Author Topic: WinXP... can't delete or repair bad files  (Read 5363 times)

0 Members and 1 Guest are viewing this topic.

WayneC

  • Guest
WinXP... can't delete or repair bad files
« on: March 12, 2004, 09:09:37 AM »
I got hit with a bunch of trojans today. Each time Avast! Home found a bad file, it would tell me the file was in use and/or could not be deleted, repaired, etc. Sometimes it offered me the option of scheduling a scan at startup. If I took that option, it would shut WinXP down and restart the system, but after the initial WinXP Pro logo (with the moving dashes in the bar below it) I just get a blank dark grey screen and WinXP never comes up. Tried this 4 different times.

The most troublesome file was a trojan called "Back Door": C:\windows\system32\ewdlhqd.dll

It was a hidden file, and in use, and I could not figure out how to delete it manually, either. I finally downloaded and used Norton AV trial version of Internet Security and it succeeded in getting rid of it.

I would like to stay with Avast! Home, but I don't know what to do when it tells me it cannot delete or repair or rename or quarantine a bad file... what is one supposed to do?

whocares

  • Guest
Re:WinXP... can't delete or repair bad files
« Reply #1 on: March 12, 2004, 09:27:32 AM »
Hi,

please tell us the full, exact name of the trojan as avast and/or Norton reported it (see reports/logs)

it might not be something with AFCORE in it ?

Well...: General Instructions ->

test the file with OnlineScanners e.g. from Trend & KAV (see below) to get a more specific name
(you need to temporarily disable AV-Resident Shields/Monitors to be able to scan the file online)


-remove the Virus/Malware and it's system modifications according to VirusInfos
from Avast, VGREP, TrendMicro, Kaspersky;
you might also try searching for the virus name or filename with google

general removal procedure:
- disable system restore on Win ME/XP
- kill respective Backdoor/Trojan process with task manager
- search for the file/process names in the registry; remove the malware's startup entries in the registry
- disinfect or (if disinfection is not possible) delete the file; this may be possible only after a reboot

WayneC

  • Guest
Re:WinXP... can't delete or repair bad files
« Reply #2 on: March 12, 2004, 10:04:43 AM »
You're giving me credit for being much smarter than I am...

- I don't know how to "disable system restore" or what it does
- I don't think Avast Home has a "task manager"
- I'm not smart enough to fool with registries
- what is "disinfect"

In looking for logs, I didn't find much, but here are recent entries from a couple I did find:

from Resident Protection log:

* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on Thursday, March 11, 2004 6:11:03 PM
* VPS: 0403-7, 03/11/2004
*

C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
During the file delete, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
During the file repair, error occurred: The process cannot access the file because it is being used by another process
During the file repair, error occurred: The process cannot access the file because it is being used by another process
During the file repair, error occurred: The process cannot access the file because it is being used by another process
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
During the file rename/move, error occurred: The process cannot access the file because it is being used by another process
During the file rename/move, error occurred: The process cannot access the file because it is being used by another process
During the file rename/move, error occurred: The process cannot access the file because it is being used by another process
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)

*
* Task stopped: Thursday, March 11, 2004 7:07:09 PM
* Run-time was 56 minute(s), 6 second(s)

Note: multiple entries above are because Avast! continually bugged me about that file and wouldn't delete it so I had to stop Avast! in order to do anything else with the computer.
*********************************************************************************************

from ASW Boot log:

11/03/2004 11:10
Scan of all local drives

File C:\Documents and Settings\Me\Local Settings\Temp\arcebxe.dll is infected by Win32:Trojan-gen. {Other}
----------------------------------------
11/03/2004 11:13
Scan of all local drives

File C:\Documents and Settings\Me\Local Settings\Temp\arcebxe.dll is infected by Win32:Trojan-gen. {Other}
----------------------------------------
11/03/2004 11:21
Scan of all local drives


11/03/2004 19:08
Scan of all local drives

File C:\Documents and Settings\Me\Local Settings\Temp\arcebxe.dll is infected by Win32:Trojan-gen. {Other}


Note: entries above appear to have been generated whilst the system was rebooting after I asked for a scan on restart; none of those scans on restart seemed to finish as I only got a blank screen after the initial WinXP logo, and WinXP never came back up.
**********************************************************************************************

My questions, though, are a bit more generic:

1. Why doesn't Avast! run a scan on WinXP startup as it says it will and seems to try to do? (ie, something is failing there)

2. If Avast! can't delete a file because it is hidden or in use, and the scan on startup doesn't work, then how DO you get rid of the file?

« Last Edit: March 12, 2004, 10:20:47 AM by WayneC »

whocares

  • Guest
Re:WinXP... can't delete or repair bad files
« Reply #3 on: March 12, 2004, 10:17:12 AM »
Hi,

I thought your system is clean again ?
just some generel info for next time  ;)

google.com and the board search above will help you search for any expressions you don't understand..

I suspect it would be this one:
http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=afcore&product=2
-> AFcore probably the "Q"-variant

Don't believe the "Avast: undetected" in some entries, VGREP is usually outdated by a good 1-2 months

 ;)

whocares

  • Guest
Re:WinXP... can't delete or repair bad files
« Reply #4 on: March 12, 2004, 10:21:28 AM »
1) don't know; you'd have to ask the developers (never neded a bootscan so far). Could be that the dll-file gets recreated only AFTER the boot; then you'd have some other malware on your PC
-> read above VGREP-Link, and tell us, what Symantec scanner said about the file

2) you get informnation about the virus/trojan, and then remove it according to the instructions.. (if avast or its special virus Cleaner doesn't pick it up) ;)

whocares

  • Guest
Re:WinXP... can't delete or repair bad files
« Reply #5 on: March 12, 2004, 10:30:00 AM »
You maybe had an active Backdoor on your PC:
you should scan thoruoghly with uptodate avast, and onlinescanners from www.trendmicro.com and www.ravantivirus.com

- also go to www.lurkhere.com -> nicefiles
- download HIJACKTHIS from there und unzip it into a new empty folder
- run it, click scan, then Save logfile ... copy the contents of the logfile here
« Last Edit: March 12, 2004, 01:40:15 PM by whocares »

WayneC

  • Guest
Re:WinXP... can't delete or repair bad files
« Reply #6 on: March 12, 2004, 10:39:04 AM »

I thought your system is clean again ?


It is relatively clean (at least I did get rid of the trojan in the logs of my previous reply that was driving me nuts with Avast! virus alert windows every 10 seconds) but I had to use Norton Internet Security trial download to get rid of it, and Norton is scanning and finding more bad guys even as I write this... so is the answer to pay for Norton rather than hope/expect Avast! Home can do the job?

WayneC

  • Guest
Re:WinXP... can't delete or repair bad files
« Reply #7 on: March 12, 2004, 10:56:25 AM »
You maybe had an active Backdoor on your PC:
you should scan thoruoghly with uptodate avast, and onlinescanners from www.trendmicro.com and www.ravantivirus.com

- also go to ww.lurkhere.com -> nicefiles
- download HIJACKTHIS from there und unzip it into a new empty folder
- run it, clcik scan, then Save logfile ... copy the contents of the logfile here


Yes, I think I did have an active backdoor... I was trying to close it.

Thanks for the other sites, I've bookmarked them. I'll try online scanning tomorrow, it's way past my bedtime.