left corner > additional options > attach

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another consrv.dll Victim Needing Help
« Reply #2 on: February 02, 2012, 10:50:23 PM »
Monitoring

adc

  • Guest
Re: Another consrv.dll Victim Needing Help
« Reply #3 on: February 02, 2012, 11:19:56 PM »
Thanks for link.

Results for MalwareBytes scan and repair.

OTL is on my Desktop. 8)

++++++++
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.02.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Jwoww :: J-PC [administrator]

2/2/2012 1:55:30 PM
mbam-log-2012-02-02 (13-55-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215061
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\System32\RLO2j3.com (Trojan.Krypt) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\RLO2j3.com (Trojan.Krypt) -> Quarantined and deleted successfully.
C:\Users\Jwoww\Downloads\FLVPlayerSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.

(end)
« Last Edit: February 02, 2012, 11:23:25 PM by adc »
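Added example, not from the thread or from Malwarebytes: a small Python parser for the Malwarebytes log format posted above. It pulls the header fields, the per-section "Detected" counts and each detection line into records, checks that the counts agree with the lines actually listed, flags anything that was not quarantined and deleted, and points out a file name found under both System32 and SysWOW64, as RLO2j3.com was here. The sample input is the log from this reply, trimmed to the lines the parser uses; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Sample input: the Malwarebytes quick-scan log posted in this thread, trimmed.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.02.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Jwoww :: J-PC [administrator]

2/2/2012 1:55:30 PM
mbam-log-2012-02-02 (13-55-30).txt

Scan type: Quick scan
Objects scanned: 215061
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\System32\RLO2j3.com (Trojan.Krypt) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\RLO2j3.com (Trojan.Krypt) -> Quarantined and deleted successfully.
C:\Users\Jwoww\Downloads\FLVPlayerSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.

(end)
"""


@dataclass
class Finding:
    section: str   # e.g. "Files", "Registry Keys"
    item: str      # path, key or process name exactly as logged
    name: str      # detection name, e.g. "Trojan.Krypt"
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)    # "Scan type" -> "Quick scan", ...
    counts: dict = field(default_factory=dict)    # section -> count MBAM claims
    findings: list = field(default_factory=list)  # parsed detection lines


HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<value>.+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Detection lines look like "<item> (<name>) -> <action>."; the name never
# contains parentheses, so paths such as "Program Files (x86)" parse correctly.
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            report.counts[section] = int(m.group("count"))
            continue
        if section is None:
            # still in the header block above the first "... Detected:" line
            m = HEADER_RE.match(line)
            if m:
                report.header[m.group("key")] = m.group("value")
            continue
        m = ITEM_RE.match(line)
        if m:
            report.findings.append(
                Finding(section, m.group("item"), m.group("name"), m.group("action")))
    return report


def count_mismatches(report):
    """Sections where MBAM's count differs from the lines actually listed."""
    listed = {}
    for f in report.findings:
        listed[f.section] = listed.get(f.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in report.counts.items()
            if n != listed.get(s, 0)}


def remaining_threats(report):
    """Findings MBAM did not quarantine and delete (e.g. 'Delete on reboot')."""
    return [f for f in report.findings
            if not f.action.lower().startswith("quarantined and deleted")]


def sibling_system_copies(report):
    """File names flagged under both System32 and SysWOW64: a 64-bit dropper
    that plants a 32-bit and a 64-bit copy side by side leaves this pattern."""
    seen = {}
    for f in report.findings:
        if f.section != "Files":
            continue
        p = PureWindowsPath(f.item)
        parts = [x.lower() for x in p.parts]
        for d in ("system32", "syswow64"):
            if d in parts:
                seen.setdefault(p.name.lower(), set()).add(d)
    return sorted(name for name, dirs in seen.items() if len(dirs) == 2)


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.header.get("Scan type"), "on database", rep.header.get("Database version"))
    for f in rep.findings:
        print(f"{f.section}: {f.name} at {f.item} -> {f.action}")
    print("count mismatches:", count_mismatches(rep))
    print("not removed:", remaining_threats(rep))
    print("System32/SysWOW64 pairs:", sibling_system_copies(rep))
```

The pairing check is the detail worth carrying into the next step of a cleanup: a file dropped into both system directories is a sign of a 64-bit-aware installer, so the follow-up scans (here OTL and aswMBR) should be read with that in mind rather than treating the two detections as unrelated.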

adc

  • Guest
Re: Another consrv.dll Victim Needing Help
« Reply #4 on: February 03, 2012, 12:15:32 AM »
OTL.txt attached.

adc

  • Guest
Re: Another consrv.dll Victim Needing Help
« Reply #5 on: February 03, 2012, 12:19:17 AM »
Extras.txt attached.

Note: Both files were too large in total to place in one reply.


Should I wait for a reply to run aswMBR?
« Last Edit: February 03, 2012, 12:28:55 AM by adc »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Another consrv.dll Victim Needing Help
« Reply #6 on: February 03, 2012, 12:42:02 AM »
Quote
Should I wait for a reply to run aswMBR?
Nope... run and attach the log.


Essexboy is logged out now, but will be back tomorrow. He is usually in here around 08:00 pm - 11:59 pm UK time.

adc

  • Guest
Re: Another consrv.dll Victim Needing Help
« Reply #7 on: February 03, 2012, 01:09:38 AM »
Completed aswMBR scan, and the log file is attached.

Should I "Fix", or wait for a reply?

Or, should I just wait for Essexboy's reply tomorrow?

THX
Al
« Last Edit: February 03, 2012, 01:14:18 AM by adc »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Another consrv.dll Victim Needing Help
« Reply #8 on: February 03, 2012, 01:25:53 AM »
Quote
Should I "Fix", or wait for a reply?
you wait for Essexboy....so this is done properly   ;)


OBS.... that is the longest aswMBR log I have seen.

adc

  • Guest
Re: Another consrv.dll Victim Needing Help
« Reply #9 on: February 03, 2012, 01:36:31 AM »

Quote
you wait for Essexboy....so this is done properly   ;)

OBS.... that is the longest aswMBR log I have seen.

I thought I might have to split the log in two in order to attach.  ;D

THX again.
Al

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another consrv.dll Victim Needing Help
« Reply #10 on: February 03, 2012, 09:22:27 PM »
aswMBR gets better every time


Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    IE - HKU\S-1-5-21-72642340-1585939968-2348190475-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
    [2011/11/18 23:19:20 | 000,000,000 | ---D | M] (StartNow Toolbar) -- C:\Users\Jwoww\AppData\Roaming\Mozilla\Firefox\Profiles\21lng6lc.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
    O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll ()
    O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll ()
    O4 - HKLM..\Run: [StartNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe" File not found
    [2011/12/24 04:50:50 | 000,000,112 | ---- | C] () -- C:\ProgramData\k3yIM1c.dat

    :Files
    ipconfig /flushdns /c
    C:\Program Files (x86)\StartNow Toolbar
    C:\Windows\tasks\At*.job

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Re-run aswMBR

Click Scan

On completion of the scan, click the Fix button

Save the log as before and post in your next reply

adc

  • Guest
Re: Another consrv.dll Victim Needing Help
« Reply #11 on: February 03, 2012, 09:53:48 PM »
Essexboy,

I started OTL 25 minutes ago (12:25 pm PST) and I got an alert box that read "Cannot create file C:\Windows\System32\drivers\etc\Hosts." I clicked "OK" and OTL has the message at the bottom that says "Resetting HOSTS file. DO NOT INTERRUPT..." and it has had that message for over 12 minutes.

OTL may be stuck.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another consrv.dll Victim Needing Help
« Reply #12 on: February 03, 2012, 10:01:18 PM »
OK, close it out and manually reboot please. Do you have Spybot?

adc

  • Guest
Re: Another consrv.dll Victim Needing Help
« Reply #13 on: February 03, 2012, 10:04:19 PM »
Quote
OK, close it out and manually reboot please. Do you have Spybot?


Yes, Spybot is installed on the machine. I can remove it if needed.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another consrv.dll Victim Needing Help
« Reply #14 on: February 03, 2012, 10:06:33 PM »
It is protecting the HOSTS file, and it does need resetting.

So if you could uninstall it when we do the final sweep OTL run.
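The last few replies turn on the hosts file: OTL's [resethosts] step could not recreate C:\Windows\System32\drivers\etc\hosts because Spybot's protection had locked it. An added example in Python, not from the thread or from any of the tools it names, showing the two checks a defender would run before and after such a reset: it parses a hosts file, reports every active entry a default Windows 7 hosts file would not carry (vendor domains sent to loopback or 0.0.0.0, a site pointed at a remote address, malformed lines) and reports whether the file is read-only, which is the state behind the "Cannot create file" message. The domain names, the 203.0.113.9 address, the sample file and the write_sample/run_demo helpers are constructed for the example.

```python
import ipaddress
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional

# Names a hosts file is expected to carry; any other active (uncommented)
# entry deserves a look, since a stock Windows 7 hosts file has none.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample, not a real hosts file from the thread: a clean default
# section followed by the kinds of lines a hosts-file hijack leaves behind.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   localhost
::1         localhost
127.0.0.1   updates.example-security-vendor.test   # vendor domain sent to loopback
0.0.0.0     forum.example-security-vendor.test     # vendor domain blackholed
203.0.113.9 www.example-bank.test                  # site pointed at a remote address
not-an-ip   bogus.test                             # malformed line
"""


@dataclass
class HostsEntry:
    lineno: int
    ip: Optional[str]   # None when the address field did not parse
    names: list
    kind: str           # "ok", "blackhole", "redirect" or "malformed"


def classify(ip, names):
    if ip is None:
        return "malformed"
    non_local = [n for n in names if n.lower() not in LOCAL_NAMES]
    if not non_local:
        # only local names: fine as long as they resolve to a loopback address
        return "ok" if ip.is_loopback else "redirect"
    if ip.is_loopback or ip.is_unspecified:
        return "blackhole"   # the classic way a rogue AV cuts off vendor sites
    return "redirect"


def parse_hosts(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        names = fields[1:] if ip is not None else fields
        entries.append(HostsEntry(lineno, str(ip) if ip else None, names,
                                  classify(ip, names)))
    return entries


def suspicious_entries(entries):
    return [e for e in entries if e.kind != "ok"]


def is_read_only(path):
    """True when the owner write bit is clear: the read-only attribute on
    Windows, the mode bits elsewhere. A reset tool cannot rewrite such a file."""
    return not (stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWUSR)


def audit_hosts(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = parse_hosts(fh.read())
    return {"read_only": is_read_only(path), "suspicious": suspicious_entries(entries)}


def write_sample(directory):
    """Write the constructed sample to <directory>/hosts and mark it
    read-only, mimicking a protected hosts file (helper for this example)."""
    path = os.path.join(directory, "hosts")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_HOSTS)
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return path


def run_demo():
    """Audit the constructed sample in a scratch directory and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_hosts(write_sample(tmp))


if __name__ == "__main__":
    result = run_demo()
    print("read-only:", result["read_only"])
    for e in result["suspicious"]:
        print(f"line {e.lineno}: {e.kind:9} {e.ip} -> {', '.join(e.names)}")
```

To audit a live machine, call audit_hosts on the real path (C:\Windows\System32\drivers\etc\hosts) instead of the sample; the read-only result tells you whether a reset will fail for the reason seen in this thread, and the suspicious list tells you what the reset will actually undo.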