c0000135 BSoD but AVG never on system

That's what I meant Gazza. You can keep those evil eyes away from me!! It was a compliment! :D

was meant to read "no-one else here has made". that else is important I guess. Maybe change has to had as well. Then again would it be as much fun as poking the grumpy grisly bear? ;)
 
First thing you should have done was image the drive before attempting any work on it. That way you can at least go back to the original state if things go wrong which they did.

if i'd done the initial work on this PC i would've done an image, it was already in this state but the first time i saw it.

A couple of things you could do while you're waiting,

Invest in an offline boot cd such as ActiveBoot Disk and try manually scanning the registry for malware. I have also found that I get better results with their version of Chkdsk when trying to fix file errors on drives. It would also be a handy tool to have in your trainee toolkit.
Unfortunately I can't afford it right now & the boss doesn't want to, but good info for in the future – thanks.

A lot of people here are going to be straight to the point and may seem a bit "in your face" but, in their own way, they are trying to help. From my own personal reading of the forums I would say that Gazza is probably one of the best examples of this.......Whilst on the topic though kudos for sticking up for yourself, I'm sure you kids will get on just fine ;)
he was a bit more than "in my face" but, as you noticed, i'll stand up for myself – thanks for the kudos! :) it's not that his points were wrong per se, but he was being accusatory without knowing the full picture.

chkdsk would make a difference in your example as it will try to check the disk of the currently selected drive and only that one.

I tried it from C: & it worked, with both the /f & /r switches, but didn't find anything.





It looks like it is gonna have to be a reinstall. A 'defeat' in one sense – I would've liked to know what was going on & actually fix it – but not really: I've learnt a lot & the customer gets a clean machine (if i get hands on it 1st, next time they fill it with junk, i'll be making an image!!), so a win-win in one sense!

cheers for all the help everyone!!
 
Don't worry fellas I have taken a chill pill, I did not mean to offend anyone.

Jeffk, your response and actions with regards to the job that was posted are exactly what I would hope all trainees would do, digging around in the computer dirt is great to see, don't ever stop digging Jeffk.
 
any offense i took, now let go of! cheers for your comment re my responses. I hope to keep diggin for a few years yet! :D
 
try this
The fix for this problem requires a registry edit to remove a reference to the consrv.dll file that was a virus and was removed. edit registry offline.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems

Under these keys, edit the data in the Value Name “Windows”, changing the text “consrv” to “winsrv”. This is a long string so just parse through it and make the one change, here is what a good entry looks like:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

I have bolded the entry that previously said “consrv”
this was a fix a few years ago for a fake av trojan

source a couple weeks ago:
http://blog.crosbydrive.com/?p=245

Yep. Happens when you remove the rootkit behind the malware that hijacks system and kernel startup in windows. Windows throws the bsod when the file consrv no longer exists. Typically if you use ComboFix first you're usually good, because it corrects the registry for you, if you don't, then you are stuck with a bsod. Gotta slave the drive, load the reg hive and correct the startup path.

When I first ran into this a month or two ago, I was about ready to reinstall windows, but that wasn't really an option because the client had 120GB worth of data and work stuff, so it would have taken more time to copy it all than it was worth to just fix the problems at hand (fake av then this bsod) .

Mike

Tapin' the talk from my Droid x2.
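
The registry edit described in the post above, as an added example (not code from the post or the linked source): a Python check that lists the ServerDll modules in the SubSystems "Windows" value data and applies the single consrv-to-winsrv change. The allow-list is an assumption taken from the good entry quoted above, the infected sample is constructed, and the check goes slightly beyond the post by flagging any unexpected module, not only consrv.

```python
import re

# Known-good "Windows" value data, copied from the post above.
GOOD = (r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
        r"SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
        r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
        r"ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
        r"ProfileControl=Off MaxRequestThreads=16")

# Constructed sample: the good value with one ServerDll pointed at consrv.
INFECTED = GOOD.replace("winsrv:ConServerDllInitialization",
                        "consrv:ConServerDllInitialization")

# Assumption: allow-list derived from the good entry; other Windows versions may differ.
EXPECTED_DLLS = {"basesrv", "winsrv", "sxssrv"}

def server_dlls(value):
    """Return the module name of every ServerDll= token, in order."""
    return re.findall(r"(?<!\S)ServerDll=([^\s:,]+)", value, flags=re.IGNORECASE)

def unexpected_dlls(value):
    """Return ServerDll modules that are not on the allow-list."""
    return [d for d in server_dlls(value) if d.lower() not in EXPECTED_DLLS]

def repair(value):
    """Apply the post's fix: change ServerDll=consrv to winsrv, touch nothing else."""
    return re.sub(r"(?<=ServerDll=)consrv(?=[:,])", "winsrv", value,
                  flags=re.IGNORECASE)

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("infected", INFECTED)):
        print(label, "unexpected ServerDll modules:", unexpected_dlls(value) or "none")
    print("repaired:", repair(INFECTED))
```

Run it against the value data exported from the offline-loaded hive for both ControlSet001 and ControlSet002 before writing anything back.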
 
Cheers for that Mike.

Too late for this PC, but good to know for next time!
 