Author Topic: Consrv.dll Picked up somewhere.  (Read 4737 times)


jacko!

  • Guest
Consrv.dll Picked up somewhere.
« on: February 29, 2012, 10:42:15 PM »
Greetings!

So today I noticed I kept getting redirected by abnow, probably even picked it up today. This prompted me to get some AVs going and lo and behold, there were viruses.
I managed to get rid of the abnow redirect thing, but now I'm still stuck with ze consrv.dll which refuses to leave, regardless of reboots. I've googled around and tried different stuff but nothing so far has really worked.
So far the culprits seem to be:

HEUR:Backdoor.Win64.Generic
HEUR:Backdoor.Win32.Generic
Trojan-Downloader.JS.Expack.es
Trojan.Win.32.Chifrax.a
Trojan.Script.Iframer

Reg:
Quote from: Jacko!
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16


MBAM logs show nothing.

Attachments are OTL and MBR logs.

Using Windows 7 64, and Kaspersky Trial (as well as a bunch of other stand alone programs).

Thanks in advance /Jacko


« Last Edit: March 04, 2012, 09:53:19 AM by jacko! »
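As an added example (not from the thread or any of its participants): a small Python check for the csrss.exe SubSystems value quoted in the post above. It parses the ServerDll entries, flags any module outside the set the clean value shows (basesrv, winsrv, sxssrv) or a duplicated index, and confirms the console server is still provided by winsrv. The clean value is copied from the post; the tampered variant is constructed for the demonstration and is an assumption about how a hijacked value would look.

```python
import re

# Server DLLs csrss.exe loads on a clean Windows 7 system, taken from the
# "Windows" SubSystems value quoted in the first post.
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Token shape: ServerDll=<module>[:<init routine>],<index>
SERVERDLL_RE = re.compile(r"^ServerDll=([^:,]+)(?::([^,]+))?,(\d+)$")


def parse_server_dlls(value: str) -> list[tuple[str, str, int]]:
    """Return (module, init_routine, index) per ServerDll token; init is optional."""
    entries = []
    for token in value.split():
        m = SERVERDLL_RE.match(token)
        if m:
            entries.append((m.group(1).lower(), m.group(2) or "", int(m.group(3))))
    return entries


def check_subsystems_value(value: str) -> list[str]:
    """Return findings for the value; an empty list means it looks clean."""
    findings: list[str] = []
    seen: dict[int, str] = {}
    entries = parse_server_dlls(value)
    for module, _init, index in entries:
        if module not in KNOWN_SERVER_DLLS:
            findings.append(f"unexpected server DLL '{module}' at index {index}")
        if index in seen:
            findings.append(f"index {index} used by both '{seen[index]}' and '{module}'")
        seen[index] = module
    # On Windows 7 the console server lives in winsrv; anything else is suspect.
    if not any(m == "winsrv" and i == "ConServerDllInitialization" for m, i, _ in entries):
        findings.append("ConServerDllInitialization is not provided by winsrv")
    return findings


# Clean value, copied from the registry line quoted in the first post.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    r"ProfileControl=Off MaxRequestThreads=16"
)

# Constructed for this example (not from the thread): the console server entry
# redirected to a consrv module, which is the case the check should flag.
TAMPERED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2")
```

On a live machine the value to feed in is the "Windows" entry under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.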

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Consrv.dll Picked up somewhere.
« Reply #1 on: March 01, 2012, 12:06:37 AM »
Hi jacko!, welcome to the forum.

To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
  • Do not attach any logs/reports, etc.. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, Please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.
Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Right click on ComboFix.exe, click Run as Administrator & follow the prompts.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

jacko!

  • Guest
Re: Consrv.dll Picked up somewhere.
« Reply #2 on: March 01, 2012, 12:32:16 AM »
There we go, didn't see anything real strange in there myself.
« Last Edit: March 04, 2012, 09:53:29 AM by jacko! »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Consrv.dll Picked up somewhere.
« Reply #3 on: March 01, 2012, 01:03:24 AM »
Hi jacko! ,

Did a bit more than you may think. Let's see if it's all gone.

Please rerun Combofix the way you did last time.

Next

Rerun aswMBR as you did before.

Please post back with
  • Combofix log
  • aswMBR log
Thanks

jacko!

  • Guest
Re: Consrv.dll Picked up somewhere.
« Reply #4 on: March 01, 2012, 01:46:43 AM »
There we go, so far so good!

I have to say, I'm really impressed by the Avast tool. It seemed to have picked up the stuff that 'all the rest' missed.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Consrv.dll Picked up somewhere.
« Reply #5 on: March 01, 2012, 01:57:45 AM »
Hi jacko! ,

Looking good so far. Any problems?

  • Double click on OTL.exe  to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • unCheck the boxes beside LOP Check and Purity Check.
  • In the window under Custom Scans/Fixes copy and paste the following
Code: [Select]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc /s
/md5start
consrv.dll
/md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
There will only be an OTL.txt this time.

jacko!

  • Guest
Re: Consrv.dll Picked up somewhere.
« Reply #6 on: March 01, 2012, 10:18:15 AM »
Computer seems to be working fine, too much crap on C:, but that's down to bad cleaning I'd say. Sorry for the long wait, sleep got in the way.
« Last Edit: March 04, 2012, 09:53:36 AM by jacko! »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Consrv.dll Picked up somewhere.
« Reply #7 on: March 01, 2012, 05:32:36 PM »
Hi jacko,

No problem. You had me going there for a bit. You posted an old OTS log which shows your computer is infected. Couldn't figure out why it "came back" until I checked the date.

Quote
OTS logfile created on: 2012-02-29
That log was made before we ran combofix. I asked for an OTL log with the custom scan. Please run OTL with the custom scan I asked for in my last post.

Thanks

jacko!

  • Guest
Re: Consrv.dll Picked up somewhere.
« Reply #8 on: March 02, 2012, 10:51:12 AM »
*facepalm*

Yes indeed I did, sorry about that, here's the proper one.
« Last Edit: March 04, 2012, 09:53:51 AM by jacko! »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Consrv.dll Picked up somewhere.
« Reply #9 on: March 02, 2012, 06:31:36 PM »
Hi jacko!,

Next, create this batch file.

Open a new Notepad session
  • Click Start
  • in the search box type notepad
  • click notepad when it appears at the top
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad.
Do Not copy the word CODE

Code: [Select]
reg query HKLM\system\currentcontrolset\services\MpsSvc /s > log.txt
start log.txt

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "log.bat"
  • Click save
You will have a new file on your desktop called log.bat with an icon that has a couple of gears on it.

Double click log.bat to run it.

A notepad named log.txt will open. It will also be on your desktop, please post its contents.



Your java is out of date. Click your start button > Control Panel
  • Use the drop down menu beside view by and change it to small icons
  • locate java in the list and click on it
  • when the java console opens click the update tab
  • Click update now
Next

Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code: [Select]
:Services

:OTL
O4 - Startup: C:\Users\Jacko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_28626557.lnk =  File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

:Reg

:Files
C:\Users\Jacko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_28626557.lnk
dir C:\Users\Jacko\AppData\Local\0764d10b\*.*  /s /c

:Commands
[purity]
[emptytemp]
[createrestorepoint]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
  • Reboot your computer
Please post the  OTL fix log.

Please post back with
  • log.txt
  • OTL fix log

jacko!

  • Guest
Re: Consrv.dll Picked up somewhere.
« Reply #10 on: March 03, 2012, 12:19:50 AM »
That was a lot of wasted space on C:. Logs in attachment.
« Last Edit: March 04, 2012, 09:54:03 AM by jacko! »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Consrv.dll Picked up somewhere.
« Reply #11 on: March 03, 2012, 03:49:38 PM »
Hi

re: C:\Users\Jacko\AppData\Local\0764d10b

The folder we looked at is empty so you can delete it if you want.

Quote
AV: Kaspersky Internet Security *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
You have 2 antivirus programs installed. They may conflict causing slowdowns, lockups, etc even if one is disabled. I suggest you uninstall Lavasoft Ad-Watch Live! Anti-Virus, Kaspersky is already doing the job for you in both antivirus and antispyware protection plus the firewall.

Quote
Drive C: | 111,69 Gb Total Space | 8,24 Gb Free Space | 7,38% Space Free | Partition Type: NTFS
Your C:\ is getting a bit full.

uTorrent
You have uTorrent, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. It's not the program itself but what can be downloaded with it usually from an unknown source.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx

http://www.internetworldstats.com/articles/art053.htm

http://www.techweb.com/wire/1605005...

I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.


Everything looks good so we'll remove the tools and send you on your way.

From your desktop, please delete, if present
  • any notepads/logs that we created
  • log.txt
  • log.bat
  • aswMBR

Next

Click the Start button, in the search box type Run. At the top click run

 Copy and paste the following line into the run box and click OK

Combofix /uninstall

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.



Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have those.

You should also use Spyware Blaster to help immunize your computer.

 - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



- Make sure you have reset Automatic Updates to your chosen option. Click your start button > Control Panel > System and Security > change settings

- Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

Please post back if you have any problems.

Take care