ZeroAccess "consrv"

Anyone had success fighting the "consrv" Zero Access pain on a Win
Vista 64bit?

User already deleted the consrv and it went BSOD (as it's designed).
Turns out there's supposed to be a Registry fix that goes along with
it.
But the Registry still points at winsrv, not consrv, yet it's still
BSOD saying consrv is missing.

Have searched and scoured numerous forums for a week and run everything
the system would allow (no network support, installers blocked, lots of
other stuff blocked).  Avira found the dropper, and an ancient Win95
antivirus product called IRIS Cure found some more, but it's still
looking like the damage is done and Factory Restore image is where
we're headed (no disks on this HP model).

The Kaspersky Virus Removal Tool recommended in many forums didn't work
- possibly because the consrv was removed by user previously???

--
-There are some who call me...
Jim


"Distrust any enterprise that requires new clothes."
- Henry David Thoreau (1817-1862)
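The BSOD described above is consistent with csrss.exe being told, via the Session Manager SubSystems key, to load a ServerDll that no longer exists on disk. The following read-only check is an added example and not from the thread or any poster; it assumes that a clean Vista/7 x64 lists only basesrv, winsrv and sxssrv as ServerDll modules, so anything else (such as consrv) is flagged.

```powershell
# Added example (not from the thread): list the ServerDll modules csrss.exe is
# configured to load and flag any that are non-standard or missing on disk.
# Assumption: basesrv, winsrv and sxssrv are the only expected modules.
$subsysKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$expected  = @('basesrv', 'winsrv', 'sxssrv')

# Read the unexpanded string so %SystemRoot% references stay visible.
$raw = (Get-Item $subsysKey).GetValue('Windows', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

$findings = foreach ($token in ($raw -split '\s+')) {
    # Entries look like ServerDll=winsrv:UserServerDllInitialization,3
    if ($token -notmatch '^ServerDll=([^:,]+)') { continue }
    $module = $Matches[1]
    $dll    = Join-Path $env:SystemRoot "System32\$module.dll"
    [pscustomobject]@{
        Entry    = $token
        Module   = $module
        Expected = ($expected -contains $module.ToLower())
        OnDisk   = (Test-Path $dll)
    }
}

$findings | Format-Table -AutoSize

# Expected=False            -> a non-standard module csrss will try to load at boot
# Expected=False, OnDisk=False -> the DLL was removed but its entry remains, which
#                                 matches the "consrv is missing" crash in the thread
$bad = $findings | Where-Object { -not $_.Expected }
if ($bad) { Write-Warning "Non-standard ServerDll entries: $($bad.Module -join ', ')" }
else      { Write-Output  'All ServerDll entries are standard.' }
```

On a machine that no longer boots, the same value can be inspected from the offline SYSTEM hive (for example after loading it with reg.exe from a recovery environment) by pointing $subsysKey at the loaded hive instead.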



Re: ZeroAccess "consrv"

On 11/7/2011 3:03 AM, James D Andrews wrote:


  If it's the same variant as the one I cleaned up last week from a Win7
64bit, there's a second file (rdo.dll) that is a part of it. Remove
either one of them by themselves and you get a blue screen. I used
system restore to recover from the BSODs. I ran Avira, KAV, NOD32,
Avast, MBAM, SAS, Spybot S&D, CureIt, and a variety of other scanners
against it. Some found nothing, a couple found one or the other but not
both. The only one that finally found and cleaned both was HitmanPro.

  I'd never used that product before and I'm still undecided about
adding it to my normal toolkit, but I have to admit that it did take
care of this particular problem.


--
Are we having fun yet?

Re: ZeroAccess "consrv"

Whoever embroidered on the monitor :

Thanks Whoever.  I'll look into it.
I, too, have gone through an arsenal of products against it.

I didn't know about the rdo.dll, though.
Is there an associated registry entry on it I should look for?

--
-There are some who call me...
Jim


"You got to be careful if you don't know where you're going, because
you might not get there."
- Yogi Berra



Re: ZeroAccess "consrv"

On 11/7/2011 4:50 PM, James D Andrews wrote:


  I'm afraid I can't help you there. HitmanPro cleared it up and I
didn't go digging too deep to see exactly what other files/registry
entries it cleaned up. I do recall the two dll's (consrv & rdo) because
of the way the system crashed if either of them was removed by itself.
IIRC - Avira found and removed/renamed consrv but missed rdo. Avast
found rdo but missed consrv.


--
Are we having fun yet?

Re: ZeroAccess "consrv"

Whoever banged his head on his keyboard to write :

Thanks.  I'll give that a try and see what I get.

--
-There are some who call me...
Jim


"What do you mean?" he said. "Do you wish me a good morning, or mean
that it is a good morning whether I want it or not; or that you feel
good this morning; or that it is a morning to be good on?"
-Gandalf, after Bilbo Baggins says "Good Morning"



Re: ZeroAccess "consrv"


Hi James..

Should you find a viable sample of this, it would be a good idea to submit
it to virustotal.org. This will increase the speed with which other AV/ and
AM programs can detect and eliminate this for you.


--
Walking on a Razor's edge, so hard for me to find my way home. How could it
have come to this? So hard to pick the right from the wrong. I can't try to
hide behind myself anymore. I can't try to reason with the pain and the
torture. So I will grab hold to forever and walk right through this open
door. Walking on this lonely road, the heartbreaking pain at my side.
Without two arms to hold me, nothing but the chain of goodbyes.

Re: ZeroAccess "consrv"

Dustin was thinking very hard and all he could come up with was:

That's sort of out of my league of understanding.  The more I learn the
more I learn I don't know.

However, I believe I read it was submitted by someone from an Avast or
Malwarebytes forum awhile back.

There are a few reports about it circling around, also, and some of the
products out there were able to fix the problem for other people.

I suspect maybe what's making this so hard is that the user removed the
consrv first but the rest of the virus and any other associated
problems remained (of course, I don't really know - I'm just shooting
in the dark).

I'm going to try Hitman Pro and a GData disk and see if that helps in
this case, as well as hunt around for the rdo.dll

--
-There are some who call me...
Jim


"Facts are the enemy of truth."
- Don Quixote - "Man of La Mancha"



Re: ZeroAccess "consrv"


Okay. Please let me know the results of your efforts if it isn't too much
trouble. I'd appreciate it greatly.



Re: ZeroAccess "consrv"

Dustin embroidered on the monitor :

I ended up bailing it after the monitor screen locked up during the
GData run.  I couldn't get back to it for a couple days, and today had
to diagnose that problem before continuing (turned out that monitor
finally died).

By that time, I actually forgot all about the Hitman.  Totally escaped
my overcluttered mind.

After a couple weeks of fighting with this, I finally just gave up,
copied the user's personal files, then did a Factory Restore.

Sorry I failed to produce results, but thanks to everyone for all their
guidance.

--
-There are some who call me...
Jim





Re: ZeroAccess "consrv"

email.me:


That's okay. Sounds like you have a lot going on. I know the feeling. :)
Thanks for getting back to me in any event!


--
Character is doing the right thing when nobody's looking. There are too many
people who think that the only thing that's right is to get by, and the only
thing that's wrong is to get caught. - J.C. Watts

Re: ZeroAccess "consrv"

email.me:


Tried Trend Micro SysClean? :)



Re: ZeroAccess "consrv"

Dustin banged his head on his keyboard to write :

Yep.

--
-There are some who call me...
Jim


It's a dangerous business, going out your door. You step onto the road,
and if you don't keep your feet, there's no knowing where you might be
swept off to.
-Samwise Gamgee quoting Bilbo Baggins, edited


