Consrv.dll Removal Help

[happyrawr]

I ran Combofix, but still no log. I checked my C drive and there's still the "32788R22FWJFW" file/folder thing, so I tried deleting it and then re-running Combofix, which created a new one.

There's no apparent changes with my computer's ability since running Combofix if that information helps.

[essexboy]

On completion of this run could you run a boot scan with Avast please

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  SRV:64bit: - [2009/07/13 18:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\HWSCtrl.dll -- (tdrpman)
  O1 - Hosts: 149.5.18.172 www.google-analytics.com.
  O1 - Hosts: 149.5.18.172 ad-emea.doubleclick.net.
  O1 - Hosts: 149.5.18.172 www.statcounter.com.
  O1 - Hosts: 108.163.215.51 www.google-analytics.com.
  O1 - Hosts: 108.163.215.51 ad-emea.doubleclick.net.
  O1 - Hosts: 108.163.215.51 www.statcounter.com.
  NetSvcs:64bit: tdrpman - C:\Windows\SysNative\HWSCtrl.dll (Iomega)
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[happyrawr]

The same thing as before, OTL won't run:

"Cannot create file C:\windows\System32\drivers\etc\Host."

I didn't do the boot scan since I'm not sure if I'm supposed to now.

Edit: After having turned off my computer and using it later, I got a black screen (ie, Explorer wouldn't start), though I was still able to use it via Task Manager. After running in safe mode and then normally, it seems to be fine with that issue. Just for informational purposes.

[essexboy]

OK fun and games time again
 
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
 
Plug the flashdrive into the infected PC.
 
Enter System Recovery Options.
 
To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select English as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
  
• Select English as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[/list]

• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type [color="#FF0000"]e[/color]:\frst64)  and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
  
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[happyrawr]

What exactly will that do?

[true indian]

What exactly will that do?

It will give a log that will give essexboy the picture of what is running and will make the cleanup task easier as when essex gives u a fix to run it via FRST the fix will be made outside windows....hence it will be wacking the malware wen it is inactive...

[happyrawr]

Alright, here's the log:

[essexboy]

As this is working before windows has loaded all services are inert

Download the attached fixlist.txt to the USB that has FRST on it

Go to system recovery options as before
Run FRST

Then press the Fix button
A fix log will be generated on the USB please post that

On completion return to normal windows and run Combofix
This should now produce a log

[happyrawr]

I'm assuming fixlist works automatically with the program, since I didn't do anything otherwise?

It ran fine, produced a log, Combofix ran fine, but still no log. However, there is a Combofix file on my C Drive, that acts just like the previous "log" I've been getting (sending me to My Computer). But also, the old 32788R22FWJFW thing has turned into a folder, with sub-folder EN-US, and inside that cmd.3Xe.mui, which is 128 kb.

Fixlog:

EDIT: After rebooting and using my computer some, things are looking a lot better! I am no longer getting redirected to abnow, my internet speed is back at full, and even Pidgin is working perfectly too!

However, I still do not have access to Windows Firewall and Defender.

[essexboy]

OK lets use another farbar tool to check out the firewall and defender - clever fellow is this one  I love his tools

Once I have the log from this I will probably need to run OTL and look for specific files/registry entries.  As this programme will just tell me what is wrong

run farbar service scanner



Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

[happyrawr]

Successful:

[essexboy]

Farbar Service Scanner Version: 01-03-2012


Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll".


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

MpsSvc Service
bfe Service

OK these two are the problem

From my site download the zip file with your name
https://skydrive.live.com/?cid=32D8666F4048075B&id=32D8666F4048075B%21117
Extract the three reg files to the desktop
Right click each file and select merge
Reboot the computer

Retry firewall and Defender

[happyrawr]

Would you mind editing out my name please.

Edit: I merged all 3 files and Windows Defender appears to be working, but not Windows Firewall.

[essexboy]

I will delete the file once you have downloaded it - i.e. now 

Could you re-run Farbar please

Then run a fresh OTL log

[happyrawr]

I mean the log you posted.