8.02.2012 17:58, Post #1
Member (Group: Members, Posts: 18, Joined: 7.06.2009)
Computer is Win 7 Home Edition 64-bit.

Kaspersky finds that c:\windows\system32\consrv.dll is infected with the HEUR:Backdoor.Win64.Generic virus. I have updated Kaspersky and run scans in normal and SAFE mode, but the virus is not fixed. I continuously get the Kaspersky message about this virus, and while I've run the special disinfection procedure numerous times, as well as the second option, the virus remains. I've included the GetSystemInfo zip file. What recommendations do you have? Thanks, Charlie
Attached File(s)

9.02.2012 03:59, Post #2
Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
Welcome. Please post the full, complete detection details. Post a screenshot of Reports > Detailed Report > Detected threats.

Right click the Detected bar, and select Path. Right click the Detected bar again and select File. Then post the screenshot with columns widened to show the full detected name, object and path/location details.

How to take and post a screenshot: PrtSc (Print screen) key (upper right part of keyboard) > open Paint (Start > All programs > Accessories) > Edit > Paste, File > Save as (jpeg or png, not bmp). When replying, Browse > click once to select file > Open > Upload > add reply.

Reports > Detailed Report > lower left > Save button > please attach the saved text. Also, please attach your AVZ .zip.
--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

9.02.2012 17:37, Post #3
Member (Group: Members, Posts: 18, Joined: 7.06.2009)
I hope that I have complied with your request; it certainly is my intention to have.
Thank you, Charlie
Attached File(s):
- KasperskyVirusDetection.png (63.98K), 57 downloads
- FileLocation.png (20.69K), 39 downloads
- virusinfo_syscure.zip (44.14K), 3 downloads

10.02.2012 05:24, Post #4
Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
You're welcome. Attach a Combofix log; please review these instructions carefully before downloading Combofix, and follow these instructions carefully after downloading Combofix.

Before downloading and saving Combofix to Desktop, please rename Combofix to something like 123.exe to stop malware from disabling it. Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the Combofix file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer, as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal. You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
--------------------
The instructions posted here are for the original poster Only. If you have the same or another issue, please see the first Important read me topic, and then open a New Topic for yourself.

10.02.2012 19:09, Post #5
Member (Group: Members, Posts: 18, Joined: 7.06.2009)
> Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Apparently ComboFix has changed as to where they save the log files and the names of the files. Therefore I've attached the file that was displayed as well as a second file that was saved upon the completion of running ComboFix. Thanks again for helping me. Please let me know what else you need for me to do. Charlie
Attached File(s):
- ComboFixLog.txt (16.19K), 5 downloads
- ComboFix_quarantined_files.txt (1.25K), 3 downloads

11.02.2012 05:46, Post #6
Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
You're welcome. It looks like Combofix was run three times recently. Please search for and attach your other Combofix logs: ComboFix2.txt 2012-02-08 17:23 and ComboFix3.txt 2012-02-08 14:28.

After that, please zip up C:\qoobox\quarantine and upload it to a filehost such as http://www.mediafire.com/ Then, Private Message me the download link to the uploaded file. Click my user name and select Send message.

Lastly, uninstall Combofix by: pause Kaspersky > Start > run > type combofix /uninstall > ok. Or Start > run > type 123 /uninstall > ok. Restart Kaspersky.

Also, please follow this Tech Article to run tdsskiller: http://support.kaspersky.com/viruses/solutions?qid=208280684 Please attach the tdsskiller log. Located at: C:\TDSSKiller.~~~~~log.txt

11.02.2012 19:02, Post #7
Member (Group: Members, Posts: 18, Joined: 7.06.2009)
I've attached the two files. Am doing the other steps you requested.
Thanks, Charlie

edit: del broken quote. This post has been edited by richbuff: 12.02.2012 04:07
Attached File(s)

11.02.2012 19:22, Post #8
Member (Group: Members, Posts: 18, Joined: 7.06.2009)
I attached the file.
Charlie

edit: del broken quote. This post has been edited by richbuff: 12.02.2012 04:07
Attached File(s)

12.02.2012 04:21, Post #9
Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
Thank you for the link, and you're welcome. Also, scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but please don't remove anything yet, until the log is reviewed.

12.02.2012 14:50, Post #10
Member (Group: Members, Posts: 18, Joined: 7.06.2009)
I've attached the malwarebytes log.
Thank you, Charlie
Attached File(s)

13.02.2012 04:05, Post #11
Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
You're welcome. Please scan again with Kaspersky. Are you still receiving the detection?

13.02.2012 05:24, Post #12
Member (Group: Members, Posts: 18, Joined: 7.06.2009)
> Are you still receiving the detection?

Yes I am! Charlie

13.02.2012 05:30, Post #13
Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
Please inform Virus Tech Support of this issue: https://my.kaspersky.com/en/support/viruslab

13.02.2012 14:20, Post #14
Newbie (Group: Members, Posts: 6, Joined: 18.01.2012)
Also,

You are infected with a new version of sirefef/zeroaccess. Go to Control panel/services/administrative tools/services and look for the following service: "Safety Settings Service". I also had a new version of zeroaccess and this service was the "secondary" launcher of the virus. If the service is not there, you can do a registry scan with RegScanner and find what services were created around the date you've found that you're infected.

Alternatively, you can scan consrv.dll on VirusTotal and find which antivirus program is correctly detecting your version of zeroaccess and try an online scan with that antivirus solution.

edit: del VT link, and del link to disinfection topic on other forum, and preface with Also. This post has been edited by richbuff: 13.02.2012 14:30

13.02.2012 15:38, Post #15
Member (Group: Members, Posts: 18, Joined: 7.06.2009)
I tried to inform the viruslab. But when I click Upload the search does not locate the infected file. Windows Explorer shows the file. I tried zipping the file and I am told the file doesn't exist. How am I going to be able to get the file to the viruslab? The file is c:\windows\system32\consrv.dll.

May I add that early in the process of dealing with this situation I booted to SAFE mode command line (prompt). I found the file and was able to rename it. Kaspersky put the 'renamed' file into storage when I rebooted and ran a Kaspersky scan; but I don't know how to send it to the lab from storage. I had thought that fixed my problem but shortly afterward the file reappeared. I could try renaming it and see if the 'Upload' will find the renamed file. Thank you, Charlie

13.02.2012 15:53, Post #16
Member (Group: Members, Posts: 18, Joined: 7.06.2009)
> Go to Control panel/services/administrative tools/services and look for the following service : "Safety Settings Service".

Did not find that service.

> and find what services were created around the date you've found that you're infected

The date of the file 7/13/2009 has 10000 items listed when I run the registry scan for that date. Now I don't know when the problem actually started as the computer is used by one of my employees. She has complained for at least a month that the computer has been 'acting up'. But the file that Kaspersky is saying is infected (consrv.dll) is dated 7/13/09.

> VirusTotal (https://www.virustotal.com/)

Unfortunately the Upload (file browsing) doesn't find the file; just like above when I tried to upload the file to the viruslab. Don't know what to do next! Charlie

13.02.2012 16:09, Post #17
Oldtimer (Group: Moderators, Posts: 43024, Joined: 14.06.2007)
Please inform Virus Tech Support of this issue: https://my.kaspersky.com/en/support/viruslab

13.02.2012 16:10, Post #18
Newbie (Group: Members, Posts: 6, Joined: 18.01.2012)
Also

The date 7/13/2009 is not the date of the infection; it's a fake date created by the virus so a newbie would believe that it is a legit file (the date is almost similar to many of the win7 64bit system files). To reveal consrv.dll try this: go to Control Panel/folderOptions/view/ and make sure the "Show hidden files, folders and drives" radio is selected and the checkbox "Hide protected operating system files" is unchecked. Click "Apply" and go to windows/system32 and look for consrv.dll. If you can find it, scan it at VirusTotal or send it to the kaspersky viruslab.

This post has been edited by driverx: 13.02.2012 16:12

13.02.2012 16:24, Post #19
Member (Group: Members, Posts: 18, Joined: 7.06.2009)
Did as requested; but neither VirusTotal nor Kaspersky finds the file when I browse from clicking the Upload button.

13.02.2012 16:28, Post #20
Wrestling Champion (Group: Moderators, Posts: 8793, Joined: 10.03.2007)
> Did as requested; but neither VirusTotal nor Kaspersky finds the file when I browse from clicking the Upload button.

Hi, You are definitely better off working with the viruslab specialists as per richbuff's link. They will be able to extract any new unknown malware and help to create detections/removal routines for it.
--------------------
Kind Regards,
Baz (volunteer moderator/beta testing lead -- I don't work for Kaspersky)