Consrv.DLL Rootkit problems

[h4zmat]

I've been running every program I've ever used to clean up infected systems with no luck removing this one. Avast keeps showing that svchost is creating consrv.dll right when I turn on my computer and then again every few hours or so.
The only other symptom aside from the Avast popup is that my shortcut icons aren't showing, MBAM and Avast cleaned it up pretty well.

Thanks for any input, I appreciate the help

[true indian]

malware removal expert essexboy is notified...

[akama1]

you have to ask essexboy then the last time i gave my own opinion post was deleted so i dont think i sould post anymore of my suggestions here though....

[jeffce]

Hi h4zmat,

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.
----------

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

Code: [Select]

File::
C:\Windows\SysNative\websensecpmcommunicationagent.dll

Driver::
stunnel

NetSvcs::
stunnel


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

[essexboy]

Jeff a word of caution the latest variant of this may need two or three runs with a cfscript to clear it..  I have a few like that at the moment, trying to clear the left over service with OTL may necessitate a system restore 

And welcome again to the madhouse 

[jeffce]

Thanks essexboy!  Yep I have been looking over some of the logs you are working as well and being sure to keep notes. 

[h4zmat]

I ran Combofix and Avast hasn't blocked anything yet, looking good so far. All of my icons are still blank though.

[jeffce]

Hi h4zmat,

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

Code: [Select]

ClearJavaCache::

AtJob::

DDS::
uInternet Settings,ProxyOverride = 127.0.0.1:9421

File::
c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe
c:\windows\system32\J8FNQN1.com

Folder::
c:\programdata\IObit
c:\program files (x86)\IObit

NetSvcs::
stunnel

Driver::
AdvancedSystemCareService5
aswSP
aswSnx
aswFsBlk
stunnel


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

[h4zmat]

Here you go. Still no Avast popups & no icons showing

-edit- Ok so now I can't get the Avast service to start, I tried reinstalling with no luck.

[true indian]

Reinstall once again and if no luck

follow the instructions given here:
http://www.avast.com/uninstall-utility

Then do a install again that will be fixed.

[jeffce]

Hi,

Let's hit it again. 

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

Code: [Select]

NetSvc::
stunnel

Driver::
stunnel


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

[h4zmat]

Reinstall once again and if no luck

follow the instructions given here:
http://www.avast.com/uninstall-utility

Then do a install again that will be fixed.

That did the trick, thanks!

My latest combofix log was too big to post, I had to upload it to another website.
http://www.sendspace.com/file/fikgzx

[jeffce]

Hi,

Please run a new scan with OTL. 
Be sure to include in the Custom Scan section the following bolded text:
netsvcs
CREATERESTOREPOINT

Once the scan is complete please post the newly created log. 

[h4zmat]

Done

[jeffce]

Hi h4zmat,

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

• Disable any script blocking protection
• Right-click and Run as Administrator dds to run the tool.
  
• When done, two DDS.txt's will open.
  
• Save both reports to your desktop.
  

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt

Attach.txt
----------