It started about a week ago. It comes up randomly. Sometimes it will or wont come up. For example: it will come up if I open Internet Explorer or Mircosoft Word, or any other program on my computer, sometimes Skype as well. Then it says do a boot-scan right after it disapears or I click off of it.

It does ot on its own. I have reported it false many times, but it keeps showing up and sometimes prevets things from opening right away because of it. I have scan with diff softwares including Avast over and over and I do the boot-scan, but it keeps happening.

Does anyone know what this is or how to help? I will provide more in-depth details if needed. Also a side note: it all derives from one file that apparently can only be found in avast, because when I go to the actual folder, I cant find it or maybe I’m going to the wrong thing. Thanks in advance!

But the all derive from the same source: C:\Windows\assembly\tmp\U\80000032.@

I don’t believe this is a false positive but the noaccess (if I remembered the name correctly) malware - This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and start your own new topic and attach the logs there, not in the LOGS topic.

Obviously you won’t have to run the aswMBR tool again. From my limited knowledge of this tool it looks clean. So if you post the other OTL logs, etc. we can have someone take a look at them.

Correct it is either zero access or conserv.dll

Thanks for the correct name essexboy. Hopefully the OP won’t be long in getting the OTL logs posted.

Here is the Malwarebytes log:
Malwarebytes’ Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7938

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/13/2011 8:51:40 PM
mbam-log-2011-10-13 (20-51-40).txt

Scan type: Quick scan
Objects scanned: 185154
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It will not let me upload the OTL file. Every time I place it in there for the Browse option and click post it clears it. It is under the allowed KB, I dont know why it wont post.

Use the Additional Options link in the Reply window, that will let you attach your OTL log file/s if they are under 200KB. If larger then they can be uploaded to a file share site:

• You can use a file sharing site such as Mediafire.com - Upload to http://www.mediafire.com/ and post the sharing link.

Here is the OTL: http://www.mediafire.com/?kx12btmiywr6kwj

OK, you will be playing a bit of time zone ping pong, it is now 2:42am in the UK so essexboy will be in bed now. He should be back on-line later this evening.

Ok. Thanks. I cant wait to hear the solution.

This is the conserve variant

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

• IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Everything seems to be fine now. I will let you know if anything occurs in teh next few days or so. Thanks a lot. Do I need to continue to keep the Combo Fix on my desktop or can I delete it? Also, is there any way to avoid this from happening again, since Avast couldn’t stop it the first time?

Here’s the Combo Fix Log: http://www.mediafire.com/?0qngicnb8nsmu6v

Give it a day or so and if no problem report back; then essexboy will give instructions on how to remove the tools and any other general advice.

Not really as to date this one bypasses all AV’s

Could you open Avast
Select the virus chest
Right click in the blank space and select add
Navigate to c:\Qoobox\c:\windows\system32\consrv.dll
Select that file and then once it is in the chest
Right click and select send to virus labs
Fill in the form and select potential malware
Manually update Avast to send it

If all is well tomorrow - let me know and I will remove my tools

Everything seems to be back to normal. The only thing I notice is that when run a full scan with Avast, it still pops as they found it even though I am no longer having any problems with anything. I assume this is normal? If so, I believe everything else is fine and I am ready to remove your wonderful tools.

Do you mean you ars still getting these detections, in C:\Windows\assembly\tmp\U\80000032.@ ?

Or is it something else, can you give more details, file name, location and malware name and location, etc.

You say you are doing a full scan is that the default Full System Scan or a custom one you created ?

Does it detect it within the qoobox folder only ?

No I am no longer getting the detections. Its just when I run the standard full scan with Avast, it comes up as one of the threats when it is finished.

I have none of the same problems I had before you helped me, it just shows up in the Avast, ONLY when I run a quick or full scan.

Here are the files that show up - C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir
and the other is - C:\Windows\assembly\tmp\kwrd.dll

Other than it showing up in the scan, as far as I can tell everything with my computer runs just fine.

Ok lets kill the one not in qoobox

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files ipconfig /flushdns /c C:\Windows\assembly\tmp\kwrd.dll

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

Did everything you said. Here is the OTL Log you asked for: http://www.megaupload.com/?d=IP470BWQ

How is the system bahaving now ?