Consrv.dll, cant find the dropper

[oldman]

Hi BigmaccyD,


Reboot the computer, After it starts open OTL and click the Quick Scan button.

[BigmaccyD]

here is the otl log

best wishes

[oldman]

Hi BigmaccyD,


Please download DDS and save it to your desktop.

• Disable any script blocking protection
• Double click dds.scr to run the tool.
• When done, DDS.txt will open.An additional log called Attach.txt should appear minimized on the task bar.
• Save both reports to your desktop before closing the DDS window.

     

[BigmaccyD]

heya, here are both logs from dds

[oldman]

Hi BigmaccyD,


Use combofix fix with this script.


Please follow all previous instructions regarding security programs.

Open a new Notepad session

• Click the Start button, click run
  
• in the run box type notepad
  
• click ok
  
• In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  
  
• Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
  

Code: [Select]


File::
C:\Windows\SysNative\ca-messagequeuing.dll
C:\Windows\System32\ca-messagequeuing.dll

Driver::
Si3132r5

NetSvc::
Si3132r5

DDS::
Hosts: 109.163.226.208 www.google-analytics.com.
Hosts: 109.163.226.208 ad-emea.doubleclick.net.
Hosts: 109.163.226.208 www.statcounter.com.
Hosts: 67.215.245.19 www.google-analytics.com.
Hosts: 67.215.245.19 ad-emea.doubleclick.net.
Hosts: 67.215.245.19 www.statcounter.com.



In the notepad

• Click File, Save as..., and set the Save in to your desktop
  
• In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  
• Click save
  

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close  all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Please post back with the combofix log and a new DDS log.

[BigmaccyD]

is there something wrong ?

here are the required test files

[oldman]

Hi BigmaccyD

There are some entries in your hosts file that should be removed. However I'm having a problem resetting it as there seems to be something locking it.


Press the WinKey + R to open a run box. Copy and paste the following command into the run box and click OK (don't miss the " at the end)

Code: [Select]

regedit /e "%userprofile%\desktop\output.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
Please attach the resulting notepad it will be named output.txt.

[BigmaccyD]

here ya go

[oldman]

Hi  BigmaccyD,

Let's see if you can access the Hosts file. Let me know of any error you may recieve.

Click on the Windows Explorer icon on the taskbar

• When it opens click the Organize button
  
• click folder and search options
  
• click the View tab
  
• check Show hidden files, folders and drives
  
• uncheck hide extentions for known file types
  
• uncheck hide protected operating system files (recommended)
  
• click apply, click ok
  

Navigate to C:\windows\system32\drivers\etc

• locate hosts
  
• right click it and click open
  
• choose notepad from the list of options
  
• click ok

If you can open the file

• locate these lines

109.163.226.208 www.google-analytics.com.
109.163.226.208 ad-emea.doubleclick.net.
109.163.226.208 www.statcounter.com.
67.215.245.19 www.google-analytics.com.
67.215.245.19 ad-emea.doubleclick.net.
67.215.245.19 www.statcounter.com.

• highlight them all
• right click and click delete
  
• click file and click save
  
• close the notepad.

How did you make out?

[/list]

[BigmaccyD]

when i try to save it says this file is set to read only please try a different name

edit' just tried to do it safe mode and same thing. also tried modifying the file rights but no go there either something doesnt want me touching that file 

[oldman]

Hi  BigmaccyD,

Try the steps HERE . If you can rename the hosts file I suggest doing the manual fix. There is a copy of the Win7 default hosts file shown there.

[BigmaccyD]

i cant rename it, says i need permission from the system lol Grrr @ computers

ok after some further research i downloaded a reg fix and took ownership of the file and then deleted the required lines..

ive added the reg edit i downloaded for you to take a look

[oldman]

Hi  BigmaccyD,

Try using the fixIt Tool on that page,

[BigmaccyD]

ahh i must of just missed you, read my previous post

[oldman]

Hi BigmaccyD

Before you start changing permissions which may be exploitable by malware. Try this first

Click Start

• in the Search box type notepad
  
• notepad will appear at the top of the list
• right click it and click "Run as Administrator"
• Ok it to run
• in the notepad that opens click file, click open
  
• change the box in the lower right to All files (*.*)
  
• change the encoding box to Ansi
• navigate to c:\Windows\System32\drivers\etc\hosts
  
• click open
• delete these lines

109.163.226.208 www.google-analytics.com.
109.163.226.208 ad-emea.doubleclick.net.
109.163.226.208 www.statcounter.com.
67.215.245.19 www.google-analytics.com.
67.215.245.19 ad-emea.doubleclick.net.
67.215.245.19 www.statcounter.com.

• click save