It "C:\WINDOWS\system32\WCMLOGON.dll "
The virus is identified as
Zapchast-O
So far I have done the following:
1. Turned off the restore point feature.
2. Avast can't delete it, nor move or rename it.
3. Safe mode reboot with Avast still can't remove or rename it.
4. Command prompt: in DOS renamed it. Avast can't find it.
5. Delete from DOS… Still there
Last choice: Reinstall Windows
STILL THERE!
Finally Reformat HDD and reinstall.
But forgot to include slave HDD.
Clicked on file in slave drive and now am reinfected.
It looks like I'm gonna have to reformat both drives and then start over again.
Not unless the really nice techs at avast can send an update to help me get rid of it.
Yes I have …
It can't find the file path.
I've tried to show EWIDO where to find it.
But it just doesn't see it.
OK
I reformatted my slave HDD.
And did a Reset to a point before I had accessed the Infected folder.
This seemed to work.
But alas, This morning.
Avast found a copy of it hidden in C:\system volume information\ _restore 187000…“etc”.
I turned off the system restore feature in the hopes of removing the bug.
I still have a copy of it in the avast chest.
I also found this bug makes unauthorized changes to the Avast antivirus system and causes it to prompt the user to reboot every 20 minutes or so.
Whoever made this thing knows how your Avast antivirus software works.
Any copy stored in the Chest becomes a threat, as it gets into and changes the settings in Avast.
The Avast warns of unauthorized changes and tells the user Not to run Avast.
Then Avast prompts for system restart every 20 minutes.
This one is getting to be really nasty.
I have an idea…
If I were to open this bug and place it on a notepad where one could see its code, and email it to a tech, perhaps they might be able to find a way to stop it.
Any more ideas are greatly appreciated.
Thank you for your time
Brad
Unfortunately I can't send a screen shot …
I have finally gotten rid of the infection.
I had to open the folder permissions in System Volume Information and then used avast to locate the virus and delete it.
There have been no more copies found in the last three scans.
I had to reformat the HDD and the slave HDD.
I forgot to reformat the slave drive last time and reinfected the drive with windows on it.
A small prompt would appear in the middle of the screen.
It would say:
There have been unauthorized changes in avast files.
Running Avast with these changes is dangerous.
do you want to continue to run any way?
yes no
Another prompt would appear after a few minutes.
Avast system reboot required.
Do you want to restart your computer now?
yes no
This one would create a file called
C:\WINDOWS\system32\WCMLOGON.DLL
Avast would detect the Trojan:
WIN32:zapchast-o
It seemed to spread as if it were attached to my arrow.
Every file I clicked on became infected.
I got so happy that I finally got rid of this bug.
NOW you want to take a look at it.
Here's a copy of the warning log list:
4/15/2006 9:45:20 PM furball 1952 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\wcmlogon.dll” file.
4/15/2006 9:57:18 PM furball 1952 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\wcmlogon.dll” file.
4/15/2006 10:02:07 PM furball 1952 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\wcmlogon.dll” file.
4/15/2006 10:02:18 PM furball 1952 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\wcmlogon.dll” file.
4/15/2006 10:04:48 PM furball 1952 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\wcmlogon.dll” file.
4/15/2006 10:07:22 PM furball 1952 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\wcmlogon.dll” file.
4/15/2006 11:40:49 PM furball 2524 Sign of “Win32:Zapchast-O [Trj]” has been found in “c:\windows\system32\wcmlogon.dll” file.
4/15/2006 11:50:11 PM furball 2000 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\wcmlogon.dll” file.
4/16/2006 12:08:47 AM furball 2000 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\wcmlogon.dll” file.
4/16/2006 1:35:57 AM SYSTEM 1928 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\System Volume Information_restore{90C6CAB4-FBC1-4722-9B15-0FB44A64FA99}\RP25\A0005742.dll” file.
4/16/2006 10:29:03 AM furball 2804 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\trz4.tmp” file.
4/16/2006 12:02:46 PM furball 2804 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\Temp_avast4_\unp98212212.tmp” file.
And here is a list of the error log:
4/16/2006 12:08:41 AM furball 2832 Scan of “C:\WINDOWS\system32\wcmlogon.dl_” area failed with 00000003 error (function avfilesScanReal failed).
4/16/2006 8:50:07 AM furball 1996 Error in aswChestC: chestOpenList Error 1753.
4/16/2006 8:50:07 AM furball 1996 aswChestInterface - Program error description: CChestListView::LoadFiles() chestOpenList() failed: 2147422219.
4/16/2006 8:50:39 AM furball 1996 aswChestInterface - Program error description: CChestListView::OnCreate() !m_strErrorWnd.IsEmpty().
4/16/2006 9:46:55 AM furball 1884 Error in aswChestC: chestOpenList Error 1753.
4/16/2006 9:46:56 AM furball 1884 aswChestInterface - Program error description: CChestListView::LoadFiles() chestOpenList() failed: 2147422219.
4/16/2006 9:47:24 AM furball 1884 aswChestInterface - Program error description: CChestListView::OnCreate() !m_strErrorWnd.IsEmpty().
4/16/2006 9:48:33 AM furball 1848 Error in aswChestC: chestOpenList Error 1753.
4/16/2006 9:48:33 AM furball 1848 aswChestInterface - Program error description: CChestListView::LoadFiles() chestOpenList() failed: 2147422219.
4/16/2006 9:48:34 AM furball 1848 aswChestInterface - Program error description: CChestListView::OnCreate() !m_strErrorWnd.IsEmpty().
I hope this helps.
Got to go now, will check back later.
thx brad
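An added example, not part of the original thread and not avast's own tooling: a Python sketch that groups warning-log lines of the format posted above by file path and lists the copies that sit outside the live file (restore-point and .tmp copies), which is where the re-detections in this thread came from. The regular expression and the category names are assumptions derived from the posted lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the warning log posted above (curly quotes as posted).
SAMPLE = r"""
4/15/2006 9:45:20 PM furball 1952 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\wcmlogon.dll” file.
4/15/2006 11:40:49 PM furball 2524 Sign of “Win32:Zapchast-O [Trj]” has been found in “c:\windows\system32\wcmlogon.dll” file.
4/16/2006 1:35:57 AM SYSTEM 1928 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\System Volume Information_restore{90C6CAB4-FBC1-4722-9B15-0FB44A64FA99}\RP25\A0005742.dll” file.
4/16/2006 10:29:03 AM furball 2804 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\system32\trz4.tmp” file.
4/16/2006 12:02:46 PM furball 2804 Sign of “Win32:Zapchast-O [Trj]” has been found in “C:\WINDOWS\Temp_avast4_\unp98212212.tmp” file.
""".strip().splitlines()

# Assumed line layout: timestamp, user, process id, signature, path.
LINE = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<sig>.+?)[”"] has been found in [“"](?P<path>.+?)[”"] file\.$'
)

def classify(path):
    """Assumed categories: where on disk the detected copy lives."""
    p = path.lower()
    if "system volume information" in p:
        return "system-restore"
    if p.endswith(".tmp"):
        return "tmp-file"
    return "live-file"

def summarize(lines):
    """Group detections by path (Windows paths compare case-insensitively)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # skip anything that is not a detection line
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            hits[m["path"].lower()].append(ts)
    return {p: {"kind": classify(p), "count": len(t),
                "first": min(t), "last": max(t)} for p, t in hits.items()}

def leftover_copies(summary):
    """Paths that still need cleaning after the live file is removed."""
    return sorted(p for p, s in summary.items() if s["kind"] != "live-file")

if __name__ == "__main__":
    for path, info in summarize(SAMPLE).items():
        print(info["kind"], info["count"], info["first"], path)
```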
If somebody still checks this one, I am quite a newbie with getting rid of viruses without depending on only one scanner.
I have zapchast-dk on my computer.
It is detected by avast but it reappears every time I boot my computer.
The infected file is:
windows\system32\3053\protection.nrp
There are two more files there out of protection.nrp:
ntfls.exe
ntfls.sys or .dll
The last one I don't remember very well.
I'll soon send the file for checking. I don't have internet in my computer but I always get infections from other machines through my pendrive.
Yes, please send the file for checking. I am sure the Alwil team will appreciate you sending it in a password protected zip file. Please include the password in the text about the file you are sending.