Hi. I’ve been infected with the Consrv.dll issue that others have recently had in other topics, and I need some help with removing it.
The problems it’s been causing are that Google (and other search engines) will redirect to AbNow.com, Windows Firewall is deactivated and I can’t change any settings, and Windows Defender is also deactivated. I’ve also had Pidgin (an instant messaging program) start to ask me about accepting unverified certificates when I sign in, though I believe this is unrelated and is just coincidentally having issues too. I’m not too worried about that, but thought I should mention it in case it’s important. I use a gmail account with it, with the protocol set to MSN.
I’ve run Avast, which did detect the infected files and removed them, but like others, it would result in Windows being unable to start up and then needing a system restore, which brings me back to having the infected files. I have also tried other anti-viruses (AVG, BitDefender, and others), and the ones that picked up on the infected files did the same thing.
Due to multiple system restores, I may have several anti-virus programs around on my computer (I know this is important for logs). I’ve also installed Comodo Firewall for now in place of Windows Firewall, and I’m not sure if any of the anti-viruses are currently active.
I’m not sure where or how I got the virus, as I haven’t done anything unusual lately. I do have utorrent, which could be the cause, but I haven’t used it for anything since I got the virus.
I hope that’s enough information. I’m in no rush to get this fixed, but I’m not comfortable with doing manual fixes. Also, I am usually busy between things, so I may not be able to respond as quickly as possible, just to let anyone know. Any help with this will be greatly appreciated, thanks!
Are you sure you do not have conflicting AV solutions running side by side on that computer? Two resident AV solutions on one computer is a bad idea. However, non-resident AV and specific anti-malware solutions can be combined. Wait here until a qualified remover looks into your apparent infection.
I’ve gone through several one-by-one, always uninstalling the previous anti-virus, but due to going through several system restores, the leftover folders are still on my computer. They’re mostly empty, and I currently have no anti-virus in use, but I thought it might be an important detail to mention.
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\HWSCtrl.dll
NetSvc::
tdrpman
Driver::
tdrpman
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
Notes:
Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
I did the procedure for Combofix, and while the program seemed to run fine, it didn’t produce a log anywhere. I’ve done a full search on my computer for the log, and couldn’t find it.
I have tried several times, and also re-downloaded Combofix, but no log is being created.
However, a file called “32788R22FWJFW” has appeared on my C Drive, and it links to My Computer, for whatever reason (ie, I can go back and forth by clicking C Drive and this file).
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
Drives
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs
I ran OTL and it created the OTL file, but not the Extras one. Since CREATERESTOREPOINT disappears from the bottom during the quick scan, I thought I had mis-pasted, so I ran OTL a second time, and still no Extras file. I don’t seem to be having any luck with this, heh.
If it helps at all, here are the two OTL logs I made:
OK, most of it has gone; now I can fix the rest with combofix.
Download and Install Combofix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
I ran Combofix, but still no log. I checked my C drive and there’s still the “32788R22FWJFW” file/folder thing, so I tried deleting it and then re-running Combofix, which created a new one.
There are no apparent changes in my computer’s behaviour since running Combofix, if that information helps.
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
I didn’t do the boot scan since I’m not sure if I’m supposed to now.
Edit: After having turned off my computer and using it later, I got a black screen (ie, Explorer wouldn’t start), though I was still able to use it via Task Manager. After running in safe mode and then normally, it seems to be fine with that issue. Just for informational purposes.
To enter System Recovery Options from the Advanced Boot Options:
[*]Restart the computer.
[*]As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
[*]Use the arrow keys to select the Repair your computer menu item.
[*]Select English as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
[*]Insert the installation disc.
[*]Restart your computer.
[*]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[*]Click Repair your computer.
[*]Select English as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter. Note: Replace the letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press the Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.