Move to chest, Error: Access is denied (5)

Twice during the last months Avast has notified me about viruses in files. Both times they have been files I used for a long time so I think they were FP.

I got a pop up window asking me to move file to chest. When I click “OK” the pop up window disappears and comes back immediately with the same content. I click “OK” and it comes back. Over and over again.

The FileShieldScanLog tells me there is an “Error: The process cannot access the file because it is being used by another process (32)” and later “Error: Access is denied (5)”.

The only way to get out of this is to reboot. After that the file is gone and nothing in the chest.

What is happening here and what can I do?

Hey, I suggest you follow this guide and attach your logs.
And let a malware expert help you from there.

http://forum.avast.com/index.php?topic=53253.0

Do you use the program private VPN?
Is it running?
Do you use the yamicsoft Windows 7 Manager program?
Is it running?

Yes, I do use these programs. They are not running and the two files have no handle associated to them so I guess they are not in use. Checked that with “Sysinternals Process Explorer”.

I have attached a few more logs but I cannot see that there are any problems with my files.

I concur, there is no malware present. There are some old Java addons that need removing, also a suspect ADS on the Windows folder. Are you experiencing any problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

* Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
[2010-04-22 12:21:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010-09-14 20:04:50 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010-12-01 22:10:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011-02-18 14:39:50 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011-06-14 07:53:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2012-05-01 06:35:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
[2012-06-20 07:07:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
@Alternate Data Stream - 108 bytes -> C:\Windows:

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

* Then click the Run Fix button at the top
* Let the program run unhindered, reboot the PC when it is done
* Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Ok, I hope I did this correctly. The OTL.txt file is attached.

I removed the two files from the “Exclusions” list and ran an Avast quick scan. It didn’t report any problem. So maybe the latest virus database has taken care of this. Have to wait and see if this turns up again.

Thank you for helping me and if you have any other suggestions I will be here to respond to them.

Thank you!

Nope, if you are happy then run OTL and press the cleanup button to remove it.

Ok, this morning it was there again. IPSwitcher.exe has a Win32:evo-gen (Susp) virus. This is not a problem in itself as it is probably a FP. But it is impossible to get rid of the pop up window. It just comes back. And in the log it says: Move to chest. Error: Access is denied (5).

The file is not in use so I don’t know what access is denied.

As before, the only way to get rid of the pop up window is to reboot and then the file will disappear. I cannot even send the file to Avast for analysis. (Don’t know how to put it in chest manually???).

Why is it doing this to me?

Hey, essexbox will continue to help you when he is online again later today.

I cannot even send the file to Avast for analysis. (Don't know how to put it in chest manually???).
Using the Virus Chest: https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1406

That is a file associated with the yamicsoft Windows 7 Manager program and is a suspicious one, as it looks to be an IP changer.

And in my opinion that type of programme is snake oil, as I doubt if it will increase the efficiency of your system at all.

If you had read my first post you should have known that it is not the file in itself that is the problem but the behavior of Avast. Avast cannot put a suspicious file into the chest. Actually, it cannot do anything with a file. It is just coming back with that pop up window again and again. With any suspicious file. I can live without that IPSwitch file but I cannot live with an antivirus program that cannot handle suspicious files.

So what should I do? Uninstall and reinstall Avast? And if that doesn’t help I guess I have to switch to another antivirus software.

It will not put it in the chest as the triggering file is run32.dll, a Windows system file, and it will not kill that.

Have you scanned the main file involved, ipswitcher.exe?

Sorry I was a little rude in my last mail. Now I have uninstalled Avast 5 with Total Uninstall 6, which uses Avast’s own uninstaller, and after that deleted 289 leftovers (folders, registry entries and other stuff). Then I re-installed Avast and now everything works as it should!

Avast finds the suspicious file and moves it directly to the chest. Perfect.

I have used Avast for many years and installed it on all my friends’ computers and I have always been very happy with it. Maybe I just have updated the software too many times. A fresh install was needed.

Thank you for your help!

Sorry I was a little rude in my last mail. Now I have uninstalled Avast 5 with Total Uninstall 6,
Avast has its own removal tool: http://www.avast.com/en-no/uninstall-utility

And removal tools for almost everything: http://singularlabs.com/uninstallers/