Author Topic: Did something stupid.  (Read 6342 times)

AestheticAthlete

  • Guest
Did something stupid.
« on: August 01, 2010, 07:14:09 PM »
My avast detected a Trojan a few days ago.  I ran avast which found the Trojan, and I DELETED IT.  Which I now realise was the wrong thing to do.  After looking on the forum today, I realise I should have cleaned it or moved it to chest if I couldn't clean it.

So now I have an error file that appears every time I start my PC that reads;

Could not run xxx, can not find file; c:/users/xxx/application/xxx.dll (which was the one that had the Trojan)

So basically I need to recover this file (I think).  I'm running a recovery program now, and hopefully I'll be able to recover this file, and everything will be OK.  But something tells me that the recovery program (file scavenger) will not find it, because it was deleted by the avast program and not via the recycle bin/empty recycle bin method.

Is there any way I can fix this or find a way to replace this file to stop the error message from coming up?

BTW the system seems to be running fine apart from the error messages, but I can't be sure.

Thanks in advance for any replies.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89280
  • No support PMs thanks
Re: Did something stupid.
« Reply #1 on: August 01, 2010, 07:44:36 PM »
Yes you have learnt a lesson - Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

First we really need to know the file name and the malware name given by avast?

avast doesn't do anything special when you tell it to delete, but it doesn't send it to the recycle bin, as guess what, avast would alert with it in the recycle bin. Recovery programs should be able to recover files even if they weren't sent to the recycle bin, but the sooner you use it the more chance of success. However on recovery, guess what, yes avast will alert.

It isn't unusual to get errors such as "Could not run xxx, can not find file; c:/users/xxx/application/xxx.dll" because there may simply be a registry entry left behind that is trying to run that file, but we need to know more about the detection to make any determination.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

AestheticAthlete

  • Guest
Re: Did something stupid.
« Reply #2 on: August 01, 2010, 08:18:00 PM »
I don't know if this is right, but in the Scan Log folder, the name of the file deleted was;

C:\Users\xxx\AppData\Local\Temp\exe1.exe

Severity = High

Status = Threat: Win32: Hilot [Trj]

My reasoning is that once I recover the file, Avast can detect it again, and then I can Clean, or Repair it, or move to chest instead of deleting it, and maybe this will stop the error messages I get.

Thanks again.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Did something stupid.
« Reply #3 on: August 01, 2010, 08:45:09 PM »
That is a bad file, Avast deleted it but does not appear to have removed the run key.  If you wish I can do that for you.

 

OTL - Download or alternative link here and here to your desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please attach the contents of these files.

Offline DavidR

Re: Did something stupid.
« Reply #4 on: August 01, 2010, 08:58:07 PM »
I don't know if this is right, but in the Scan Log folder, the name of the file deleted was;

C:\Users\xxx\AppData\Local\Temp\exe1.exe
Status = Threat: Win32: Hilot [Trj]

My reasoning is that once I recover the file, Avast can detect it again, and then I can Clean, or Repair it, or move to chest instead of deleting it, and maybe this will stop the error messages I get.

You're welcome.

Yes it looks like a good detection by avast, follow essexboy's instructions to remove the remaining run command.

However, your hope to be able to recover the file and repair it is flawed. Only for true virus infections can a repair even be attempted. First this doesn't appear to be a legit file given a) its file name, b) its Temp location and c) this isn't a virus infection but a Trojan [Trj].

Only true virus infections can be repaired, e.g. when a virus infects a file it adds a small part to it, provided that virus is one that avast's repair routines cover, then it may be possible to repair the file to its uninfected state.

However, for the most part, trojans (adware/spyware/malware, etc.) can't be repaired because the complete content of the file is malicious.

AestheticAthlete

  • Guest
Re: Did something stupid.
« Reply #5 on: August 01, 2010, 09:55:05 PM »
You're welcome.

Yes it looks like a good detection by avast, follow essexboy's instructions to remove the remaining run command.

However, your hope to be able to recover the file and repair it is flawed. Only for true virus infections can a repair even be attempted. First this doesn't appear to be a legit file given a) its file name, b) its Temp location and c) this isn't a virus infection but a Trojan [Trj].


So me running a recovery program is pretty much pointless as well.  Thanks for explaining it as well.  It's good that I learnt something from all of this.

So me running the above link will display what files from the Trojan are left?
Or there are files commanding a Trojan to start running when my PC starts, and they need to be removed?

Thanks again guys, I'll do that ASAP.

AestheticAthlete

  • Guest
Re: Did something stupid.
« Reply #6 on: August 01, 2010, 10:07:54 PM »
Here it is.

Seems like there's a lot of stuff.
« Last Edit: August 01, 2010, 10:21:28 PM by AestheticAthlete »

Offline DavidR

Re: Did something stupid.
« Reply #7 on: August 01, 2010, 10:44:05 PM »
<snip>
So me running a recovery program is pretty much pointless as well.  Thanks for explaining it as well.  It's good that I learnt something from all of this.

So me running the above link will display what files from the Trojan are left?

In this case yes as there wouldn't be any possibility of a repair by avast as the complete content of the file is malicious. Though having such a program I'm sure will come in handy for other use.

Or there are files commanding a Trojan to start running when my PC starts, and they need to be removed?

Thanks again guys, I'll do that ASAP.

When malware is removed there may be registry entries that originally ran it on boot, and because the file has been removed you get the error message. If there were other such commands to run other things then it would be hoped that avast would also detect those, but no single security application will give 100% detections.

But besides hunting out the entry that was responsible for this particular issue it will give lots of other information (not all of this is suspicious), which may be helpful.

Offline essexboy

Re: Did something stupid.
« Reply #8 on: August 01, 2010, 11:39:44 PM »
Here you go this should kill it

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
O4 - HKCU..\Run: [Nbofakevad] C:\Users\Mish\AppData\Local\insder.DLL File not found
O4 - HKCU..\Run: [Bwarasamoqixates] C:\Users\Mish\AppData\Local\oyowotev.DLL File not found
[2010/07/31 20:15:53 | 000,000,120 | ---- | M] () -- C:\Users\Mish\AppData\Local\Wbesubizebufisaw.dat
[2010/07/31 16:02:39 | 000,000,000 | ---- | M] () -- C:\Users\Mish\AppData\Local\Vdodurifucipisoz.bin
[2010/07/27 17:20:26 | 000,000,670 | ---- | C] () -- C:\Users\Mish\AppData\Local\Tempm.vbs


:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
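
An added example, not part of the thread and not OTL's own code: the fix above targets O4 Run entries that OTL marked "File not found", which are the leftover registry entries behind the startup error. This sketch parses O4 lines in the format shown in the fix and flags entries that are orphaned or start from a user-writable location; the `USER_WRITABLE` list and the last two sample lines are assumptions constructed for illustration.

```python
import re

# Shape of an OTL "O4" autostart line: hive, key, [value name], target text.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<rest>.+)$"
)
MISSING = " File not found"
# Assumption for this example: path fragments a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def parse_o4(line):
    """Return a dict for an O4 line, or None for any other log line."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    missing = rest.endswith(MISSING)
    target = rest[: -len(MISSING)] if missing else rest
    # Drop the trailing "(Company name)" annotation, if present.
    target = re.sub(r"\s+\([^()]*\)$", "", target).strip()
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "target": target, "missing": missing}

def triage(lines):
    """List autostart entries that are orphaned or start from a user-writable path."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        if entry["missing"]:
            reasons.append("orphaned")
        if any(frag in entry["target"].lower() for frag in USER_WRITABLE):
            reasons.append("user-writable")
        if reasons:
            findings.append((entry["hive"], entry["name"], entry["target"], reasons))
    return findings

SAMPLE = [
    r"O4 - HKCU..\Run: [Nbofakevad] C:\Users\Mish\AppData\Local\insder.DLL File not found",
    r"O4 - HKCU..\Run: [Bwarasamoqixates] C:\Users\Mish\AppData\Local\oyowotev.DLL File not found",
    # Constructed lines, not from the thread:
    r"O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe (Example Corp)",
    r"[2010/07/27 17:20:26 | 000,000,670 | ---- | C] () -- C:\Example\notes.txt",
]

if __name__ == "__main__":
    for hive, name, target, reasons in triage(SAMPLE):
        print(f"{hive} Run [{name}] -> {target}: {', '.join(reasons)}")
```

An entry flagged with both reasons matches the pattern in this thread: the payload is gone but the autostart value that launched it from the user profile is still present.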

AestheticAthlete

  • Guest
Re: Did something stupid.
« Reply #9 on: August 02, 2010, 02:09:49 PM »
1st file is what came up as soon as I rebooted. 2nd is the one after Quick Scan.  No error messages on start up.  ALL GOOD!

Offline essexboy

Re: Did something stupid.
« Reply #10 on: August 02, 2010, 08:40:29 PM »
That looks good - If there are no further problems then run OTL and hit the cleanup button and it will disappear

AestheticAthlete

  • Guest
Re: Did something stupid.
« Reply #11 on: August 02, 2010, 10:34:05 PM »
Thank you for your help.