{"id":72,"date":"2011-10-14T03:20:11","date_gmt":"2011-10-14T03:20:11","guid":{"rendered":"http:\/\/triplescomputers.com\/blog\/?p=72"},"modified":"2012-07-29T21:52:59","modified_gmt":"2012-07-30T02:52:59","slug":"stop-c0000135-the-program-can%e2%80%99t-start-because-consrv-is-missing-try-resintalling-the-program","status":"publish","type":"post","link":"https:\/\/triplescomputers.com\/blog\/casestudies\/stop-c0000135-the-program-can%e2%80%99t-start-because-consrv-is-missing-try-resintalling-the-program\/","title":{"rendered":"STOP: c0000135 &#8211; The program can\u2019t start because consrv is missing. Try reinstalling the program."},"content":{"rendered":"<p>Getting this error? \u00a0Wouldn&#8217;t you know, it&#8217;s actually the product of a nasty little rootkit called ZeroAccess (MAX++), with which you may be familiar. \u00a0The 64-bit variant that causes this error uses a file named consrv.dll to get itself loaded at boot. \u00a0Among other things, this rootkit drops a file called <strong>consrv.dll<\/strong> into the %SYSTEMROOT%\\system32 folder and rewrites the Windows subsystem configuration in the registry so that csrss.exe loads it. 
\u00a0It&#8217;s the registry reference to this file which wreaks the havoc once the file itself is removed by any means (antivirus, offline deletion, etc.): csrss.exe is still told to load consrv.dll, the load fails with STATUS_DLL_NOT_FOUND (0xC0000135), and since the Windows subsystem cannot start without it, the system halts with that code.<\/p>\n<p>To rectify the problem, you will need to open the <em>%SYSTEMROOT%\\system32\\config\\SYSTEM<\/em> registry hive offline (either by running <strong>regedit<\/strong> from the Windows Recovery Environment command prompt and using <strong>File &gt; Load Hive&#8230;<\/strong>, or by booting another operating system and loading the hive in the same manner) and change the entry the rootkit modified back to its default value. \u00a0A loaded hive appears under whatever key name you give it (for example HKEY_LOCAL_MACHINE\\Offline), so substitute that name for <strong>SYSTEM<\/strong> in the paths below.<\/p>\n<p>On the infected machine, the string data (type REG_EXPAND_SZ) of the <strong>Windows<\/strong> value in\u00a0<strong>HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SubSystems<\/strong> looks like this:<\/p>\n<blockquote>\n<div>%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=<strong>consrv<\/strong>:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16<\/div>\n<\/blockquote>\n<div>This value is wrong: the rootkit replaced the console server module <strong>winsrv<\/strong> with its own <strong>consrv<\/strong> so that its DLL is loaded into csrss.exe at every boot, and it is that reference which generates your c0000135 stop error once the DLL is gone. \u00a0Nothing else in the string has been touched, so change only that entry, restoring the default:<\/div>\n<blockquote>\n<div>%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=<strong>winsrv<\/strong>:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16<\/div>\n<\/blockquote>\n<p>This will solve the boot problem; it does not remove the rest of the infection, so treat it as the first step of the cleanup rather than the last. 
\u00a0Please note that you should also make the same change in\u00a0<strong>HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\&#8230;<\/strong> and in any other ControlSet<em>NNN<\/em> key present in the hive: an offline hive has no CurrentControlSet link, and the values under <strong>HKEY_LOCAL_MACHINE\\SYSTEM\\Select<\/strong> (Current, Default) record which numbered control set the machine actually boots from.<\/p>\n<p>For a little more background, on the machine I was repairing, the rootkit was accompanied by an additional MBR bootkit of the family\u00a0<strong>Rootkit.boot.Pihar.a<\/strong>. \u00a0TDSSKiller took care of that one and restored a clean MBR. \u00a0In addition, plenty of other malware was along for the ride (all of it predictably hidden by the rootkit combo). \u00a0It was a nasty situation, but nothing I couldn&#8217;t handle. \ud83d\ude09<br \/>\nI hope you have found this case study useful. \u00a0<em>Please let me know if it has helped you!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Getting this error? \u00a0Wouldn&#8217;t you know, it&#8217;s actually the product of a nasty little rootkit called ZeroAccess (MAX++), with which you may be familiar. \u00a0The 64-bit variant that causes this error uses a file named consrv.dll to get itself &hellip; <a href=\"https:\/\/triplescomputers.com\/blog\/casestudies\/stop-c0000135-the-program-can%e2%80%99t-start-because-consrv-is-missing-try-resintalling-the-program\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[27,11,89,8,32,26,88],"class_list":["post-72","post","type-post","status-publish","format-standard","hentry","category-casestudies","category-security","tag-blue-screen","tag-malware","tag-offline","tag-registry","tag-rootkit","tag-stop-error","tag-zeroaccess"],"_links":{"self":[{"href":"https:\/\/triplescomputers.com\/blog\/wp-json\/wp\/v2\/posts\/72","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/triplescomputers.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/triplescomputers.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/triplescomputers.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/triplescomputers.com\/blog\/wp-json\/wp\/v2\/comments?post=72"}],"version-history":[{"count":0,"href":"https:\/\/triplescomputers.com\/blog\/wp-json\/wp\/v2\/posts\/72\/revisions"}],"wp:attachment":[{"href":"https:\/\/triplescomputers.com\/blog\/wp-json\/wp\/v2\/media?parent=72"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/triplescomputers.com\/blog\/wp-json\/wp\/v2\/categories?post=72"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/triplescomputers.com\/blog\/wp-json\/wp\/v2\/tags?post=72"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
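The offline hive repair the post walks through in regedit, as a PowerShell script that can be run from the Windows Recovery Environment command prompt or from a clean Windows installation with the infected disk attached. This is an added example, not code from the original post or from the blog's author: it assumes the infected system volume is mounted as D: (so the hive is D:\Windows\System32\config\SYSTEM) and mounts it under the temporary key name HKLM\Offline; both are assumptions, so adjust `$OfflineSystemHive` and `$MountName` to match. It goes slightly beyond the manual walkthrough in that it reads HKLM\SYSTEM\Select to report which control set the machine boots from and repairs every ControlSetNNN it finds, not just ControlSet001 and ControlSet002.

```powershell
# Added example, not from the original post. Repairs the ZeroAccess-modified
# SubSystems\Windows value in an OFFLINE SYSTEM hive. Run elevated from WinRE
# or from a clean Windows install with the infected disk attached.
# Assumptions: the infected OS volume is D:, the temporary mount name is HKLM\Offline.
$OfflineSystemHive = 'D:\Windows\System32\config\SYSTEM'   # assumption: adjust the drive letter
$MountName         = 'Offline'                             # assumption: any unused key name under HKLM

# The rootkit's console-server entry and the stock Windows entry it replaced.
$BadEntry  = 'ServerDll=consrv:ConServerDllInitialization,2'
$GoodEntry = 'ServerDll=winsrv:ConServerDllInitialization,2'

function Repair-SubSystemsValue {
    # Returns the Windows value data with the consrv entry swapped back to winsrv.
    # Everything else (SharedSection, basesrv, sxssrv, ...) is left untouched.
    param([Parameter(Mandatory)][string]$Data)
    return $Data -replace [regex]::Escape($BadEntry), $GoodEntry
}

# 1. Mount the offline hive as HKLM\<MountName> (fails if the hive is in use or you are not elevated).
reg.exe load "HKLM\$MountName" $OfflineSystemHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $OfflineSystemHive" }

try {
    # 2. An offline hive has no CurrentControlSet link; Select\Current and Select\Default
    #    hold the number of the ControlSetNNN the machine uses.
    $select = Get-ItemProperty -Path "HKLM:\$MountName\Select"
    Write-Host ("Boot control set: Current=ControlSet{0:D3} Default=ControlSet{1:D3}" -f $select.Current, $select.Default)

    # 3. Fix every ControlSetNNN present, not only the current one.
    Get-ChildItem -Path "HKLM:\$MountName" |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object {
            $subsys = "HKLM:\$MountName\$($_.PSChildName)\Control\Session Manager\SubSystems"
            $data   = (Get-ItemProperty -Path $subsys -Name Windows).Windows
            if ($data -like "*$BadEntry*") {
                $fixed = Repair-SubSystemsValue -Data $data
                # Keep the REG_EXPAND_SZ type so %SystemRoot% still expands at boot.
                Set-ItemProperty -Path $subsys -Name Windows -Value $fixed -Type ExpandString
                Write-Host "$($_.PSChildName): consrv reference replaced with winsrv"
            } else {
                Write-Host "$($_.PSChildName): no consrv reference present"
            }
        }
}
finally {
    # 4. Drop PowerShell's open key handles, then unmount; reg unload fails while keys are open.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg.exe unload "HKLM\$MountName" | Out-Null
}

# 5. If the dropped DLL is still on disk (the AV may only have quarantined a copy), flag it
#    for the rest of the cleanup rather than deleting it blindly.
$dropped = Join-Path (Split-Path -Parent (Split-Path -Parent $OfflineSystemHive)) 'consrv.dll'
if (Test-Path -LiteralPath $dropped) {
    Write-Warning "$dropped still exists; inspect and remove it as part of the malware cleanup"
}
```

If `reg unload` reports that the hive is in use, close any regedit window that has the Offline key open and run the unload again; the hive must be unmounted cleanly before the machine is rebooted. As the post says, this only restores the ability to boot: the bootkit and the hidden payloads still have to be removed afterwards.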