consrv.dll

Can someone point me to a good set of instructions on how to remove the
consrv.dll (detected by MBAM) on my daughter's Win7/64 system? The MBAM
screen is still sitting there waiting for me to quarantine it, but I
don't want to do that until I am sure that it is the correct procedure.

--

Dennis

Re: consrv.dll



I hope she doesn't need the computer anytime soon. :) You are literally
waiting for someone to tell you what to do eh? How techie.

Here's a small suggestion.. Google.


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: consrv.dll

Dennis wrote:
Quarantine is almost always the correct choice, it allows you a way back
if you 'remove' something legitimate that is really needed.

Re: consrv.dll

On Sun, 08 Jan 2012 13:52:29 -0500, FromTheRafters


I guess I was concerned because it seems that removing this file has
caused problems with systems not being able to boot.

--

Dennis

Re: consrv.dll

Dennis wrote:


Where did you find info that said consrv.dll was part of Windows 7?

http://www.cleanpcguide.com/remove-consrv-dll-removal-guide-how-to-remove-consrv-dll/

Did you submit the file to virustotal.com yet?  Here's someone's prior
submission of that file:

http://www.virustotal.com/file-scan/report.html?id=5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f-1310865513

The problem with not rebooting after removal is that removal hasn't been
complete.  consrv.dll is just a DLL file storing a library of functions.
Something ELSE has to call the methods (functions) defined in that DLL.
Once it has done its work, it may no longer be needed.  For example, in
the thread below is described how it replaces a random system driver and
once done it's the driver you need to target and not the remnant
file(s).  Once infected, disinfection may not be possible without some
manual work after eradication.  

http://forum.avast.com/index.php?topic=81720.0

In the following thread, the user found that winsrv got replaced with the
malicious consrv.dll (so you need the original winsrv.dll file):

http://www.bleepingcomputer.com/forums/topic400730.html/page__st__15__p__2271737#entry2271737

So after eradicating the consrv.dll file, you need to replace the
registry entries that pointed to it and have them use the original
handler program.  Disinfection is an iffy solution as the anti-malware
program may not completely eradicate all changes made by the malware.
They may only target the malware files and not everything they changed.

If the *only* action MBAM will commit is to quarantine a malware file
then that action is incomplete and can render unwanted behavior in apps
or the OS.  You sure the only action MBAM will do is quarantine a file?
You might want to search their forums (http://forums.malwarebytes.org/)
on "consrv" to see what others have encountered when using MBAM.  One
tool is to use HijackThis to look at a scan of key areas of your OS to
find infections.  This requires you (or someone helping you) to decipher
all the information it presents.  Another is to use ComboFix but only
someone familiar with it should use it.

www.bleepingcomputer.com/download/anti-virus/combofix
www.bleepingcomputer.com/combofix/how-to-use-combofix
http://www.infospyware.net/antimalware/combofix/


http://www.youtube.com/watch?v=7PRWXVD_8-8

(for other YouTube videos, search on "combofix")

Personally I don't waste more than a couple hours trying to eradicate a
pest and any artifacts in behavior left behind after the eradication.
If the disinfection isn't easy, I just restore to an image backup that
isn't infected.  If your daughter is going to just download anything to
install it, perhaps it's time to consider using Returnil.  Configure it
to load on every bootup and password protect its configuration.  On a
reboot, all the changes she made, like installing malware, get
discarded.  When active, Returnil virtualizes all disk I/O so no changes
are made to the real disk (which you get back on a reboot).  Microsoft
has their SteadyState but I find Returnil easier to use.

Of course, you, er, she is doing periodic image backups to restore her
host not only from malware but also if the hard disk crashes, right?

Re: consrv.dll



Is there anything I can run that will look for remnants that MBAM did
not remove?


I have an image from about 7 months ago just after I first set up her new
PC. I warned her that if she gets infected and it isn't easy to fix that
I will just restore to that image and she will have to deal with it.

--

Dennis

Re: consrv.dll

Dennis wrote:


Before removing, and if the malware doesn't prevent you from editing the
registry, often I go hunting for references to the file(s) for the
malware.  As with this one, a search on "consrv" will probably show
where it replaced other system files.

I haven't used ComboFix.  Hopefully before doing any cleaning, it shows
you what it plans to do.

A filename really doesn't mandate what malware you have.  You need to
use the identity of the malware as shown by MBAM or after submitting the
file to virustotal.com to see what type of malware is in that file.
Then you can go hunting around for info on how to best eradicate the
pest not only in deleting its files but undoing any registry changes and
replacing any other files it modified.


Better would be to get another hard disk onto which you can save images
at regular intervals, like weekly.  There are plenty of free imaging
programs: Easeus Todo, Macrium Reflect Free, Paragon Backup & Restore.
Macrium (free) only lets you save full images.  B&R lets you do
differentials to reduce the size of your backups (so you can save more
of them on your backup hard disk).  ToDo does differential or
incrementals (which are even smaller).  You can schedule regular backups
so you have more than just a really old initial image which means you
lose everything since then.  While an initial image is okay, it's not a
whole lot better than just doing a fresh install of the OS and apps.
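An added example of the registry and file checks described in the two longer replies above (it is not code from anyone in this thread): it walks a registry subtree for any value whose data mentions the DLL name, lists the csrss `ServerDll=` loader entries so a redirected winsrv entry stands out, and reports presence, vendor and timestamp of the subsystem DLLs. The `Session Manager\SubSystems` key and the DLL list are this example's assumptions, not something the thread states.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Reports, for later manual review: registry data mentioning the DLL name,
# the csrss ServerDll loader entries, and the state of the subsystem DLLs.
$Needle        = 'consrv'
# Assumption: the loader key that the thread's sources describe as redirected.
$SubSystemsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$SystemDlls    = @('winsrv.dll', 'csrsrv.dll', 'basesrv.dll', 'consrv.dll')

function Find-RegistryString {
    # Walk a hive subtree and emit every value whose data matches $Pattern.
    param([string]$Root, [string]$Pattern)
    $keys = @(Get-Item -Path $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            $data = "$($key.GetValue($valueName))"   # REG_MULTI_SZ joins with spaces
            if ($data -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
            }
        }
    }
}

Write-Host "== csrss ServerDll entries (anything that is not a Windows DLL is suspect) =="
$windowsValue = (Get-ItemProperty -Path $SubSystemsKey).Windows
foreach ($token in ($windowsValue -split '\s+')) {
    if ($token -like 'ServerDll=*') {
        $flag = if ($token -match $Needle) { '   <-- matches needle' } else { '' }
        Write-Host "  $token$flag"
    }
}

Write-Host "== registry values mentioning '$Needle' =="
# Session Manager is where the thread's sources place the change; add more
# roots (e.g. 'HKLM:\SOFTWARE') for a broader but much slower sweep.
foreach ($root in @('HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager')) {
    Find-RegistryString -Root $root -Pattern $Needle | Format-Table -AutoSize
}

Write-Host "== subsystem DLLs in System32: presence, vendor, size, last write =="
foreach ($name in $SystemDlls) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path $path) {
        $file = Get-Item $path
        Write-Host ("  {0,-12} {1,-25} {2,8} bytes  {3}" -f $name,
            $file.VersionInfo.CompanyName, $file.Length, $file.LastWriteTime)
    } else {
        Write-Host ("  {0,-12} not present" -f $name)
    }
}
```

A consrv.dll that exists in System32, a ServerDll entry naming it, or a winsrv.dll with a non-Microsoft vendor or recent write time are the findings to compare against a known-clean image before deciding what to restore.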

Re: consrv.dll



It doesn't. It does its thing, and if it made a mistake, and you don't
read the logs and you reboot, you're dead in the water. Don't recommend it
to be run by novices. It's automated.
 


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: consrv.dll



Just let MBAM do its thing which includes quarantining the DLL.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: consrv.dll

On Sun, 8 Jan 2012 13:57:10 -0500, "David H. Lipman"


OK. I see lots of links to SpywareDoctor for removing this. I vaguely
recall some people saying SpywareDoctor was itself malware. Is this
true?

Thanks, David and FromTheRafters...

--

Dennis

Re: consrv.dll

On Sun, 8 Jan 2012 13:57:10 -0500, "David H. Lipman"


Just out of curiosity, besides quarantining the dll, will MBAM perform
any other steps icw this malware? For example, will it remove any
malicious registry entries? And other things like that...

--

Dennis

Re: consrv.dll



Yes.  They too would be quarantined.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: consrv.dll

On Sun, 8 Jan 2012 19:13:15 -0500, "David H. Lipman"


Well, my daughter finally finished what she was doing on her PC and
turned it over to me. I let MBAM quarantine the file (only gave me the
one message) and then rebooted. The system started up just fine. I then
ran an MBAM quick scan and no problems were reported. I just completed
an SAS complete scan and only tracking cookies were found. I plan on
running an MBAM full scan overnight. I hope that took care of the
problem.

--

Dennis

Re: consrv.dll

Dennis wrote:


If the pest got onto her host, it's likely to happen again.  Same user,
same behavior, same result.  Time for another image backup.

Re: consrv.dll



Neither of you seem to be concerned with the potential for malware to be
backed up on those images. Neither of you have recommended he teach his
daughter better computer use practices. I would almost be willing to
wager that if she isn't practicing safer-hex, she'll find the backups
"inconvenient" and not do them. What do you think?
 



--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: consrv.dll



Hi Dennis.

I suspect you didn't like my initial post to you. Ignoring me tho, isn't
always in your best interest. The scans you've performed will eliminate
the issue you presently have, but it's not fixing the problem. The
problem is the malware getting on the machine in the first place.

Spend a little time on google looking up "safer hex" and implement those
practices. While I'm a smartass at times, it's really for your benefit.



--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts
