Some people are getting issues with system stuck on launch startup repair and loss of connectivity after using Hitman pro to remove a file called consrv.dll detected as malware. I included instructions which worked for me. Good luck using these. Needless to say you have to remove all other malware before proceeding with these instructions
Google redirect: consrv.dll Nobelsearchsystem.com, get-fast-answers.com, surveyprizecenter Consrv.dll deletion causing loss of internet connectivity and No boot on 64 bit windows.
Consrv.dll is an infected dropper for zeroaccess MAXSS to corrupt DNS settings and redirect searches. Deleting the file using hitman pro will remove the file but alerts the Zaccess tripwire and hence does not let the computer go beyond the boot screen without launching startup repair in windows vista and 7. If the tripwire fails internet connectivity is lost. Using the Kaspersky Virus removal tool in full scan has proved effective. To fix it manually however, we will need to first disable the tripwire by resetting its autostart.
The driver runs off the registry key
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows”
Heres a screeshot taken off an infected machine.
On opening the windows entry the infected machine had the data.
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=consrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Whereas a clean machine has the data %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Therefore should you happen to notice a consrv.dll showing up in Hitman Pro.
First change the ServerDll entry to winsrv if it is Windows vista
And sxssrv if it is windows 7.
Then use Kaspersky virus removal tool to do a full scan and remove it.
The infected modules have been found by researchers to be stored in the windir\system32\config folder and
The windir\assembly folder.
Use an effective antivirus to scan all modules thoroughly and double check before falling for false positives.
Update Java and Flash player to avoid further exploits.
For more info and detailed analysis: http://www.dataprotectioncenter.com/antivirus/kaspersky/max-sets-its-sights-on-x64-platforms/
http://weirdwindowsfixes.blogspot.com
Tausif
Google redirect: consrv.dll Nobelsearchsystem.com, get-fast-answers.com, surveyprizecenter Consrv.dll deletion causing loss of internet connectivity and No boot on 64 bit windows.
Consrv.dll is an infected dropper for zeroaccess MAXSS to corrupt DNS settings and redirect searches. Deleting the file using hitman pro will remove the file but alerts the Zaccess tripwire and hence does not let the computer go beyond the boot screen without launching startup repair in windows vista and 7. If the tripwire fails internet connectivity is lost. Using the Kaspersky Virus removal tool in full scan has proved effective. To fix it manually however, we will need to first disable the tripwire by resetting its autostart.
The driver runs off the registry key
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows”
Heres a screeshot taken off an infected machine.
On opening the windows entry the infected machine had the data.
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=consrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Whereas a clean machine has the data %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Therefore should you happen to notice a consrv.dll showing up in Hitman Pro.
First change the ServerDll entry to winsrv if it is Windows vista
And sxssrv if it is windows 7.
Then use Kaspersky virus removal tool to do a full scan and remove it.
The infected modules have been found by researchers to be stored in the windir\system32\config folder and
The windir\assembly folder.
Use an effective antivirus to scan all modules thoroughly and double check before falling for false positives.
Update Java and Flash player to avoid further exploits.
For more info and detailed analysis: http://www.dataprotectioncenter.com/antivirus/kaspersky/max-sets-its-sights-on-x64-platforms/
http://weirdwindowsfixes.blogspot.com
Tausif
No comments:
Post a Comment