
Re: Help... Artemis!56C9EF26F88B - ZeroAccess


I also uploaded c:\windows\system32\consrv.dll to Virus Total.   Here are the results:

URL:  http://www.virustotal.com/file-scan/report.html?id=c9173337e91ef6a59658dd60f713517eddd8cb43196dcc970...

Antivirus             Version           Last Update  Result
AhnLab-V3             2011.10.10.00     2011.10.10   -
AntiVir               7.11.15.210       2011.10.11   RKIT/ZeroAccess.A
Antiy-AVL             2.0.3.7           2011.10.11   -
Avast                 6.0.1289.0        2011.10.11   Win32:Malware-gen
AVG                   10.0.0.1190       2011.10.07   Dropper.Agent.ARYN
BitDefender           7.2               2011.10.11   -
ByteHero              1.0.0.1           2011.09.23   -
CAT-QuickHeal         11.00             2011.10.11   -
ClamAV                0.97.0.0          2011.10.11   -
Commtouch             5.3.2.6           2011.10.11   -
Comodo                10418             2011.10.11   -
DrWeb                 5.0.2.03300       2011.10.11   -
Emsisoft              5.1.0.11          2011.10.11   Trojan.Win64!IK
eSafe                 7.0.17.0          2011.10.10   -
eTrust-Vet            36.1.8611         2011.10.11   -
F-Prot                4.6.5.141         2011.10.11   -
F-Secure              9.0.16440.0       2011.10.11   -
Fortinet              4.3.370.0         2011.10.11   -
GData                 22                2011.10.11   Win32:Malware-gen
Ikarus                T3.1.1.107.0      2011.10.11   Trojan.Win64
Jiangmin              13.0.900          2011.10.10   -
K7AntiVirus           9.115.5267        2011.10.10   -
Kaspersky             9.0.0.837         2011.10.11   -
McAfee                5.400.0.1158      2011.10.11   ZeroAccess.e
McAfee-GW-Edition     2010.1D           2011.10.11   -
Microsoft             1.7702            2011.10.11   Trojan:Win64/Sirefef.B
NOD32                 6533              2011.10.11   -
Norman                6.07.11           2011.10.11   -
nProtect              2011-10-11.01     2011.10.11   -
Panda                 10.0.3.5          2011.10.11   Generic Malware
PCTools               8.0.0.5           2011.10.11   -
Prevx                 3.0               2011.10.11   -
Rising                23.79.01.04       2011.10.11   -
Sophos                4.70.0            2011.10.11   -
SUPERAntiSpyware      4.40.0.1006       2011.10.11   -
Symantec              20111.2.0.82      2011.10.11   WS.Reputation.1
TheHacker             6.7.0.1.318       2011.10.09   -
TrendMicro            9.500.0.1008      2011.10.11   TROJ_SIREFEF.BX
TrendMicro-HouseCall  9.500.0.1008      2011.10.11   TROJ_SIREFEF.BX
VBA32                 3.12.16.4         2011.10.11   -
VIPRE                 10730             2011.10.11   Trojan.Win32.Generic!BT
ViRobot               2011.10.11.4713   2011.10.11   -
VirusBuster           14.1.5.0          2011.10.10   -

Additional information

MD5   : 1812577ddfa736694a8dbad896d329d7
SHA1  : a6831421aa2c04b93078df35d4bd2eed62985060
SHA256: c9173337e91ef6a59658dd60f713517eddd8cb43196dcc970266cbc12c33d5df
spykou (Level 7), Message 62 of 80

Re: Help... Artemis!56C9EF26F88B - ZeroAccess


I have finally removed ZeroAccess manually, without help from McAfee or the big security community. This "consrv.dll" is the body of the threat, but it can't be deleted without first cleaning the Windows registry key associated with it. This key is protected by the infection and must be modified with a boot live CD. It's not easy or safe for everyone...

Or simply use a restore point created before the infection, if you are lucky enough to have one, and delete "consrv.dll" afterwards.

Be careful: if you delete the file "consrv.dll" without having a safe, cleaned registry, Windows won't start anymore and you will get a BSOD with a reboot of the computer.

on 11/10/11 12:13:55 CDT
dmeier (McAfee Employee), Message 63 of 80

Re: Help... Artemis!56C9EF26F88B - ZeroAccess


Thanks Beagle123, you've been very positive and helpful in your posts.  I've gathered several samples from posters, and Research has added them to the DATs.  They should show up today/tomorrow. The challenge is to get a scan going.  If the product is still up and running, I'd do a full system scan and see what it picks up.  If the product is down, we can use the daily Stinger, as I've ensured the signatures are included in that as well.

I'll be trying to test it out today as well.


Re: Help... Artemis!56C9EF26F88B - ZeroAccess


I ran a full scan last night.  In c:\Program Files\McAfee\VirusScan\dat I have a 6497.0 folder.  I'm guessing that is the version of the data files.  In c:\Program Files\McAfee\VirusScan\Engine I have 5400.1158.

The scan may have been interrupted by a reboot caused by a Windows update. 

The scan removed the following:

10/12/2011  08:44:41 PM  Real Time   Artemis!56C9EF26F88B(Trojan)    Repaired(removed)  File: C:\windows\assembly\tmp\U\80000032.$  Process:  c:\windows\system32\svchost.exe

10/12/2011  09:07:56 PM  Real Time   DNSChanger!fa(Trojan)   Repaired(removed)   File:  C:\windows\assembly\tmp\U\80000032.@ Process  c:\Program Files(x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe


The scan quarantined the following:

10/12/2011  10:09:29 PM  Full   DNSChanger!fa(Trojan)  Quarantined   File:  C:\Temp\80000032.@  (this is a copy that I made earlier to send the files to this discussion)

10/12/2011  10:09:39 PM  Full   Generic.dx!bbbg(Trojan)  Quarantined  File:  C:\windows\assembly\tmp\kwrd.dll

10/12/2011  10:09:39 PM  Full   DNSChanger!fa(Trojan)  Quarantined  File:   C:\Temp\Windows_assembly_tmp_U.zip  (this was also used to send the files to this discussion)

10/13/2011  0553:12 AM   Scheduled  Generic.dx!bbbg(Trojan)  Quarantined  File:  C:\windows\assembly\tmp\kwrd.dll

Conspicuously absent from these lists is the contaminated c:\windows\system32\consrv.dll that I submitted to Virus Total.  It looks like the scan missed it.
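To make lists like the one above easier to check, here is an added Python example (not the poster's or McAfee's code) that parses the pasted scan-log lines into records and groups them by path. A path that shows up more than once, like kwrd.dll above, is a file the product keeps finding rather than one it removed. The regex is written for the line shape exactly as pasted in this post (including "Process" without a colon and the malformed time "0553:12"), not for McAfee's log format in general; the sample lines are copied from the post.

```python
"""Parse scan-log lines as pasted in the thread into structured records and
group the hits by path.  Added example; the regex targets the line shape of
the pasted text, not McAfee's log format in general."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>[\d:]+)\s+(?P<ampm>[AP]M)\s+"  # tolerant time: "0553:12" still parses
    r"(?P<scan>Real Time|Full|Scheduled)\s+"
    r"(?P<threat>[^\s(]+)\((?P<kind>[^)]+)\)\s+"           # e.g. Artemis!56C9EF26F88B(Trojan)
    r"(?P<action>\S+)\s+"                                   # Repaired(removed) / Quarantined
    r"File:\s+(?P<file>.+?)"                                # path, lazily, up to Process/note/end
    r"(?:\s+Process:?\s+(?P<process>\S.*?))?"               # "Process:" or "Process" (both appear)
    r"(?:\s+\((?P<note>[^)]*)\))?\s*$"                      # poster's parenthetical remark
)

# Lines copied from the post above (the poster's own scan results).
SAMPLE_LOG = r"""
10/12/2011  08:44:41 PM  Real Time   Artemis!56C9EF26F88B(Trojan)    Repaired(removed)  File: C:\windows\assembly\tmp\U\80000032.$  Process:  c:\windows\system32\svchost.exe
10/12/2011  09:07:56 PM  Real Time   DNSChanger!fa(Trojan)   Repaired(removed)   File:  C:\windows\assembly\tmp\U\80000032.@ Process  c:\Program Files(x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
10/12/2011  10:09:29 PM  Full   DNSChanger!fa(Trojan)  Quarantined   File:  C:\Temp\80000032.@  (this is a copy that I made earlier to send the files to this discussion)
10/12/2011  10:09:39 PM  Full   Generic.dx!bbbg(Trojan)  Quarantined  File:  C:\windows\assembly\tmp\kwrd.dll
10/12/2011  10:09:39 PM  Full   DNSChanger!fa(Trojan)  Quarantined  File:   C:\Temp\Windows_assembly_tmp_U.zip  (this was also used to send the files to this discussion)
10/13/2011  0553:12 AM   Scheduled  Generic.dx!bbbg(Trojan)  Quarantined  File:  C:\windows\assembly\tmp\kwrd.dll
"""


def parse_log(text):
    """Return (records, unparsed).  Each record is the regex's named groups
    (process/note are None when absent); lines that do not match are kept
    verbatim in `unparsed` so nothing is silently dropped."""
    records, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["file"] = rec["file"].strip()
        records.append(rec)
    return records, unparsed


def hits_by_path(records):
    """Group (action, threat) pairs by case-folded path."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["file"].lower()].append((r["action"], r["threat"]))
    return dict(by_path)


def repeat_hits(records):
    """Paths detected more than once: a file that keeps coming back was not
    actually removed, which is the pattern the thread is chasing."""
    return sorted(p for p, hits in hits_by_path(records).items() if len(hits) > 1)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for path, hits in hits_by_path(recs).items():
        print(path, hits)
    print("repeat hits:", repeat_hits(recs))
    print("unparsed:", bad)
```

Anything the regex cannot match ends up in the `unparsed` list rather than disappearing, so a line shape the pattern does not cover is visible rather than silently lost.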

jdl (Level 7), Message 65 of 80

Re: Help... Artemis!56C9EF26F88B - ZeroAccess


Just ran the scan.  Files found:

freqdpcobn in ...\appdata\Local\temp\

nrv.dll in ...\appdata\Local\temp\

kwrd.dll in \windows\assembly\tmp\

However, the Firewall still is having the same issues, so I don't believe the computer is clean.

Re: Help... Artemis!56C9EF26F88B - ZeroAccess


I ran another full scan on Friday using the automatically downloaded updates.  Zeroaccess.e and two other viruses were reported to be detected and quarantined (whatever that means).  The next time that I rebooted the machine, Windows failed to start.  It tried to repair itself, but it was unsuccessful.  This led me to do what I knew was inevitable anyway.  I wiped out everything and reloaded Windows.  At least I KNOW that it's gone now.

catdaddy (Reliable Contributor), Message 67 of 80

Re: Help... Artemis!56C9EF26F88B - ZeroAccess


Marking this thread as 'Correctly Answered' and locking it as well, as it is over (4) years old.

Cliff
Moderator, McAfee Volunteer
moukie (Level 7), Message 68 of 80

Re: Help... Artemis!56C9EF26F88B - ZeroAccess


Just an FYI for the engineers:  Without the FIREWALL the virus came back with a vengeance.  McAfee still DID NOT detect it; my other programs gave off warnings in an attempt to clean... my laptop finally crashed.   The only thing left for me to do was to reformat the hard drive and reinstall all the programs.  At least the firewall is back up.

I am currently looking for more powerful security programs, because McAfee isn't even recognizing there is a problem.  Right now, McAfee is running, and I am not sure what type of protection I am receiving from it.  I'm counting my losses and going back to freeware, which I know works.

Oh, and by the way, I lost everything!!!  Thanks McAfee!!!

spykou (Level 7), Message 69 of 80

Re: Help... Artemis!56C9EF26F88B - ZeroAccess


This virus is very malicious. Virus = "consrv.dll". It works like a dropper virus: it tries to invite bad friends to live in your computer.

On 32-bit operating systems it can disable all antivirus and protections, redirect web searches to advertising and spread quickly. A special removal tool has been created by another security company...

On 64-bit operating systems the virus does not work the same way, and the removal tool doesn't work on 64-bit operating systems. The virus tries endlessly to invite friends onto your computer; the firewall blocks them, but if you disable the firewall other viruses come onto your computer and the infection spreads and becomes more dangerous.

One of the antivirus products tested detected the file "consrv.dll" and deleted it, but after that the computer crashed at startup because this virus had infected the Windows registry too!

The infection is hidden under a primary key in the registry. You must restore this key, or modify it outside Windows with a live operating system from a boot live CD, to recover a clean registry before deleting the file "consrv.dll".

Or use a Windows restore point created before the infection to recover a clean registry, and finally delete the file "consrv.dll" afterwards.

The registry key modified by this threat is:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On
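The string above is the subsystem definition that csrss.exe is started with; the part the post does not show continues with ServerDll= entries naming the modules csrss loads, which is where a substituted DLL would appear. As an added example (not code from the thread or from McAfee), here is a Python parser that splits such a value into its fields and reports any ServerDll module not in a known-good baseline. The sample values are constructed: the clean one follows the default Windows 7 x64 layout, and the baseline set {basesrv, winsrv} is an assumption that has to be taken from a known-good machine of the same Windows version (Windows 8 and later ship a different module list). On a live system the value is read from the Windows value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems with reg query or PowerShell; that key path is general Windows knowledge, not something the thread states.

```python
"""Parse the csrss subsystem definition string and flag ServerDll modules
that are not in a known-good baseline.  Added example; the sample values
below are constructed, not copied from any machine in the thread."""

# Assumption: baseline taken from a known-good machine of the SAME Windows
# version.  basesrv and winsrv are the modules shipped with Windows 7.
KNOWN_GOOD_SERVER_DLLS = {"basesrv", "winsrv"}

# Constructed sample following the default Windows 7 x64 layout.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16"
)
# Constructed sample in which the console ServerDll points at a module that
# is not part of Windows (named after the file the thread discusses).
SUSPECT_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)


def parse_subsystem_value(value):
    """Split the value into the csrss image path, scalar options and the
    list of ServerDll entries.  A ServerDll token has the form
    module[:entrypoint],index; the module name is what gets compared."""
    tokens = value.split()
    result = {"image": tokens[0], "options": {}, "server_dlls": []}
    for tok in tokens[1:]:
        key, _, raw = tok.partition("=")
        if key != "ServerDll":
            result["options"][key] = raw
            continue
        spec, _, index = raw.rpartition(",")      # index is the trailing ",N"
        module, _, entry = spec.partition(":")    # optional ":EntryPoint"
        result["server_dlls"].append({
            "module": module.lower(),
            "entrypoint": entry or None,
            "index": int(index),
        })
    return result


def unexpected_server_dlls(value, baseline=KNOWN_GOOD_SERVER_DLLS):
    """Return ServerDll module names not in the baseline (empty when clean)."""
    parsed = parse_subsystem_value(value)
    return [d["module"] for d in parsed["server_dlls"] if d["module"] not in baseline]


if __name__ == "__main__":
    for label, val in (("clean", CLEAN_VALUE), ("suspect", SUSPECT_VALUE)):
        print(label, "->", unexpected_server_dlls(val) or "no unexpected ServerDll")
```

A non-empty result is a lead, not a verdict: confirm the flagged module actually exists on disk under system32 and check its signature and hashes before treating it as the file the thread describes.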

Re: Help... Artemis!56C9EF26F88B - ZeroAccess


Just in case another copy of the files from c:\windows\assembly\tmp\U will help, here are mine.