I am using Avast free version and it detects malware as “c:\windows\system32\consrv.dll”.
Is it safe to remove consrv.dll since it is in the Windows folder? Please reply soon.
Can you post a screenshot for us to get an idea of what the problem is?
http://threatpost.com/en_us/blogs/zeroaccess-rootkit-latest-line-x64-malware-appear-052411
http://www.securelist.com/en/blog/493/MAX_sets_its_sights_on_x64_platforms
My problem is that a threat has been detected and the infected file is “consrv.dll” in "c:\windows\system32" and also in "c:\windows\system64"; both have severity as high and status as
“Threat: Win32:Malware-gen”. I tried to repair it with Avast but it didn't get repaired and threw an error. Then I moved it to Avast's chest; after that Windows is not booting and prompts to run startup repair, but it can't repair it, and finally I have not been able to restore Windows in any way. I am using Windows 7 Ultimate 64-bit.
Hi shrawan32,
This could be part of the so-called “ZeroAccess” 64-bit rootkit dropper. You could have been infected because your Adobe or Java software is not fully updated; check with secunia.com/vulnerability_scanning/online/
For the malware to be cleansed I have asked essexboy to come and have a look here,
polonus
Looks like it may be a reincarnation of max++; haven't seen that in a while.
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.
Download OTS to your Desktop.
1. Close ALL OTHER PROGRAMS.
2. Double-click on OTS.exe to start the program.
3. Check the box that says Scan All Users.
4. Under Additional Scans check the following:
   Reg - Disabled MS Config Items
   Reg - Drivers32
   Reg - NetSvcs
   Reg - SafeBoot Minimal
   Reg - Shell Spawning
   Evnt - EventViewer Logs (Last 10 Errors)
   File - Lop Check
5. Under the Custom Scan box paste this in:
   %SYSTEMDRIVE%*.exe
   /md5start
   volsnap.*
   explorer.exe
   winlogon.exe
   Userinit.exe
   svchost.exe
   /md5stop
   %systemroot%*. /mp /s
   hklm\software\clients\startmenuinternet|command /rs
   hklm\software\clients\startmenuinternet|command /64 /rs
   CREATERESTOREPOINT
6. Now click the Run Scan button on the toolbar.
7. Let it run unhindered until it finishes.
8. When the scan is complete, Notepad will open with the report file loaded in it.
9. Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it.
Please attach the log in your next post.
From the VT scan posted by Dim@rik, click show all:
sigcheck:
publisher…: Microsoft Corporation
copyright…: _ Microsoft Corporation. All rights reserved.
product…: Microsoft_ Windows_ Operating System
description…: Windows Server DLL
original name: consrv.dll
internal name: consrv
file version.: 5.2.3790.3959
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
Looks legit??? … or is the info fake?
Test the file(s) at www.virustotal.com
I don't have a copy on my system.
verified…: Unsigned. Not like MS for a 64-bit system.
file version.: 5.2.3790.3959 XP?
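The two traits Pondus points at (no valid signature, an XP/2003-era file version on a Windows 7 x64 box) can be checked locally before deciding whether to trust the file. The script below is an added triage example, not code from this thread or from Avast/OTS; it assumes only built-in PowerShell and .NET, and the "system64" path is included solely because the original poster reported it (it is not a standard Windows folder).

```powershell
# Added example: local triage of the consrv.dll paths named in this thread.
# Not code from the thread or from Avast/OTS; assumes only built-in PowerShell and .NET.
# The three locations raised in the thread (System32, the 32-bit SysWOW64 mirror,
# and the "system64" folder the poster reported, which is not a standard Windows folder).
$Candidates = @(
    "$env:SystemRoot\System32\consrv.dll",
    "$env:SystemRoot\SysWOW64\consrv.dll",
    "$env:SystemRoot\system64\consrv.dll"
)
$OsMajor = [Environment]::OSVersion.Version.Major   # 6 on Windows 7; a 5.x file version is XP/2003-era

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there);
    # the hash is what you look up on VirusTotal, as suggested earlier in the thread.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output ("{0}: not present" -f $Path)
        continue
    }
    $Info  = (Get-Item -LiteralPath $Path).VersionInfo
    $Sig   = Get-AuthenticodeSignature -LiteralPath $Path
    $Flags = @()

    # Trait 1 from the sigcheck output above: no valid Authenticode signature.
    # Caveat: PowerShell 2.0 does not look up catalog signatures, so genuine Windows
    # binaries can also show NotSigned here; confirm with Sysinternals sigcheck before acting.
    if ($Sig.Status -ne 'Valid') { $Flags += "signature status $($Sig.Status)" }

    # Trait 2: file version major (5 = XP/Server 2003) older than the running OS (6 = Win7).
    if ($Info.FileMajorPart -lt $OsMajor) {
        $Flags += "file version $($Info.FileVersion) predates this OS (major $OsMajor)"
    }

    # Trait 3: company string that is not Microsoft at all (easy to fake, so only a hint).
    if ($Info.CompanyName -ne 'Microsoft Corporation') {
        $Flags += "company '$($Info.CompanyName)'"
    }

    $Verdict = if ($Flags.Count) { 'SUSPICIOUS: ' + ($Flags -join '; ') } else { 'no flags' }
    Write-Output ("{0}`n  sha256={1}`n  {2}" -f $Path, (Get-Sha256Hex $Path), $Verdict)
}
```

Run it from an elevated prompt; a rootkit that hides the file from the file system will simply report "not present", which is itself worth noting when Avast still detects it.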
Hi Pondus,
Not if I and essexboy consider this to be excluded first:
http://www.dataprotectioncenter.com/antivirus/kaspersky/max-sets-its-sights-on-x64-platforms/
and
http://threatpost.com/en_us/blogs/zeroaccess-rootkit-latest-line-x64-malware-appear-052411
There this dll is the body of the dropper. It could also be part of the Google-redirect misery, as the victim experiences reboot problems; as an unknown (unsigned dll) process in Task Manager it can easily be adapted to perform as part of malware, so consrv.dll may appear to be a normal process, but it is not.
Do you think this is a FP? I would certainly not: http://www.virustotal.com/file-scan/report.html?id=5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f-1310865513
polonus
More info here: http://www.securelist.com/en/blog/493/MAX_sets_its_sights_on_x64_platforms
Take note: The body of the dropper is placed in the system32 folder under the name consrv.dll.
Edit: Pol, did we post the same? 8)
No Left123,
No, but you gave the same link as Dim@rik. But the info all touches the same dropper. Let's wait for essexboy to perform his cleansing routines on this new max++ malcreation,
polonus
I also do not have a sample … I'm also searching the internet; I found a note about this dll, it was necessary to test it on VT.
@Essexboy, I found a sample (max++), want to have a look? If so, tell me…
Do you have a VT scan of it?
Give me a second.
Hi Left123,
Can you upload the file to Anubis and give me the Anubis report link,
pol
Here you go Damian ;D
http://anubis.iseclab.org/?action=result&task_id=1d153fa30403842b4a5e79e2817b20f3f&format=html
Hi Left123,
From the info on the mutexes mentioned there, this is “Windows Lifespoof” malware, a backdoor agent. It comes with characteristics that are “exploit kit” related, and is redirecting to a malware site reporting infection status.
Furthermore AcGenral.DLL is found in there; the report states that 9ad1_appcompat.txt Object is locked.
The malware will silently install on the victim's computer and attempt to replace a randomly selected system driver, thereby avoiding certain specific drivers,
polonus
It drops MAX++, doesn't it?
Hi Left123,
Well sure, it reads in the Anubis report:
2. Max++ down.exe, and it also contains this attack code:
“system32\drwtsn32 -p 1576 -e 124 -g”, so Fake AV…
pol