Author Topic: Unable to find/remove dropper for consrv.dll


badpandabear

  • Guest
Unable to find/remove dropper for consrv.dll
« on: February 29, 2012, 01:38:49 PM »
Hi all, my system seems to be infected with a ZeroAccess variant which keeps dropping consrv.dll in \system32.

When I run ComboFix it removes it, but after a reboot I get a BSOD saying that the file consrv.dll is missing, so I fix the registry entry in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems so that it loads winsrv instead of consrv. My Windows does boot, but then the consrv.dll file gets dropped again and the registry is changed again...

I've attached the OTL logs and I'll be running ComboFix now to post that log.

Thanks to anyone who's willing to assist me...
« Last Edit: February 29, 2012, 02:46:19 PM by badpandabear »
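The persistence described in the post above (csrss.exe loading consrv.dll in place of winsrv because the SubSystems "Windows" value was edited) can be checked from a script. The following is an added example written for this thread; it is not code from the thread or from OTL/ComboFix. The two registry value strings are constructed samples, and the allow-list of legitimate server DLLs (basesrv, winsrv, sxssrv) is an assumption for Windows Vista/7 and should be adjusted for other versions. It only reads the live key on Windows and never writes to the registry.

```python
"""
Detect a hijacked CSRSS ServerDll entry in the SubSystems registry value.

Added example for this thread (not code from the thread, OTL or ComboFix).
The ZeroAccess variant described above makes csrss.exe load consrv.dll by
editing the "Windows" value under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, replacing
the legitimate winsrv ServerDll entry. Sample strings below are constructed;
the allow-list of legitimate server DLLs is an assumption for Windows Vista/7.
"""
import os
import re

SUBSYSTEMS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"

# Legitimate CSRSS server DLLs on Windows Vista/7 (assumption; adjust per version).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Each entry has the form ServerDll=<dll>[:<entrypoint>],<index>
_SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)")


def parse_server_dlls(value):
    """Return [(dll, entrypoint_or_None, index)] parsed from a SubSystems 'Windows' string."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in _SERVERDLL_RE.finditer(value)]


def suspicious_server_dlls(value):
    """Return ServerDll names not in the known-good set (case-insensitive), e.g. ['consrv']."""
    return [dll for dll, _, _ in parse_server_dlls(value) if dll.lower() not in KNOWN_SERVER_DLLS]


def repaired_value(value):
    """Point the console-server entry back at winsrv (the manual fix from the thread).
    Pure string operation: nothing is written to the registry."""
    return re.sub(r"ServerDll=[^:,\s]+:ConServerDllInitialization,",
                  "ServerDll=winsrv:ConServerDllInitialization,", value)


def read_live_value():
    """On Windows, read the real 'Windows' value; elsewhere return None (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
        return value


def dropped_file_present(system_root=None):
    """Check for the dropped consrv.dll in System32; there is no legitimate file of that name."""
    system_root = system_root or os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.exists(os.path.join(system_root, "System32", "consrv.dll"))


# Constructed samples: a clean Windows 7 value, and the same value with the
# console-server entry redirected to consrv, as described in the thread.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=sxssrv,4 ServerDll=winsrv:ConServerDllInitialization,2 "
    "ProfileControl=Off MaxRequestThreads=16"
)
INFECTED_VALUE = CLEAN_VALUE.replace("winsrv:ConServerDllInitialization",
                                     "consrv:ConServerDllInitialization")

if __name__ == "__main__":
    for name, val in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE)):
        print(name, "->", suspicious_server_dlls(val) or "no unexpected ServerDll")
    live = read_live_value()
    if live is not None:
        print("live:", suspicious_server_dlls(live) or "no unexpected ServerDll",
              "| consrv.dll present:", dropped_file_present())
```

Run it on the infected machine and it reports `consrv` as the unexpected ServerDll and whether the dropped file is present; the string returned by `repaired_value` is what the post's manual registry fix restores, but as the OP found, restoring it without removing the dropper only lasts until the next reboot.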

badpandabear

  • Guest
Re: Unable to find/remove dropper for consrv.dll
« Reply #1 on: February 29, 2012, 01:54:02 PM »
And here is the ComboFix log...

badpandabear

  • Guest
Re: Unable to find/remove dropper for consrv.dll
« Reply #2 on: February 29, 2012, 03:35:04 PM »
I just noticed essexboy's post about additional/custom options I should have added to the OTL scan.

I did that and uploaded a new log for it.

(This is after a reboot, and you'll notice consrv.dll is dropped again in the folder...)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
Re: Unable to find/remove dropper for consrv.dll
« Reply #3 on: February 29, 2012, 08:34:34 PM »
OK, let's get at it.

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
File::
C:\Windows\SysNative\anio.dll

Folder::
C:\ProgramData\~McyWfkJP4BjPDF
C:\ProgramData\~McyWfkJP4BjPDFr
C:\ProgramData\McyWfkJP4BjPDF
C:\Users\Silvia\AppData\Local\kh3qs48dih40153ek5o00e1f314h7l353470i8u4m5rfk
C:\ProgramData\kh3qs48dih40153ek5o00e1f314h7l353470i8u4m5rfk

NetSvc::
tosrfsnd

Driver::
tosrfsnd
Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

badpandabear

  • Guest
Re: Unable to find/remove dropper for consrv.dll
« Reply #4 on: March 01, 2012, 09:15:47 AM »
OK, the log after running it with CFScript:

badpandabear

  • Guest
Re: Unable to find/remove dropper for consrv.dll
« Reply #5 on: March 01, 2012, 10:42:56 AM »
OK, I scanned the PC some more with MBAM, SUPERAntiSpyware, TDSSKiller, ... and it appears to be clean now. I rebooted the PC several times and consrv.dll didn't come back.

So you helped me a lot, thank you kindly, sir....

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
Re: Unable to find/remove dropper for consrv.dll
« Reply #6 on: March 01, 2012, 08:50:20 PM »
Could you now do a fresh run with an OTL quick scan, please, to check for lurkers?