Author Topic: consrv.dll virus?  (Read 46848 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Re: consrv.dll virus?
« Reply #31 on: July 19, 2011, 04:38:17 PM »
Hi folks,

Let us first give some details on the first Anubis report, that Left123 provided for us.
This is what I got on that, please correct or comment.

The analysis of the first Anubis report.
There is a known weakness in ntdll.dll, which later was patched with Q815021_WXP_SP2_x86_NLD.exe as far back as 2003.
Malware creates a copy of the file %System%\ADVAPI32.DLL later to modify and remove the legit ADVAPI32.DLL section object.
Extensive description found here: http://www.f-secure.com/v-descs/backdoor_w32_tdss.shtml
But this is for the complete malware, so what we discuss here is just the Backdoor.Win32.ZAccess (Sig-Id:61936921) part of the malware.
A bug in ATI Multimedia center is being used, as we read about e.g. "msacm.iac2", good for a generic find of this Subtype-N/A type of malware.
Device Control Communication - KsecDD = the security device server, it lives in c:\winnt\system32\drivers
About Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
Dialog does not display the specific version of comctl32.dll, it causes Windows Explorer to crash repeatedly,
and is making an access violation when closing tabs,
the Common-Controls etc. is also found with Virtumonde and other fraudLoad trojan malware,
DRMClien.DLL is being used in malware for effective camouflage, it is used for managing content,
programmed to appear as a legit file as it may infect computers via dubious file-sharing tools.
msvfw32.dll could also appear to be a camouflage file.
tapi32.dll files may end up becoming corrupted as malware runs amok on your comp.
WMASF.DLL is part of Windows Media Files and is also being used in attack code.
A patched WS2_32.dll as part of Windows Sockets is no fun issue; webpage loading slows up and many redirects are found,
Non-system processes like msdmo.dll originate from malware you installed on your system, leads to errors that can be harmful.
urlmon.dll can get corrupted from this malware.
rtutils.dll is a camouflage file.
wmidx.dll in malware is also used to pose as a legit file.
wmvcore.dll is an application that does NOT appear to be a security risk; it is the Windows Media Playback/Authoring DLL.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


psw

  • Guest
Re: consrv.dll virus?
« Reply #33 on: July 19, 2011, 06:09:33 PM »
Let us first give some details on the first Anubis report, that Left123 provided for us.
This is what I got on that, please correct or comment.

The analysis of the first Anubis report.
...

I'm sorry, but this report says nothing about consrv.dll, which is really the important thing for the topic starter. So probably this report should deal with some different kind of max++ malware. So what is the reason for discussing this matter in this topic? I think it is worth starting a new one and leaving this for discussing the concrete consrv.dll variant.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Re: consrv.dll virus?
« Reply #34 on: July 19, 2011, 06:10:50 PM »
Hi Pondus,

For the last VT result Left123 gave, this corresponds with these:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~ZAccess-F/detailed-analysis.aspx
and also this scan has that MD5 hash: http://file.virscan.org/report/2118da91d8f2b6414da618cd1de3645c.html

pol

P.S. Essexboy is right we should get out of his cleansing thread and take this discussion elsewhere....
« Last Edit: July 19, 2011, 10:24:49 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: consrv.dll virus?
« Reply #35 on: July 19, 2011, 08:29:43 PM »
Concur the op will get lost amongst all this - could you break it off please guys

shrawan32

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.

Do not close AVPTool or it will self uninstall; if it does uninstall, then just rerun the setup file on your desktop

Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the last report saved folder, then attach the zip file to your next post
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Re: consrv.dll virus?
« Reply #36 on: July 19, 2011, 10:31:43 PM »
Hi essexboy,

I will stay out of this thread now and hope the others do likewise,

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

shrawan32

  • Guest
Re: consrv.dll virus?
« Reply #37 on: July 21, 2011, 06:31:35 PM »
 :)
« Last Edit: July 21, 2011, 06:34:36 PM by shrawan32 »

shrawan32

  • Guest
Re: consrv.dll virus?
« Reply #38 on: July 21, 2011, 06:33:21 PM »
Guys, I'm exhausted... I have reinstalled my OS at last. But still, if you find the concrete fix for that problem, do remind me by post. Thanks to all for your attention... :)

psw

  • Guest
Re: consrv.dll virus?
« Reply #39 on: July 21, 2011, 08:56:24 PM »
Guys, I'm exhausted... I have reinstalled my OS at last. But still, if you find the concrete fix for that problem, do remind me by post. Thanks to all for your attention... :)
Here it is
http://forum.avast.com/index.php?topic=81720.msg668450#msg668450
The consrv: prefix in the registry key value should be substituted by the original winsrv: one.
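The fix psw links to replaces a hijacked ServerDll entry in the CSRSS subsystem registry value. The script below is an added example, not from the thread or the linked post: it parses that value, flags any ServerDll module that is not in a clean Windows 7 baseline (such as consrv), and shows what the restored string looks like. It assumes the key path HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, value name "Windows", and a baseline of basesrv/winsrv/sxssrv; the sample strings are constructed and nothing is written back to the registry.

```python
"""Detect the consrv: hijack in the CSRSS SubSystems 'Windows' registry value.

Added example (not from the forum thread). Assumptions: key path
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, value
name 'Windows', and a clean-install baseline of ServerDll modules.
"""
import re
import sys

# Assumption: ServerDll modules a clean Windows 7 x86 install lists.
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# ServerDll=<module>[:<init function>],<index>
SERVER_DLL_RE = re.compile(r"ServerDll=([A-Za-z0-9_]+)(?::([A-Za-z0-9_]+))?,(\d+)")


def parse_server_dlls(value):
    """Return (module, init_function, index) tuples from the 'Windows' string."""
    return [(m.group(1).lower(), m.group(2), int(m.group(3)))
            for m in SERVER_DLL_RE.finditer(value)]


def find_suspicious(value):
    """Return ServerDll module names that are not in the clean baseline."""
    return sorted({mod for mod, _, _ in parse_server_dlls(value)
                   if mod not in KNOWN_SERVER_DLLS})


def restore_winsrv(value):
    """Return the value with 'consrv:' put back to 'winsrv:' (the fix the thread describes)."""
    return value.replace("ServerDll=consrv:", "ServerDll=winsrv:")


# Constructed samples: a clean value and the same value with the console server entry hijacked.
CLEAN = ("%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
         "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
         "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
         "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
         "ProfileControl=Off MaxRequestThreads=16")
HIJACKED = CLEAN.replace("ServerDll=winsrv:ConServerDllInitialization,2",
                         "ServerDll=consrv:ConServerDllInitialization,2")


def read_live_value():
    """Read the real value on Windows (read-only); return None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems")
    value, _ = winreg.QueryValueEx(key, "Windows")
    return value


if __name__ == "__main__":
    target = read_live_value() or HIJACKED
    print("suspicious ServerDll entries:", find_suspicious(target) or "none")
```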

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: consrv.dll virus?
« Reply #40 on: August 01, 2011, 07:32:44 PM »
Yep the AVP tool is quite good for the cleanup as the analysis report enables me to catch the weird ones

Skiptomaloo

  • Guest
Re: consrv.dll virus?
« Reply #41 on: December 05, 2011, 01:07:35 PM »
Just in case anybody is reading this like I was. Please avoid the combofix method of fixing this
google redirect. I ran combofix, it deleted consrv.dll and \windows\system64\ and now I have lost the following services

Base Filtering Engine (BFE)
IP Helper
Security Center
Windows Defender
Windows Firewall

Also having next to no luck in getting them back. Tried all the usual stuff, stopping/starting services (command line too), but you can't stop or start something that does not exist in Services. Guess the old PC could use a fresh install :)

EDIT
Forgot I still had the file, so threw it up for anybody that cared.
http://anubis.iseclab.org/?action=result&task_id=1e512a0e6c08f7c846dc91ccfabb4986a&call=first
« Last Edit: December 05, 2011, 01:13:26 PM by Skiptomaloo »

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • Posts: 11241
  • No support PM's thanks
Re: consrv.dll virus?
« Reply #42 on: December 05, 2011, 01:17:53 PM »
Just in case anybody is reading this like I was. Please avoid the combofix method of fixing this
google redirect. I ran combofix, it deleted consrv.dll and \windows\system64\ and now I have lost the following services

Base Filtering Engine (BFE)
IP Helper
Security Center
Windows Defender
Windows Firewall

Also having next to no luck in getting them back. Tried all the usual stuff, stopping/starting services (command line too), but you can't stop or start something that does not exist in Services. Guess the old PC could use a fresh install :)
Well, you are only supposed to run these tools under the supervision and instructions of a trained malware specialist like essexboy; some people like to play with fire and wonder why they get burned :o If you can wait a couple of hours, essexboy may be able to help you repair when he comes on later.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 76034
    • >>>  Avast Forum - German-language section  <<<
Re: consrv.dll virus?
« Reply #43 on: December 05, 2011, 01:36:44 PM »
Well, you are only supposed to run these tools under the supervision and instructions of a trained malware specialist like essexboy; some people like to play with fire and wonder why they get burned :o

+1
Also you did reply to a rather outdated topic. ;)
If you need help, please start a new thread.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Skiptomaloo

  • Guest
Re: consrv.dll virus?
« Reply #44 on: December 05, 2011, 10:01:20 PM »
I don't need help, but thank you; I didn't want somebody else making the same booboo I did. In response to being 'burned': isn't it the burning that makes us better users? ;)

Ctrl + Alt + 1 and 10 minutes is all it took for a nice fresh install of Windows.

"Chance favors the prepared mind"

Have A Great Day All :)