Dennis wrote:
> On Sun, 08 Jan 2012 13:52:29 -0500, FromTheRafters
> <(E-Mail Removed)> wrote:
>
>>Dennis wrote:
>>> Can someone point me to a good set of instructions on how to remove the
>>> consrv.dll (detected by MBAM) on my daughter's Win7/64 system? The MBAM
>>> screen is still sitting there waiting for me to quarantine it, but I
>>> don't want to do that until I am sure that it is the correct procedure.
>>>
>>Quarantine is almost always the correct choice, it allows you a way back
>>if you 'remove' something legitimate that is really needed.
>
> I guess I was concerned because it seems that removing this file has
> caused problems with systems not being able to boot.
Where did you find info that said consrv.dll was part of Windows 7?
http://www.cleanpcguide.com/remove-c...ve-consrv-dll/
Did you submit the file to virustotal.com yet? Here's someone's prior
submission of that file:
http://www.virustotal.com/file-scan/...46f-1310865513
The problem with not rebooting after removal is that removal hasn't been
complete. consrv.dll is just a DLL file storing a library of functions.
Something ELSE has to call the methods (functions) defined in that DLL.
Once it has done its work, it may no longer be needed. For example, in
the thread below is described how it replaces a random system driver and
once done it's the driver you need to target and not the remnant
file(s). Once infected, disinfection may not be possible without some
manual work after eradication.
http://forum.avast.com/index.php?topic=81720.0
In the following thread, the user found that winsrv got replaced with the
malicious consrv.dll (so you need the original winsrv.dll file):
http://www.bleepingcomputer.com/foru...7#entry2271737
So after eradicating the consrv.dll file, you need to replace the
registry entries that pointed to it and have them use the original
handler program. Disinfection is an iffy solution as the anti-malware
program may not completely eradicate all changes made by the malware.
They may only target the malware files and not everything they changed.
If the *only* action MBAM will commit is to quarantine a malware file
then that action is incomplete and can render unwanted behavior in apps
or the OS. You sure the only action MBAM will do is quarantine a file?
You might want to search their forums (http://forums.malwarebytes.org/)
on "consrv" to see what others have encountered when using MBAM. One
tool is to use HijackThis to look at a scan of key areas of your OS to
find infections. This requires you (or someone helping you) to decipher
all the information it presents. Another is to use ComboFix but only
someone familiar with it should use it.
http://www.bleepingcomputer.com/down...virus/combofix
http://www.bleepingcomputer.com/comb...o-use-combofix
http://www.infospyware.net/antimalware/combofix/
http://www.youtube.com/watch?v=7PRWXVD_8-8
(for other YouTube videos, search on "combofix")
Personally I don't waste more than a couple hours trying to eradicate a
pest and any artifacts in behavior left behind after the eradication.
If the disinfection isn't easy, I just restore to an image backup that
isn't infected. If your daughter is going to just download anything to
install it, perhaps it's time to consider using Returnil. Configure it
to load on every bootup and password protect its configuration. On a
reboot, all the changes she made, like installing malware, get
discarded. When active, Returnil virtualizes all disk I/O so no changes
are made to the real disk (which you get back on a reboot). Microsoft
has their SteadyState but I find Returnil easier to use.
Of course, you, er, she is doing periodic image backups to restore her
host not only from malware but also if the hard disk crashes, right?
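The post above says the infection swaps the stock winsrv handler for consrv.dll and that the registry entries pointing at it must be checked before cleanup, and it suggests submitting the file's hash to VirusTotal. The script below is an added, read-only triage example; it is not code from anyone in the thread. It assumes, from general Windows knowledge rather than from the post, that the CSRSS server DLLs are listed as `ServerDll=<name>:...` tokens in the `Windows` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems`, and that on a clean Windows 7 system those names are basesrv, winsrv and sxssrv. Run it from an elevated 64-bit PowerShell so `System32` is not redirected.

```powershell
# Added example (not from the thread): read-only triage for the consrv.dll case.
# Reports which server DLLs the Win32 subsystem value loads, flags any that are
# not stock, and hashes consrv.dll (if present) for a VirusTotal lookup.
# Nothing here modifies the registry or the file system.
# Assumptions (general Windows knowledge, not stated in the post): the 'Windows'
# value under the SubSystems key carries "ServerDll=<name>:..." tokens, and the
# stock names are basesrv, winsrv and sxssrv.

$subsysKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$knownGood = @('basesrv', 'winsrv', 'sxssrv')

$windowsValue = (Get-ItemProperty -Path $subsysKey -Name 'Windows').Windows
Write-Host "SubSystems\Windows = $windowsValue`n"

# Every ServerDll=<name> token; the DLL base name ends at ':' or ','.
$serverDlls = [regex]::Matches($windowsValue, 'ServerDll=([^:,\s]+)') |
    ForEach-Object { $_.Groups[1].Value.ToLower() } |
    Sort-Object -Unique

foreach ($dll in $serverDlls) {
    if ($knownGood -contains $dll) {
        Write-Host "OK       ServerDll=$dll"
    } else {
        Write-Host "SUSPECT  ServerDll=$dll  (not a stock CSRSS server DLL)"
    }
}

# Hash consrv.dll with .NET so this also works on the PowerShell 2.0 that
# Windows 7 ships with (Get-FileHash needs a newer PowerShell).
$dllPath = Join-Path $env:SystemRoot 'System32\consrv.dll'
if (Test-Path $dllPath) {
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($dllPath)
    try {
        $hash = ($sha256.ComputeHash($stream) |
                 ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
    Write-Host "`nconsrv.dll present: $dllPath"
    Write-Host "SHA256 (search this on virustotal.com): $hash"
} else {
    Write-Host "`nconsrv.dll not found in System32"
}

# The stock winsrv.dll must exist before the registry value is ever pointed
# back at it; if it is missing, CSRSS cannot start and the system will not
# boot, which is the failure mode the post warns about.
$winsrv = Join-Path $env:SystemRoot 'System32\winsrv.dll'
Write-Host ("winsrv.dll present: " + (Test-Path $winsrv))
```

If the output shows `SUSPECT  ServerDll=consrv` while `winsrv.dll present: False`, quarantining the DLL alone leaves a registry value pointing at a handler that no longer exists, which is exactly the unbootable state the thread describes; restoring the original winsrv.dll (or the image backup) comes first.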