Need help with a rootkit - (consrv.dll, sirefef rtk)

[Mikhail]

Hi. I recently reinstalled windows, and in my brilliance, forgot to install an anti-virus program until a few days in. As a result, I've become infected with numerous malware, and what avast tells me is a rootkit. I only noticed the infection when numerous windows functions stopped working (windows firewall), and ping.exe kept appearing in my processes tab. At any rate, I tried to find a result via google, and was met with limited luck by running a few scans and using combofix. However, the rootkit remained, and kept attempting to drop consrv.dll into my files. While Avast seemed to hold it in check for a while, I think it's turned into a serious infection once again. Any help would be greatly appreciated. I've attached the results of the scans advised by the sticky in this forum.

[akama1]

did you try running a scan with aswMBR?

[Mikhail]

Yeah, it just finished. Here is the log. Also. I seem to be getting a lot of foiled attempts at placing a trojan from Win32: DNSChanger-VJ [Trj] and Win64:ZAccess-A [Trj]. Just wondering if that's revelant to the consrv.dll/sirefef issue, or another one altogether.

[akama1]

 File: C:\Windows\system32\consrv.dll  **INFECTED** Win32:Sirefef-HO [Rtk]
00:10:42.291    File: C:\Windows\system32\trzBE7E.tmp  **INFECTED** Win32:Sirefef-HO [Rtk]
00:11:16.114    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-FQ [Drp]
00:11:18.397    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-HO [Rtk]
these for sure are definitely infections... did you remove them? if removal fails boot to safe mode and do another scan

[akama1]

ok by the seeing of the aswMBR and mbam logs i think its best u scan with dr web cure it in SAFE MODE

http://www.freedrweb.com/cureit/?lng=en - dr web cure it

i hope i dont get warned for the 5th time on giving malware removal guides 

[Left123]

ok by the seeing of the aswMBR and mbam logs i think its best u scan with dr web cure it in SAFE MODE

http://www.freedrweb.com/cureit/?lng=en - dr web cure it

i hope i dont get warned for the 5th time on giving malware removal guides 

If you continue,you sure will.

[akama1]

yes sir! i'll stop here 

[Pondus]

yes sir! i'll stop here 

I think we have a new com155 here   



@Mikhail
wait for Essexboy or any of the other trained malware removers advice before you do anything   

[Mikhail]

yes sir! i'll stop here 

Haha, well, thanks for the help you gave anyway.

[akama1]

yes sir! i'll stop here 

Haha, well, thanks for the help you gave anyway.

yeah sure no prob  btw who is com115? O.o

[Left123]

Stop being a spammer,for heaven's sake.You really want us to report you?Last warning from me.Don't post again here.

[jeffce]

Hi,

Sorry for your delay...

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

[color="#FF0000"]IMPORTANT[/color] - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you. 

• Please post the C:\ComboFix.txt for further review.

[Mikhail]

It's cool - timezones and all that. Here's the log from combofix.

[jeffce]

Hi,

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

Code: [Select]

ClearJavaCache::

File::
c:\windows\system32\trzBE7E.tmp
c:\windows\system32\dds_trash_log.cmd
C:\Windows\SysNative\bcoreusb.dll

Folder::
c:\windows\1C4551A64743409391E41477CD655043.TMP

Netsvc::
infrastructure

Driver::
infrastructure

RegLock::
[HKEY_USERS\S-1-5-21-516045585-2200605829-1669517708-500\Software\Microsoft\Internet Explorer\User Preferences]


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

[Mikhail]

Alright. I did as you said. Here's the log that it presented.

Edit - Its approx 2 hours since I ran Combofix, and in that time Avast hasn't had to block any attacks. I think It may have fixed the issue, but I'm not sure.