> HEUR:Backdoor.Win64.Generic
ckerscher
post 8.02.2012 17:58 (Post #1)
Member | Group: Members | Posts: 18 | Joined: 7.06.2009

Computer is Win 7 Home Edition 64-bit
Kaspersky finds that c:\windows\system32\consrv.dll is infected with the HEUR:Backdoor.Win64.Generic virus. I have updated Kaspersky and run scans in normal and SAFE mode, but the virus is not fixed. I continuously get the Kaspersky message about this virus, and while I've run the special disinfection procedure numerous times, as well as the second option, the virus remains.
I've included the GetSystemInfo zip file.
What recommendations do you have?
Thanks,
Charlie


richbuff
post 9.02.2012 03:59 (Post #2)
Are You Kidding? | Group: Moderators | Posts: 1000080 | Joined: 14.06.2007

Welcome. Please post the full, complete detection details. Post screenshot of Reports > Detailed Report > Detected threats.
Right click the Detected bar, and select Path. Right click the Detected bar again and select File.
Then post the screenshot with the columns widened to show the full detected name, object and path/location details.

How to take and post a screenshot: PrtSc (Print screen) key (upper right part of keyboard) > open Paint (Start > All programs > Accessories) > Edit > Paste, File > Save as (jpeg or png, Not bmp). When replying, Browse > click once to select file > Open > Upload > add reply.


Reports > Detailed Report > lower left > Save button > please attach the saved text.

Also, please attach your AVZ .zip


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

ckerscher
post 9.02.2012 17:37 (Post #3)
Member | Group: Members | Posts: 18 | Joined: 7.06.2009

I hope that I have complied with your request; it certainly is my intention to have.
Thank you,
Charlie

Attached File(s)
Attached File  KasperskyVirusDetection.png ( 63,98K ) Number of downloads: 57
Attached File  FileLocation.png ( 20,69K ) Number of downloads: 39
Attached File  virusinfo_syscure.zip ( 44,14K ) Number of downloads: 3
 
richbuff
post 10.02.2012 05:24 (Post #4)
Are You Kidding? | Group: Moderators | Posts: 1000080 | Joined: 14.06.2007

You're welcome. Attach a Combofix log. Please review these instructions carefully before downloading Combofix, and follow them carefully after downloading it.

Before downloading and Saving combofix to Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the Combofix file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

--------------------
The instructions posted here are for the original poster Only. If you have same or other issue, please see the first Important read me topic, and then open a New Topic for yourself.


ckerscher
post 10.02.2012 19:09 (Post #5)
Member | Group: Members | Posts: 18 | Joined: 7.06.2009

> Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Apparently ComboFix has changed as to where they save the log files and the names of the files. Therefore I've attached the file that was displayed as well as a second file that was saved upon the completion of running ComboFix.

Thanks again for helping me. Please let me know what else you need for me to do.
Charlie



Attached File(s)
Attached File  ComboFixLog.txt ( 16,19K ) Number of downloads: 5
Attached File  ComboFix_quarantined_files.txt ( 1,25K ) Number of downloads: 3
 
richbuff
post 11.02.2012 05:46 (Post #6)
Are You Kidding? | Group: Moderators | Posts: 1000080 | Joined: 14.06.2007

You're welcome. It looks like Combofix was run three times recently. Please search for and attach your other Combofix logs: ComboFix2.txt 2012-02-08 17:23 and ComboFix3.txt 2012-02-08 14:28

After that, please zip up C:\qoobox\quarantine and upload it to a filehost such as http://www.mediafire.com/
Then, Private Message me the download link to the uploaded file. Click my user name and select Send message. Lastly, uninstall Combofix by: pause Kaspersky > Start > run > type combofix /uninstall > ok. Or Start > run > type 123 /uninstall > ok. Restart Kaspersky.

Also, please follow this Tech Article to run tdsskiller: http://support.kaspersky.com/viruses/solutions?qid=208280684
Please attach the tdsskiller log. Located at: C:\TDSSKiller.~~~~~log.txt


ckerscher
post 11.02.2012 19:02 (Post #7)
Member | Group: Members | Posts: 18 | Joined: 7.06.2009

I've attached the two files. Am doing the other steps you requested.
Thanks
Charlie

edit: del broken quote.

This post has been edited by richbuff: 12.02.2012 04:07
Attached File(s)
Attached File  ComboFix2.txt ( 14,14K ) Number of downloads: 2
Attached File  ComboFix3.txt ( 11,75K ) Number of downloads: 2
 
ckerscher
post 11.02.2012 19:22 (Post #8)
Member | Group: Members | Posts: 18 | Joined: 7.06.2009

I attached the file.
Charlie

edit: del broken quote.

This post has been edited by richbuff: 12.02.2012 04:07
Attached File(s)
Attached File  TDSSKiller.2.7.11.0_11.02.2012_10.16.26_log.txt ( 75,91K ) Number of downloads: 4
 
richbuff
post 12.02.2012 04:21 (Post #9)
Are You Kidding? | Group: Moderators | Posts: 1000080 | Joined: 14.06.2007

Thank you for the link, and you're welcome. Also, scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but Please Don't remove anything yet, until the log is reviewed.


ckerscher
post 12.02.2012 14:50 (Post #10)
Member | Group: Members | Posts: 18 | Joined: 7.06.2009

I've attached the malwarebytes log.
Thank you,
Charlie
Attached File(s)
Attached File  mbam_log_2012_02_11__20_27_18_.txt ( 1,91K ) Number of downloads: 4
 
richbuff
post 13.02.2012 04:05 (Post #11)
Are You Kidding? | Group: Moderators | Posts: 1000080 | Joined: 14.06.2007

You're welcome. Please scan again with Kaspersky. Are you still receiving the detection?


ckerscher
post 13.02.2012 05:24 (Post #12)
Member | Group: Members | Posts: 18 | Joined: 7.06.2009

> Are you still receiving the detection?

Yes I am!
Charlie

richbuff
post 13.02.2012 05:30 (Post #13)
Are You Kidding? | Group: Moderators | Posts: 1000080 | Joined: 14.06.2007

Please inform Virus Tech Support of this issue: https://my.kaspersky.com/en/support/viruslab


driverx
post 13.02.2012 14:20 (Post #14)
Newbie | Group: Members | Posts: 6 | Joined: 18.01.2012

Also,

You are infected with a new version of sirefef/zeroaccess.
Go to Control panel/services/administrative tools/services and look for the following service : "Safety Settings Service". I had also a new version of zeroaccess and this service was the "secondary" launcher of the virus.
If the service is not there, you can do a registry scan with RegScanner and find what services were created around the date you've found that you're infected

Alternatively, you can scan consrv.dll on VirusTotal, find which antivirus program is correctly detecting your version of zeroaccess, and try an online scan with that antivirus solution.

edit: del VT link, and del link to disinfection topic on other forum. and preface with Also,

This post has been edited by richbuff: 13.02.2012 14:30

ckerscher
post 13.02.2012 15:38 (Post #15)
Member | Group: Members | Posts: 18 | Joined: 7.06.2009

I tried to inform the viruslab. But when I click Upload the search does not locate the infected file. Windows Explorer shows the file.
I tried zipping the file and I am told the file doesn't exist.
How am I going to be able to get the file to the viruslab?
The file is c:\windows\system32\consrv.dll.

May I add that early in the process of dealing with this situation I booted to SAFE mode command line (prompt). I found the file and was able to rename it. Kaspersky put the 'renamed' file into storage when I rebooted and ran Kaspersky scan; but I don't know how to send it to the lab from storage. I had thought that fixed my problem but shortly afterward the file reappeared.

I could try renaming it and see if the 'Upload' will find the renamed file.

Thank you,
Charlie

ckerscher
post 13.02.2012 15:53 (Post #16)
Member | Group: Members | Posts: 18 | Joined: 7.06.2009

> Go to Control panel/services/administrative tools/services and look for the following service : "Safety Settings Service".

Did not find that service.

> and find what services were created around the date you've found that you're infected

The date of the file 7/13/2009 has 10000 items listed when I run the registry scan for that date. Now I don't know when the problem actually started as the computer is used by one of my employees. She has complained for at least a month that the computer has been 'acting up'. But the file that Kaspersky is saying is infected (consrv.dll) is dated 7/13/09.


> VirusTotal (https://www.virustotal.com/)
Unfortunately the Upload (file browsing) doesn't find the file; just like above when I tried to upload the file to the viruslab.

Don't know what to do next!
Charlie



richbuff
post 13.02.2012 16:09 (Post #17)
Are You Kidding? | Group: Moderators | Posts: 1000080 | Joined: 14.06.2007

Please inform Virus Tech Support of this issue: https://my.kaspersky.com/en/support/viruslab


driverx
post 13.02.2012 16:10 (Post #18)
Newbie | Group: Members | Posts: 6 | Joined: 18.01.2012

Also

The date 7/13/2009 is not the date of the infection; it's a fake date created by the virus so a newbie would believe that it is a legit file (the date is almost the same as that of many Win7 64-bit system files).
To reveal consrv.dll try this: go to Control Panel/Folder Options/View and make sure the "Show hidden files, folders and drives" radio button is selected and the checkbox "Hide protected operating system files" is unchecked. Click "Apply", go to windows/system32 and look for consrv.dll. If you can find it, scan it at VirusTotal or send it to the Kaspersky viruslab.

This post has been edited by driverx: 13.02.2012 16:12
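Both of driverx's posts above (#14 and #18) describe the same manual triage: look for a service named "Safety Settings Service", reveal the hidden consrv.dll, and get the file or its hash to VirusTotal or the virus lab. The PowerShell script below does those steps from the console, which sidesteps the file-open dialog that keeps skipping the file. It is an added example written for this page, not code from the thread, from Kaspersky or from any of the posters. It assumes Windows PowerShell 3.0 or later in an elevated 64-bit console (a 32-bit console would be redirected to SysWOW64), uses the path and service name quoted in the thread, and C:\Triage is a constructed folder name.

```powershell
# Triage helper added for this thread; not the thread's advice, a Kaspersky tool, or anything
# the posters ran. Assumptions: Windows PowerShell 3.0+ in an elevated 64-bit console, the
# target path and service name taken from the thread, C:\Triage as a constructed scratch folder.
$Target         = 'C:\Windows\System32\consrv.dll'
$SuspectService = 'Safety Settings Service'
$TriageDir      = 'C:\Triage'

function Get-Sha256Hex {
    param([string]$Path)
    # FileShare.ReadWrite lets us hash a DLL that another process has open.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose(); $sha.Dispose() }
}

function Get-FileTriage {
    param([string]$Path)
    # -Force makes Get-Item return files carrying the Hidden or System attribute, the same files
    # Explorer and file-open dialogs skip while "Hide protected operating system files" is ticked.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return [pscustomobject]@{ Path = $Path; Present = $false } }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path          = $Path
        Present       = $true
        Attributes    = $item.Attributes.ToString()   # look for Hidden, System
        SizeBytes     = $item.Length
        CreationTime  = $item.CreationTime            # timestamps are easily forged; treat as hints only
        LastWriteTime = $item.LastWriteTime
        Sha256        = Get-Sha256Hex -Path $Path      # the value to quote when submitting to the lab
        Signature     = $sig.Status.ToString()        # Valid, NotSigned, HashMismatch, ...
        Signer        = $signer
    }
}

function Get-ServiceBinary {
    param([string]$PathName)
    # A service's image path may be quoted and may carry arguments; keep only the executable.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+)')     { return $Matches[1] }
    return $PathName
}

function Get-ServiceTriage {
    # One row per installed service: the code it really runs (the ServiceDll for svchost-hosted
    # services) plus that file's Authenticode status, so unsigned or missing service code stands out.
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $binary = Get-ServiceBinary -PathName $svc.PathName
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -LiteralPath $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $binary = [System.Environment]::ExpandEnvironmentVariables($dll) }
        $status = 'Missing'
        if ($binary -and (Test-Path -LiteralPath $binary)) {
            $status = (Get-AuthenticodeSignature -FilePath $binary).Status.ToString()
        }
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            StartMode   = $svc.StartMode
            Binary      = $binary
            Signature   = $status
            NameMatch   = ($svc.DisplayName -eq $SuspectService -or $svc.Name -eq $SuspectService)
        }
    }
}

# 1. What the detected file looks like from an API-level view.
Get-FileTriage -Path $Target | Format-List

# 2. Services that match the name from the thread, or whose code is unsigned or missing.
Get-ServiceTriage | Where-Object { $_.NameMatch -or $_.Signature -ne 'Valid' } |
    Sort-Object NameMatch -Descending | Format-Table -AutoSize

# 3. Put a copy with the Hidden/System bits cleared where an upload dialog can see it.
if (Test-Path -LiteralPath $Target) {
    New-Item -ItemType Directory -Path $TriageDir -Force | Out-Null
    Copy-Item -LiteralPath $Target -Destination $TriageDir -Force
    $copy = Get-Item -LiteralPath (Join-Path $TriageDir (Split-Path $Target -Leaf)) -Force
    $copy.Attributes = [System.IO.FileAttributes]::Normal
    Write-Host "Copy ready for submission: $($copy.FullName)"
}
```

Two caveats when reading the output. On Windows 7 many Microsoft binaries are catalogue-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report NotSigned for legitimate files; the service table is a shortlist to review, not a verdict. And if Present comes back $false even though Kaspersky still detects the file, the file is being hidden below the level the Win32 API exposes, which is exactly the situation where the virus lab route richbuff links is the right one: the SHA256 printed in step 1, when the file is visible, is what to quote in that submission.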

ckerscher
post 13.02.2012 16:24 (Post #19)
Member | Group: Members | Posts: 18 | Joined: 7.06.2009

Did as requested; but neither VirusTotal nor Kaspersky finds the file when I browse after clicking the Upload button.

Baz^^
post 13.02.2012 16:28 (Post #20)
Wrestling Champion | Group: Gold beta testers | Posts: 8799 | Joined: 10.03.2007

QUOTE(ckerscher @ 13.02.2012 12:24)
> Did as requested; but neither VirusTotal nor Kaspersky finds the file when I browse after clicking the Upload button.

Hi,

You are definitely better off working with the viruslab specialists as per richbuff's link. They will be able to extract any new unknown malware and help to create detections/removal routines for it.


--------------------
Kind Regards,

Baz