Avast WEBforum

Other => Viruses and worms => Topic started by: Mr.Sparkle on June 19, 2004, 06:44:09 PM

Title: Virus file can't be deleted: access denied
Post by: Mr.Sparkle on June 19, 2004, 06:44:09 PM
I'm very happy thus far with avast. However, a certain file with the Win32 Trojan-gen virus can't be deleted, repaired, or moved: it says access denied and file can't be accessed (yesterday it said that the file may be in use). What do you suggest I do? Thanks!
Title: Re:Virus file can't be deleted: access denied
Post by: DavidR on June 20, 2004, 01:32:01 AM
You should find this and the info below of use:

 User's FAQ (http://forum.avast.com/index.php?board=9;action=display;threadid=4818)

HTH David

General Virus Removal Help - courtesy of whocares

What WIN do you have? Are all ServicePacks and Windowsupdates applied?
Have you managed to repair/reinstall avast? so that the resident protection is working again?
-> test with harmless testfile EICAR.COM from www.eicar.com

What were the exact names avast gives the trojans?

Sometimes it's enough to
- clear all TEMP-folders (via drive CleanUp AND best also manually)
- empty Temporary Internet Files folder(s) (via IE->Tools > Options > General - Temporary Internet files ->Delete files, including OFFLINE files) and
- empty java-Cache or
- disable System Restore (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) on Win ME/XP INCLUDING a REBOOT!! to get rid of it..

Test the file with OnlineScanners e.g. from Trend, RAV & KAV (see below) to get a more specific name (you need to temporarily pause AV-Resident Shield/Monitor/Guard to be able to scan the file online)

(If they all don't show it as infected, please send it in a password-protected zip-file to virus (at) asw (dot) cz Include the Zip-password and a link to this posting in the mailtext)

Spybot, Ad-Aware and CWshredder might also help see www.lurkhere.com ->nicefiles and www.lavasoft.de

- remove the Virus/Malware and its system modifications according to VirusInfos from Avast, VGREP (http://www.virusbtn.com/resources/vgrep), TrendMicro (http://housecall.antivirus.com/housecall), Kaspersky (http://www.kaspersky.com/remoteviruschk.html),
AV-Boot-Disks (http://www.f-prot.com/support/dos/fpdos_faq/06.html); you might also try searching for the virus name or filename with google, see link in signature below.

General removal procedure:
- disable system restore on Win ME/XP
- kill respective Backdoor/Trojan process with task manager
- search for the file/process names in the registry; remove the malware's startup entries in the Registry
- disinfect or (if disinfection is not possible) delete the file; this may be possible only after a reboot

If you still can't remove it, you could post a logfile of Hijackthis here:
http://hjt.klaffke.de/en & read this first:

http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html

- Secure your system:
  Change passwords, secure shares, install patches/updates for WIN&IE;
  disable ActiveX and Scripting in IE except for known secure sites - and better use a secure browser like Opera or Mozilla
- Scan your whole system with updated avast and maybe a 2nd scanner, e.g. TrendMicro/RAV to check whether your PC is clean
- If needed, reenable system restore on Win ME/XP

Further Details and Links via the Forum Search
Title: Re:Virus file can't be deleted: access denied
Post by: whocares on June 20, 2004, 03:55:42 PM
Quote
Have you managed to repair/reinstall avast? so that the resident protection is working again?
-> test with harmless testfile EICAR.COM from www.eicar.com


@David,

the above is not part of my usual advice, but was for a specific problem where a User's avast installation was damaged/not working properly anymore.

*

@Mr.Sparkle,

more important in this case is:
"Where exactly was the infected File found (full path/folder/filename, e.g. c:\Windows\system32\virusfile.exe) ?"

 ;)
Title: Re:Virus file can't be deleted: access denied
Post by: DavidR on June 20, 2004, 04:04:19 PM
Thanks for pointing that out.

Perhaps you could post your General Virus Removal Help/Advice as a thread (one of the moderators could pin it to keep it at the top) in one of the forums.

We could then point people to it or people would be able to reference it on a browse of the forums? Teach people to use the tools and the vast amount of information available on the forums.

This would save it having to be posted repeatedly in different posts and the thread could be updated as avast changes.
Title: Re:Virus file can't be deleted: access denied
Post by: RejZoR on June 20, 2004, 05:16:58 PM
Haha boys, you know how to complicate stuff :D

All we need is a full file path and filename with extension.
For everything else there is a Boot-Time scan :P
Title: Re:Virus file can't be deleted: access denied
Post by: Mr.Sparkle on June 20, 2004, 06:36:08 PM
Thanks for all the advice!  I'm not the most computer literate guy ever; I'm kind of learning on the job.  Here's the file:
c:\_Restore\TEMP\A0454621.CPY

It's funny though, yesterday it said the virus was Win32 Trojan-gen and today it says the virus is Win32 Jeet.

I'm going to go ahead and try some of the other advice as well.  Thanks again, and I look forward to hearing what you have to say.
Title: Re:Virus file can't be deleted: access denied
Post by: DavidR on June 20, 2004, 07:00:51 PM
Quote
Thanks for all the advice!  I'm not the most computer literate guy ever; I'm kind of learning on the job.  Here's the file:
c:\_Restore\TEMP\A0454621.CPY

Try the enable boot time scan in avast settings or try the enable boot time scan with RejZoR's avast_external_control tool (in his signature).

If that is not successful, you may need to disable system restore to root it out from there as it's a Windows protected area.

WinXP ME - How to disable System Restore (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Title: Help with the boot time scan
Post by: Mr.Sparkle on June 21, 2004, 12:44:06 AM
In the menu, the boot time scan is shaded for some reason so that I can't click it.  I tried the help menu but to no avail.  Ideas?
Title: Re:Virus file can't be deleted: access denied
Post by: softwareguy on June 21, 2004, 07:01:13 AM
Have you tried disabling System Restore as suggested?
These files in the restore file are locked by Windows to prevent tampering with System Restore by other programs.
Title: Re:Help with the boot time scan
Post by: DavidR on June 21, 2004, 12:04:27 PM
Quote
In the menu, the boot time scan is shaded for some reason so that I can't click it.  I tried the help menu but to no avail.  Ideas?

Which of the two options that I mentioned did you try that the boot time scan is greyed out (option not available)? Was it from the 'start avast anti-virus', Menu, 'Schedule Boot Time Scan' or in RejZoR's avast External Control Tool?

Please answer questions, it is the only way we can offer a suggestion - Help us to Help you.

You haven't said what OS you use? I believe the boot time scan may only be available to XP users (confirmation required here, RejZoR does ECT, check OS for active menu choices). If that is the case then the option being shaded as you say would be valid.

Did you disable system restore as we have suggested? We need feedback to confirm what we suggest you tried, did it work, etc. if not were there any errors, did the virus come back, where was it this time, etc., etc. We need your input to help you otherwise we are wasting our time.
Title: Re:Virus file can't be deleted: access denied
Post by: whocares on June 21, 2004, 01:38:54 PM

Quote
c:\_Restore\TEMP\A0454621.CPY

--> "C:\_RESTORE" means that Mr.Sparkle seems to use Windows ME, and imho there's no Boot-Time scan there (only in Win NT/2000/XP)

 ;)
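
An added example, not part of any post in this thread: a small triage helper that does what whocares does by eye above, reading the detection path to tell a locked System Restore copy from a cache file or a live file. The Windows XP store location (`System Volume Information\_restore{...}`) is general Windows knowledge rather than something stated in the thread; the first sample path is the one posted in the thread and the rest are constructed.

```python
from pathlib import PureWindowsPath

# Folder names treated as disposable caches (from the thread's cleanup list).
CACHE_DIRS = {"temp", "tmp", "temporary internet files"}
RESTORE_STEP = "disable System Restore, reboot, rescan"


def classify(detection_path):
    """Return (location, os_hint, next_step) for one scanner detection path."""
    p = PureWindowsPath(detection_path)
    raw = p.parts[1:] if p.anchor else p.parts  # drop the "c:\" anchor if present
    parts = [part.lower() for part in raw]
    if not parts:
        return ("unknown", None, "ask for the full path and filename")
    # Restore stores are checked first: the thread's path also contains a TEMP
    # component, but the file is locked because it sits under _RESTORE.
    if parts[0] == "_restore":
        return ("system_restore", "Windows ME", RESTORE_STEP)
    if (parts[0] == "system volume information" and len(parts) > 1
            and parts[1].startswith("_restore{")):
        return ("system_restore", "Windows XP", RESTORE_STEP)
    if any(part in CACHE_DIRS for part in parts[:-1]):
        return ("cache", None, "clear TEMP / Temporary Internet Files, rescan")
    return ("live_file", None,
            "kill process, remove startup entries, then disinfect or delete")


def triage(paths):
    """Group detection paths by location so locked restore copies stand out."""
    groups = {}
    for path in paths:
        location, os_hint, step = classify(path)
        groups.setdefault(location, []).append((path, os_hint, step))
    return groups


# Sample input: first path is from the thread, the others are constructed.
SAMPLE = [
    r"c:\_Restore\TEMP\A0454621.CPY",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe",
    r"C:\WINDOWS\TEMP\setup1.tmp",
    r"c:\Windows\system32\virusfile.exe",
]

if __name__ == "__main__":
    for location, hits in triage(SAMPLE).items():
        for path, os_hint, step in hits:
            print(f"{location:15} {os_hint or '-':11} {path} -> {step}")
```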
Title: Re:Virus file can't be deleted: access denied
Post by: DavidR on June 21, 2004, 01:57:21 PM
Quote
--> "C:\_RESTORE" means that Mr.Sparkle seems to use Windows ME, and imho there's no Boot-Time scan there (only in Win NT/2000/XP)
 ;)

Wasn't aware that C:\_Restore was ME (never used it), you learn more every day.

That is what I thought, only available in XP, now confirmed.
Title: Re:Virus file can't be deleted: access denied
Post by: RejZoR on June 21, 2004, 03:26:36 PM
Actually it's available under all NT systems (Win2000/XP/2003).
Boot with the Windows startup floppy/CD and delete those files manually. You can try disabling System Restore if the upper option is too hard for you. I'm not quite sure if the System Restore folder is entirely purged as in WinXP when you turn off System Restore...
Title: Re:Virus file can't be deleted: access denied
Post by: softwareguy on June 21, 2004, 08:53:34 PM
What path does XP use for its System Restore?  :-\
Title: Re:Virus file can't be deleted: access denied
Post by: Mr.Sparkle on June 21, 2004, 10:05:45 PM
Yup I use ME, so that would explain things.  Sorry about the lack of info, but I did disable system restore and the virus didn't even appear in the scan.  So maybe I'll just leave system restore off, I never use it anyway.

"Which of the two options that I mentioned did you try that the boot time scan is greyed out (option not available). Was it from the 'start avast anti-virus', Menu, 'Schedule Boot Time Scan' or in RejZoR avast External Control Tool?"
 - It was the first one, the 'start avast menu.'  I couldn't find RejZoR external control menu.  As for the OS, I'm not really sure what that means (which windows maybe, which we now know is ME).  Lack of answers basically has come from me not really knowing what I'm talking about.   :P
Thanks again guys for the help!
Title: Re:Virus file can't be deleted: access denied
Post by: DavidR on June 22, 2004, 12:12:04 AM
OS = Operating System and as you now said it's ME, which we now know can't be set to perform a boot time scan by avast. This is why the option is grayed out.

Quote
I couldn't find RejZoR external control menu.

You need to download the program using the link in RejZoR's signature (bottom of each of his posts).

Quote
lack of answers basically has come from me not really knowing what I'm talking about.  

Which is why I gave you the link to the User's FAQ in my first post, if you didn't find it check for the link again (click the text User's FAQ in the post). There is a lot of information that will be useful for you in the future.

Now you know a little more should this happen again.

I wouldn't recommend not having System Restore always disabled. I don't use mine as I use a program that takes an image of my drive and if I have a problem I re-install the previous image, but I still have it enabled on my system.
Title: Re:Virus file can't be deleted: access denied
Post by: kuriboi2k6 on June 27, 2004, 06:58:28 AM
Hi,

I had the exact same problem as Mr.Sparkle and I followed everything you guys said needed to be done. I scanned again and the virus doesn't show up but I had several other viruses that I deleted as well. The problem is that my computer will get really hot to the touch and then just shut off. This has never happened before so I thought it was just a virus. After doing more scans 2 viruses showed up called terminator.exe. I removed them and the problem still exists even though my virus scanner says that my computer has no viruses. Can someone help me?
Title: Re:Virus file can't be deleted: access denied
Post by: DavidR on June 27, 2004, 01:41:38 PM
The temperature thing is totally unrelated to any previous virus activity/infection. As you say your computer is now clear but the heat problem still exists.

You have a hardware problem, possibly a fan (cpu or psu) on its way out and this is usually accompanied by increased noise.

I certainly don't know of any virus (other than human) that will raise the temperature. It may be theoretically possible for a virus program to increase disk and cpu activity, which would raise temperature. But it is down to hardware to cool your system and it would appear to be inadequate or failing.

I am no hardware expert, just built a couple of my own systems.

This topic should not be continued in this forum but as a new topic in the Off Topic forum. There if anyone can help further they will.

Sorry I can't help further
David