Topic: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]

DaManJ

  • Guest
consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« on: February 07, 2012, 02:53:20 PM »
Hi,
I was infected by the consrv.dll virus which was intercepting my web queries and redirecting my browser.
I managed to get rid of desktop.ini, ping.exe, consrv.dll.
When fixing the problem I also had the BSOD problem after removing consrv.dll - but fixed it by editing the Windows registry to change consrv.dll to winsrv from the recovery console (as mentioned here http://www.bleepingcomputer.com/forums/topic400730.html/page__st__15__p__2271737#entry2271737)

So anyway, I'm basically virus free now - avast, AVG, and Malwarebytes all give a clean bill of health when running a scan.
However, there is still a persistent virus dropper somewhere that keeps dropping the consrv.dll into my C:\Windows\System32 folder, which Avast keeps putting into the Virus Chest (as Win32:Sirefef-HO [Rtk]). It must have put it into the virus chest over 100 separate times now.
So I'm not sure what is putting it there, but something that disguises itself pretty well I guess.
Can anyone help?

Thanks,
J

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #1 on: February 07, 2012, 03:38:12 PM »
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

DaManJ
Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #2 on: February 08, 2012, 01:50:10 AM »
Hi, here are the logs.

Thanks,
J
« Last Edit: February 08, 2012, 03:52:03 AM by DaManJ »

Offline DavidR

Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #3 on: February 08, 2012, 02:19:15 AM »
I'm not a malware removal specialist, so I don't know what methods this malware uses.

Unfortunately it is now 1:20am in the UK and essexboy who normally analyses these will be in bed. He is normally on-line after work around 7pm UK time.

Unless another of the specialists is able to pick this up it will be a while before he is able to look at it.

DaManJ
Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #4 on: February 08, 2012, 03:51:18 AM »
No problem. I'm just happy people are willing to help :)

From the description, this guy has the exact same virus I have http://forum.avast.com/index.php?topic=92751.0

I also had the files 80000004.$, 80000032.$, 80000032.@ as well (though no longer).

And before essexboy asks, no I do not have any service called "Safety Settings Service" listed in task manager.

Unfortunately I have also had 2 random BSODs today which I guess are virus related. I have never had BSODs on this PC before.

Thanks,
J

Offline DavidR

Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #5 on: February 08, 2012, 01:13:25 PM »
Unfortunately it is a bit of a game of catch-up: whilst there are many similarities, they continue to create variants to make it easier to hide, which is why these analysis tools are used to gather the information before proceeding.

Some variants, if improperly removed, can cause problems on the system, which at times are harder to resolve than the malware. Some malware is also badly written and as such can have an impact on the normal running of your system.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #6 on: February 08, 2012, 06:23:24 PM »
Hi DaManJ,

I see you ran ComboFix. There should be a log at C:\combofix.txt, please post its contents.

Next

Please open OTL.

  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, click the None button near the top (it may look greyed out)

  • In the window under Custom Scans/Fixes copy and paste the following

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTIDrvr /s
    /md5start
    incdrm.*
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Please post back with
  • combofix log
  • OTL.txt

Offline DavidR

Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #7 on: February 08, 2012, 07:11:17 PM »
Thanks for joining the topic oldman.

DaManJ
Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #8 on: February 08, 2012, 11:27:36 PM »
Hi,
Here are the combofix and OTL logs.

Thanks,
J

Offline oldman

Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #9 on: February 09, 2012, 03:17:38 AM »
Hi DaManJ,

That service doesn't look quite right.

Please go to VirusTotal and submit the following file for analysis.
  • use the choose file button to navigate to

    C:\Windows\system32\incdrm.dll

  • click the scan it button
    If it says the file has already been scanned, click reanalyze
Please post the results.

DaManJ
Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #10 on: February 09, 2012, 03:50:36 AM »
Hi oldman,
I don't have any file at c:\windows\system32\incdrm.dll

I uploaded the incdrm.dll at C:\Windows\SysNative\ and C:\Windows\system64\ though, but the scans didn't find any problems.

It is interesting though, because all other DLLs in that folder have TrustedInstaller as owner under the security tab of properties, but this DLL does not, so it seems foreign.

Someone has written a comment on that website though of "Seems to be a zero access loader" (https://www.virustotal.com/file/77c3a8a545e7339fb149f20bf0864c7e5772022f4ced67236d8b78d51328dc12/analysis/1328754716/)

I've modified permissions to deny access to all users on incdrm.dll, so I'll reboot and see if avast keeps finding consrv.dll popping up.


Portable Executable structural information

PE Sections...................:

Name        Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text                  4096          1664      2048     5.33  aaf91b113926ae493eec8c5d71878cff
.rdata                 8192          1136      1536     3.34  56d6416c322465203a32f8f356694427
.data                 12288            76       512     0.12  079c994a503500c2182eb28a393cac08
.pdata                16384           120       512     1.04  573a1379382940b53060c249d59a5f0d
.rsrc                 20480           808      1024     2.69  04adb191b0415df07b52a8b2d37c9829

PE Imports....................:

ADVAPI32.dll
   RegisterServiceCtrlHandlerExW, SetServiceStatus

ntdll.dll
   ZwDelayExecution, ZwClose, ZwQueryEaFile, ZwOpenThread, RtlFreeUnicodeString, ZwOpenFile, RtlDosPathNameToNtPathName_U, LdrFindEntryForAddress, ZwAlertThread, memcpy, strcmp, __chkstk

KERNEL32.dll
   FreeLibrary, GetCurrentThreadId, GetCurrentProcessId, LocalFree, VirtualFree, VirtualAlloc, LocalAlloc

Cabinet.dll
   -, -, -


PE Exports....................:

ServiceMain
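
The ownership check DaManJ did by hand in Explorer, as an added PowerShell triage script that is not part of this thread or of any Avast or ComboFix tool: it walks every service's Parameters\ServiceDll value (the way an svchost-hosted service like NTIDrvr points at its DLL) and reports hosted service DLLs that are not owned by TrustedInstaller or do not carry a valid Authenticode signature. It assumes an elevated 64-bit PowerShell prompt on the affected machine, so that System32 is not redirected to SysWOW64.

```powershell
# Added triage script (not from the thread). Lists svchost-hosted service DLLs whose
# file is not owned by NT SERVICE\TrustedInstaller or is not validly signed.
# Assumption: run from an elevated, 64-bit PowerShell prompt on the affected machine.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SuspiciousServiceDll {
    Get-ChildItem -Path $servicesKey | ForEach-Object {
        $service = $_.PSChildName
        $params  = Join-Path -Path $_.PSPath -ChildPath 'Parameters'
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { return }   # not an svchost-hosted service (no Parameters\ServiceDll)

        # ServiceDll values are usually %SystemRoot%-relative; expand before touching the file
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Service = $service; Path = $path; Owner = 'n/a'; Signature = 'FileMissing' }
            return
        }

        $owner = (Get-Acl -LiteralPath $path).Owner
        $sig   = (Get-AuthenticodeSignature -LiteralPath $path).Status

        # Genuine hosted system DLLs are TrustedInstaller-owned and validly (often catalog-) signed;
        # anything else is a lead worth submitting for analysis, not a verdict on its own
        if ($owner -ne 'NT SERVICE\TrustedInstaller' -or $sig -ne 'Valid') {
            [pscustomobject]@{ Service = $service; Path = $path; Owner = $owner; Signature = $sig }
        }
    }
}

Get-SuspiciousServiceDll | Sort-Object Service | Format-Table -AutoSize
```

On Windows 7, catalog-signed system files report NotSigned from Get-AuthenticodeSignature, so on that version the Owner column is the stronger of the two signals and the Signature column mainly filters out clearly third-party entries.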

DaManJ
Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #11 on: February 09, 2012, 04:18:51 AM »
Right, it seems that indeed was the dropper.
No consrv.dll respawn since reboot.
Any idea for removing that DLL? Should I just delete incdrm.dll and the registry key?

Btw for anyone else looking at this thread, I suggest getting this removal tool from ESET which targets this virus specifically - http://kb.eset.com/esetkb/index?page=content&id=SOLN2895
And make sure you have avast so the virus cannot respawn.

Thanks,
J

DaManJ
Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #12 on: February 09, 2012, 04:27:19 AM »
Btw I have uploaded the incdrm.dll file here if someone wants to analyze it and add it to the avast definitions.

https://www.wuala.com/jeremylei/virus/?key=R0FRuDXCcpeX


Offline oldman

Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #13 on: February 09, 2012, 06:24:34 AM »
Hi DaManJ,

We'll make it go away.

We will be using ComboFix again, but will run it differently.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

File::
C:\Windows\SysNative\incdrm.dll
C:\Windows\system64\incdrm.dll

Driver::
NTIDrvr

NetSvc::
NTIDrvr

In the notepad
  • Click File, Save as..., and set the Save in to your usb device
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Please post back with the combofix log.

DaManJ
Re: consrv.dll desktop.ini ping.exe Win32:Sirefef-HO [Rtk]
« Reply #14 on: February 09, 2012, 07:34:42 AM »
Hi, here is the ComboFix log.

Thanks,
J