
Windows 7 64 bit eset removed consrv.dll, can't get to login screen



#1 skyscrapper


Posted 11 January 2012 - 08:03 PM

Hello,

I have a Windows 7 64-bit laptop that had a virus, obviously, as it hid all the icons on the desktop and files. I ran Unhide, Malwarebytes and TDSSKiller and thought I got rid of it. But a new virus popped up a couple of days later, so I knew there had to be a rootkit that wasn't discovered before. When I ran ESET's online virus scanner, I didn't clear the check mark and it removed the virus-infected file. Unfortunately, I can't get back into it. I'm certain the registry thinks that file is required to start up. It boots, tries to repair, then boots and tries to repair.

I am able to get in using a Windows PE boot disk and I can get in using the Windows 7 startup disk, but I have no idea what I'm looking for. The file that was removed, as it shows in the ESET log, is C:\Windows\system64\consrv.dll. It says it's a Win64/Sirefef.E trojan. The file is no longer in that directory. (ESET cleaned by deleting - quarantined.)

Thanks

#2 skyscrapper


Posted 17 January 2012 - 05:06 PM

You can close this. I ended up fixing it myself.

Through Windows PE, I was able to load the hive from the laptop's system32\config directory. The Windows 7 registry is a little confusing now. There appear to be a couple of files named SYSTEM and one named SYSTEM.LOG2. The size of one of the files named SYSTEM is only 1K. The actual registry file is much larger. When loading an external hive, there is no CurrentControlSet, so I had to edit both ControlSet001 and ControlSet002.

Open the registry to HKLM\ControlSet001\Control\Session Manager\SubSystems; in the key Windows, look for the string consrv:ConServerDllInitialization,2. That consrv is calling the consrv.dll virus file. If the consrv.dll file gets removed, you won't be able to get back into the OS. Change consrv to winsrv and reboot. Make sure to change both ControlSets.

Edited by skyscrapper, 18 January 2012 - 04:47 PM.
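The check described in the post above, as an added example (not code from the thread or from any vendor): it parses the Session Manager\SubSystems\Windows value as you would export it from an offline SYSTEM hive, flags any ServerDll entry that is not one of the modules csrss loads on a clean Windows 7 system, and produces the repaired string with the console server pointed back at winsrv. The sample value and the allow list of known modules are constructed assumptions; compare the list against a known-clean machine of the same build before relying on it.

```python
import re

# Constructed sample of the SubSystems\Windows value in the hijacked state the
# thread describes: the console server entry points at consrv instead of winsrv.
HIJACKED_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)

# Modules csrss legitimately loads on Windows 7 (assumption: verify against a
# clean system of the same build before using this list as ground truth).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# ServerDll=<module>[:<entrypoint>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=([A-Za-z0-9_]+)(?::([A-Za-z0-9_]+))?,(\d+)")


def server_dlls(value):
    """Return (module, entrypoint, index) tuples parsed from the Windows value."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in SERVERDLL_RE.finditer(value)]


def suspicious_server_dlls(value):
    """Entries whose module is not in the allow list, e.g. the consrv hijack."""
    return [d for d in server_dlls(value)
            if d[0].lower() not in KNOWN_SERVER_DLLS]


def repair_console_server(value):
    """Point ConServerDllInitialization back at winsrv, as the post did by hand.

    Only the console-server entry is touched; every other token is left as-is
    so the repaired string can be written back to both ControlSets unchanged.
    """
    return re.sub(r"ServerDll=[A-Za-z0-9_]+:ConServerDllInitialization,",
                  "ServerDll=winsrv:ConServerDllInitialization,", value)


if __name__ == "__main__":
    for module, entry, idx in suspicious_server_dlls(HIJACKED_VALUE):
        print(f"suspicious ServerDll: {module}:{entry},{idx}")
    print(repair_console_server(HIJACKED_VALUE))
```

Run the check against the value from both ControlSet001 and ControlSet002 of the offline hive, since the post notes the loaded hive has no CurrentControlSet alias.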


#3 boopme


Posted 17 January 2012 - 09:57 PM

Thank you