
consrv.dll found Can't run programs.


  • This topic is locked
9 replies to this topic

#1 Thisisb

Thisisb

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 01 February 2012 - 10:39 PM

Hi, I need help with fixing my computer.
While I was using a proxy on Mozilla, Mozilla suddenly froze and my computer crashed.
When I restarted, none of my programs worked or ran except for a few.
Pictures won't open, and neither will internet, Mozilla, Chrome, installed programs or games.
Programs that open: Paint, Word doc and Microtrend.
I scanned my computer with Microtrend with the latest update but it found nothing.
I tried scanning with Windows Defender but I got an error code 0x80070424.
The only way I can open up Internet Explorer is by clicking on Microtrend's "renew license code". I don't know how they do it, but it got Explorer to open to their purchase site.
I googled it and found out that it's very possible that I'm infected with consrv.dll. I searched for consrv.dll on my computer to see if it exists, and it does!
System restore didn't fix anything. I tried at least 3 different restore points and had no luck.
Safe mode didn't allow me to run any anti-spyware programs.
I even tried removing the main suspect 'Consrv.dll' manually. However, it led to boot failure leading to system restore.

I can't install any new programs like Malwarebytes or other anti-spyware programs.

Can you help me? This is a big mess.

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:14 PM

Posted 01 February 2012 - 11:24 PM

Can you open the Task Manager?
Reboot into Safe Mode with Networking
How to start Windows 7 in Safe Mode

Open the Task Manager by pressing Ctrl + Shift + Esc on your keyboard or by right-clicking the Start Menu bar and selecting Task Manager.

Make sure that the Show processes from all users box is selected at the bottom left-hand corner of the window.
Click on Image Name; this sorts the column alphabetically. The process at the top of the list should look like this if it's ZeroAccess: 3203397148:3809022017.exe (random numbers)
Or one like this:
<random name>.exe
Highlight and stop both if there are 2.

Now hopefully we can run these.

Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into the system disk (it is usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Thisisb

Thisisb
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 01 February 2012 - 11:53 PM

I logged into safe mode and did exactly what you said about opening up the Task Manager and processes, but random couldn't be found.
I took a screenshot of it.
Safemode still didn't allow me to run any program. I would try to run it and nothing happens.
Posted Image

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:14 PM

Posted 02 February 2012 - 12:01 AM

Is there another user account on here that you can log into? Sometimes you can run the tools from there. If so, use the FULL not Quick scan with MBAM.

Else we may need to run the Avira AntiVir Rescue System

Please download the Avira AntiVir Rescue System.

Place a blank CD in your burner and double-click on the rescue system package (rescuecd.exe) to burn it to a CD/DVD which you can then use to boot your computer and run a scan. For detailed instructions, refer to the Tutorial for Avira Rescue CD. If you encounter problems running Avira AntiVir Rescue System, you can get further assistance at the Avira Tools Support Forum.


Sorry I have to leave now, but will look back early if I can.

#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:14 PM

Posted 02 February 2012 - 08:03 AM

Let's give it a try. You will need a USB flash drive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 Thisisb

Thisisb
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 02 February 2012 - 06:03 PM

Thanks for all the help.
Trend Micro found it and deleted it, but now it's almost the same as me manually deleting it, since I'm unable to restart and have to do system restore again.
I'll try the other methods in an hour or so. I'll let you know what happens.
So my computer still crashes after deleting "consrv.dll" with Trendmicro (antivirus program).
Should I still try the other programs?

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:14 PM

Posted 02 February 2012 - 09:27 PM

Let me know what you can't understand on Post 5.



#8 Thisisb

Thisisb
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 02 February 2012 - 10:48 PM

I don't have a thumb drive or any blank CDs. I'm sorry that I'm asking for help when I don't have the appropriate tools to make it easier.
I know what I have: it's consrv.dll.
I tried deleting it and even editing the registry. The problem is consrv.dll attaches its values to the Windows subsystem, so when I delete it, it won't let me boot.
I tried changing the registry but it changes itself back.
This:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

This value is wrong, and it's the reference to consrv which is generating your c0000135 stop error. Instead, change it to:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

but it's still changing back after I check.
I'm sorry about not following the directions given so far, because I can't do any of them at this point.
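
Added example, not part of the original posts and not code from any participant: a read-only Python check that splits the subsystem command line quoted in post #8 into its ServerDll entries and reports any module outside the set seen in the corrected value. The allowlist (basesrv, winsrv, sxssrv) is taken from that corrected string and is an assumption; the function and variable names are hypothetical.

```python
import re

# Modules named in the corrected value quoted in the post. Using them as the
# allowlist is an assumption of this example; other Windows versions may differ.
EXPECTED_MODULES = {"basesrv", "winsrv", "sxssrv"}

# One token looks like: ServerDll=<module>[:<init function>],<id>
SERVERDLL_RE = re.compile(r"ServerDll=([^\s:,]+)(?::([^\s,]+))?,(\d+)", re.I)


def parse_server_dlls(value):
    """Return (module, init_function_or_None, id) for every ServerDll token."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in SERVERDLL_RE.finditer(value)]


def unexpected_server_dlls(value, expected=EXPECTED_MODULES):
    """Return the ServerDll entries whose module is not on the allowlist."""
    return [e for e in parse_server_dlls(value) if e[0].lower() not in expected]


# Shared head and tail of the two strings quoted in the post.
_HEAD = (r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
         "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
         "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ")
_TAIL = " ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"
MODIFIED = _HEAD + "ServerDll=consrv:ConServerDllInitialization,2" + _TAIL
CORRECTED = _HEAD + "ServerDll=winsrv:ConServerDllInitialization,2" + _TAIL

if __name__ == "__main__":
    for label, value in (("modified", MODIFIED), ("corrected", CORRECTED)):
        print(label, unexpected_server_dlls(value) or "no unexpected ServerDll")
```

The check only reads a pasted string, so it can be run on another machine against a value copied out of a log without touching the affected system.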

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:14 PM

Posted 03 February 2012 - 01:17 AM

You have a difficult infection to handle. It is called ZeroAccess. If you continue to fiddle with the registry and file system, I won't be able to help you. Pretty soon your computer will become unbootable. A flash drive is inexpensive if you value your system.



#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:14 PM

Posted 10 March 2012 - 07:22 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!





