consrv.dll ZeroAccess?

Hi, I have a laptop with Windows 7 and I think I have the MAX++ (ZeroAccess) trojan.

I've tried various tools and antivirus products, but it is impossible to clean consrv.dll.

I cannot modify the registry keys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.

If I delete consrv.dll, Windows 7 does not boot and I have to restore it.

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

consrv.dll
You should not remove this on your own; if you do it wrong you may end up with a non-working computer.

You need help from Essexboy on this, so follow the guide Asyn gave you.

Thanks very much

Attaching the current Malwarebytes log and another (2012-01-19) from when the problem occurred.

Attach the OTL log.

Sorry, but I lost Extras.txt, and if I run OTL again only OTL.txt appears.

The Extras log is only produced on the first run; it is just some extra technical info. OTL.txt is the important one.

From that log it seems you have Trend Micro AV and not Avast. Is this correct?

Don't worry, Essexboy will fix it anyway. Just curious ;D

It is a corporate laptop :-X I don't like Trend Micro.
Attach aswMBR

And RogueKiller report.

Essexboy is usually in here around 08:00pm - 11:59pm UK time

Thanks very much

I see that you have run ComboFix. Could you post that log, please?

Yes, but after it runs, I have to restore Windows.
Attach the log.

That would suggest that it is not replacing the registry key, so I will need to have a look at that.

[*]Run OTL.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

Here is OTL's log.

OK, there does not appear to be a SubSystems key, which is a tad weird.

So could you go to my site https://skydrive.live.com/?cid=32d8666f4048075b#cid=32D8666F4048075B&id=32D8666F4048075B!117
Locate and download subsystem.reg to your desktop.

Once done, I will use OTL to kill all processes and delete the offending file.

OTL FIX

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Processes
killallprocesses

:Files
c:\windows\system32\consrv.dll
c:\windows\assembly\tmp\U


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered.

Do not reboot

Right-click the reg file and select Merge.
Accept the warnings.
Run an Avast quick scan.

When I started the laptop, the redirection of Google's search came back again.
I ran OTL, but it did not find consrv.dll (log attached); actually, consrv.dll is still in windows\system32.
The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems has consrv instead of winsrv.
I think I have the same variant as Driverx (consrv.dll+95p).
Attaching the new Malwarebytes log.
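The post above states exactly what to look for: the Windows value under SubSystems naming consrv where winsrv belongs, and a consrv.dll sitting in System32. The following read-only triage script is an added example, not code from this thread and not part of OTL, ComboFix or any other tool mentioned here; it assumes Windows 7 with PowerShell 2.0 or later and an elevated prompt, and it only reports, it changes nothing. It checks every control set (the poster's first message mentions ControlSet001 as well as CurrentControlSet), lists the ServerDll entries, flags any that are not basesrv or winsrv, and records the hash and signature status of consrv.dll and the contents of the assembly\tmp\U directory that the OTL fix deletes.

```powershell
# Added example (not from the thread, OTL or ComboFix): read-only triage of the
# ZeroAccess consrv.dll subsystem hijack. Assumes Windows 7, PowerShell 2.0+,
# run from an elevated prompt. It reports; it does not change anything.

function Get-SubSystemsWindowsValue {
    param([string]$ControlSet)
    $key = "HKLM:\SYSTEM\$ControlSet\Control\Session Manager\SubSystems"
    if (-not (Test-Path $key)) { return $null }
    # The value is REG_EXPAND_SZ; Get-ItemProperty expands %SystemRoot% for us.
    return (Get-ItemProperty -Path $key -Name Windows).Windows
}

function Test-SubSystemsHijack {
    param([string]$WindowsValue)
    # A clean Windows 7 value carries entries such as
    #   ServerDll=basesrv,1
    #   ServerDll=winsrv:UserServerDllInitialization,3
    #   ServerDll=winsrv:ConServerDllInitialization,2
    # ZeroAccess rewrites the console entry to consrv:ConServerDllInitialization,
    # so csrss.exe loads consrv.dll at boot; deleting the DLL without repairing
    # this value is what leaves the machine unbootable.
    $dlls = @([regex]::Matches($WindowsValue, 'ServerDll=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value })
    $bad = @($dlls | Where-Object { $_ -notmatch '^(basesrv|winsrv)(:|$)' })
    return @{ ServerDlls = $dlls; Unexpected = $bad }
}

# Check CurrentControlSet plus every ControlSet00N, since the first post
# reports both being locked.
$sets = @('CurrentControlSet') + @(Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -like 'ControlSet0*' } |
    ForEach-Object { $_.PSChildName })

foreach ($cs in $sets) {
    $val = Get-SubSystemsWindowsValue $cs
    if ($val -eq $null) { Write-Warning "$cs has no SubSystems key"; continue }
    $r = Test-SubSystemsHijack $val
    "$cs ServerDll entries: $($r.ServerDlls -join ', ')"
    foreach ($d in $r.Unexpected) {
        Write-Warning "$cs : unexpected ServerDll '$d' (expected basesrv or winsrv)"
    }
}

# The file itself: consrv.dll is not part of a clean Windows 7 install, so its
# presence in System32 is a red flag. Record hash and signature before anyone
# deletes it, so the sample can be matched against other reports.
$file = Join-Path $env:SystemRoot 'System32\consrv.dll'
if (Test-Path $file) {
    Write-Warning "$file exists"
    try {
        $bytes = [IO.File]::ReadAllBytes($file)
        $md5 = ([BitConverter]::ToString(
            [Security.Cryptography.MD5]::Create().ComputeHash($bytes))).Replace('-', '')
        "MD5: $md5  size: $($bytes.Length)  signature: $((Get-AuthenticodeSignature $file).Status)"
    } catch {
        Write-Warning "Could not read $file (a deny ACL on the file is a common cause): $_"
    }
} else {
    'No consrv.dll in System32.'
}

# Payload directory that the OTL fix in this thread removes alongside the DLL.
$u = Join-Path $env:SystemRoot 'assembly\tmp\U'
if (Test-Path $u) {
    Write-Warning "$u exists:"
    Get-ChildItem -Force $u | ForEach-Object { "  $($_.Name)  $($_.Length) bytes" }
}
```

Run it before and after the OTL fix and the subsystem.reg merge: the merge is what puts winsrv back into the Windows value, and the fix deletes the DLL and the U directory with all processes killed so nothing can re-create them mid-fix. If the script still reports consrv after a reboot, as the post above describes, the value is being rewritten on boot and the helper needs to see the logs before anything else is deleted.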

So far you two are the only ones I have come across.

Do the following:

[*]Click on the Start button and then choose Control Panel.
[*]Click on the System and Security link.

Note: If you’re viewing the Large icons or Small icons view of Control Panel, you won’t see this link so just click on the Administrative Tools icon and skip to Step 4.
[*]In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
[*]In the Administrative Tools window, double-click on the Computer Management icon.
[*]When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

Note: If you don’t see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.
Take a screenshot of the Disk Management window and attach the screenshot to your reply.

Screenshot attached.

OK, I would like you to update and try ComboFix one more time please, as I really need to see what is going on.

If you need to restore again, then run OTL with this script in the custom scans box, as I will look at an area that has been unused for a while.

/md5start
consrv.*
/md5stop
c:\windows\*. /RP /s

Attaching ComboFix's log.
I have restored Windows 7, so I attach OTL's log too.