Consrv.DLL Rootkit problems

[h4zmat]

Here ya go

[jeffce]

I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis

To submit a file to virustotal, please click  https://www.virustotal.com/

copy and paste the following into the upload a file box  (one at a time if more than one file is listed)

c:\windows\system32\drivers\FWPKCLNT.SYS


Scroll down a bit and click "send file", wait for the results and post the link to your results into your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

[h4zmat]

That file doesn't seem to exist

[jeffce]

Ok...thanks for letting me know.

Please download

Malwarebytes' Anti-Malware to your desktop.

• Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
  
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

The log can also be found here:
C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.

• Do not use this instance of your browser for anything besides doing this scan
• When the scan is complete and the results saved, close that instance of your browser
• Open a new one the usual way and post the results in this topic.

• Right-click and Run as Administartor on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan

• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  
  
• Check
  
• Click the Start button.
  
• Accept any security warnings from your browser.
• Check
  
• Make sure that the option "Remove found threats" is Unchecked
• Push the Start button.
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name, such as
  ESETScan. Include the contents of this report in your next reply.
  
• Push the Back button.
  
• Push Finish
  

http://www.eset.com/onlinescan/
----------

In your next reply please post the Malwarebytes and ESET online scanner logs.  :)

[h4zmat]

Done and done

[jeffce]

Hi,

Looks like we still have some work to do...

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

Code: [Select]

File::
C:\Users\AJ\Downloads\cnet_FileMenuTools-setup_exe.exe
C:\Users\AJ\Downloads\Kingdoms.of.Amalur.Reckoning-THETA\Kingdoms.of.Amalur.Reckoning-THETA\AutoRun.exe
C:\Users\AJ\Downloads\Kingdoms.of.Amalur.Reckoning-THETA\Kingdoms.of.Amalur.Reckoning-THETA\EASetup.exe
C:\Users\AJ\Downloads\Kingdoms.of.Amalur.Reckoning-THETA\Kingdoms.of.Amalur.Reckoning-THETA\KAReckoning.iso
C:\Windows.old\Documents and Settings\Administrator\AppData\Roaming\gamebooster.exe
C:\Windows.old\Documents and Settings\Administrator\Application Data\gamebooster.exe
C:\Windows.old\Users\Administrator\AppData\Roaming\gamebooster.exe
C:\Windows.old\Users\Administrator\Application Data\gamebooster.exe
D:\Program Files (x86)\Ubisoft\Tom Clancy's Splinter Cell Conviction\src\system\ubiorbitapi_r2.dll
D:\Users\AJ\Downloads\Software\Game Booster 2.3 + Serial\gamebooster.exe


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

In your next reply post the log created by ComboFix and let me know how your system is running.  :)

[h4zmat]

 

[jeffce]

Hi,

Looks like we have it cleaned up.  How is your system running? 

[h4zmat]

It's running great! The only problem I have now is my icon cache not rebuilding itself.

Thanks for all your help!

[jeffce]

Hi,

Try this and let me know if it helps. 

Please download Unhide.exe to your desktop:

• Right click on the Unhide.exe icon and click "Run as Administrator" on your desktop and allow the program to run.
• Once it's finished check to see if the icons are visible and the items in the programs menu have returned.

[h4zmat]

No change 

[jeffce]

Hi,

Ok...I found this set of instructions to try and resolve this problem. 

To Rebuild icon cache follow the below mentioned steps -

1. Open Folder Options to select (dot) Show hidden files and folders.

2. Open a Windows Explorer window.

3. Go to C:\Users\(User Name)\AppData\Local
4. Right click on IconCache.db and click on Delete.


5. Click on Yes to confirm the deletion.
NOTE: This deletes the file to the Recycle Bin. It is safe to empty the Recycle Bin when finished.

6. Close the window.

7. Empty the Recycle Bin.

8. Restart the computer.

9. When you go back, you will notice the Size of the IconCache.db file is smaller, and the Date Modified is now the current date. (See screenshot below)
NOTE: If for some reason IconCache.db is not there or the size has not changed much, then just restart the computer again. You may need to restart a couple of times in some cases.

10. The icon cache has been rebuilt.

Let me know if this has resolved your problem. 

[h4zmat]

Multiple restarts and the iconcache.db file comes back the same size every time

[jeffce]

Hi,

I have been looking around for the best approach to fixing your icon cache problem and I believe that the best course of action for you would be to post a new topic at the Windows Vista and Windows 7 forum at Geeks to Go found here >> http://www.geekstogo.com/forum/forum/79-windows-vista-and-windows-7/   You will have to register I believe before you can post, but it is free.  They will be better versed at helping you with an issue like this.   

When they are done helping you please come back so that we can remove the tools we have used and also I can give you some good information on keeping your system more secure.   Please PM me when you return so I don't overlook.