
"gclunsf" started this thread

1

Thursday, January 5th 2012, 6:05am

TR/ATRAPS.Gen2 Trojan consrv.dll - Nasty son of a gun

Hello. I've been working on a friend's son's Toshiba Satellite L655 laptop, running Win 7 Home Premium 64-bit pre-SP1, which had gotten infected with a rootkit as well as a number of different viruses and malware. The particular problem with which I'm working now is the TR/ATRAPS.Gen2 Trojan where a module, consrv.dll, is involved. After a week of trying and trying to remove this thing after reading forum entry upon forum entry and trying a lot of different actions to manually remove it, I'm yelling calf-rope! I need your help, folks.

After I got the laptop from my friend, I looked at what it was doing. The box would boot into Windows but wouldn't do much more than that. This laptop had no firewall, antivirus, or anti-malware program protection of any kind, so it was wide open to infection. Rather than putting it on my home network, I connected its hard drive to my own system as an external USB-connected HDD, drive G:, and ran Avira Antivir 2012 Premium as well as Malwarebytes AntiMalware and SUPERAntiSpyware against it. Here were the findings of each:

Avira:
1) 'G:\Downloads\setup686724.exe' contained a virus or unwanted program 'TR/Crypt.ULPM.Gen' [trojan]
2) 'G:\Downloads\setup686724(1).exe' contained a virus or unwanted program 'TR/Crypt.ULPM.Gen' [trojan]
3) 'G:\Downloads\Software\FLVBlaster.exe' contained a virus or unwanted program 'TR/Spy.Gen4' [trojan]
4) 'G:\Downloads\Software\XvidSetup.exe' contained a virus or unwanted program 'TR/Spy.Gen4' [trojan]
5) 'G:\Program Files (x86)\Gamevance\gvtl.dll' contained a virus or unwanted program 'ADWARE/GameVance.A.242' [adware]
6) 'G:\Windows\assembly\GAC_32\Desktop.ini' contained a virus or unwanted program 'TR/ATRAPS.Gen2' [trojan]
7) 'G:\Windows\assembly\GAC_64\Desktop.ini' contained a virus or unwanted program 'TR/ATRAPS.Gen2' [trojan]
8) 'G:\Windows\assembly\temp\U\000000cf.@' contained a virus or unwanted program 'TR/Conedex.A' [trojan]
9) 'G:\Windows\System32\consrv.dll' contained a virus or unwanted program 'TR/ATRAPS.Gen2' [trojan]
All of the above files except those referenced in 6) and 7) were quarantined and removed. Avira couldn't remove the 2 desktop.ini files, so I manually deleted them.

Malwarebytes AntiMalware:
1) G:\Users\Owner\AppData\Local\Temp\2838.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
2) G:\Users\Owner\AppData\Local\Temp\42AC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
3) G:\Users\Owner\AppData\Local\Temp\FLVBlaster.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
4) G:\Users\Owner\AppData\Local\Temp\msimg32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
5) G:\Users\Owner\AppData\Local\Temp\nnnv0.2221524618338756.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
6) G:\Users\Owner\AppData\Local\Temp\ywx.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
7) G:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\786848a3-51e4d98c (Trojan.FakeAlert) -> Quarantined and deleted successfully.
8) G:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\2a521178-2cfbf33e (Rootkit.0Access) -> Quarantined and deleted successfully.
9) G:\Users\Owner\AppData\Roaming\privacy.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
10) G:\Users\Owner\Documents\mcsOGao.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
11) G:\Users\Owner\Downloads\Zwinky.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
12) G:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.

SUPERAntiSpyware:
1) Adware.Zugo - G:\PROGRAM FILES (X86)\SEARCH TOOLBAR\SEARCHTOOLBAR.DLL
2) Trojan.Agent/Gen-Koobface[Bonkers] - G:\USERS\OWNER\APPDATA\LOCAL\TEMP\TEMP1_DAROWSMINECRAFTBETA1.2_01[1].ZIP\DAROWSMINECRAFTINSTALLERV3.EXE
Both of these files were removed.

After running all of this, I disconnected the laptop's HDD from my system and reinstalled it into the laptop. I then tried to boot it, but it wouldn't come up either normally or in safe mode. It would get past the Windows logo and then the screen, including the cursor, would blank out and stay that way with no disk activity. I did try launching Win 7's startup repair facility as opposed to starting up Windows normally. The facility would get part of the way through its "loading Windows files" stage and then lock up. Given this was happening during boot, I had a suspicion the problem had to do with the Windows\System32\consrv.dll module. So I booted a Linux CD distribution on the laptop and restored the consrv.dll module. Sure enough, the machine booted right up. And this leads me to the problem I'm now having and for which I need serious help.

Though the machine boots up, both normally as well as in safe mode, I cannot execute any ".exe" apps. The system shows them all as having a ".6Ep" type. When I try to execute an exe app, I get a window saying "This file does not have a program associated with it for performing this action. Please install a program or, if one is already installed, create an association in the Default Programs control panel." As you can guess, this is pretty limiting. I can't run regedit. I can't run taskmgr. Thankfully, I can get Windows Explorer to come up as there's a Libraries icon on the desktop. I can also get Control Panel and some of its options to come up. However, if it needs an exe app to do a particular function, no dice.

I've read through the "[Solved] TR/Atraps.gen2 infected consrv.dll and desktop.ini" and "[Solved] TR/Atraps.gen2 infected conserv.dll" threads. Those seem to follow step-by-step instructions with interactions between you and the customer. So, what's my next step, guys? Should I start by downloading DDS and SystemLook and posting the results back into pastebin.com? Any help you can give me will be very gratefully appreciated.
Regards,
George Lunsford

marfabilis

Moderator

2

Thursday, January 5th 2012, 1:34pm

Hi gclunsf,

The main question here is that you're trying to fix a laptop belonging to third parties who were not using any products from Avira, using your own Avira. The purpose of the Avira Support Forum is to offer users of Avira Free Antivirus, Avira Antivirus Premium, Avira Internet Security, Avira Mobile and Avira Tools a free platform for help with technical problems. Sometimes, the Avira forum seems like a malware removal forum, but it is not. So, I really recommend a malware removal forum like Bleeping, Geeks to Go!, TechGuy etc. to address your problem. If the infection were on your own computer or a computer that already had Avira installed, it would agree with the purpose of the Avira Support Forum.

Marco

"gclunsf" started this thread

3

Friday, January 6th 2012, 9:50pm

Marfabilis, thank you so much for your prompt reply. I must confess that I'm disappointed with the answer you gave, but I certainly understand that you are trying to abide by the forum terms of use. So am I. You are absolutely correct that the laptop on which this problem occurred does not have any security software installed to protect it, thus it has not been running an Avira product. I can also understand your concern that this forum may be perceived as a malware removal forum. I certainly appreciate your volunteering the names of other forums you consider more appropriate for handling the problem I reported. I, too, am familiar with them as well as others. Your answer seems to me to be appropriate for what any moderator should express given their concentration on working with people whose problems are within the forum's scope. I can also appreciate you may not be in the employ of Avira, and are giving your own time to help others. Thank you for doing so.

However, I do have a few points to enunciate as to why I opened this thread in this forum and in this part of the forum:

1) While my friend's son's laptop was not running Avira at the time of the infection nor is yet running it, I did run my own copy of Avira Premium 2012 against that laptop's HDD as a first step toward correcting the issues the infection was causing. The Avira product was the product on my machine that dealt with the Trojan and module highlighted in this thread. Though I will not say the Avira product "mis-handled" the Trojan and the recovery process, the operating situation for the laptop did noticeably change as a result of the handling of the consrv.dll file. I will not repeat here how that went as that is already mentioned in my initial message. My point, though, is that the Avira product was involved in the current problem I'm now having. Whether Avira was present at the very beginning of the problem or it was involved in trying to correct the problem doesn't seem to me to be pertinent. The important thing is that it was involved.

2) As I understand the purpose of this "Viruses and other security risks" subforum to which I posted my thread, it is "All about Viruses, Trojans, Dialer, Ad- and Spyware". I'm failing to see that this was an inappropriate forum for the problem I'm having.

3) Reviewing the initial post of the "TR/Atraps.gen2 infected consrv.dll and desktop.ini" thread, which was one of the two threads I mentioned in my own initial post, belonging to the user Habsfan and which was worked through with the moderator Farger, it reads as follows:

"I am trying to fix a computer for a friend. They had no virus scanners and no protection from spyware/malware installed. It is a Windows Vista 64bit PC. When I first got it, I suspected malware and ran rkill, tdskiller, and Malware Bytes which found and removed over 500 entries. I then installed Avira and that found 27 entries which I can't remember what it found. I can try to search my history to find it if you need it.

Now as to where I'm at now. I ran avira again after cleaning up everything and it found tr/atraps.gen2 which infected desktop.ini in 2 places and c:\windows\system32\consrv.dll. This has been causing quite a headache. I tried deleting the 3 files but after reboot, Windows does a repair which fails and then does a restore and I can finally get back to Windows, but re-infected.

I tried replacing the consrv registry entry with winsrv but it keeps coming back immediately (not even after a reboot). I tried it in safe mode also. I also ran rkill, tdskiller, and Avira prior to editing the registry after Avira deletes the files. The consrv entry keeps coming back. Also, every time I delete these files, and reboot, Windows attempts a repair which always fails, then it does a restore which also says it failed, but then it does ultimately load after a reboot."

In the reply by Farger there was no hesitation to help this user. Farger immediately gave Habsfan instructions as to how to proceed collecting the data necessary to start the problem correction process. Perhaps I'm misreading Habsfan's initial post, but I'm failing to see how the situation and the conditions under which this user reported their problem differed appreciably from my own. Habsfan received the help needed to correct the problem. Yet, I'm being told I am to receive no help. This seems inconsistent.

4) I'm a very conscientious user of forums. In my time of involvement in computing, which goes back many, many years, I have never posted to any forum unless I could either help someone or I could not fix the problems I was handling myself. I doubt I have posted to any forum more than 3 or 4 times including this thread. My practice is always to consult several forums, knowledgebases and vendor sites to try to find the solution and use it as posted while not bothering forum users, moderators, etc. by a useless thread when the answer is already there. In this particular case after having run many, many searches over about a week's time, I came to the conclusion I needed to post in this forum because it contained 2 threads for very similar problems which were solved. Having read those threads carefully before I posted, it was obvious that the solutions were not one particular set of instructions for running a procedure to fix the problem. Rather each thread was solved using unique interactions between the user and the moderator where certain programs needed to be installed and run to collect data which the moderator needed to determine the next course of action.

In conclusion I have turned to that resource on the Internet which I believed could help me most. I turned to this forum because of the help I saw two other users, with very similar problems, receive to successfully correct the problem. I also turned to this forum due to the expertise I saw clearly demonstrated by the moderators, you being one of them, in assisting these users. I did not see entries in other forums that better matched the problem I'm having. I would very much appreciate if you would reconsider my request for help. I can assure you I'm very knowledgeable and can promptly perform those instructions I expect you will give me to correct the problem.
Regards,
George Lunsford
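As an added offline triage example (not code from this thread, from Avira, or from the tools mentioned here), the script below checks the two registry values behind the symptoms reported in this thread: the csrss ServerDll line in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows, which the quoted Habsfan post describes as pointing at consrv instead of winsrv, and the .exe file association that post 1 reports as broken. It assumes the value strings have already been copied out of the (offline-loaded) hive, for instance with reg query; the sample values are constructed, not taken from the laptop in this thread.

```python
"""Offline triage of two registry values tampered with in this kind of infection.

Inputs are plain value strings pulled from the hive (assumption: via reg load /
reg query on a responder's machine); every sample below is constructed.
"""
import re

# Subsystem server DLLs that a stock Windows 7 csrss startup line references.
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed sample of the SubSystems\Windows value (stock Windows 7 layout).
CLEAN_SUBSYSTEMS = ("%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
                    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
                    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
                    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
                    "ProfileControl=Off MaxRequestThreads=16")
# Constructed sample of the same value after the console server DLL is redirected.
TAMPERED_SUBSYSTEMS = CLEAN_SUBSYSTEMS.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2")


def unexpected_server_dlls(subsystems_value):
    """Return ServerDll module names that are not in the stock set.

    A non-empty result means csrss is told to load a foreign DLL from System32
    at boot, which is why removing that DLL without fixing this value can leave
    the machine unbootable, as post 1 describes."""
    names = re.findall(r"ServerDll=([A-Za-z0-9_]+)", subsystems_value)
    return [n for n in names if n.lower() not in KNOWN_SERVER_DLLS]


def exe_association_broken(ext_default, open_command):
    """Check the two values behind launching an .exe and list any findings.

    HKCR\\.exe (Default) should be 'exefile' and
    HKCR\\exefile\\shell\\open\\command (Default) should be '"%1" %*'.
    An empty list means the association is intact."""
    findings = []
    if ext_default.strip().lower() != "exefile":
        findings.append(f".exe is mapped to {ext_default!r} instead of 'exefile'")
    if open_command.strip() != '"%1" %*':
        findings.append(f"exefile open command is {open_command!r}, expected '\"%1\" %*'")
    return findings


if __name__ == "__main__":
    print(unexpected_server_dlls(CLEAN_SUBSYSTEMS))     # []
    print(unexpected_server_dlls(TAMPERED_SUBSYSTEMS))  # ['consrv']
    # Constructed: .exe handler redirected to a foreign type, as ".6Ep" files suggest.
    print(exe_association_broken("6Epfile", '"%1" %*'))
```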

marfabilis

Moderator

4

Friday, January 6th 2012, 10:28pm

Hi gclunsf,

1) Actually, you're not having a problem; you're trying to fix a computer just by moving the HDD to your machine, which significantly reduces the disinfection process and consequently also the registry repair process.

2) The forum purpose is very clear. This is the Avira Support forum for Avira's users, and the infected machine never even had any product from Avira installed.

3) If you find another thread where help was provided by me under such conditions, please let me know. I'm consistent about this matter.

4) Similar issues don't mean similar solutions. So, please contact a malware removal forum to solve your question.

Marco