BleepingComputer.com: Google Redirect won't die

#1 Breadman

Posted 12 July 2011 - 01:28 PM

Hello everyone! I've been a bleepingcomputer reader for a couple years now, following your excellent advice offered to other users. This is my first time asking directly for help. I am at my wit's end!

Running Windows 7 64 bit.

Recently contracted the Google redirect virus. Performing any search on Google, Yahoo, Bing, etc. and then clicking on a link will redirect me, displaying "100ksearches.com" in the bottom right corner of Firefox, after which a spam site loads. I am able to work around the virus by copying the link location and pasting it into my address bar. No other symptoms, just an irritating inconvenience.

After 2 days of searching, reading, and trying to fix my system, I have narrowed it down to a single issue. Using RKill, Malwarebytes, CCleaner, Spybot S&D, Ad-Aware, Kaspersky, HijackThis, or TDSSKiller all return no results and claim my system is fine. Using Avast, I am able to find three "consrv.dll" files, two in the System32 file (seemingly the same file returning two results?), and one in System64. In order for Avast to delete these files, it requests a reboot. However, after rebooting, my computer displays the Windows 7 loading screen (with the colored orbs morphing into the Windows logo), then turns black, and restarts. I am then able to enter repair services from the F8 boot menu, and perform a system restore, which also brings back the redirect virus.

In an earlier thread on this forum, someone posted a path to a Windows registry key (I know you're not supposed to post them on this forum, but he was on to something!). In this key, the virus changed a line which reads "winsrv" to "consrv". The person said that upon changing the "consrv" back to "winsrv" in the string, they were finally able to successfully reboot after deleting the consrv.dll infection. However, I am unable to change the value on the string - after clicking "OK" on the value entry field, everything seems to work, but upon inspecting the value again, the one section has changed back to "consrv"! I am able to rename, change values, permissions, etc., on any other key, just not this one! I have tried editing the value in safe mode, as well as safe mode and using regedt32 "as an administrator", and no luck. Any ideas? Pulling my hair out on this one - so much effort just to remove an inconvenience :( I would greatly appreciate any advice anyone may have.

This post has been edited by Breadman: 12 July 2011 - 01:42 PM


#2 Djwhisky

Posted 12 July 2011 - 04:33 PM

Just had the same problem my end... Luckily I hadn't restarted the computer since the redirects were happening. On restarting, the computer wouldn't load past the orbs... Safe mode wouldn't work and nor would the repair tool, but the Last Known Good Configuration did work!!

#3 Breadman

Posted 12 July 2011 - 04:36 PM

Thanks for the reply - just came back to this to post I DID get it fixed!!!

I ran rkiller (no results), followed by running TDSSkiller from the desktop as administrator. Then I ran the LATEST (just installed a new version 7 mins ago) of the Kaspersky Virus Removal Tool - it detected the consrv.dll, deleted it, and the registry key magically reverted itself to the correct value!

#4 Ben Seeman

Posted 13 July 2011 - 12:09 AM

Thanks for this! I ran rkill and then tdsskiller a couple of times each and this annoying bug is now gone. It just showed up today.

#5 02befree

Posted 03 September 2011 - 12:16 PM

Been working on this for a day or so now. Much the same problem on a Win 7 64-bit PC.

Started out with Security Protection Fake AV and removed it with MBAM (I think I had to do it in Safe Mode).
The AV software was expired so I ran Microsoft Security Essentials and it found the consrv.dll and removed it -- of course, as many have found, when it's deleted it won't reboot and you have to do a System Restore to get it up and running, and then you're back in the same boat.
I did the registry tweak regarding the winsrv/consrv swap and when I couldn't change the registry entry, I deleted consrv.dll from the system32 folder, then it let me make the change. Rebooted and again, no boot, and had to system restore.
Downloaded the latest Kaspersky Virus Removal Tool and ran it - found another file desktop.ini in the GAC folder (that's a new one) and again, wouldn't reboot.
This is painful. Wish the Kaspersky would work for me like it did for you. Will try a few things I've seen on other BleepingComputer posts.
