I’ve recently removed a mean virus called ZAccess, which places a consrv.dll file in your Windows\System64 sub-directory. Simply renaming or deleting this file will cause a Windows 7 machine to fail to restart, because evidently this virus has built a ‘tripwire’ into the system so that it’s harder to remove.
A couple of things I tried before finding the solution:
Malwarebytes wasn’t able to detect the virus, but Microsoft Security Essentials did. However, repairing the virus with MSE ‘tripped the wire’ and the whole computer exploded (actually it just failed to boot until the system was restored to a previous restore point). AVG and Avira also both detected the consrv.dll file, but not the tripwire. I tried a couple more things, such as booting into safe mode and renaming the file, and using regedit to fix the entry it modified under:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Sub Systems
A clean copy of the key looks like this:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
An infected key looks like this:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
But because I didn’t first remove the tripwire, the issue remained.
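A read-only check for the registry change shown above, added here as an example (it is not from the original post): it parses the ‘Windows’ value of the SubSystems key and flags any ServerDll entry whose module is not one of the stock csrss server DLLs. The key path, the known-good module set and the two sample strings (built from the clean and infected values quoted above) are my assumptions; the check changes nothing, since, as the post explains, editing the key alone leaves the tripwire in place.

```python
"""Read-only check of the Session Manager SubSystems 'Windows' value for a
ServerDll entry that points somewhere other than the stock Windows modules."""
import sys

# Modules a clean Windows 7 'Windows' value loads into csrss.exe (assumption)
KNOWN_GOOD_SERVERDLLS = {"basesrv", "winsrv", "sxssrv"}


def parse_serverdlls(value):
    """Return [(module, entrypoint, index)] for every ServerDll= token."""
    entries = []
    for token in value.split():
        if not token.startswith("ServerDll="):
            continue
        spec, _, index = token[len("ServerDll="):].rpartition(",")
        module, _, entry = spec.partition(":")   # entry is '' when absent
        entries.append((module.lower(), entry, int(index)))
    return entries


def suspicious_serverdlls(value):
    """ServerDll entries whose module is not a stock csrss server DLL."""
    return [e for e in parse_serverdlls(value)
            if e[0] not in KNOWN_GOOD_SERVERDLLS]


def read_live_value():
    """Windows only: read the value from the live registry (no writes)."""
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
    return value


# Constructed samples: the clean value from the post, and the infected one
# with winsrv swapped for consrv in the console-server entry
CLEAN = ("%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
         "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
         "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
         "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
         "ProfileControl=Off MaxRequestThreads=16")
INFECTED = CLEAN.replace("ServerDll=winsrv:ConServerDllInitialization,2",
                         "ServerDll=consrv:ConServerDllInitialization,2")

if __name__ == "__main__":
    value = read_live_value() if sys.platform == "win32" else INFECTED
    print("suspicious ServerDll entries:", suspicious_serverdlls(value) or "none")
```

On a non-Windows host the script runs against the constructed infected sample so the parser can be exercised offline.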
How to fix it:
So the solution came through Kaspersky’s free removal tool, which knew enough about this virus to remove the tripwire as well as the consrv.dll file. A quick scan with this tool followed by a reboot, and the consrv.dll file is gone. The other files that it deleted are:
Now you can reinstall your favorite antivirus app and scan your computer once more to make sure all other viruses that this trojan may have invited are gone.