consrv.dll zeroaccess but no "Safety Settings Service"

[zerokit]

I will do it in 2 hours.

Did a boot up scan during the night

02/11/2012 04:29
Scan of all local drives

File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_1b3a2ca9472cedf3457ccff54f6c5c016cdf6_cab_042cea99\WERE751.tmp.hdmp is infected by Win32:DNSChanger-VJ [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash__ex-68.exe_e0b41f88c6e8b2dea88ae6cd8babf5761c1075ae_cab_3748061a\WER5B0.tmp.mdmp is infected by Win32:Kelihos-AF [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash__ex-68.exe_e0b41f88c6e8b2dea88ae6cd8babf5761c1075ae_cab_3748061a\WERFF0B.tmp.hdmp is infected by Win32:DNSChanger-VJ [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_AMService_e3965e73f5257183d7da29864e8f39a6e9a898_cab_03cbad1f\WER9A4C.tmp.hdmp is infected by Win32:DNSChanger-VJ [Trj], Repair: Error 42060 {The file was not repaired.}
File C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir is infected by Win32:Sirefef-HO [Rtk], Repair: Error 42060 {The file was not repaired.}
File C:\Windows\assembly\temp\twl.dll is infected by Win32:Agent-ANSR [PUP], Repair: Error 42060 {The file was not repaired.}

I probably did a mistake by choosing Repair instead of Ask/Delete so the files didnt get deleted

[essexboy]

The *dumps are probably FP's

Delete the one in the assembly temp folder
The qoobox is quarantined

Once the bad service is removed all should be good

[zerokit]

"Range check error"

I think this was left

[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


Did a reboot myself, BSOD.. didnt read the message, just hoped to get back with last known configuation which luckily worked. The service is there (not active, no consrv.dll)

Doing a quick scan now.

[zerokit]

OTL log

[essexboy]

OTL no longer shows the service on your system... I believe the error was caused by ZA protecting your host file (another thing to remember )

Any problems remaining ?

[zerokit]

Great, system is fine and no threats detected on full scan, thank you

So the service is repaired and can be enabled again?

[essexboy]

Yes restart Ipsec and let me know if that causes any errors/problems

[zerokit]

IPSec has been running for a few days, I'm talking about DXEC02 / servicelayer which is present in Services / regedit

[essexboy]

According to OTL that is no longer present

Could you run a fresh log please as you do not want that started

[zerokit]

Under parameters: ServiceDLL "%systemroot%\system32\STV680m.dll"

[essexboy]

Lets run OTL on it again to see if it can locate it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

Code: [Select]

:OTL
SRV:[b]64bit:[/b] - [2009.07.14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\STV680m.dll -- (servicelayer)
NetSvcs:[b]64bit:[/b] servicelayer - C:\Windows\SysNative\STV680m.dll (Oak Technology Inc.)


• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done

OTL will produce a list of actions could you post that please

[zerokit]

DXEC02 / servicelayer gone,



========== OTL ==========
Service servicelayer stopped successfully!
Service servicelayer deleted successfully!
File C:\Windows\SysNative\STV680m.dll not found.
Unable to remove 64bit: servicelayer from NetSvcs value.
File C:\Windows\SysNative\STV680m.dll not found.
 
OTL by OldTimer - Version 3.2.31.0 log created on 02132012_204418

[essexboy]

OK file that under weird - and it has gone now ?

[zerokit]

Yes, after applying your Fix and rebooting it's gone.

[essexboy]

Ok run as normal for the next day or so and when you are happy I will remove my tools