avast!WEBforum
Author Topic: A sort of a report on an infection that I've managed to solve  (Read 700 times)
satyr
« on: August 19, 2006, 03:35:06 PM »

Hello all, I just thought that I might let you know about the infection with the "Haxdoor" trojan that I've managed to solve with the help of the Filemon, Autoruns, but especially Regmon (i.e. with it I noticed the ID of a non-visible process) programs from Sysinternals ...


These were the two Avast Event Viewer events:

AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of D:\WINDOWS\system32\ydsvgd.dll failed, 00000005.

AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: D:\WINDOWS\system32\ydsvgd.dll (D:\WINDOWS\system32\ydsvgd.dll) returning error, 00000005.


If anyone wants to, please see the "/Fixed: HELP: My computer was probably infected and now I am afraid to reboot" thread: http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/464002950831 that I opened on Ars Technica (or alternatively the one at CastleCops similarly titled "/Fixed: My PC probably infected; now I am afraid to reboot") and in which I described the solution (and various interesting techniques I used) to this infection in great detail, of course, with graphical screenshots added ...


satyr

« Last Edit: August 19, 2006, 03:52:43 PM by satyr »

Hey everybody, if you are interested, please check out my personal website: http://tadej-ivan.50webs.com/ and enjoy my computing articles, discoveries, principles, rules, tips etc.
Tech
« Reply #1 on: August 20, 2006, 03:38:39 PM »

failed, 00000005
Scan access denied. Access denied means, generally, that the file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!
You need boot time scanning:

Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want to scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files.
Choose how to automatically process infected system files.
Click the Schedule button to confirm the settings.

Or just run:
"C:\Program Files\ALWIL Software\Avast4\sched.exe" /A:*
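Added example, not part of the thread and not avast! code: a Python triage script that parses the two AAVM event shapes quoted in the first post and lists the files the resident scanner was denied access to, which are the candidates for the boot-time scan described in the reply. It assumes the trailing value is a hexadecimal Win32 error code (5 = ERROR_ACCESS_DENIED, consistent with the reply's reading); the function names and the third sample line are constructed.

```python
import re

# Assumption: the trailing 8-digit value is a hexadecimal Win32 error code.
WIN32_ERRORS = {0x2: "ERROR_FILE_NOT_FOUND", 0x5: "ERROR_ACCESS_DENIED"}

# Two event shapes appear in the thread:
#   "... avfilesScanReal of <path> failed, <code>."
#   "... <path> (<path>) returning error, <code>."
# The backreference keeps paths containing " (" intact, e.g. "Program Files (x86)".
EVENT_RE = re.compile(
    r"^AAVM - scanning (?P<level>error|warning): \S+?(?: \[\w+\])?: "
    r"(?:avfilesScanReal of (?P<p1>.+?) failed"
    r"|(?P<p2>.+?) \((?P=p2)\) returning error)"
    r", (?P<code>[0-9A-Fa-f]{8})\.?$"
)

SAMPLE_EVENTS = [
    # First two lines are the events quoted in the thread; the third is constructed.
    r"AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of D:\WINDOWS\system32\ydsvgd.dll failed, 00000005.",
    r"AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: D:\WINDOWS\system32\ydsvgd.dll (D:\WINDOWS\system32\ydsvgd.dll) returning error, 00000005.",
    r"AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of D:\Temp\example.tmp failed, 00000002.",
]


def parse_event(line):
    """Return level, path and decoded error for one AAVM line, or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {"level": m.group("level"), "path": m.group("p1") or m.group("p2"),
            "code": code, "error": WIN32_ERRORS.get(code, "UNKNOWN")}


def locked_files(lines):
    """Paths the scanner was denied access to, deduplicated case-insensitively
    (Windows paths) and kept in first-seen order."""
    seen = {}
    for line in lines:
        ev = parse_event(line)
        if ev and ev["error"] == "ERROR_ACCESS_DENIED":
            seen.setdefault(ev["path"].lower(), ev["path"])
    return list(seen.values())


if __name__ == "__main__":
    for path in locked_files(SAMPLE_EVENTS):
        print("access denied, schedule a boot-time scan for:", path)
```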