consrv.dll ZeroAccess?

[lotorien]

Hi, I've a laptop with windows 7 and i think i've trojan MAX++ (zeroAccess)

I've tried with various tools and antivirus but it is impossible clean consrv.dll

I can not modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Sub Systems\ and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems

If i delete consrv.dll, windows7 not boot and i´ve to restore it.

[Asyn]

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

[Pondus]

consrv.dll

you should not remove this on your own...if you do it wrong you may have a none working comp

you need help fom Essexboy on this so follow the guide Asyn gave you

[lotorien]

Thanks very much

Attach actual log Malwarebytes and another (2012-01-19) with the problem.

[lotorien]

Atttach OTL log

Sorry, but i lost extra.log and if i run again OTL, it only appears OTL.txt

[Pondus]

Sorry, but i lost extra.log and if i run again OTL, it only appears OTL.txt

the extra is only produced at first run....just some extra technical info. OTL.txt is the important one

From that log it seems you have TrendMicro AV and not avast...is this correct?

dont worry, Essexboy will fix it anyway....just curious   

[lotorien]

It is a corporative laptop  I don´t like Trend Micro.
Attach aswMBR

[lotorien]

And RogueKiller report.

[Pondus]

Essexboy is usually in here around 08:00pm - 11:59pm UK time

[lotorien]

Thanks very much

[essexboy]

I see that you have run combofix - could you post that log please

[lotorien]

Yes, but after it runs, i've to restore windows.
Attach the log.

[essexboy]

That would suggest that it is not replacing the registry key so I will need to have a look at that

• Run OTL.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystem /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Post both logs

[lotorien]

Here it's OTL's log

[essexboy]

OK there does not appear to be a subsystem key which is a tad weird

So could you go to my site https://skydrive.live.com/?cid=32d8666f4048075b#cid=32D8666F4048075B&id=32D8666F4048075B%21117
Locate and download subsystem.reg to your desktop

Once done I will use OTL to kill all processes and delete the offending file


OTL FIX

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :PROCESSES
  KILLALLPROCESSES
  
  :Files
  c:\windows\system32\consrv.dll
  c:\windows\assembly\tmp\U
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered.

Do not reboot

Right click the reg file and select merge
Accept the warnings
Run an Avast quick scan