Cannot Delete or move virus file

Hey, I have a problem in the form of this file:
C:\Windows\System32\ovfsthvcdcqqejrrwospshraopripidcwiqpau.dll
Avast keeps popping up with it. I tried deleting it and it still pops up. I tried moving it to the chest but it says it’s being used in a process. Then I did a boot-up scan and deleted it, but it still came back. Avast says it’s a Win32:Alureon-V [trj]. I tried looking for the file in the folder but it does not show up. I wish to know whether this is a false alarm or not, thank you.

VirSCAN.org Scanned Report :
Scanned time : 2009/04/26 03:12:29 (CST)
Scanner results: 24% Scanner(9/38) found malware!
File Name : 303572~1.EXE
File Size : 131072 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 94cb995207571b50a792bd23cbf9cdf9
SHA1 : a6d81d88c01caaf4a10c598231c3abbe90a00a31
Online report : http://virscan.org/report/3bc314a7f55352e4e3ddc95866659ac7.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090424020229 2009-04-24 1.83 -
AhnLab V3 2009.04.25.00 2009.04.25 2009-04-25 0.68 -
AntiVir 7.9.0.156 7.1.3.109 2009-04-25 1.99 -
Antiy 2.0.18 20090425.2318496 2009-04-25 0.16 -
Arcavir 2009 200904240931 2009-04-24 0.04 -
Authentium 5.1.1 200904251448 2009-04-25 1.15 -
AVAST! 3.0.1 090425-0 2009-04-25 0.01 Win32:Alureon-V [trj]
AVG 7.5.52.442 270.12.4/2080 2009-04-25 2.04 Downloader.Agent2.BLO
BitDefender 7.81008.2850284 7.25006 2009-04-26 0.72 Trojan.TDss.FJ
CA (VET) 9.0.0.143 31.6.6474 2009-04-25 4.38 -
ClamAV 0.95 9288 2009-04-25 0.03 -
Comodo 3.8 1135 2009-04-25 0.64 -
CP Secure 1.1.0.715 2009.04.26 2009-04-26 8.60 -
Dr.Web 4.44.0.9170 2009.04.25 2009-04-25 4.41 BackDoor.Tdss.115
F-Prot 4.4.4.56 20090425 2009-04-25 1.12 -
F-Secure 5.51.6100 2009.04.25.02 2009-04-25 5.22 -
Fortinet 2.81-3.117 10.320 2009-04-25 0.34 -
GData 19.4844/19.310 20090425 2009-04-25 6.27 -
ViRobot 20090424 2009.04.24 2009-04-24 0.76 -
Ikarus T3.1.01.49 2009.04.25.72632 2009-04-25 2.72 -
JiangMin 11.0.706 2009.04.25 2009-04-25 1.72 TrojanDownloader.Agent.bgha
Kaspersky 5.5.10 2009.04.25 2009-04-25 0.04 -
KingSoft 2009.2.5.15 2009.4.25.21 2009-04-25 0.40 Win32.TrojDownloader.Agent.131072
McAfee 5.3.00 5596 2009-04-25 2.79 -
Microsoft 1.4602 2009.04.25 2009-04-25 6.88 -
mks_vir 2.01 2009.04.26 2009-04-26 2.76 -
Norman 6.00.06 6.00.00 2009-04-24 8.01 -
Panda 9.05.01 2009.04.25 2009-04-25 1.55 -
Trend Micro 8.700-1004 5.986.01 2009-04-25 0.03 -
Quick Heal 10.00 2009.04.25 2009-04-25 1.11 -
Rising 20.0 21.26.52.00 2009-04-25 0.71 -
Sophos 2.85.0 4.40 2009-04-26 2.33 -
Sunbelt 5111 5111 2009-04-24 0.73 -
Symantec 1.3.0.24 20090425.005 2009-04-25 0.07 -
nProtect 20090424.03 3494918 2009-04-24 4.38 Trojan.TDss.FJ
The Hacker 6.3.4.1 v00314 2009-04-24 0.81 Trojan/Downloader.Agent.brzy
VBA32 3.12.10.3 20090425.0905 2009-04-25 1.80 Malware-Cryptor.Win32.Palka
VirusBuster 4.5.11.10 10.105.6/1306872 2009-04-25 1.66 -

uhh what does this mean?

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

That means that (I think) Donovansrb 10 has inadvertently posted a scan report in your topic. (Or maybe thought it was pertinent to your issue. I don’t know. Without further clarification from the member, I’d ignore it.)

What I’d do:

  • Clean your temp and temp internet files. (Use disk cleanup, or ATF cleaner or Ccleaner.)
  • Download MBAM http://www.malwarebytes.org/mbam.php , install it, update it, and run a full scan. If during the scan it prompts to restart to remove malware, please do so promptly.
  • Post the scan report below.

Hope this does the job.

That’s all the anti-viruses that detect it as malware.

Be sure to do what Tarq57 and DavidR said!

What I’d Do:
Use ComboFix to destroy the virus. To get combofix, go here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Wait until someone posts the INSTRUCTIONS to use ComboFix for this event.

Donovan, without the actual file from the OP’s computer, you can not know this.
It could be one of many variants, and could serve as a guide only, nothing more.

???

Ok, let me put it this way.
Where did you (Donovansrb) get the file from that you submitted to virscan?

Google.

Right. So it’s a google hit.
You can use that as a guide to what the OP has reported, according to the description of the detection by Avast. But you have no idea what the structure of the file is, since you don’t have it on your pc. And if you did have it, you would have no way of knowing that it’s the same that the OP has.
The file he (or she) has that Avast has flagged may be a similar beast; it may be the same beast; or it may be a totally different beast or even a FP.
Without more info about the file - not some random file selected from Google - help should not be proffered, unless it is made clear when proffering the help where the “helper” is coming from, ie: what relevance is the info, how pertinent, what to do about it, etc.
Do you see?

…Well, you gotta take your chances! :)

...Well, you gotta take your chances!
Which means what? Well, if you want to actually help, let people know where you're coming from. I do. You're talking to someone who is worried they have a virus, and it's not going away. This is a concern. Posting some random excerpt without offering the context is not helping. I'm not trying to discourage you, but this is not a game to the person infected.

I was infected with Zango before I even knew about Avast…

Once again, what does this mean?
So you know what a trojan looks like.
Good for you.
I’m only going to post to this thread now ref: the OP’s problem.
If you’d like to continue this chat, please start a new thread.

I did as you guys suggested, and ran MBAM:

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\config\systemprofile\AppData\Local\minisvr4.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3HUW09UW\minisvr4[1].exe (Trojan.Downloader) → Quarantined and deleted successfully.

That scan report looks encouraging.
Is the computer running OK?
If you scan the “Windows\System32” folder with Avast, does it generate an alert?

I still get the virus thing. I don’t know why, even if I delete the supposed virus file with Avast.

Can you find that file ovfsthvcdcqqejrrwospshraopripidcwiqpau.dll in C:\Windows\System32\ovfsthvcdcqqejrrwospshraopripidcwiqpau.dll if you enable ‘show hidden files’?

http://www.bleepingcomputer.com/tutorials/tutorial62.html

Post a HJT log: download, open, choose scan and save a log file. Copy/paste the log back here.

http://filehippo.com/download_hijackthis/
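
An added example, not written by any poster in this thread and not part of HijackThis: a short Python triage of the O4 (registry autostart) lines in a HijackThis log, one place to look for the element that restores a deleted file, as suggested earlier in the thread. The sample log lines, the entry names and the two flagging heuristics are assumptions made for illustration.

```python
import re

# Constructed sample lines in HijackThis O4 (registry autostart) format.
# Entry names and paths are made up for illustration.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleAV] C:\PROGRA~1\ExampleAV\tray.exe
O4 - HKCU\..\Run: [ExampleSync] "C:\Program Files\ExampleSync\sync.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [exampleldr] \\?\globalroot\systemroot\system32\exampleldr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [exampleldr] \\?\globalroot\systemroot\system32\exampleldr.exe (User 'Default user')
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

# Backslashes around ".." are optional because pasted logs often lose them.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\?(?P<sub>[^:]*?)\\?\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User [^)]*\))?$"
)
# Assumed heuristics: HKU\.DEFAULT and HKU\S-1-5-18 are both the LocalSystem
# profile, which no interactive user logs on with; "\\?\" paths address the NT
# object namespace directly, which ordinary installers rarely use for autostarts.
SYSTEM_HIVES = {"S-1-5-18", ".DEFAULT"}
NT_PREFIXES = ("\\\\?\\", "\\?\\")


def triage(log_text):
    """Return (hive, name, command, reasons) for each O4 entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 autostart line
        reasons = []
        if m["hive"] == "HKUS" and m["sub"] in SYSTEM_HIVES:
            reasons.append("autostart in LocalSystem profile hive")
        if m["cmd"].lstrip('"').startswith(NT_PREFIXES):
            reasons.append("target given as NT-namespace path")
        if reasons:
            findings.append((m["sub"] or m["hive"], m["name"], m["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for hive, name, cmd, reasons in triage(SAMPLE_LOG):
        print(f"{hive:10} [{name}] {cmd}\n    -> " + "; ".join(reasons))
```

A flagged entry is a lead for the helper reading the log, not a verdict; the file behind it still has to be examined.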

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:22 AM, on 4/26/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newyorker.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [Malwarebytes’ Anti-Malware] “C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe” /starttray
O4 - HKCU..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU..\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe” -autorun
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘?’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘?’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘?’)
O4 - HKUS\S-1-5-21-2149623557-4127203915-1145061720-1000..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘?’)
O4 - HKUS\S-1-5-21-2149623557-4127203915-1145061720-1000..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User ‘?’)
O4 - HKUS\S-1-5-18..\Run: [nDler2] \?\globalroot\systemroot\system32\nDler2.exe (User ‘?’)
O4 - HKUS.DEFAULT..\Run: [nDler2] \?\globalroot\systemroot\system32\nDler2.exe (User ‘Default user’)
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &UʹÓÃÄÉÃ×»úÆ÷ÈËÏÂÔز¢ÊÕ²Ø - C:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØ - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: Æô¶¯Ñ¸À×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe