How to remove Consrv.dll

Hello,

I followed Pondus's advice and posted a new topic.

I had consrv.dll removed by avast but then got a bluescreen at reboot, and I had to restore to a previous point, with consrv.dll restored also >:( . I modified registry keys so that the “%hs not found” blue screen doesn’t appear at reboot (found there: http://blog.crosbydrive.com/?p=245).

But now, sometimes (between 10/20 times a day) avast finds “consrv.dll” and deletes it. I tried to run combofix to delete it once and for all but after the reboot: blue screen with the same “%hs not found”.

I followed the topic "Logs to assist in cleaning malware".

I ran MBAM and it found nothing.

I ran OTL and I attached the logs (OTL and extras)

I ran aswMBR.exe but it crashes every time I run it so I don’t have any logs.

When you had the problem with combofix what was the sequence of events ?

Download a fresh copy of combofix to your desktop

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\StkASSrv.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\opretuq.dll
C:\Windows\SysNative\dds_trash_log.cmd

NetSvc::
lvusbsta

Driver::
lvusbsta

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Combofix ran itself good, did the 50 steps, reboots, produced a log but when I clicked on a random program (firefox, notepad or whatever), it tells me that the program had registry keys deleted.

I think it was because of combofix because all the programs seem to be affected so I tried to reboot and that’s where I had the blue screen.

But I stopped avast during the combofix scan, I will try to run combofix with an avast exception and see what happens, I will attach the log if I can.

Here is the Combofix log. Reboot was fine.

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

This may be part of your problem - with regards to AV's more is not better. You need to uninstall two of the three antivirus programmes.

Second run to beat it into submission

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wyedax.exe
C:\Windows\SysNative\StkASSrv.dll

NetSvc::
lvusbsta

Driver::
lvusbsta

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks for the reply,

I know I have too many AVs, Norton was native with the computer and I don’t know how to get rid of it.
I thought Ad aware was more specialized in Ad-ware, spyware, I uninstalled it since I have now Malwarebytes.

The log from Combofix is attached.

OK this run should kill it

Run combofix again with the same script as before please

Here is the log of the last scan from Combofix with the same script :slight_smile:

EDIT : I just found out that the access to “documents and settings” is now denied… I can still access most of my folders using “c:/users” but it’s still weird…

Hey, here you have the uninstall tool for Norton: https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?lg=english&ct=united+states&docid=20080710133834EN&product=home&version=1&pvid=f-home.

OK nearly there, when you try to access the folder what is the error?

Re-run an OTL quick scan please, ensuring all users is selected, with the following script in the custom scan box

netsvcs
%SYSTEMDRIVE%\*.exe
CREATERESTOREPOINT