Running Windows 7 64-bit.
Recently contracted the Google redirect virus. Performing any search on Google, Yahoo, Bing, etc. and then clicking on a link will redirect me, displaying "100ksearches.com" in the bottom right corner of Firefox, after which a spam site loads. I am able to work around the virus by copying the link location and pasting it into my address bar. No other symptoms, just an irritating inconvenience.
After 2 days of searching, reading, and trying to fix my system, I have narrowed it down to a single issue. Using RKill, Malwarebytes, CCleaner, Spybot S&D, Ad-Aware, Kaspersky, HijackThis, or TDSSKiller all return no results and claim my system is fine. Using Avast, I am able to find three "consrv.dll" files, two in the System32 file (seemingly the same file returning two results?), and one in System64. In order for Avast to delete these files, it requests a reboot. However, after rebooting, my computer displays the Windows 7 loading screen (with the colored orbs morphing into the Windows logo), then turns black, and restarts. I am then able to enter repair services from the F8 boot menu and perform a system restore, which also brings back the redirect virus.
In an earlier thread on this forum, someone posted a path to a Windows registry key (I know you're not supposed to post them on this forum, but he was on to something!). In this key, the virus changed a line which reads "winsrv" to "consrv". The person said that upon changing the "consrv" back to "winsrv" in the string, they were finally able to successfully reboot after deleting the consrv.dll infection. However, I am unable to change the value on the string - after clicking "OK" on the value entry field, everything seems to work, but upon inspecting the value again, the one section has changed back to "consrv"! I am able to rename, change values, permissions, etc., on any other key, just not this one! I have tried editing the value in safe mode, as well as safe mode and using regedt32 "as an administrator", and no luck. Any ideas? Pulling my hair out on this one - so much effort just to remove an inconvenience. I would greatly appreciate any advice anyone may have.
Edited by Breadman, 12 July 2011 - 01:42 PM.