Avast WEBforum
Other => Viruses and worms => Topic started by: shrawan32 on July 17, 2011, 08:32:38 AM
-
I am using the Avast free version and it detects malware as "c:\windows\system32\consrv.dll".
Is it safe to remove consrv.dll, since it is in the Windows folder? Please reply soon.
-
Can you post a screenshot for us, to get an idea of what the problem is?
-
I am using the Avast free version and it detects malware as "c:\windows\system32\consrv.dll".
Is it safe to remove consrv.dll, since it is in the Windows folder? Please reply soon.
http://www.virustotal.com/file-scan/report.html?id=5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f-1310865513
http://threatpost.com/en_us/blogs/zeroaccess-rootkit-latest-line-x64-malware-appear-052411
http://www.securelist.com/en/blog/493/MAX_sets_its_sights_on_x64_platforms
-
My problem is that a threat has been detected and the infected file is "consrv.dll" in "c:\windows\system32\" and also "c:\windows\system64\"; both have severity High and status
"Threat: Win32:Malware-gen". I tried to repair it with Avast but it did not get repaired and throws an error. Then I moved it to Avast's chest; after that, Windows is not booting and it prompts to run Startup Repair, but it can't repair it, and finally there was no way for me to restore Windows. I am using Windows 7 Ultimate 64-bit.
-
Hi shrawan32,
This could be part of the so-called "ZeroAccess" 64-bit rootkit dropper. You could have been infected because your Adobe or Java software is not fully updated; check with secunia.com/vulnerability_scanning/online/
To get the malware cleaned, I have asked essexboy to come and have a look here,
polonus
-
Looks like it may be a reincarnation of max++; haven't seen that in a while.
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire (http://www.mediafire.com/) and post the sharing link.
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
- Under the Custom Scan box paste this in
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
-
From the VT scan posted by Dim@rik, click "show all":
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Windows Server DLL
original name: consrv.dll
internal name: consrv
file version.: 5.2.3790.3959
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Looks legit??? ..... or is the info fake?
test the file(s) at www.virustotal.com
-
I don't have a copy on my system.
verified.....: Unsigned. Not like MS for a 64-bit system.
file version.: 5.2.3790.3959. XP?
-
Hi Pondus,
Not if I and essexboy consider this to be excluded first:
http://www.dataprotectioncenter.com/antivirus/kaspersky/max-sets-its-sights-on-x64-platforms/
and
http://threatpost.com/en_us/blogs/zeroaccess-rootkit-latest-line-x64-malware-appear-052411
There this DLL is the body of the dropper. It could also be part of the Google-redirect misery, as the victim experiences reboot problems; as an unknown (unsigned DLL) process in Task Manager it can easily be adopted to perform as part of malware, so consrv.dll may appear to be a normal process, but it is not.
Do you think this is an FP? I certainly would not: http://www.virustotal.com/file-scan/report.html?id=5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f-1310865513
polonus
-
More info here http://www.securelist.com/en/blog/493/MAX_sets_its_sights_on_x64_platforms
Take note: The body of the dropper is placed in the system32 folder under the name consrv.dll.
Edit: Pol, did we post the same? 8)
-
No, Left123,
No, but you gave the same link as Dim@rik. But the info all touches the same dropper. Let's wait for essexboy to perform his cleansing routines on this new max++ malcreation,
polonus
-
I don't have a copy on my system.
verified.....: Unsigned. Not like MS for a 64-bit system.
file version.: 5.2.3790.3959. XP?
I also do not have a sample... I'm also searching the internet; I found a note about this DLL, and it was necessary to test it on VT.
-
@Essexboy, I found a sample (max++); want to have a look? If so, tell me.
-
@Essexboy, I found a sample (max++); want to have a look? If so, tell me.
Do you have a VT scan of it?
-
@Essexboy, I found a sample (max++); want to have a look? If so, tell me.
Do you have a VT scan of it?
Give me a second
VT > http://www.virustotal.com/file-scan/report.html?id=d22425d964751152471cca7e8166cc9e03c1a4a2e8846f18b665bb3d350873db-1309397475
-
Hi Left123,
Can you upload the file to Anubis and give me the Anubis report link,
pol
-
Hi Left123,
Can you upload the file to Anubis and give me the Anubis report link,
pol
Here you go Damian ;D
http://anubis.iseclab.org/?action=result&task_id=1d153fa30403842b4a5e79e2817b20f3f&format=html
-
Hi Left123,
From the info on the mutexes mentioned there, this is "Windows Lifespoof" malware, a backdoor agent. It comes with characteristics that are "exploit kit" related, and is redirecting to a malware site reporting infection status.
Furthermore AcGenral.DLL is found in there, report states that 9ad1_appcompat.txt Object is locked.
The malware will silently install on the victim's comp and attempts to replace a randomly selected system driver, thereby avoiding certain specific drivers,
polonus
-
Hi Left123,
From the info on the mutexes mentioned there, this is "Windows Lifespoof" malware, a backdoor agent. It comes with characteristics that are "exploit kit" related, and is redirecting to a malware site reporting infection status.
Furthermore AcGenral.DLL is found in there, report states that 9ad1_appcompat.txt Object is locked.
The malware will silently install on the victim's comp and attempts to replace a randomly selected system driver, thereby avoiding certain specific drivers,
polonus
It drops MAX++,doesn't it?
-
Hi Left123,
Well, sure, it reads in the Anubis report: "2. Max++ down.exe",
and it also contains this attack code: "system32\drwtsn32 -p 1576 -e 124 -g",
so Fake AV...
pol
-
Looks like an old version
-
Hi essexboy,
We did not like to spoil the fun for ye, did we? ;D
Left123 found it. So then does it have any resemblance with a more recent variant?
pol
-
Max++ is a "rare" kind of infection, which makes it hard to find samples.
-
@essexboy: I have uploaded the OTS result log at http://www.mediafire.com/?6v64tinp3f2ra5l. Take a look and get back to me soon.
-
Well, essexboy will still be at work; it's 14:40 in the UK, so it will be a few hours before he is back home and on the forums. So bumping the topic won't change that.
-
Attached I give an image of the alert I get from the Malware Script Detector extension I installed in the Google Chrome browser. When I enter this particular query, see the attached GIF image, I am alerted to malware attack code...
polonus
-
It is not showing at all in the log, but there are none of the classic max++ signs either, which is good.
So let's use a deeper searching tool.
Download ComboFix from one of these locations:
Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-
I tried ComboFix, but it automatically deleted that consrv.dll and rebooted the OS. Afterwards, the startup error occurred, similar to what I said earlier in the post when I tried with Avast. Eventually there was no way to restore, since Startup Repair also failed... I attached below the result log of ComboFix.
-
I found the following method of fixing the consrv problem:
http://www.bleepingcomputer.com/forums/topic400730.html/page__st__15__p__2271737#entry2271737
It is required to restore the original winsrv: occurrence in place of the malicious consrv: one.
-
Found a brand new sample(winrar archive),contains:
A decrypted bin
2 Drivers
The dropper
2 .dat files
Dropper> http://anubis.iseclab.org/?action=result&task_id=19f31026086ee2fe499dc12254f693871&format=html
Driver no 1 > http://anubis.iseclab.org/?action=result&task_id=10673535ddc76b904c51339b6f820e626&format=html
Driver no 2 > http://anubis.iseclab.org/?action=result&task_id=16c75f59ab9a993f459d0032ce42c8a74&format=html
-
Hi folks,
Let us first give some details on the first Anubis report, that Left123 provided for us.
This is what I got on that, please correct or comment.
The analysis of the first Anubis report.
There is a known weakness in ntdll.dll, which later was patched with Q815021_WXP_SP2_x86_NLD.exe as far back as 2003.
Malware creates a copy of the file %System%\ADVAPI32.DLL later to modify and remove the legit ADVAPI32.DLL section object.
Extensive description found here: http://www.f-secure.com/v-descs/backdoor_w32_tdss.shtml
But this is for the complete malware, so what we discuss here is just the Backdoor.Win32.ZAccess (Sig-Id:61936921) part of the malware.
A bug in ATI Multimedia center is being used, as we read about e.g. "msacm.iac2", good for a generic find of this Subtype-N/A type of malware.
Device Control Communication - KsecDD = the security device server, it lives in c:\winnt\system32\drivers
About Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
Dialog does not display the specific version of comctl32.dll, it causes Windows Explorer to crash repeatedly,
and is making an access violation when closing tabs,
the Common-Controls etc. is also found with Virtumonde and other fraudLoad trojan malware,
DRMClien.DLL is being used in malware for effective camouflage, it is used for managing content,
programmed to appear as a legit file as it may infect computers via dubious file-sharing tools.
msvfw32.dll could also appear to be a camouflage file.
tapi32.dll files may end up becoming corrupted as malware runs amok on your comp.
WMASF.DLL is part of Windows Media Files and is also being used in attack code.
A patched WS2_32.dll as part of Windows Sockets is no fun issue: webpage loading slows down and many redirects are found,
Non-system processes like msdmo.dll originate from malware you installed on your system, leads to errors that can be harmful.
urlmon.dll can get corrupted from this malware.
rtutils.dll is a camouflage file.
wmidx.dll in malware is also used to pose as a legit file.
wmvcore.dll is an application that does NOT appear to be a security risk, is the Windows Media Playback/Authoring Dll,
polonus
-
As pondus requested:
http://www.virustotal.com/file-scan/report.html?id=5d1b9a07c21fc00cb9f4d88fefe1c258c08196fd0f1bc7eae943acd790b92987-1311089386
http://www.virustotal.com/file-scan/report.html?id=486969453280d4a9540de9a0a0c7c0474646fed5bac271cca308d06bf13c8429-1311088867
http://www.virustotal.com/file-scan/report.html?id=1f02744074c0f315519abe9ea727ec98f8201bfd697b1b68254999b8046aaf20-1311089402
http://www.virustotal.com/file-scan/report.html?id=2ec172f8ef9b6d4d719071c7b14bb81e1caf47926a7e6c7bdc6f2d26d7ee539f-1311089413
-
Let us first give some details on the first Anubis report, that Left123 provided for us.
This is what I got on that, please correct or comment.
The analysis of the first Anubis report.
...
I'm sorry, but this report says nothing about consrv.dll, which is really the important thing for the topic starter. So probably this report deals with some different kind of max++ malware. So what is the reason for discussing this matter in this topic? I think it is worth starting a new one and leaving this for discussing the concrete consrv.dll variant.
-
Hi Pondus,
For the last VT result Left123 gave, this corresponds with these:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~ZAccess-F/detailed-analysis.aspx
and also this scan has that MD5 hash: http://file.virscan.org/report/2118da91d8f2b6414da618cd1de3645c.html
pol
P.S. Essexboy is right we should get out of his cleansing thread and take this discussion elsewhere....
-
Concur, the OP will get lost amongst all this; could you break it off please, guys?
shrawan32
Download AVPTool from Here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to your desktop
Run the programme you have just downloaded to your desktop (it will be randomly named).
First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront-1.jpg)
Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop
Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the "last report saved" folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
(http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg)
-
Hi essexboy,
I will stay out of this thread now and hope the others do likewise,
polonus
-
:)
-
Guys, I am exhausted... I have reinstalled my OS at last. But still, if you find the concrete fix for that problem, do remind me by post... Thanks to all for your attention... :)
-
Guys, I am exhausted... I have reinstalled my OS at last. But still, if you find the concrete fix for that problem, do remind me by post... Thanks to all for your attention... :)
Here it is
http://forum.avast.com/index.php?topic=81720.msg668450#msg668450
The consrv: prefix in the registry key value should be substituted with the original winsrv: one.
-
Yep the AVP tool is quite good for the cleanup as the analysis report enables me to catch the weird ones
-
Just in case anybody is reading this like I was: please avoid the ComboFix method of fixing this Google redirect. I ran ComboFix; it deleted consrv.dll and \windows\system64\ and now I have lost the following services:
Base Filtering Engine (BFE)
IP Helper
Security Center
Windows Defender
Windows Firewall
Also having next to no luck in getting them back. Tried all the usual stuff. Stopping/starting services (command line too), but you can't stop or start something that does not exist in Services. Guess the old PC could use a fresh install :)
EDIT
Forgot i still had the file, so threw it up for anybody that cared.
http://anubis.iseclab.org/?action=result&task_id=1e512a0e6c08f7c846dc91ccfabb4986a&call=first (http://anubis.iseclab.org/?action=result&task_id=1e512a0e6c08f7c846dc91ccfabb4986a&call=first)
-
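As an added example for this thread (not code from any post above, nor from Avast, OTS, ComboFix or AVPTool), here is the registry check and repair that the posts above describe ("restore the original winsrv: occurrence in place of consrv:"), together with a check for the service keys reported missing in the previous post, in PowerShell. Assumptions not taken from the thread: Windows 7 x64; the value csrss.exe reads at boot is HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows, where the clean entry is "ServerDll=winsrv:ConServerDllInitialization,2" and the hijacked one is "ServerDll=consrv:ConServerDllInitialization,2"; and the service names BFE, iphlpsvc, wscsvc, WinDefend and MpsSvc for the display names listed above.

```powershell
<#
  Added example for this thread, not code from any post, tool or vendor named in it.
  Triage and repair of the ZeroAccess / Max++ x64 "consrv.dll" hijack discussed above.
  Assumptions (not from the thread): Windows 7 x64, elevated PowerShell, and the
  registry layout described in the comments below. Nothing is changed without -Repair.
#>
param(
    # Control set to inspect. Point it at a hive loaded with "reg load"
    # (e.g. HKLM:\Offline\ControlSet001) to repair a machine that no longer boots.
    [string]$ControlSet = 'HKLM:\SYSTEM\CurrentControlSet',
    # Windows directory that belongs to that hive.
    [string]$WinDir = $env:SystemRoot,
    [switch]$Repair
)

$subsysKey   = Join-Path $ControlSet 'Control\Session Manager\SubSystems'
$servicesKey = Join-Path $ControlSet 'services'

# 1. csrss.exe loads its server DLLs from the REG_EXPAND_SZ value "Windows" here.
#    Clean (assumed):    ServerDll=winsrv:ConServerDllInitialization,2
#    Hijacked (assumed): ServerDll=consrv:ConServerDllInitialization,2
#    Read it raw (no %SystemRoot% expansion) so a rewrite stores it unchanged.
$key = Get-Item -Path $subsysKey
$windowsValue = $key.GetValue('Windows', $null,
    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
Write-Host "SubSystems\Windows:`n  $windowsValue"
$hijacked = $windowsValue -match 'ServerDll=consrv:'

# 2. File artefacts reported in this thread: consrv.dll in System32 and a "system64" dir.
$dll     = Join-Path $WinDir 'System32\consrv.dll'
$fakeDir = Join-Path $WinDir 'system64'
foreach ($p in @($dll, $fakeDir)) {
    if (Test-Path $p) { Write-Warning "Present: $p" }
}
if (Test-Path $dll) {
    # Windows 7's own DLLs carry 6.1.* versions; a 5.2.3790.* version (Server 2003 build,
    # as in the sigcheck output quoted above) does not belong in a Windows 7 System32.
    $vi = (Get-Item $dll).VersionInfo
    Write-Host ("  consrv.dll FileVersion={0} OriginalFilename={1}" -f `
        $vi.FileVersion, $vi.OriginalFilename)
}

# 3. Services that went missing after the ComboFix run described in the thread
#    (assumed service names for the display names given there).
$expected = @{
    BFE       = 'Base Filtering Engine'
    iphlpsvc  = 'IP Helper'
    wscsvc    = 'Security Center'
    WinDefend = 'Windows Defender'
    MpsSvc    = 'Windows Firewall'
}
foreach ($name in $expected.Keys) {
    if (-not (Test-Path (Join-Path $servicesKey $name))) {
        Write-Warning ("Service key missing: {0} ({1})" -f $name, $expected[$name])
    }
}

# 4. Fix the registry first; only after that is consrv.dll safe to delete.
if (-not $hijacked) {
    Write-Host 'SubSystems\Windows does not reference consrv: - nothing to repair.'
} elseif (-not $Repair) {
    Write-Warning ('consrv: hijack found. Do NOT delete or quarantine consrv.dll yet: ' +
        'csrss.exe would fail to load its server DLL and Windows would not boot. ' +
        'Re-run with -Repair.')
} else {
    $fixed = $windowsValue -replace 'ServerDll=consrv:', 'ServerDll=winsrv:'
    Set-ItemProperty -Path $subsysKey -Name Windows -Value $fixed -Type ExpandString
    Write-Host 'Restored ServerDll=winsrv:. Reboot, then remove consrv.dll and system64.'
}
```

Run it read-only first; it only touches the registry with -Repair. For a machine that already fails to boot, do the repair offline: attach the disk to a clean Windows system (or use a recovery environment that has PowerShell), run `reg load HKLM\Offline D:\Windows\System32\config\SYSTEM`, read HKLM\Offline\Select\Current to find the active control set, then run the script with -ControlSet 'HKLM:\Offline\ControlSet001' -WinDir 'D:\Windows' -Repair, and `reg unload HKLM\Offline` afterwards. The order is the whole point: the value must point back at winsrv before the file goes, which is consistent with the boot failures reported above after Avast's chest and ComboFix removed consrv.dll while the registry still referenced it.
-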
Just in case anybody is reading this like I was: please avoid the ComboFix method of fixing this Google redirect. I ran ComboFix; it deleted consrv.dll and \windows\system64\ and now I have lost the following services:
Base Filtering Engine (BFE)
IP Helper
Security Center
Windows Defender
Windows Firewall
Also having next to no luck in getting them back. Tried all the usual stuff. Stopping/starting services (command line too), but you can't stop or start something that does not exist in Services. Guess the old PC could use a fresh install :)
Well, you are only supposed to run these tools under the supervision and instructions of a trained malware specialist like essexboy; some people like to play with fire and wonder why they get burned :o If you can wait a couple of hours, essexboy may be able to help you repair it when he comes on later.
-
Well, you are only supposed to run these tools under the supervision and instructions of a trained malware specialist like essexboy; some people like to play with fire and wonder why they get burned :o
+1
Also you did reply to a rather outdated topic. ;)
If you need help, please start a new thread.
-
I don't need help but thank you, didn't want somebody else making the same booboo I did. In response to being 'Burned' Isn't it the burning that makes us better users ? ;)
Ctrl + Alt + 1 and 10 minutes is all it took for a nice fresh install of Windows.
"Chance favors the prepared mind"
Have A Great Day All :)