Author Topic: consrv.dll virus?  (Read 31910 times)

Offline shrawan32

consrv.dll virus?
« on: July 17, 2011, 06:32:38 AM »
I am using the Avast free version and it detects malware as "c:\windows\system32\consrv.dll".
Is it safe to remove consrv.dll since it is in the Windows folder? Please reply soon.

Offline com155

Re: consrv.dll virus?
« Reply #1 on: July 17, 2011, 06:49:04 AM »
Can you post a screenshot for us to get an idea of what the problem is?
Compaq prescario CQ41,Windows 7,SP1,Internet explorer 9,google chrome,IDT HD Audio,Avast! free antivirus 6.0.1203,comodo firewall with defence+.

Offline Dim@rik


Offline shrawan32

Re: consrv.dll virus?
« Reply #3 on: July 17, 2011, 02:04:51 PM »
My problem is that a threat has been detected and the infected file is "consrv.dll" in "c:\windows\system32\" and also "c:\windows\system64\"; both have severity as high and status as
"Threat: Win32:Malware-gen". I tried to repair it with Avast but it didn't get repaired and throws an error. Then I moved it to Avast's chest; after that Windows is not booting and it prompts to make a startup repair, but it can't repair it, and finally I have restored Windows by no way. I am using Windows 7 Ultimate 64-bit.
« Last Edit: July 17, 2011, 02:28:44 PM by shrawan32 »

Offline polonus

Re: consrv.dll virus?
« Reply #4 on: July 17, 2011, 02:19:37 PM »
Hi shrawan32,

This could be part of the so-called "ZeroAccess" 64-bit rootkit dropper. You could have been infected because your Adobe or Java software is not fully updated; check with secunia.com/vulnerability_scanning/online/

For the malware to be cleansed I asked essexboy to come and have a look here,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

Re: consrv.dll virus?
« Reply #5 on: July 17, 2011, 02:21:27 PM »
Looks like it may be a reincarnation of max++; haven't seen that in a while.

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

Offline Pondus

Re: consrv.dll virus?
« Reply #6 on: July 17, 2011, 02:23:59 PM »
from the VT scan posted by Dim@rik, click show all


sigcheck:
publisher....: Microsoft Corporation
copyright....: _ Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Server DLL
original name: consrv.dll
internal name: consrv
file version.: 5.2.3790.3959
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


looks legit   ??? ..... or is the info Fake


test the file(s) at www.virustotal.com



« Last Edit: July 17, 2011, 02:33:06 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline essexboy

Re: consrv.dll virus?
« Reply #7 on: July 17, 2011, 02:27:06 PM »
I don't have a copy on my system

verified.....: Unsigned Not like MS for 64bit system
file version.: 5.2.3790.3959 XP ?
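The two red flags essexboy names above (a file whose metadata claims Microsoft yet verifies as Unsigned, and a 5.2.3790 file version, the Server 2003 / XP x64 line, on a Windows 7 x64 host) written out as a small triage check. This is an added example, not code from the thread or from VirusTotal; it parses the sigcheck block quoted in Pondus's reply, retyped here as constructed input, and the OS version table is a labelled assumption of well-known major.minor values.

```python
# Added example: parse a VirusTotal "sigcheck" block and flag the inconsistencies
# discussed in the thread (Microsoft publisher string but no valid signature,
# and a file version from a different Windows line than the host).
import re

# Constructed input: the sigcheck block quoted in Pondus's post, retyped.
SIGCHECK_SAMPLE = """\
publisher....: Microsoft Corporation
copyright....: _ Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Server DLL
original name: consrv.dll
internal name: consrv
file version.: 5.2.3790.3959
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
"""

# Assumed (well-known) major.minor of each Windows line a genuine OS file should match.
OS_VERSIONS = {"xp": (5, 1), "server2003": (5, 2), "vista": (6, 0), "win7": (6, 1)}

# "label....: value" -> label without the dot padding, value after the colon
LINE_RE = re.compile(r"^([a-z ]+?)\.*: ?(.*)$")

def parse_sigcheck(text):
    """Turn sigcheck 'key....: value' lines into a dict keyed by the bare label."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def assess(fields, host_os="win7"):
    """Return the red flags for a DLL that claims to be a Microsoft OS file."""
    flags = []
    claims_ms = "microsoft" in fields.get("publisher", "").lower()
    verified = fields.get("verified", "?")
    if claims_ms and verified.lower() != "signed":
        flags.append("claims Microsoft publisher but verification is '%s'" % verified)
    if fields.get("signers", "-") == "-":
        flags.append("no signer listed")
    m = re.match(r"(\d+)\.(\d+)\.", fields.get("file version", ""))
    if not m:
        flags.append("no parseable file version")
    elif (int(m.group(1)), int(m.group(2))) != OS_VERSIONS[host_os]:
        flags.append("file version %s.%s does not match host line %d.%d"
                     % (m.group(1), m.group(2), *OS_VERSIONS[host_os]))
    return flags

if __name__ == "__main__":
    for flag in assess(parse_sigcheck(SIGCHECK_SAMPLE)):
        print("RED FLAG:", flag)
```

On a real host the same checks come from the file's Authenticode signature and version resource rather than the VirusTotal text, but the decision logic is identical.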

Offline polonus

Re: consrv.dll virus?
« Reply #8 on: July 17, 2011, 02:32:44 PM »
Hi Pondus,

Not if I and essexboy consider this to be excluded first:
http://www.dataprotectioncenter.com/antivirus/kaspersky/max-sets-its-sights-on-x64-platforms/
and
http://threatpost.com/en_us/blogs/zeroaccess-rootkit-latest-line-x64-malware-appear-052411
There this dll is the body of the dropper. Could also be part of the Google-redirect misery, as the victim experiences reboot problems; as an unknown (unsigned dll) process in Task Manager it can easily be adopted to perform as part of malware, then consrv.dll may appear to be a normal process, but it is not.
Do you think this is a FP? I would certainly not: http://www.virustotal.com/file-scan/report.html?id=5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f-1310865513

polonus
« Last Edit: July 17, 2011, 02:34:37 PM by polonus »

Offline Left123

Re: consrv.dll virus?
« Reply #9 on: July 17, 2011, 02:40:32 PM »
More info here http://www.securelist.com/en/blog/493/MAX_sets_its_sights_on_x64_platforms

Take a note: The body of the dropper is placed in the system32 folder under the name consrv.dll.


Edit: Pol, did we post the same? 8)
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline polonus

Re: consrv.dll virus?
« Reply #10 on: July 17, 2011, 02:47:29 PM »
No Left123,

No but you gave the same link as Dim@rik. But the info all touches the same dropper. Let's wait for essexboy to perform his cleansing routines on this new max++ malcreation,

polonus

Offline Dim@rik

Re: consrv.dll virus?
« Reply #11 on: July 17, 2011, 05:58:49 PM »
I don't have a copy on my system

verified.....: Unsigned Not like MS for 64bit system
file version.: 5.2.3790.3959 XP ?



I also do not have a sample ... I'm also searching the internet; I found a note about this dll, and it was necessary to test it on VT.

Offline Left123

Re: consrv.dll virus?
« Reply #12 on: July 17, 2011, 08:42:57 PM »
@Essexboy, I found a sample (max++), want to have a look? If so, tell me..

Offline Pondus

Re: consrv.dll virus?
« Reply #13 on: July 17, 2011, 08:47:37 PM »
@Essexboy, I found a sample (max++), want to have a look? If so, tell me..
Do you have a VT scan of it?


Offline Left123

Re: consrv.dll virus?
« Reply #14 on: July 17, 2011, 08:52:49 PM »
« Last Edit: July 17, 2011, 08:54:29 PM by Left123 »
