
Google Redirect removal Consrv.dll Zeroaccess on 64 bit systems

Some people are running into systems stuck in Startup Repair on boot, or losing network connectivity, after using Hitman Pro to remove a file called consrv.dll that is detected as malware. Below are the instructions that worked for me. Good luck using them. Needless to say, you have to remove all other malware before proceeding with these instructions.
Google redirect: consrv.dll, Nobelsearchsystem.com, get-fast-answers.com, surveyprizecenter. Consrv.dll deletion causing loss of internet connectivity and no boot on 64-bit Windows.
Consrv.dll is an infected dropper for ZeroAccess (Max++) that corrupts DNS settings and redirects searches. Deleting the file with Hitman Pro removes it, but that trips the ZeroAccess tripwire, so the computer cannot get past the boot screen without launching Startup Repair on Windows Vista and 7. If the tripwire fails, internet connectivity is lost instead. Running the Kaspersky Virus Removal Tool in full-scan mode has proved effective. To fix it manually, however, we first need to disable the tripwire by resetting its autostart.
The infected module is loaded through the registry key
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows"
Here's a screenshot taken from an infected machine.
Opening the Windows value on the infected machine showed the following data:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=consrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Whereas a clean machine has the data:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
The only difference is the module named in the UserServerDllInitialization entry: consrv on the infected machine, winsrv on the clean one.
Therefore, should you happen to see consrv.dll showing up in Hitman Pro:
First, change the ServerDll entry to winsrv if it is Windows Vista, and sxssrv if it is Windows 7.
Then use the Kaspersky Virus Removal Tool to do a full scan and remove it.
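The registry check above, as an added PowerShell example that is not part of the original post: it parses the csrss.exe subsystem value, flags any ServerDll module other than the basesrv/winsrv/sxssrv set the clean value shows, and with the script's own -Fix switch restores the UserServerDllInitialization entry to winsrv after backing the key up. It assumes an elevated PowerShell on the affected 64-bit Vista/7 host.

```powershell
# Added example (not from the original post). Audits the SubSystems\Windows value
# and optionally restores the clean winsrv entry BEFORE the dropper file is deleted,
# so csrss.exe is not left pointing at a missing module at the next boot.
param([switch]$Fix)   # -Fix is this script's own option

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$key     = Get-Item -Path $keyPath

# Read the REG_EXPAND_SZ without expanding %SystemRoot%, so a rewrite preserves it.
$data = $key.GetValue('Windows', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

# Known-good modules, per the clean value quoted in the post.
$knownGood = 'basesrv', 'winsrv', 'sxssrv'

# Each token looks like: ServerDll=<module>[:<entrypoint>],<index>
$tokens = [regex]::Matches($data, 'ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)')
$bad = foreach ($m in $tokens) {
    if ($knownGood -notcontains $m.Groups[1].Value.ToLower()) {
        [pscustomobject]@{
            Module     = $m.Groups[1].Value
            EntryPoint = $m.Groups[2].Value
            Index      = $m.Groups[3].Value
        }
    }
}

if (-not $bad) {
    Write-Output "SubSystems\Windows is clean: $($tokens.Count) ServerDll entries, all known-good."
    return
}

Write-Warning 'Unexpected ServerDll module(s) configured to load into csrss.exe:'
$bad | Format-Table -AutoSize

if ($Fix) {
    # Back up the key, then point the UserServerDllInitialization entry back at
    # winsrv. Only the module name changes; the entrypoint and index (3) are kept.
    $backup = Join-Path $env:TEMP 'SubSystems-backup.reg'
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems' $backup /y | Out-Null
    $fixed = [regex]::Replace($data,
        'ServerDll=[^:,\s]+:UserServerDllInitialization,3',
        'ServerDll=winsrv:UserServerDllInitialization,3')
    Set-ItemProperty -Path $keyPath -Name 'Windows' -Value $fixed -Type ExpandString
    Write-Output "Value restored (backup at $backup). Reboot, then remove the file with your AV tool."
}
```

Run it once without -Fix to confirm the only flagged module is consrv before rewriting anything.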
Researchers have found the infected modules stored in the windir\system32\config folder and in the windir\assembly folder.
Use an effective antivirus to scan all modules thoroughly, and double-check before acting on what may be false positives.
Update Java and Flash Player to avoid further exploits.
For more info and a detailed analysis: http://www.dataprotectioncenter.com/antivirus/kaspersky/max-sets-its-sights-on-x64-platforms/
http://weirdwindowsfixes.blogspot.com
Tausif
