
Google Redirect won't die


4 replies to this topic

#1 Breadman


Posted 12 July 2011 - 01:28 PM

Hello everyone! I've been a bleepingcomputer reader for a couple years now, following your excellent advice offered to other users. This is my first time asking directly for help. I am at my wit's end!

Running Windows 7 64 bit.

Recently contracted the Google redirect virus. Performing any search on Google, Yahoo, Bing, etc. and then clicking on a link will redirect me, displaying "100ksearches.com" in the bottom right corner of Firefox, after which a spam site loads. I am able to work around the virus by copying the link location and pasting it into my address bar. No other symptoms, just an irritating inconvenience.

After 2 days of searching, reading, and trying to fix my system, I have narrowed it down to a single issue. Using rkill, malwarebytes, cclean, spybot s&d, adaware, kaspersky, hijackthis, or tdsskiller all return no results and claim my system is fine. Using Avast, I am able to find three "consrv.dll" files, two in the System32 file (seemingly the same file returning two results?), and one in System64. In order for Avast to delete these files, it requests a reboot. However, after rebooting, my computer displays the Windows 7 loading screen (with the colored orbs morphing into the Windows logo), then turns black, and restarts. I am then able to enter repair services from the F8 boot menu, and perform a system restore, which also brings back the redirect virus.

In an earlier thread on this forum, someone posted a path to a Windows registry key (I know you're not supposed to post them on this forum, but he was on to something!). In this key, the virus changed a line which reads "winsrv" to "consrv". The person said that upon changing the "consrv" back to "winsrv" in the string, they were finally able to successfully reboot after deleting the consrv.dll infection. However, I am unable to change the value on the string - after clicking "ok" on the value entry field, everything seems to work, but upon inspecting the value again, the one section has changed back to "consrv"! I am able to rename, change values, permissions, etc., on any other key, just not this one! I have tried editing the value in safe mode, as well as safe mode and using regedt32 "as an administrator", and no luck. Any ideas? Pulling my hair out on this one - so much effort just to remove an inconvenience :( I would greatly appreciate any advice anyone may have.

Edited by Breadman, 12 July 2011 - 01:42 PM.




#2 Djwhisky


Posted 12 July 2011 - 04:33 PM

Just had the same problem my end... Luckily I hadn't restarted the computer since the redirects were happening. On restarting, the computer wouldn't load past the orbs... Safe mode wouldn't work and nor would the repair tool, but the Last Known Good Configuration did work!!

#3 Breadman


Posted 12 July 2011 - 04:36 PM

Thanks for the reply - just came back to this to post I DID get it fixed!!!

I ran rkiller (no results), followed by running TDSSkiller from the desktop as administrator. Then I ran the LATEST (just installed a new version 7 mins ago) of the Kaspersky Virus Removal Tool - it detected the consrv.dll, deleted it, and the registry key magically reverted itself to the correct value!

#4 Ben Seeman


Posted 13 July 2011 - 12:09 AM

Thanks for this! I ran rkill and then tdsskiller a couple of times each and this annoying bug is now gone. It just showed up today.

#5 02befree


Posted 03 September 2011 - 12:16 PM

Been working on this for a day or so now. Much the same problem on a Win 7 64-bit PC.

Started out with Security Protection Fake AV and removed it with MBAM (I think I had to do it in Safe Mode).
The AV software was expired so I ran Microsoft Security Essentials and it found the consrv.dll and removed it -- of course, as many have found, when it's deleted it won't reboot and you have to do a System Restore to get it up and running and then you're back in the same boat.
I did the registry tweak regarding the winsrv/consrv swap and when I couldn't change the registry entry, I deleted consrv.dll from the system32 folder, then it let me make the change. Rebooted and again, no boot, and had to system restore.
Downloaded the latest Kaspersky Virus Removal Tool and ran it - found another file desktop.ini in the GAC folder (that's a new one) and again, wouldn't reboot.
This is painful. Wish the Kaspersky would work for me like it did for you. Will try a few things I've seen on other BleepingComputer posts.



