MSE can detect it along with Navihelper, as well as Sirefef.D, E, K, C. After removing all malware, I am unable to start Windows. Safe mode gives me a brief blue screen and reboot. I had to use startup repair. That restores it back to infected.
I googled for a bit and noticed that google.com/url requests are being hijacked to mediashifting. Found that the "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems" Windows key has a reference to consrv.dll. Removed it, rebooted...
Windows not starting again. Startup repaired again, back to infected state. This time I checked more carefully: it doesn't matter if I change consrv to winsrv, it resets right back. The malware must be monitoring this registry key and won't let me change it.
I think this is because Windows loads the DLL into memory, so that even when MSE has suspended/removed it, it is still in memory and executing. I cannot use safe mode, as I get a BSoD. I can't change the registry as the virus changes it back.
How do I get rid of the malware? Thanks.
EDIT: I have noticed that in system restore there is a new user called ASPNET. I think this might have to do with the malware?
EDIT2: After reading http://www.bleepingcomputer.com/forums/topic400730.html/page__st__15, apparently I need to use Kaspersky Virus Removal Tool (paraphrased?). However, MSE already removed the dll, and I'm worried that the tool won't detect it and I'll have to system restore again. I have a fear of system restore, due to one time where it wiped my data, and I want to do it as little as possible -- what should I do?
EDIT3: ARRGG MSE is conflicting with Kaspersky! I forgot to stop the realtime protection and now they are both stuck on the same file.
Edited by gladoscc, 19 December 2011 - 11:24 PM.
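The post above checks one control set by hand for a ServerDll entry that points at consrv.dll. The following PowerShell script is an added example, not part of the original post or of any tool it mentions: it reads the `Windows` value under `Control\Session Manager\SubSystems` in every control set and flags any `ServerDll=` entry that is not one of the two Windows-supplied server DLLs. The known-good list (`basesrv`, `winsrv`) is an assumption for Windows 7 era systems and should be confirmed against a clean machine of the same build.

```powershell
# Added example (not from the original post): audit the CSRSS server DLL list in every control set.
# Assumption: on a clean Windows 7 system the only ServerDll= names are basesrv and winsrv.
$knownGood = @('basesrv', 'winsrv')

function Get-SubsystemServerDlls {
    param([string]$KeyPath)
    # The 'Windows' value is a single REG_EXPAND_SZ command line for csrss.exe; it contains
    # tokens such as ServerDll=winsrv:UserServerDllInitialization,3 -- we keep only the DLL name.
    $item = Get-ItemProperty -Path $KeyPath -Name 'Windows' -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    [regex]::Matches($item.Windows, 'ServerDll=([^:,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}

# Walk ControlSet001, ControlSet002, ... and CurrentControlSet so a reverted or alternate set is not missed.
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' }

foreach ($cs in $controlSets) {
    $key  = Join-Path $cs.PSPath 'Control\Session Manager\SubSystems'
    $dlls = Get-SubsystemServerDlls -KeyPath $key
    if ($dlls.Count -eq 0) {
        Write-Warning "$($cs.PSChildName): SubSystems\Windows value missing or unreadable"
        continue
    }
    foreach ($dll in $dlls) {
        if ($knownGood -notcontains $dll) {
            Write-Warning "$($cs.PSChildName): unexpected ServerDll '$dll' in SubSystems\Windows"
        } else {
            Write-Output  "$($cs.PSChildName): ServerDll '$dll' OK"
        }
    }
}
```

Because the post describes the value being rewritten while the infected system is running, the more reliable reading comes from the offline hive: boot a recovery environment, load the SYSTEM hive with `reg load HKLM\OfflineSystem D:\Windows\System32\config\SYSTEM`, and point the script at `HKLM:\OfflineSystem` instead of `HKLM:\SYSTEM`. Any flagged entry is a finding to hand to the removal tool, not something to edit by hand while the DLL is still loaded.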