ZeroAccess "consrv"


James D Andrews

Anyone had success fighting the "consrv" Zero Access pain on a Win
Vista 64bit?

User already deleted the consrv and it went BSOD (as it's designed).
Turns out there's supposed to be a Registry fix that goes along with
it.
But the Registry still points at winsrv, not consrv, yet it's still
BSOD saying consrv is missing.

Have searched and scoured numerous forums for a week and run everything
the system would allow (no network support, installers blocked, lots of
other stuff blocked). Avira found the dropper, and an ancient Win95
antivirus product called IRIS Cure found some more, but it's still
looking like the damage is done and Factory Restore image is where
we're headed (no disks on this HP model).

The Kaspersky Virus Removal Tool recommended in many forums didn't work
- possibly because the consrv was removed by user previously???

--
-There are some who call me...
Jim


"Distrust any enterprise that requires new clothes."
- Henry David Thoreau (1817-1862)
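The post above describes the symptom (the machine blue-screens saying consrv is missing) and mentions a registry change that is supposed to go with the infection. The check below is an added example, not something from this thread or from any of the tools it names. It assumes the value being tampered with is the "Windows" value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, which is where csrss.exe reads its list of server DLLs as ServerDll=<name>[:<init>],<index> entries, and that a clean Vista/7 system lists only basesrv, winsrv and sxssrv there. Both sample values are constructed for the demo; the second simply points the console server entry at a file called consrv. The script parses the value, reports any server DLL name outside the expected set, and reports any referenced name whose .dll is absent from System32, which is the condition that keeps csrss from initializing and blue-screens the box after someone deletes the file without reverting the registry.

```python
r"""Check the csrss SubSystems 'Windows' value for unexpected ServerDll entries.

Added example, not from the thread. Assumptions (not stated on the page):
  * the value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows
    lists the server DLLs csrss loads as ServerDll=<name>[:<init>],<index>;
  * a clean Vista/7 system names only basesrv, winsrv and sxssrv there.
CLEAN_VALUE and TAMPERED_VALUE are constructed sample data.
"""
import os
import re
import sys

EXPECTED_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed sample of a clean Vista/7 value.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
# Constructed: the same value with the console server entry redirected to "consrv".
TAMPERED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

_SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)")


def parse_server_dlls(value):
    """Return [(dll_name, init_function_or_None, index), ...] in value order."""
    return [
        (m.group(1).lower(), m.group(2), int(m.group(3)))
        for m in _SERVERDLL_RE.finditer(value)
    ]


def unexpected_server_dlls(value, expected=EXPECTED_SERVER_DLLS):
    """Sorted server DLL names that are not in the expected set."""
    return sorted({name for name, _, _ in parse_server_dlls(value) if name not in expected})


def missing_server_dll_files(value, present_files):
    """Referenced server DLL names whose <name>.dll is not among present_files.

    present_files is the lowercase file listing of System32. A referenced but
    absent server DLL stops csrss from initializing, i.e. the BSOD condition.
    """
    present = {f.lower() for f in present_files}
    return sorted({name for name, _, _ in parse_server_dlls(value)
                   if name + ".dll" not in present})


def read_live_value():
    """Read the real value on Windows; return None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
    return value


def audit(value, present_files):
    """Combine both checks into one report dict."""
    return {
        "entries": parse_server_dlls(value),
        "unexpected": unexpected_server_dlls(value),
        "missing_files": missing_server_dll_files(value, present_files),
    }


if __name__ == "__main__":
    live = read_live_value()
    if live is not None:
        system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        report = audit(live, os.listdir(system32))
    else:
        # Off Windows, demonstrate on the constructed tampered value with a
        # System32 listing that lacks consrv.dll (the "user deleted it" case).
        report = audit(TAMPERED_VALUE, ["basesrv.dll", "winsrv.dll", "sxssrv.dll"])
    for entry in report["entries"]:
        print("ServerDll:", entry)
    print("unexpected server DLLs:", report["unexpected"])
    print("referenced but missing files:", report["missing_files"])
```

Run it on the affected machine from an elevated prompt (or against an offline SYSTEM hive via an offline registry tool, substituting the value text) before deleting anything: if the value names a DLL that is not winsrv, fix the value first, then deal with the file, and not the other way round.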
 
> Anyone had success fighting the "consrv" Zero Access pain on a Win Vista
> 64bit?
>
> User already deleted the consrv and it went BSOD (as it's designed).
> Turns out there's supposed to be a Registry fix that goes along with it.
> But the Registry still points at winsrv, not consrv, yet it's still BSOD
> saying consrv is missing.


If it's the same variant as the one I cleaned up last week from a Win7
64bit, there's a second file (rdo.dll) that is a part of it. Remove
either one of them by themselves and you get a blue screen. I used
system restore to recover from the BSODs. I ran Avira, KAV, NOD32,
Avast, MBAM, SAS, Spybot S&D, CureIt, and a variety of other scanners
against it. Some found nothing, a couple found one or the other but not
both. The only one that finally found and cleaned both was HitmanPro.

I'd never used that product before and I'm still undecided about
adding it to my normal toolkit, but I have to admit that it did take
care of this particular problem.
 
Whoever embroidered on the monitor :
> If it's the same variant as the one I cleaned up last week from a Win7
> 64bit, there's a second file (rdo.dll) that is a part of it. Remove either
> one of them by themselves and you get a blue screen. I used system restore to
> recover from the BSODs. I ran Avira, KAV, NOD32, Avast, MBAM, SAS, Spybot
> S&D, CureIt, and a variety of other scanners against it. Some found nothing,
> a couple found one or the other but not both. The only one that finally found
> and cleaned both was HitmanPro.
>
> I'd never used that product before and I'm still undecided about adding it
> to my normal toolkit, but I have to admit that it did take care of this
> particular problem.

Thanks Whoever. I'll look into it.
I, too, have gone through an arsenal of products against it.

I didn't know about the rdo.dll, though.
Is there an associated registry entry on it I should look for?

--
-There are some who call me...
Jim


"You got to be careful if you don't know where you're going, because
you might not get there."
- Yogi Berra
 
> I didn't know about the rdo.dll, though.
> Is there an associated registry entry on it I should look for?


I'm afraid I can't help you there. HitmanPro cleared it up and I
didn't go digging too deep to see exactly what other files/registry
entries it cleaned up. I do recall the two DLLs (consrv & rdo) because
of the way the system crashed if either of them was removed by itself.
IIRC - Avira found and removed/renamed consrv but missed rdo. Avast
found rdo but missed consrv.
 
> Anyone had success fighting the "consrv" Zero Access pain on a Win
> Vista 64bit?
>
> User already deleted the consrv and it went BSOD (as it's designed).
> Turns out there's supposed to be a Registry fix that goes along with
> it.
> But the Registry still points at winsrv, not consrv, yet it's still
> BSOD saying consrv is missing.
>
> Have searched and scoured numerous forums for a week and run everything
> the system would allow (no network support, installers blocked, lots of
> other stuff blocked). Avira found the dropper, and an ancient Win95
> antivirus product called IRIS Cure found some more, but it's still
> looking like the damage is done and Factory Restore image is where
> we're headed (no disks on this HP model).
>
> The Kaspersky Virus Removal Tool recommended in many forums didn't work
> - possibly because the consrv was removed by user previously???

Tried Trend Micro SysClean? :)


--
Walking on a Razor's edge, so hard for me to find my way home. How could it
have come to this? So hard to pick the right from the wrong. I can't try to
hide behind myself anymore. I can't try to reason with the pain and the
torture. So I will grab hold to forever and walk right through this open
door. Walking on this lonely road, the heartbreaking pain at my side. Without
two arms to hold me, nothing but the chain of goodbyes.
 
> Whoever embroidered on the monitor :
>
> Thanks Whoever. I'll look into it.
> I, too, have gone through an arsenal of products against it.
>
> I didn't know about the rdo.dll, though.
> Is there an associated registry entry on it I should look for?

Hi James,

Should you find a viable sample of this, it would be a good idea to submit
it to virustotal.org. This will increase the speed with which other AV and
AM programs can detect and eliminate this for you.


 
Dustin banged his head on his keyboard to write :
> Tried Trend Micro SysClean? :)

yep.

--
-There are some who call me...
Jim


It's a dangerous business, going out your door. You step onto the road,
and if you don't keep your feet, there's no knowing where you might be
swept off to.
-Samwise Gamgee quoting Bilbo Baggins, edited
 
Dustin was thinking very hard and all he could come up with was:
> Hi James,
>
> Should you find a viable sample of this, it would be a good idea to submit
> it to virustotal.org. This will increase the speed with which other AV and
> AM programs can detect and eliminate this for you.

That's sort of out of my league of understanding. The more I learn the
more I learn I don't know.

However, I believe I read it was submitted by someone from an Avast or
Malwarebytes forum a while back.

There are a few reports about it circling around, also, and some of the
products out there were able to fix the problem for other people.

I suspect maybe what's making this so hard is that the user removed the
consrv first but the rest of the virus and any other associated
problems remained (of course, I don't really know - I'm just shooting
in the dark).

I'm going to try Hitman Pro and a GData disk and see if that helps in
this case, as well as hunt around for the rdo.dll

--
-There are some who call me...
Jim


"Facts are the enemy of truth."
- Don Quixote - "Man of La Mancha"
 
Whoever banged his head on his keyboard to write :
> I'm afraid I can't help you there. HitmanPro cleared it up and I didn't go
> digging too deep to see exactly what other files/registry entries it cleaned
> up. I do recall the two DLLs (consrv & rdo) because of the way the system
> crashed if either of them was removed by itself. IIRC - Avira found and
> removed/renamed consrv but missed rdo. Avast found rdo but missed consrv.

Thanks. I'll give that a try and see what I get.

--
-There are some who call me...
Jim


"What do you mean?" he said. "Do you wish me a good morning, or mean
that it is a good morning whether I want it or not; or that you feel
good this morning; or that it is a morning to be good on?"
-Gandalf, after Bilbo Baggins says "Good Morning"
 
> I'm going to try Hitman Pro and a GData disk and see if that helps in
> this case, as well as hunt around for the rdo.dll

Okay. Please let me know the results of your efforts if it isn't too much
trouble. I'd appreciate it greatly.


 
Dustin embroidered on the monitor :
> Okay. Please let me know the results of your efforts if it isn't too much
> trouble. I'd appreciate it greatly.

I ended up bailing it after the monitor screen locked up during the
GData run. I couldn't get back to it for a couple days, and today had
to diagnose that problem before continuing (turned out that monitor
finally died).

By that time, I actually forgot all about the Hitman. Totally escaped
my overcluttered mind.

After a couple weeks of fighting with this, I finally just gave up,
copied the user's personal files, then did a Factory Restore.

Sorry I failed to produce results, but thanks to everyone for all their
guidance.

--
-There are some who call me...
Jim


"Facts are the enemy of truth."
- Don Quixote - "Man of La Mancha"
 
> Sorry I failed to produce results, but thanks to everyone for all their
> guidance.

That's okay. Sounds like you have a lot going on. I know the feeling. :)
Thanks for getting back to me in any event!
 