consrv.dll, Google Redirects, Removal = Unable to boot


#1 gladoscc


  • Members
  • 1 posts
  • Local time:03:00 AM

Posted 19 December 2011 - 11:05 PM

I have got the consrv.dll malware (MSE calls it sirefef.B). It's from Microsofto <_<

MSE can detect it along with Navihelper, as well as Sirefef.D, E, K, C. After removing all malware, I am unable to start Windows. Safe mode gives me a brief blue screen and reboot. I had to use startup repair. That restored it back to infected.

I googled for a bit, noticed that google.com/url requests are being hijacked to mediashifting. Found that "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems" Windows key has a reference to consrv.dll. Removed it, reboot...

Windows not starting again. Startup repair'd again, back to infected state. This time, I checked more carefully, it doesn't matter if I change consrv to winsrv. It resets right back. The malware must be monitoring this registry and won't let me change it.

I think this is because windows loads the DLL into memory, so that even when MSE has suspended/removed it, it is still in memory and executing. I cannot use safe mode, as I get BSoD. I can't change the registry as the virus changes it back.

How do I get rid of the malware? Thanks.

EDIT: I have noticed that in system restore there is a new user called ASPNET. I think this might have to do with the malware?

EDIT2: After reading http://www.bleepingcomputer.com/forums/topic400730.html/page__st__15, apparently I need to use Kaspersky Virus Removal Tool (paraphrased?) However, MSE already removed the dll, and I'm worried that the tool won't detect it and I have to system restore again. I have a fear of system restore, due to one time where it wiped my data, and I want to do it as little as possible -- what should I do?

EDIT3: ARRGG MSE is conflicting with Kaspersky! I forgot to stop the realtime protection and now they are both stuck on the same file. :(

Edited by gladoscc, 19 December 2011 - 11:24 PM.



#2 tva


  • Members
  • 1 posts
  • Local time:03:00 AM

Posted 24 December 2011 - 09:52 AM

Did you find a solution in the meantime?
I'm having more or less the same problem.
It began with my laptop taking ages to start up.
After a couple of days Endpoint started showing infected files which it identified as Trojan Gen. Quarantined and removed, only to have more of the same coming back. Eventually my laptop failed to find any wifi network and I got a black screen and had to use system restore to get it running again. Now the Trojan Gen. warnings have stopped (Endpoint now says its file system autoprotect is not working properly anymore) and the mediashifting thing is going on.

#3 jerricho


  • Members
  • 1 posts
  • Local time:02:00 AM

Posted 05 January 2012 - 01:49 PM

I found a solution for this problem.

The problem is that the malware writes itself to the registry key named above:

The subkey it modifies is "Windows"


The fix was to copy the binary string from a non-infected computer and paste it into the registry with a remote registry editor (like Bart's PE).

Once I fixed that registry key the system would boot and everything was back to normal.

This is the correct key for Windows 7 64-bit:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Edited by jerricho, 05 January 2012 - 01:54 PM.
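The check below is an added example, not code from the thread or from BleepingComputer. It parses the Session Manager\SubSystems\Windows value that the posts above describe, lists every ServerDll entry, and flags any DLL that is not one of the three the stock Windows 7 x64 value references (basesrv, winsrv, sxssrv). The known-good string is the one jerricho quotes; the "infected" sample is constructed here by swapping the console server entry to consrv, which is the tampering gladoscc observed. The optional live read via winreg assumes the value lives under CurrentControlSet (the thread refers to ControlSet001; CurrentControlSet normally resolves to the active one).

```python
"""Inspect a Windows 'SubSystems\\Windows' registry value for unexpected ServerDll entries.

Added example for this thread, not the forum's or Microsoft's code.
"""
import re

# Known-good value for Windows 7 x64 as quoted in the thread.
KNOWN_GOOD_WIN7_X64 = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)

# Constructed sample of a tampered value: the console server entry points at
# consrv instead of winsrv, as described in the thread.
INFECTED_SAMPLE = KNOWN_GOOD_WIN7_X64.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

# Server DLLs a stock Windows 7 x64 value references.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# ServerDll=<dll>[:<init function>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)")


def parse_server_dlls(value):
    """Return (dll, init_function_or_None, index) for every ServerDll entry."""
    return [
        (m.group(1).lower(), m.group(2), int(m.group(3)))
        for m in SERVERDLL_RE.finditer(value)
    ]


def find_unexpected_server_dlls(value, expected=EXPECTED_SERVER_DLLS):
    """Sorted list of ServerDll names not in the expected set (empty when clean)."""
    return sorted({dll for dll, _, _ in parse_server_dlls(value) if dll not in expected})


def diff_against_baseline(value, baseline=KNOWN_GOOD_WIN7_X64):
    """Whitespace-token diff: which tokens are missing from / extra in the value."""
    cur, base = value.split(), baseline.split()
    return {
        "missing": [t for t in base if t not in cur],
        "extra": [t for t in cur if t not in base],
    }


def read_live_value():
    """On Windows, read the live value (unexpanded REG_EXPAND_SZ); None elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"  # assumed key path
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _kind = winreg.QueryValueEx(key, "Windows")
    return value


if __name__ == "__main__":
    live = read_live_value()
    for label, value in (("known-good", KNOWN_GOOD_WIN7_X64),
                         ("constructed infected", INFECTED_SAMPLE),
                         ("live", live)):
        if value is None:
            continue
        print(f"{label}: ServerDll entries = {parse_server_dlls(value)}")
        print(f"{label}: unexpected = {find_unexpected_server_dlls(value)}")
        print(f"{label}: diff vs baseline = {diff_against_baseline(value)}")
```

The baseline comparison only applies to Windows 7 x64; other versions carry different ServerDll lists, so compare against a value copied from a clean machine of the same build, as jerricho did, rather than against this constant.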
