Avast Error Message, I cannot move trojan to chest

Hi,

I got an alert from Avast about a Trojan. It recommended that I move it to chest. When I click the “Move To Chest” button, an error message appears saying:

Avast!: This process cannot access the file cause it is being used by another process. Cannot process"C:/Documents and Settings/Dog/LocalSettings/Temporary Internet Files/Content.IE5/Z6GBVRWV/dep(1).png" file

I closed all programs and only left my anti spyware and avast (running in the background as usual). They were not making any scans. I tried again but still receive the same error message.

Any idea please?

Thanks a lot,
Karl Sultana

What was the name of the malware detected?

Have you tried running a boot time scan?

There may be an element of the infection not detected by avast! or your anti-spyware program, so try some other scans: AVG Anti-Spyware, Ad-Aware, Spybot.

Try cleaning out temp files with CleanUp!

http://www.stevengould.org/software/cleanup/

Hi,

I could not “Move To Chest” so I clicked “Delete” the trojan. That worked. Now I made a full system scan to see what happens. Since I deleted the trojan I do not know its name.

I also cleaned Temporary Internet Files. Thanks for support.

Karl

It is strange to get an alert on a .png file, I think that is why Frank asked for the malware name of the detection.
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

Whilst it was in a temp folder, deletion shouldn’t cause a problem, but deletion isn’t really a good first option (you have none left): ‘first do no harm’, don’t delete, send the virus to the chest and investigate. Since it was in use, it was probably being displayed in your browser; closing the browser may have removed the lock and allowed for the move to chest. Though why it can be deleted yet not moved to the Chest is strange, as the in-use lock should affect both actions in the same way.

It is strange to get an alert on a .png file, I think that is why Frank asked for the malware name of the detection.

Yes, I was probably thinking something along those lines. It did strike me as odd - .png is just an image file, but then file extensions can be hidden, or a file given an extension that doesn’t match the body - or at least it’s better to err on the side of caution and assume this might be happening. The name of the malware might have indicated if this file name and type was typical of the malware activity or off-base and probably a FP.
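An added example (not part of the original thread) of checking whether a file's leading bytes agree with its extension, the mismatch raised in the post above. Treating RIFF/ACON (the animated cursor container) as the format behind the Ani-BN detection name is an assumption; the byte strings and the `C:\cache` path are constructed.

```python
import ntpath

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Content type -> extensions that honestly describe it.
EXPECTED_EXT = {
    "png": {".png"},
    "gif": {".gif"},
    "jpeg": {".jpg", ".jpeg"},
    "riff-acon": {".ani"},   # assumption: format relevant to the Ani-BN name
    "pe": {".exe", ".dll", ".scr"},
}

def sniff(data):
    """Classify a file by its leading bytes, ignoring its name."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:4] == b"RIFF" and data[8:12] == b"ACON":
        return "riff-acon"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"

def check_file(path, data):
    """Compare the extension in a Windows path with the sniffed content."""
    ext = ntpath.splitext(path)[1].lower()
    content = sniff(data)
    if content == "unknown":
        verdict = "unverified"      # no known signature: cannot confirm the name
    elif ext in EXPECTED_EXT[content]:
        verdict = "match"
    else:
        verdict = "mismatch"        # name claims one type, bytes say another
    return {"extension": ext, "content": content, "verdict": verdict}

# Constructed header bytes, not samples from the thread.
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR"
RIFF_AS_PNG = b"RIFF" + (36).to_bytes(4, "little") + b"ACON" + b"anih"
PE_AS_PNG = b"MZ\x90\x00"

if __name__ == "__main__":
    for label, blob in [("real", REAL_PNG), ("riff", RIFF_AS_PNG), ("pe", PE_AS_PNG)]:
        print(label, check_file(r"C:\cache\dep[1].png", blob))
```

A "mismatch" verdict on a cached `.png` is a reason to quarantine the file and submit it for analysis rather than dismiss the alert as a false positive.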

Hi,

I used the avast! Log Viewer and here is the information I found. This goes under the WARNING icon:

12/23/2006 7:31:49 AM SYSTEM 1252 Sign of “VBS:Malware [Encrypted]” has been found in “http://www.sharpinfosys.com/seo/web-hosting-designing.htm” file.

1/5/2007 12:13:02 AM SYSTEM 1440 Sign of “Win32:Diamin-DN [Trj]” has been found in “http://deposito.trafficadvance.net/2779-23-exe.exe\[UPX]” file.

1/5/2007 12:13:03 AM SYSTEM 1440 Sign of “Win32:Diamin-DN [Trj]” has been found in “C:\DOCUME~1\Dog\LOCALS~1\Temp\o8lb3kad.exe[UPX]” file.

1/5/2007 12:13:48 AM SYSTEM 1440 Sign of “Win32:Diamin-DN [Trj]” has been found in “C:\Documents and Settings\Dog\Local Settings\Application Data\Mozilla\Firefox\Profiles\yzhqnzf7.default\Cache\80859403d01[UPX]” file.

1/7/2007 8:57:32 AM SYSTEM 1244 Sign of “Win32:Diamin-DN [Trj]” has been found in “http://deposito.traffic-advance.net/3991-76-exe.exe\[UPX]” file.

1/7/2007 8:57:35 AM SYSTEM 1244 Sign of “Win32:Diamin-DN [Trj]” has been found in “C:\DOCUME~1\Dog\LOCALS~1\Temp\l5i59ptf.exe[UPX]” file.

1/7/2007 8:58:17 AM SYSTEM 1244 Sign of “Win32:Diamin-DN [Trj]” has been found in “C:\Documents and Settings\Dog\Local Settings\Application Data\Mozilla\Firefox\Profiles\yzhqnzf7.default\Cache\BD0CFDAFd01[UPX]” file.

3/8/2007 3:00:21 PM SYSTEM 1244 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.

3/8/2007 3:00:25 PM SYSTEM 1244 An error has occured while attempting to update. Please check the logs.

3/13/2007 7:30:42 AM Claire 464 Function setifaceUpdatePackages() has failed. Return code is 0x00000426, dwRes is 006E006F.

3/13/2007 7:33:59 AM Claire 464 Function setifaceUpdatePackages() has failed. Return code is 0x00000426, dwRes is 00000000.

3/19/2007 1:58:37 AM SYSTEM 1260 Sign of “VBS:Malware [Script]” has been found in “C:\Program Files\Evrsoft First Page 2006\Iscripts\Buttons\is-KDFD2.tmp” file.

4/27/2007 12:22:54 AM SYSTEM 1136 Sign of “Win32:Ani-BN [Trj]” has been found in “C:\Documents and Settings\Dog\Local Settings\Temporary Internet Files\Content.IE5\Z6GBVRWV\dep[1].png” file.

4/27/2007 3:25:57 AM Dog 3664 Sign of “Win32:Ani-BN [Trj]” has been found in “C:\Documents and Settings\Dog\Local Settings\Temporary Internet Files\Content.IE5\Z6GBVRWV\dep[1].png” file.

(I hit enter after each entry) Hope these are not too long. Under other icons like EMERGENCY etc there was nothing.

After I made a scan today, it found another virus or trojan and I was able to move it to chest.

Thanks a lot for support,
Karl Sultana

We were only really interested in the information about this detection not all previous, but no matter.

Well this is strange.

Sign of “Win32:Ani-BN [Trj]” has been found in “C:\Documents and Settings\Dog\Local Settings\Temporary Internet Files\Content.IE5\Z6GBVRWV\dep[1].png” file.

This detection is associated with a Windows exploit about how Windows handles animated image files and I thought that this was relating to animated .gif files, but as .png can also be animated, I don’t really know if it applies to .png files. Perhaps it may have been a valid detection, perhaps not; it would have been nice were you able to have saved it to the chest or uploaded it to VirusTotal or Jotti before killing it.

What surprises me more is the fact that this isn’t being caught by the Web Shield before it gets into your temporary internet files folder.

What Operating System are you using? Is it up to date?
Is the Web Shield enabled and working (files being scanned, Scanned Total: increasing)?
What is your firewall?

Hi,

I wish to add that my computer does not have any problems. When I did a full scan it found another trojan or virus and I was able to move it to the chest.

My operating system is Windows XP Service Pack 2, and I downloaded latest updates. Web Shield is also enabled, set as HIGH. Everything is enabled :)

I use Windows XP firewall. No other software.

Thanks,
Karl Sultana

Hi,

Sorry for second message and thank you for your support.

Just recently Avast told me that it found another malware.

Malware name: Win32:Ani-BN [Trj]

Malware type: Trojan Horse

VPS Version: 000741-4, 05/18/2007

Then I tried to move it to chest and got the same error message:

Avast!: This process cannot access the file cause it is being used by another process. Cannot process"C:\Documents and Settings\Dog\Local Settings\Temporary Internet Files\Content.IE5\7CZNFGRF\dep[1].png" file

(a different file name)

I deleted it, since I could not move to chest.

Thanks,
Karl Sultana

This is the same thing coming back and it appears to be able to either bypass the web shield (if it is being downloaded) or there is something else generating/restoring it. Looking at the Web Shield exclusions, the .png files aren’t scanned, as there is an avast-set MIME type exclusion for mime/png files.

I would have suggested adding png to the list of files to be scanned, but this isn’t as easy as it at first sounds, since my settings are set to scan all files (Customize, Web Scanning tab), which greys out the addition of the MIME file type. You would also have to set it to Scan files of selected type only and you would have to indicate what other file types to scan (this I feel could leave you more vulnerable if you missed any out).

It is the same file name, just in a different temporary internet files folder, to the one you posted from the avast log viewer.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware. There are others, Comodo, PCTools Firewall Plus, Sunbelt Kerio, Jetico, etc.

See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml
Also see http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php later set of results
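An added example (not part of the original thread) of spotting the recurrence noted in the post above, the same file name under the same signature in more than one cache folder, by parsing warning entries in the form posted earlier. The line format is inferred from those posted entries; the last sample entry is constructed from the second alert, so its timestamp, user and process id are placeholders.

```python
import ntpath
import re
from collections import defaultdict

# Shape of a detection entry as posted in the thread:
# date, time, AM/PM, user, process id, then the "Sign of ... found in ..." text.
ENTRY = re.compile(
    r"^(?P<when>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<user>\S+) (?P<pid>\d+) "
    r"Sign of “(?P<sig>[^”]+)” has been found in “(?P<target>[^”]+)” file\.$"
)
UNPACKER_TAG = re.compile(r"\\?\[[A-Z]+\]$")  # a trailing tag such as [UPX]

def parse_entry(line):
    """Return the detection fields of one log line, or None if it is not a detection."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None  # update failures and other non-detection entries
    target = UNPACKER_TAG.sub("", m["target"])
    return {"when": m["when"], "signature": m["sig"],
            "folder": ntpath.dirname(target), "name": ntpath.basename(target)}

def recurring(lines):
    """Map (signature, file name) to its folders when seen in more than one folder."""
    folders = defaultdict(set)
    for entry in filter(None, map(parse_entry, lines)):
        folders[(entry["signature"], entry["name"])].add(entry["folder"])
    return {key: sorted(dirs) for key, dirs in folders.items() if len(dirs) > 1}

# First four entries are copied from the posted log; the fifth is constructed
# from the second alert (placeholder timestamp, user and process id).
SAMPLE_LOG = r"""
3/13/2007 7:33:59 AM Claire 464 Function setifaceUpdatePackages() has failed. Return code is 0x00000426, dwRes is 00000000.
1/7/2007 8:57:35 AM SYSTEM 1244 Sign of “Win32:Diamin-DN [Trj]” has been found in “C:\DOCUME~1\Dog\LOCALS~1\Temp\l5i59ptf.exe[UPX]” file.
4/27/2007 12:22:54 AM SYSTEM 1136 Sign of “Win32:Ani-BN [Trj]” has been found in “C:\Documents and Settings\Dog\Local Settings\Temporary Internet Files\Content.IE5\Z6GBVRWV\dep[1].png” file.
4/27/2007 3:25:57 AM Dog 3664 Sign of “Win32:Ani-BN [Trj]” has been found in “C:\Documents and Settings\Dog\Local Settings\Temporary Internet Files\Content.IE5\Z6GBVRWV\dep[1].png” file.
5/18/2007 9:00:00 AM Dog 3664 Sign of “Win32:Ani-BN [Trj]” has been found in “C:\Documents and Settings\Dog\Local Settings\Temporary Internet Files\Content.IE5\7CZNFGRF\dep[1].png” file.
""".strip().splitlines()

if __name__ == "__main__":
    for (sig, name), dirs in recurring(SAMPLE_LOG).items():
        print(sig, name, "seen in", len(dirs), "folders")
```

A file that reappears under the same signature in a fresh cache folder is being fetched again, which points at the page or process requesting it and not at a leftover copy.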

Did you run a full avast scan at boot time?
This way you can avoid the scanning/cleaning of files in use (access error).