Author Topic: consrv.dll virus?  (Read 46819 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: consrv.dll virus?
« Reply #15 on: July 17, 2011, 10:57:14 PM »
Hi Left123,

Can you upload the file to Anubis and give me the Anubis report link,

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: consrv.dll virus?
« Reply #16 on: July 17, 2011, 10:59:50 PM »
Quote
Hi Left123,

Can you upload the file to Anubis and give me the Anubis report link,

pol

Here you go Damian ;D
http://anubis.iseclab.org/?action=result&task_id=1d153fa30403842b4a5e79e2817b20f3f&format=html
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline polonus

Re: consrv.dll virus?
« Reply #17 on: July 17, 2011, 11:19:11 PM »
Hi Left123,

From the info on the mutexes mentioned there, this is "Windows Lifespoof" malware, a backdoor agent. It comes with characteristics that are "exploit kit" related, and is redirecting to a malware site reporting infection status.
Furthermore AcGenral.DLL is found in there, report states that 9ad1_appcompat.txt Object is locked.
The malware will silently install on the victim's comp and attempts to replace a randomly selected system driver, thereby avoiding certain specific drivers,

polonus

Offline Left123

Re: consrv.dll virus?
« Reply #18 on: July 17, 2011, 11:22:01 PM »
Quote
Hi Left123,

From the info on the mutexes mentioned there, this is "Windows Lifespoof" malware, a backdoor agent. It comes with characteristics that are "exploit kit" related, and is redirecting to a malware site reporting infection status.
Furthermore AcGenral.DLL is found in there, report states that 9ad1_appcompat.txt Object is locked.
The malware will silently install on the victim's comp and attempts to replace a randomly selected system driver, thereby avoiding certain specific drivers,

polonus

It drops MAX++, doesn't it?

Offline polonus

Re: consrv.dll virus?
« Reply #19 on: July 17, 2011, 11:36:45 PM »
Hi Left123,

Well sure it reads in the Anubis report:
Quote
2. Max++ down.exe
, and it also contains this attack code:
Quote
"system32\drwtsn32 -p 1576 -e 124 -g"
, so Fake AV...


pol
« Last Edit: July 18, 2011, 12:02:09 AM by polonus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: consrv.dll virus?
« Reply #20 on: July 17, 2011, 11:39:23 PM »
Looks like an old version

Offline polonus

Re: consrv.dll virus?
« Reply #21 on: July 17, 2011, 11:48:04 PM »
Hi essexboy,

We did not like to spoil the fun for ye, did we?   ;D 
Left123 found it. So then does it have any resemblance with a more recent variant?

pol

Offline Left123

Re: consrv.dll virus?
« Reply #22 on: July 18, 2011, 08:44:03 AM »
Max++ is a "rare" kind of infection, that makes it hard to find samples.

shrawan32

  • Guest
Re: consrv.dll virus?
« Reply #23 on: July 18, 2011, 10:33:38 AM »
@essexboy: I have uploaded OTS result log in http://www.mediafire.com/?6v64tinp3f2ra5l take a look and get me soon

shrawan32

  • Guest
Re: consrv.dll virus?
« Reply #24 on: July 18, 2011, 03:30:20 PM »
@essexboy: I have uploaded OTS result log in http://www.mediafire.com/?6v64tinp3f2ra5l take a look and get me soon

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89210
  • No support PMs thanks
Re: consrv.dll virus?
« Reply #25 on: July 18, 2011, 03:41:37 PM »
Well essexboy will still be at work 14:40pm in the UK, so it will be a few hours before he is back home and on the forums. So bumping the topic won't change that.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: consrv.dll virus?
« Reply #26 on: July 18, 2011, 06:04:50 PM »
Attached I give an image of the alert I get from the Malware Script Detector extension I installed in the Google Chrome browser. When I give in this particular query, see attached gif image, I am alerted for malware attack code...

polonus

Offline essexboy

Re: consrv.dll virus?
« Reply #27 on: July 18, 2011, 08:27:36 PM »
It is not showing at all on the log, but there are none of the classic max++ signs either which is good

So let's use a deeper searching tool

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

shrawan32

  • Guest
Re: consrv.dll virus?
« Reply #28 on: July 19, 2011, 07:01:29 AM »
I tried ComboFix but it automatically deleted that consrv.dll and it reboots the OS. After, the startup error occurred similar to as I said earlier in the post when I tried with avast. Eventually I restored by no way since startup repair also failed... I attached below the result log of ComboFix.

psw

  • Guest
Re: consrv.dll virus?
« Reply #29 on: July 19, 2011, 08:52:19 AM »
I found the following method of consrv problem fixing
http://www.bleepingcomputer.com/forums/topic400730.html/page__st__15__p__2271737#entry2271737

It is required to restore the original winsrv: occurrence instead of the malicious consrv:
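
The winsrv:/consrv: check described in the last post, as an added example that is not part of the thread or of any tool mentioned in it. It assumes the reference lives in the `Windows` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems` (the thread does not name the location), treats a stock Windows 7 module list as the baseline, and runs on constructed sample strings. The thread reports a startup failure after consrv.dll was deleted, so the check shows whether the system still references that file.

```python
import re

# Modules a stock Windows 7 SubSystems\Windows value loads into csrss.exe
# (assumed baseline, not taken from the thread; adjust for other versions).
EXPECTED_MODULES = {"basesrv", "winsrv", "sxssrv"}

# Entry format: ServerDll=<module>[:<init routine>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)")

# Constructed samples modelled on the Windows 7 default value.
CLEAN = (r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
         "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
         "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
         "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
         "ProfileControl=Off MaxRequestThreads=16")
HIJACKED = CLEAN.replace("winsrv:ConServerDllInitialization",
                         "consrv:ConServerDllInitialization")


def server_dlls(value):
    """Return (module, init_routine, index) for every ServerDll entry."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in SERVERDLL_RE.finditer(value)]


def unexpected_modules(value):
    """Entries whose module is not in the expected baseline."""
    return [e for e in server_dlls(value)
            if e[0].lower() not in EXPECTED_MODULES]


def restore_winsrv(value):
    """Point every consrv: entry back at winsrv:, leaving the rest untouched."""
    return re.sub(r"(?i)ServerDll=consrv:", "ServerDll=winsrv:", value)


if __name__ == "__main__":
    for name, value in (("clean", CLEAN), ("hijacked", HIJACKED)):
        bad = unexpected_modules(value)
        print(name, "->", bad if bad else "only baseline modules referenced")
    print("restored matches clean:", restore_winsrv(HIJACKED) == CLEAN)
```

On a live or offline-mounted system the string to feed in is the data of that registry value; correcting the reference before the file is removed avoids leaving an entry that points at a missing DLL.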