Stone Emissary
doublehappy2012
Posts: 12
Registered: ‎12-12-2011

TROJ_SIREFEF.BX and HouseCall

I downloaded HouseCall, ran a scan and found one threat, TROJ_SIREFEF.BX; the path is C:\Windows\System32\consrv.dll. This was not found in the Trend Micro threat detail report. I let HouseCall "Fix" it and it was "successfully removed". After that, I could not start my computer (Windows 7 64-bit). It said something like a Windows file has been changed due to a recent hardware or software change (I didn't make any hardware change). I had to restore Windows 7 in order to start it. I repeated the above and the same thing occurred.

My question is whether this threat is serious (it was not picked up by Trend Micro) and how I can get rid of it if HouseCall can't seem to remove it without causing problems.

 

Thank you for your help in advance.

Champion Noble
malwarekiller
Posts: 3,557
Registered: ‎08-08-2011

Re: TROJ_SIREFEF.BX and HouseCall

Welcome aboard!

consrv.dll is Win32:DNSChanger-VJ. This is the best way to remove Mr. consrv...

Download ComboFix from any of the locations given on this website:

    • IMPORTANT !!! You need to save ComboFix.exe to your Desktop.
    • Disable your antivirus and antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure how to do this, see here.
    • Double click on ComboFix.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • If you already have the Recovery Console preinstalled, it will not ask for the following. If it does prompt, allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click Yes to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

    When finished, it shall produce a log for you. Please copy and paste the contents of this log (also found at C:\ComboFix.txt) in your next reply at your topic.
Stone Emissary
doublehappy2012
Posts: 12
Registered: ‎12-12-2011

Re: TROJ_SIREFEF.BX and HouseCall

Thank you for your reply. I ran ComboFix. Hopefully it's fixed. Here's the log file.

It may sound silly, but how do I know it's been removed?

Thank you very much.

Stone Emissary
doublehappy2012
Posts: 12
Registered: ‎12-12-2011

Re: TROJ_SIREFEF.BX and HouseCall

I wanted to share that after ComboFix, I reran HouseCall and it appears the threat is gone (no threat found). I hope it's gone for good. Thank you ComboFix!

Champion Noble
malwarekiller
Posts: 3,557
Registered: ‎08-08-2011

Re: TROJ_SIREFEF.BX and HouseCall

Let's get rid of some leftovers...

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the code box below into it:

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript.txt onto ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
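The original poster asked how to tell whether the infection is actually gone. The script below is an added example, not part of this thread and not a ComboFix or Trend Micro tool: it checks the two kinds of artifact the thread names, the file C:\Windows\System32\consrv.dll from the HouseCall detection and the five registry keys from the CFScript above (ComboFix marked them "@Denied ... (Everyone)", meaning access to them was locked). The key paths are the CFScript paths rewritten in PowerShell HKLM: drive form, the function names are mine, and it assumes PowerShell 4 or later (for Get-FileHash) run from an elevated 64-bit prompt; from a 32-bit prompt, System32 and the Wow6432Node keys would be redirected and the check would look at the wrong places. It reports only and changes nothing.

```powershell
# Added example (not from the thread): report whether the artifacts named in the
# thread are still present after cleanup. Run in an elevated 64-bit PowerShell,
# version 4 or later. Nothing here deletes or modifies anything.

$SuspectFile = 'C:\Windows\System32\consrv.dll'   # path from the HouseCall detection

# The five keys from the CFScript, in PowerShell registry-drive form.
$LockedKeys = @(
    'HKLM:\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3',
    'HKLM:\SYSTEM\ControlSet001\Control\PCW\Security',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation'
)

# Is the detected DLL still on disk? If so, record its hash and Authenticode
# status so the result can be compared with the vendor write-up or a later scan.
function Test-SuspectFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Signature = $null; Signer = $null; SHA256 = $null }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        Signature = $sig.Status      # 'Valid' only for a trusted publisher signature
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash.Hash
    }
}

# Does the key still exist, and does its DACL still carry a Deny ACE for Everyone
# (the condition ComboFix reported as "@Denied")? A key whose ACL cannot even be
# read from an elevated prompt is treated as still locked.
function Test-LockedKey {
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Key = $KeyPath; Exists = $false; DenyEveryone = $false; Rights = '' }
    }
    try {
        $acl  = Get-Acl -LiteralPath $KeyPath
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
        }
        [pscustomobject]@{
            Key          = $KeyPath
            Exists       = $true
            DenyEveryone = [bool]$deny
            Rights       = (($deny | ForEach-Object { $_.RegistryRights }) -join ',')
        }
    } catch {
        [pscustomobject]@{ Key = $KeyPath; Exists = $true; DenyEveryone = $true; Rights = "unreadable: $($_.Exception.Message)" }
    }
}

Test-SuspectFile -Path $SuspectFile | Format-List
$LockedKeys | ForEach-Object { Test-LockedKey -KeyPath $_ } | Format-Table -AutoSize -Wrap
```

A clean result is Present = False for the file and DenyEveryone = False (or Exists = False) for every key. If the file is still there, the hash is what to hand to the forum or to a vendor rather than the file name alone; if a key is still unreadable, the RegLock step above has not taken effect yet. The check deliberately does not "fix" anything, because the thread shows what blindly deleting consrv.dll did to the original poster's boot.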