ckerscher

HEUR:Backdoor.Win64.Generic


Computer is Win 7 Home Edition 64-bit

Kaspersky finds that c:\windows\system32\consrv.dll is infected with HEUR:Backdoor.Win64.Generic virus. I have updated Kaspersky, run scans in normal and SAFE mode but virus is not fixed. Continuously get the Kaspersky message about this virus and while I've run the special disinfection procedure numerous times as well as the second option the virus remains.

I've included the GetSystemInfo zip file.

What recommendations do you have?

Thanks,

Charlie

 

GetSystemInfo_SOPHIA_EMACHINE_Sophia_2012_02_07_18_51_24.zip

richbuff   

Welcome. Please post the full, complete detection details. Post screenshot of Reports > Detailed Report > Detected threats.

Right click the Detected bar, and select Path. Right click the Detected bar again and select File.

Then post the screenshot with columns widened to show full detected and name and object and path/location details.

 

How to take and post screenshot: PrtSc (Print screen) key (upper right part of keyboard) > open Paint (Start > All programs > Accessories) > Edit > Paste, File > Save as (jpeg or png, Not bmp). When replying, Browse > click once to select file > Open > Upload > add reply.

 

Reports > Detailed Report > lower left > Save button > please attach the saved text.

 

Also, please attach your AVZ .zip

richbuff   

You're welcome. Attach a Combofix log, please review these instructions carefully before downloading Combofix, and follow these instructions carefully after downloading Combofix.

 

Before downloading and Saving combofix to Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

 

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

 

Please double click on the Combofix file you downloaded. Follow the onscreen prompts to start the scan.

Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.

It may take a while to complete scanning and this is normal.

 

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

 

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

 

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

--------------------

The instructions posted here are for the original poster Only. If you have same or other issue, please see the first Important read me topic, and then open a New Topic for yourself.


> Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

 

Apparently ComboFix has changed as to where they save the log files and the names of the files. Therefore I've attached the file that was displayed as well as a second file that was saved upon the completion of running ComboFix.

 

Thanks again for helping me. Please let me know what else you need for me to do.

Charlie

 

 

ComboFixLog.txt

ComboFix_quarantined_files.txt

richbuff   

You're welcome. It looks like Combofix was run three times recently. Please search and attach your other combofix logs: ComboFix2.txt 2012-02-08 17:23 and ComboFix3.txt 2012-02-08 14:28

 

After that, please zip up C:\qoobox\quarantine and upload it to a filehost such as http://www.mediafire.com/

Then, Private Message me the Download link to the uploaded file. Click my user name and select Send message. Lastly, uninstall Combofix by: pause Kaspersky > Start > run > type combofix /uninstall > ok. Or Start > run > type 123 /uninstall > ok. Restart Kaspersky.

 

Also, please follow this Tech Article to run tdsskiller: http://support.kaspersky.com/viruses/solutions?qid=208280684

Please attach the tdsskiller log. Located at: C:\TDSSKiller.~~~~~log.txt

driverx   

Also,

 

You are infected with a new version of sirefef/zeroaccess.

Go to Control panel/services/administrative tools/services and look for the following service : "Safety Settings Service". I had also a new version of zeroaccess and this service was the "secondary" launcher of the virus.

If the service is not there, you can do a registry scan with RegScanner and find what services were created around the date you've found that you're infected

 

Alternatively, you can scan consrv.dll on VirusTotal and find what antivirus program is detecting correctly your version of zeroaccess and try an online scan with that antivirus solution.

 

edit: del VT link, and del link to disinfection topic on other forum. and preface with Also,

Edited by richbuff


I tried to inform the viruslab. But when I click Upload the search does not locate the infected file. Windows Explorer shows the file.

I tried zipping the file and I am told the file doesn't exist.

How am I going to be able to get the file to the viruslab?

The file is c:\windows\system32\consrv.dll.

 

May I add that early in the process of dealing with this situation I booted to SAFE mode command line (prompt). I found the file and was able to rename it. Kaspersky put the 'renamed' file into storage when I rebooted and ran Kaspersky scan; but I don't know how to send it to the lab from storage. I had thought that fixed my problem but shortly afterward the file reappeared.

 

I could try renaming it and see if the 'Upload' will find the renamed file.

 

Thank you,

Charlie


> Go to Control panel/services/administrative tools/services and look for the following service : "Safety Settings Service".

 

Did not find that service.

 

> and find what services were created around the date you've found that you're infected

 

The date of the file 7/13/2009 has 10000 items listed when I run the registry scan for that date. Now I don't know when the problem actually started as the computer is used by one of my employees. She has complained for at least a month that the computer has been 'acting up'. But the file that Kaspersky is saying is infected (consrv.dll) is dated 7/13/09.

 

> VirusTotal (https://www.virustotal.com/)

Unfortunately the Upload (file browsing) doesn't find the file; just like above when I tried to upload the file to the viruslab.

 

Don't know what to do next!

Charlie

driverx   

Also

 

The date 7/13/2009 is not the date of the infection, it's a fake date created by the virus so a newbie would believe that is a legit file (the date is almost similar to many of win7 64bit system files).

To reveal the consrv.dll try this : go to Control Panel/Folder Options/View/ and make sure the "Show hidden files, folders and drives" radio is selected and the checkbox "Hide protected operating system files" is unchecked. Click "Apply" and go to windows/system32 and look for consrv.dll. If you can find it, scan it at VirusTotal or send it to the kaspersky viruslab.

Edited by driverx
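As an added example (not code from the thread or from any of the posters), the following PowerShell triage script does the checks driverx describes in his two posts above: it lists the file with its Hidden/System attributes shown (which is why Explorer and the Upload dialogs could not see it), hashes it for the lab, copies it to a visible folder for submission, and searches the services list for the named service plus any service whose binary sits outside the usual system locations. It assumes an elevated PowerShell prompt on Windows 7; the file path and service name are the ones given in the thread, and the "sample" folder on the Desktop is a made-up destination.

```powershell
# Added triage example, not from the thread. Run from an elevated PowerShell prompt.
$target      = 'C:\Windows\System32\consrv.dll'      # path named in the thread
$serviceName = 'Safety Settings Service'             # service named by driverx

# 1. Hidden + System attributes keep a file out of Explorer and out of file-open dialogs.
#    -Force lists it anyway; the Attributes column shows why it was invisible.
Get-ChildItem -Force -LiteralPath $target -ErrorAction SilentlyContinue |
    Format-List Name, Length, Attributes, CreationTime, LastWriteTime

if (Test-Path -LiteralPath $target) {
    # 2. SHA-256 via .NET (works on the PowerShell 2.0 that Windows 7 ships with).
    #    The hash alone is enough to ask the lab or VirusTotal whether the sample is known.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($target)
    try     { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
    "SHA256 $target = $hash"

    # 3. Copy the sample to a submission folder and clear Hidden/System on the COPY only,
    #    so the lab's upload dialog can see it. The original is left for the disinfection steps.
    $dest = Join-Path $env:USERPROFILE 'Desktop\sample'   # assumed destination
    New-Item -ItemType Directory -Force -Path $dest | Out-Null
    $copy = Copy-Item -LiteralPath $target -Destination $dest -Force -PassThru
    $copy.Attributes = [System.IO.FileAttributes]::Archive
    "Copy for submission: $($copy.FullName)"
}

# 4. Services: report the one named in the thread, plus any whose ImagePath points outside
#    the Windows / system32 / Program Files trees (a rough filter, meant to shorten the
#    list RegScanner would otherwise show; review the hits by hand).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem $svcRoot | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    New-Object PSObject -Property @{
        Name        = $_.PSChildName
        DisplayName = $p.DisplayName
        ImagePath   = $p.ImagePath
    }
} | Where-Object {
    $_.DisplayName -eq $serviceName -or
    ($_.ImagePath -and $_.ImagePath -notmatch '(?i)systemroot|\\windows\\|system32|program files')
} | Format-Table -AutoSize Name, DisplayName, ImagePath
```

Hidden/System attributes are also why the earlier zip attempt reported that the file "doesn't exist"; listing with -Force first confirms the file is present before anything else is tried.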

Baz^^   
> Did as requested; but neither total virus or Kaspersky find the file when I browse from clicking the Upload button.

 

 

Hi,

 

You are definitely better off working with the viruslab specialists as per richbuff's link. They will be able to extract any new unknown malware and help to create detections/removal routines for it.

> Hi,
>
> You are definitely better off working with the viruslab specialists as per richbuff's link. They will be able to extract any new unknown malware and help to create detections/removal routines for it.

 

 

Thank you,

Charlie
