Virus file can't be deleted: access denied

[Mr.Sparkle]

I'm very happy thusfar with avast.  However, a certain file with the Win32 Trojan-gen virus can't be deleted, repaired, or moved: it say's access denied and file cann't be accessed (yesterday it said that the file may be in use).  What do you suggest I do?  Thanks!

[DavidR]

You should find this and the info below of use:

User's FAQ

HTH David

General Virus Removal Help - courtesy of whocares

What WIN do you have? Are all ServicePacks and Windowsupdates applied?
Have you managed to repair/reinstqll avast? so that the resident protection is working again?
-> test with harmless testfile EICAR.COM from www.eicar.com

What were the exact names avast gives the trojans?

Sometimes it's enough to
- clear all TEMP-folders (via drive CleanUp AND best also manually)
- empty Temporary Internet Files folder(s) (via IE->Tools > Options > General - Temporary

Internet files ->Delete files, including OFFLINE files) and
- empty java-Cache or
- disable System Restore on Win ME/XP INCLUDING a REBOOT!! to get rid of it..

Test the file with OnlineScanners e.g. from Trend, RAV & KAV (see below) to get a more specific name (you need to temporarily pause AV-Resident Shield/Monitor/Guard to be able to scan the file online)

(If they all don't show it as infected, please send it in a password-protected zip-file to virus (at) asw (dot) cz Include the Zip-password and a link to this posting in the mailtext)

Spybot, Ad-Aware and CWshredder might also help see www.lurkhere.com ->nicefiles and www.lavasoft.de

-remove the Virus/Malware and it's system modifications according to VirusInfos from Avast, VGREP, TrendMicro, Kaspersky,
AV-Boot-Disks; you might also try searching for the virus name or filename with google, see link in signature below.

General removal procedure:
- disable system restore on Win ME/XP
- kill respective Backdoor/Trojan process with task manager
- search for the file/process names in the registry; remove the malware's startup entries in

The Registry
- disinfect or (if disinfection is not possible) delete the file; this may be possible only after a reboot

If you still can't remove it, you could post a logfile of Hijackthis here:
http//hjt.klaffke.de/en & read this first:

http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html

- Secure your system:
  Change passwords, secure shares, install patches/updates for WIN&IE;
  disable ActiveX and Scripting in IE except for know secure sites - and better use a secure browser like Opera or Mozilla
- Scan your whole system with updated avast and maybe a 2nd scanner ,e.g. TrendMicro/RAV to check whether your PC is clean
- If needed, reenable system restore on Win ME/XP

Further Details and Links via the Forum Search

[whocares]

Have you managed to repair/reinstqll avast? so that the resident protection is working again?
-> test with harmless testfile EICAR.COM from www.eicar.com

@David,

the above is not part of my usual advice, but was for a specific problem where a User's avast installation was damaged/not working properly anymore.

*

@Mr.Sparkle,

more important in this case is:
"Where exactly was the infected File found (full path/folder/filename, e.g. c:\Windows\system32\virusfile.exe) ?"

 

[DavidR]

Thanks for pointing that out.

Perhaps you could post your General Virus Removal Help/Advice as a thread (one of the moderators could pin it to keep it at the top) in one of the forums.

We could then point people to it or people would be able to reference it on a browse of the forums? Teach people to use the tools and the vast amount of information available on the forums.

This would save it having to be posted repeatedly in different posts and the thread could be updated as avast changes.

[RejZoR]

Haha boys,you know how to complicate stuff

All we need is a full file path and filename with extension.
For everything else there is a Boot-Time scan

[Mr.Sparkle]

Thanks for all the advice!  I'm not the most computer literate guy ever; I'm kind of learning on the job.  Here's the file:
c:\_Restore\TEMP\A0454621.CPY

It's funny though, yesterday it said the virus was Win32 Trojan-gen and today it says the virus is Win32 Jeet.

I'm going to go ahead and try some of the other advice as well.  Thanks again, and I look forward to hearing what you have to say.

[DavidR]

Thanks for all the advice!  I'm not the most computer literate guy ever; I'm kind of learning on the job.  Here's the file:
c:\_Restore\TEMP\A0454621.CPY

Try the enable boot time scan in avast settings or try the enable boot time scan with RajZors avast_external_control tool (in his signature).

If that is not successful, you may need to disable system restore to root it out from there as its windows protected area.

WinXP ME - How to disable System Restore

[Mr.Sparkle]

In the menu, the boot time scan is shaded for some reason so that I can't click it.  I tried the help menu but to no avail.  Ideas?

[softwareguy]

Have you tried disabling System Restore as suggested?
These files in the restore file are locked by Windows to prevent tamper of System Restore by other programs.

[DavidR]

In the menu, the boot time scan is shaded for some reason so that I can't click it.  I tried the help menu but to no avail.  Ideas?

Which of the two options that I mentioned did you try that the boot time scan is greyed out (option not available). Was it from the 'start avast anti-virus', Menu, 'Schedule Boot Time Scan' or in RajZor avast External Control Tool?

Please answer questions, it is the only way we can offer a suggestion - Help us to Help you.

You haven't said what OS you use? I beleive the boot time scan may only be available to XP users (confirmation required here, RajZor does ECT, check OS for active menu choices). If that is the case then the option being shaded as you say would be valid.

Did you disable system restore as we have suggested? We need feedback to confirm what we suggest you tried, did it work, etc. if not were there any errors dd the virus come back, where was it this time, etc., etc. We need you input to help you otherwise we are wasting our time.

[whocares]

c:\_Restore\TEMP\A0454621.CPY

--> "C:\_RESTORE" means that Mr.Sparkle seems to use Windows ME, and imho there's no Boot-Time scan there (only in Win NT/2000XP)

 

[DavidR]

--> "C:\_RESTORE" means that Mr.Sparkle seems to use Windows ME, and imho there's no Boot-Time scan there (only in Win NT/2000XP)
 

Wasn't aware that C:\_Restore was ME (never used it), you learn more everyday.

That's is what I thought, only available in XP, now confirmed.

[RejZoR]

Actually its available under all NT system (Win2000/XP/2003).
Boot with the Windows startup floppy/CD and delete those files manually. You can try disabling System Restore if the upper option is too hard for you. I'm not quiet sure if the System Restore folder is entirely purged as in WinXP when you turn off System Restore...

[softwareguy]

What path does XP uses for it's System Restore?  

[Mr.Sparkle]

Yup I use ME, so that would explain things.  Sorry about the lack of info, but I did disable system restore and the virus didn't even appear in the scan.  So maybe I'll just leave system restore off, I never use it anyway.

"Which of the two options that I mentioned did you try that the boot time scan is greyed out (option not available). Was it from the 'start avast anti-virus', Menu, 'Schedule Boot Time Scan' or in RajZor avast External Control Tool?"
 - It was the first one, the 'start avast menu.'  I couldn't find RajZor external control menu.  As for the OS, I'm not really sure what that means (which windows maybe, which we now know is ME).  lack of answers basically has come from me not really knowing what I'm talking about.  
Thanks again guys for the help!