Topic: OTL Analysis for consrv.dll

Phobophile89 (Guest)
OTL Analysis for consrv.dll
« on: February 07, 2012, 10:54:36 PM »
Hi,
I finally got rid of the Win7 Recovery virus and got everything back to normal, like a boss! Almost. I still have these consrv.dll threats spawning again and again. It seems that problem needs a particular treatment for every case, so I got the "OTL by OldTimer" tool and did the scan. I can't seem to find an official forum to analyse the result; I noticed there are a few posts of that kind, and as I use Avast! I think this is the best place to post it!

Thank you!

Update: I'll follow the procedure from "Logs to assist in cleaning malware".
« Last Edit: February 08, 2012, 05:59:52 PM by Phobophile89 »

Phobophile89 (Guest)
Re: OTL Analysis for consrv.dll
« Reply #1 on: February 08, 2012, 06:02:38 PM »
Malwarebytes log
« Last Edit: February 08, 2012, 06:21:33 PM by Phobophile89 »

Pondus
Re: OTL Analysis for consrv.dll
« Reply #2 on: February 08, 2012, 06:07:07 PM »
Quote
I still have these consrv.dll threats spawning again and again
This can be the ZeroAccess rootkit.
Continue with the rest of the logs from the guide ("Logs to assist in cleaning malware"). Attach them; do not copy and paste.

See below: Attachments and other options.

Essexboy is notified.
« Last Edit: February 08, 2012, 06:16:17 PM by Pondus »
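Pondus's ZeroAccess guess above can be checked directly rather than waiting for the alert to come back. The ZeroAccess (Sirefef) variant that drops consrv.dll got itself loaded into csrss.exe at every boot by rewriting the csrss ServerDll list stored in the registry value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows, swapping the console server entry winsrv:ConServerDllInitialization,2 for consrv:ConServerDllInitialization,2. The script below is an added example and is not code from this thread, from OTL, from Avast or from ComboFix. It assumes the value format shown in the constructed CLEAN_WIN7 sample and an allow-list of the ServerDll modules a stock Windows 7 install loads (basesrv, winsrv, sxssrv); other Windows versions may load a different set, so adjust the allow-list before trusting a result there. Off Windows it runs against the constructed hijacked sample so the parser can be exercised anywhere.

```python
"""Check the csrss.exe ServerDll list for a ZeroAccess-style consrv.dll hijack.

Added example, not part of the forum thread. Assumptions (not from the page):
the registry value format in CLEAN_WIN7 below, and the allow-list of ServerDll
modules that a stock Windows 7 install loads (basesrv, winsrv, sxssrv).
"""
import os
import re
import sys

SUBSYSTEMS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
VALUE_NAME = "Windows"

# Modules a clean Windows 7 csrss.exe loads; anything else is suspicious.
KNOWN_GOOD_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed sample values for offline use. CLEAN_WIN7 is the stock Windows 7
# string; HIJACKED_WIN7 is the same string with the console server DLL swapped
# for consrv, which is how the consrv.dll ZeroAccess variant was loaded into
# csrss.exe at boot.
CLEAN_WIN7 = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
HIJACKED_WIN7 = CLEAN_WIN7.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

# ServerDll=<module>[:<entrypoint>],<index>
_SERVERDLL_RE = re.compile(r"ServerDll=([^,\s:]+)(?::([^,\s]+))?,(\d+)")


def parse_server_dlls(value):
    """Return [(module, entrypoint_or_None, index), ...] from the Windows value."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in _SERVERDLL_RE.finditer(value)]


def find_rogue_server_dlls(value, known_good=KNOWN_GOOD_SERVER_DLLS):
    """Return the ServerDll entries whose module is not on the allow-list."""
    return [e for e in parse_server_dlls(value) if e[0].lower() not in known_good]


def read_live_value():
    """Read the real SubSystems\\Windows value (Windows only; needs winreg)."""
    import winreg  # only present on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_KEY) as key:
        value, _type = winreg.QueryValueEx(key, VALUE_NAME)
    return value


def main():
    if sys.platform == "win32":
        value = read_live_value()
        print("live value:", value)
    else:
        value = HIJACKED_WIN7
        print("not on Windows; checking the constructed hijacked sample instead")
    rogue = find_rogue_server_dlls(value)
    if not rogue:
        print("csrss ServerDll list is clean")
        return 0
    for module, entry, idx in rogue:
        print(f"SUSPICIOUS ServerDll: {module} ({entry or 'default entry'}), index {idx}")
        if sys.platform == "win32":
            # Show whether the module is actually present in system32, the
            # path the Avast alerts in this thread name.
            path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                "system32", module + ".dll")
            print("  file present:", os.path.exists(path), path)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it from an administrator prompt on the affected box. A ServerDll entry that names consrv explains why the file "spawns again" after every reboot: it is loaded by csrss.exe itself, not by a normal autorun. It is also the reason not to simply delete the DLL: if the ServerDll entry still names consrv when the file is gone, csrss.exe fails to initialise and Windows will not boot, so restore the winsrv entry first and only then remove the file.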

Phobophile89 (Guest)
Re: OTL Analysis for consrv.dll
« Reply #3 on: February 08, 2012, 06:31:15 PM »
OTL by OldTimer didn't output the Extras.txt.
Here is the OTL.txt.


Pondus
Re: OTL Analysis for consrv.dll
« Reply #4 on: February 08, 2012, 06:53:52 PM »
Quote
OTL by OldTimer didn't output the Extras.txt.
That only happens on the first run, so have you run it before?
Anyway, it is not that important, just some extra system info.
« Last Edit: February 08, 2012, 07:01:46 PM by Pondus »

Phobophile89 (Guest)
Re: OTL Analysis for consrv.dll
« Reply #5 on: February 08, 2012, 08:04:16 PM »
Finally, aswMBR.txt.

essexboy (Malware removal instructor)
Re: OTL Analysis for consrv.dll
« Reply #6 on: February 08, 2012, 10:11:50 PM »
Looks like Avast is stopping it from respawning, so let's kill those files now.

Let me know if the alerts continue.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
    [2012-02-06 12:31:18 | 000,000,304 | ---- | M] () -- C:\ProgramData\~nkABaemCYmTnry
    [2012-02-06 12:31:17 | 000,000,192 | ---- | M] () -- C:\ProgramData\~nkABaemCYmTnryr
    [2012-02-06 12:26:45 | 000,000,448 | ---- | M] () -- C:\ProgramData\nkABaemCYmTnry
    [2012-02-04 11:52:34 | 000,000,320 | ---- | M] () -- C:\ProgramData\~RGhqt5dtvRJvHx
    [2012-02-04 11:52:34 | 000,000,216 | ---- | M] () -- C:\ProgramData\~RGhqt5dtvRJvHxr

    :Files
    ipconfig /flushdns /c
    C:\windows\tasks\At*.job

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Phobophile89 (Guest)
Re: OTL Analysis for consrv.dll
« Reply #7 on: February 10, 2012, 07:28:06 PM »
Here's the other OTL log, and there's an output I got after rebooting; I attached it too.
P.S.: At each boot I get a Desktop.ini opening.
« Last Edit: February 10, 2012, 07:39:12 PM by Phobophile89 »

essexboy (Malware removal instructor)
Re: OTL Analysis for consrv.dll
« Reply #8 on: February 10, 2012, 08:26:16 PM »
That is a known bug with Windows 7. MS has a small Fix it for it here: http://support.microsoft.com/kb/330132 (just run the Fix it button).

How is the computer behaving now?

Phobophile89 (Guest)
Re: OTL Analysis for consrv.dll
« Reply #9 on: February 10, 2012, 09:59:41 PM »
Tried the MS fix; it doesn't work, and consrv.dll is still there.

essexboy (Malware removal instructor)
Re: OTL Analysis for consrv.dll
« Reply #10 on: February 10, 2012, 10:03:12 PM »
Could you re-run aswMBR please, as according to the last run it was not there?

Phobophile89 (Guest)
Re: OTL Analysis for consrv.dll
« Reply #11 on: February 10, 2012, 11:10:49 PM »
Here's the fresh aswMBR log, run as an administrator.

essexboy (Malware removal instructor)
Re: OTL Analysis for consrv.dll
« Reply #12 on: February 10, 2012, 11:26:59 PM »
Where is the indication of the infection coming from?

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Phobophile89 (Guest)
Re: OTL Analysis for consrv.dll
« Reply #13 on: February 11, 2012, 12:34:17 AM »
So during step 2, dumphive.3xe ("yes, (three)xe") crashed; after the reboot it crashed again, then ComboFix was telling me not to open any program because it hadn't finished. It was idle like this for about 10 minutes until I just shut it. I can't open anything: WordPad, Notepad, Google Chrome, Internet Explorer, Avast!, OTL, ComboFix, Adobe Reader; I can't run any program. I don't have the consrv.dll threat alert, but I don't have any anti-virus or anti-malware; my computer is TOTALLY unoperational. The only thing it will do is tell me I tried an unauthorised operation on a registry key marked "to delete" (excuse my raw French/English translation).
The threats were coming from: "Object: c:\Windows\system32\consrv.dll / Infection: Win32:Sirefef... / Process: c:\windows\system32\svchost.dll".

And here's the log.

Sorry for the registry thing; I rebooted as instructed :-[

So after a reboot and an Avast! scan, I got c:\windows\system32\consrv.dll twice and c:\windows\system64\consrv.dll, which I deleted; the system64 one was unreachable, so every action failed. After I shut Avast!, I got the c:\windows\system32\consrv.dll threat pop-up.
« Last Edit: February 11, 2012, 01:11:28 AM by Phobophile89 »

Phobophile89 (Guest)
Re: OTL Analysis for consrv.dll
« Reply #14 on: February 11, 2012, 02:27:09 AM »
Update:
So I rebooted to cure the registry issue; once done, I waited for Avast! to detect consrv.dll ... Nothing, nice. I launched a scan, which got me consrv.dll in system32 twice and consrv.dll in system64 (Wut???); I tried to delete all, but the system64 one gives the error "file doesn't exist".

So I clicked "do nothing" for the system64 infection; I got that pop-up telling me consrv.dll in system32 was the Win32:Sirefef... [HO] and asking me to scan at reboot. During the scan I deleted consrv.dll 3 times, then rebooted, and I still get warned about consrv.dll.

The ComboFix log is in my last post.