Consrv.dll multiple copies to "Virus Chest" 21 to be exact in last day

New to Avast and forum. Greetings! Windows 7 home with Avast Free version with latest updates. Every so often, usually after boot, Avast pops up to notify of moving consrv.dll to Virus Chest. Please advise. There are currently 21 copies of that file quarantined.

Update: Microsoft Security Essentials pop-up potential threat Trojan:Win64/Sirefef.B. Should I select the “remove” option?

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use Comodo Cleaning Essentials (CCE), or MBAM, or SUPERantispyware to scan for spywares and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Read these instructions and provide more info with the logs generated. But, please, do NOT post there, open a NEW thread for your specific problem and help us to help you.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then reenable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

If the infection avoids booting the computer, take a look here http://forum.avast.com/index.php?topic=79107.0

Update: Microsoft Security Essentials pop-up potential threat Trojan:Win64/Sirefef.B. Should I select the "remove" option?
Does this mean that you have avast and MSE installed?

Running multiple antivirus programs can/will create all kinds of Windows errors and false positive detections…

Thanks.
Uninstalled MS Security Essentials.
I have Spy-bot S&D 2 Installed, should I remove?
Going down “Tech”'s list. Currently running Avast Antirootkit(found 2 so far)

Yes.

Consrv.dll…this can be a nasty one if correct

Essexboy is notified and will have a look when he arrives…you should wait for his advice and not remove Consrv.dll

Hi could you run the logs in this thread please and post them here http://forum.avast.com/index.php?topic=53253.0

Thanks. Spybot being uninstalled. Avast Antirootkit found 2 and “error” returned on “fix Now”. Will wait on Essexboy for advisement

Well, see Reply #6…!! :wink:

Mbam and OTL logs

It appears to be a partial install of ZeroAccess, so let's remove it safely

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Appears to be running better, not a lot of testing yet. Attached Combofix log

Darn, was feelin kinda tough until that last Avast warning popped up. Another consrv.dll computer at risk trojan message:

TROJAN HORSE BLOCKED
C:\windows\system32\consrv.dll
Threat: Win32sirefef:JQ[trj]

Hmm it is unusual that CF did not fully kill it

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

THEN

Re-run OTL with the following script in the custom scans and fixes box - then press run scan

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /s
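
The last line of that script dumps the Session Manager SubSystems key. As an added example (not part of the thread and not output from OTL), the sketch below parses the key's "Windows" value and lists the ServerDll modules csrss.exe is told to load. The allowlist of stock Windows 7 modules and both sample strings are assumptions constructed for illustration.

```python
import re

# Assumption: ServerDll modules named in a stock Windows 7 "Windows" value.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed sample values (not taken from the poster's logs).
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    r"ProfileControl=Off MaxRequestThreads=16"
)
# Same value with the console server entry pointed at consrv instead of winsrv.
HIJACKED_VALUE = CLEAN_VALUE.replace(
    "winsrv:ConServerDllInitialization", "consrv:ConServerDllInitialization"
)

# ServerDll=<module>[:<init routine>][,<index>]
SERVER_DLL_RE = re.compile(
    r"ServerDll=([^\s:,]+)(?::([^\s,]+))?(?:,(\d+))?", re.IGNORECASE
)


def parse_server_dlls(value):
    """Return (module, init_routine, index) for every ServerDll= token."""
    return [
        (m.group(1).lower(), m.group(2), int(m.group(3)) if m.group(3) else None)
        for m in SERVER_DLL_RE.finditer(value)
    ]


def unexpected_server_dlls(value, expected=EXPECTED_SERVER_DLLS):
    """Modules named in the value that are not on the allowlist."""
    return sorted({mod for mod, _, _ in parse_server_dlls(value)} - set(expected))


def is_referenced(dll_name, value):
    """True if the value still names this DLL. csrss.exe loads every module
    listed here at boot, so a referenced file should not be deleted until
    the value itself has been repaired."""
    stem = dll_name.lower()
    if stem.endswith(".dll"):
        stem = stem[:-4]
    return any(mod == stem for mod, _, _ in parse_server_dlls(value))


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("hijacked", HIJACKED_VALUE)):
        print(label, unexpected_server_dlls(value), is_referenced("consrv.dll", value))
```
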

Good Morning. After running scans as requested, I am still getting the Avast “Trojan Horse” pop-up.

Where is Avast reporting consrv? Is it in System Restore?

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2011/07/30 19:50:55 | 000,010,166 | -HS- | C] () -- C:\ProgramData\3q3dj126n4eiqaa1u7p250p14vw626dp2a
[2011/07/30 19:50:55 | 000,010,048 | -HS- | C] () -- C:\Users\joe\AppData\Local\3q3dj126n4eiqaa1u7p250p14vw626dp2a
[2011/07/30 19:50:55 | 000,000,000 | ---- | C] () -- C:\ProgramData\pehw.exe
[2011/07/30 19:50:55 | 000,000,000 | ---- | C] () -- C:\ProgramData\emnh.exe
[2011/07/30 19:50:55 | 000,000,000 | ---- | C] () -- C:\ProgramData\cxpy.exe
[2011/07/30 19:50:55 | 000,000,000 | ---- | C] () -- C:\ProgramData\aeyq.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Screenshot attached. Please note the time between occurrences 16:03 or 16:04, kinda bizarre. I’ll wait to run your script until you check this out.
Thanks

Run the fix please as the exe files may be regenerating the malware

Fix and scan as requested, log attached. Thanks.

When I just woke the PC from power save, it popped the Avast “Trojan Horse Message” again.