Hello All,
It seems my box got infected with the variant of MAX++ ( I realized this too late, otherwise I would not have deleted consrv.dll)

System: Vista Ultimate 64 bit, Avast, Comodo firewall only

Symptoms:

1. Existence of windows\system32\consrv.dll
2. During full scan Avast found C:\Windows\assembly\TMP\kwrd.dll
3. svchost was trying to get some URL, which was blocked by Avast on several occasions

I deleted consrv.dll and setup for the boot-up scan.

At boot up scan Avast found:file C:\Windows\assembly\tmp\U\80000032.@ is infected by Win32:DNSChanger-VJ [Trj] and moved to chest
also : File C:\Windows\assembly\tmp\U\00000002.@|>[Embedded_R#00290] is infected by Win32:Malware-gen and moved to chest

After restart - cannot start OS. I tried safe mode - hangs after crcdisk, BartPE - throws BSoD. Was not able to repair installation as well.

Is there any way the system can be restored with the virus removed, short of wiping out the disk and doing new install?

Thanks for the help…

Did you try Vista System recovery options start up repair on disc
Or you can try the command prompt in recovery paste chkdsk then enter

Also if you can get command prompt in safe mode or recovery disc paste this sfc /checknow

Unfortunately that files replaces a system service within the registry - so if you do not change the registry key as well then the system will fail to boot

If none of the system recovery options work then let me know and I wil try a repair outside of windows

I am not able to get to the safe mode - system reboots. Tried to get to repair using original installation disk - got the error: Invalid Disk.

Tried to undelete consrv.dll using TestDisk from UltimateBootCD. TestDisk did not find consrv.dll file. All it found was C:\Windows\assembly\tmp\U\80000032

essexboy, if I am able to get to registry from outside of windows, what do I need to fix? Is there any other way to fix it?

Thanks

Yep. But, you will need to burn a CD

OK next we will work outside of windows then Please print these instruction out so that you know what you are doing
[*]Download OTLPENet.exe to your desktop
[*]Ensure that you have a blank CD in the drive
[*]Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
[*]Reboot your system using the boot CD you just created.Note : If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
[*]Your system should now display a Reatogo desktop.Note : as you are running from CD it is not exactly speedy [*]Double-click on the OTLPE icon.[*]Select the Windows folder of the infected drive if it asks for a location
[*]When asked “Do you wish to load the remote registry”, select Yes[*]When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
[*]Ensure the box “Automatically Load All Remaining Users” is checked and press OK
[*]OTL should now start
[*]Drag and drop this attached scan.txt into the Custom scans and fixes box, or double click the scan box
[*]Press Run Scan to start the scan.
[*]When finished, the file will be saved in drive C:\OTL.txt
[*]Copy this file to your USB drive if you do not have internet connection on this system
[*]Right click the file and select send to : select the USB drive.
[*]Confirm that it has copied to the USB drive by selecting it
[*]You can backup any files that you wish from this OS
[*]Please post the contents of the C:\OTL.txt file in your reply.

I forgot to mention that I renamed windows/system64 file as well. I guess it did not work out

The log is too big. I split it in two and attached

OK lets reset the registry key and hopefully you will be back in windows

Start OTLPE as you did previously from CD
Copy the attached Fix.txt to a USB

[*]Insert your USB drive with fix.txt on it
[*]Start OTLPE
[*]Drag and drop fix.txt into the Custom scans and fixes box
[*]If you cannot drag and drop for some reason. Then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done to normal mode if possible
[*]Then post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

After running fix cannot start windows in normal and safe modes - box reboots

OK one more go with a slightly amended reg key - I have taken this directly from my windows 7 64 bit

Follow the same routine to run this from OTLPE

On attempt to drag and drop OTLPE responded " not a valid fix file". I copied and pasted the text. It seems now, the fix stuck in processing registry data "Debug=hex(2):00,00

OK just testing th efix on my system

Back in a mo

OK for some reason OTL does not like hex 2

:Reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems] "Windows" = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Download the rewritten one in English ;D

And run this as before

Registry updated successfully, but same thing - reboots after crcdisk.sys

OK that is the point where windows carries out a disc check …

Do you have the windows CD ?

As we can try two different things from the command prompt

Boot from the CD

When you reboot you will see this . Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following

chkdsk /r

[*]Run this twice
[*]Then
.
SFC /Scannow

[*]Once finished type Exit

Then retry

If you do not have the disc then download this iso from here http://download.digiex.net/Apps/WindowsRecovery/WindowsVista64bitRecoveryDisc.zip

Using your burning software burn it to a bootable disc

I have the disk.It’s just that chkdsk is extremely slow

CRCDISK.SYS identifies itself as a "Disk Block Verification Filter Driver" and was written by Microsoft. It does CRC checking on data being read off the disk.

ran chkdsk twice, but sfc /scannow give an error - windows resource protection could not perform requested operation.

reboot, tried again, - same error. I tried to restart box in safe mode - restarts again after crcdisk

I just checked and there is still windows/system64 directory exists ( which I renamed to rename_system64_rename ). It has files with the identical names to the files in system32 and syswow64, but different timestamp. Can this prevent me from running sfc /scannow?