Trojan Found - Can't move to chest...

Avast shows me a warning that says “A Trojan Horse was found.”

When I try to move to chest it says that it can’t access the file because it is in use in another location. I am really not sure what to do here.

Windows XP

File name: C:\WINDOWS\system32\__c0057B4D.dat

Malware name: Win32:Agent-NXN [trj]

Malware Type: Trojan Horse

I would really appreciate any advice and help on what to do to get everything working properly again!

Thank you!!

I suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.

You can try to find the dependent process by searching the currently open handles with Process Explorer.

A little tool called WhoLockMe (quite old, not sure if it works on Vista, doesn't work on Win98/ME) or Unlocker (see image), http://ccollomb.free.fr/unlocker/, should also be able to say what is locking the file.

Thanks for getting back to me so quickly…

I had previously completed the boot time scan before posting here… There were several infected files found, all of which I was able to move to the chest. For the specific one that I am mentioning here, when I choose the move to chest option while in the scanning process it mentions something about being a Windows file… is it still OK to then move it to the chest if I choose yes?

When I try to download the suggested antispyware software, I can go to the websites, but when I click the download button, I get a black screen with neon colored writing and it says “DNS Error.” This also happens when I try to download or run the Hijack This. I had previously used the program Counter Spy as suggested by someone else. That found several things that I was able to quarantine, and the last time I ran a scan through that program it came back clean.

The other thing I have noticed is that I am unable to get into the Control Panel on my computer… Thinking this is where I needed to disable the System Restore you were talking about… It says that I need to contact my system administrator. This was never there until I noticed the system was infected with spyware/trojans…

I wish I had more helpful information to let you know what is going on… But I can’t seem to get anywhere…

It seems to be a system file… better if you post its path and name…

You seem to have your browser hijacked… the infection will prevent you from downloading and installing the most common antivirus/antitrojan tools.

Can't you download it on another computer and run it from a USB drive?

It's not rare that antispyware tools can't detect browser hijackers.

Another infection behavior/symptom.

Can’t you boot in Safe Mode and run HijackThis from there?

I had previously completed the boot time scan before posting here… There were several infected files found, all of which I was able to move to the chest. For the specific one that I am mentioning here, when I choose the move to chest option while in the scanning process it mentions something about being a Windows file… is it still OK to then move it to the chest if I choose yes?

It is a common tactic for malware to place files in the system folder/s to trick the user into thinking it is an important file. avast is just making you aware that it might be a windows file because of its location.

So the file you mentioned in the first post, C:\WINDOWS\system32\__c0057B4D.dat, I doubt is a Windows system file, so there shouldn't be a problem if you moved it to the chest. First, because of the file name __c0057B4D.dat: the double underscore __ is strange in a file name. Second, because a Google search for __c0057B4D.dat or c0057B4D.dat returns zero hits, which in itself is suspicious.

ok - still here… still working on this

I was able to move the file to the chest when I did the boot scan - still having the same problems that I was having before though, not sure what my next step would be. As you can tell, I have never had a virus on my computer before, so this is all new for me…

I was also able to run the HiJackThis… Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:10 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\CounterSpy\CounterSpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v6.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [dyvqtwhw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dyvqtwhw.dll"
O4 - HKLM\..\Run: [kjcrovkp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\kjcrovkp.dll"
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\system32\__c00E0058.dat",realset
O4 - HKLM\..\Run: [robgtqds] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\robgtqds.dll"
O4 - HKLM\..\Run: [rqxmxipw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rqxmxipw.dll"
O4 - HKLM\..\Run: [ybwjofmz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ybwjofmz.dll"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178835871890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: __c0057B4D - C:\WINDOWS\system32\__c0057B4D.dat (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)


End of file - 6593 bytes

I have no idea what any of this means, but I hope that it is of some help to you!

Thanks Again!!

At least these references

O4 - HKLM\..\Run: [dyvqtwhw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dyvqtwhw.dll"
O4 - HKLM\..\Run: [kjcrovkp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\kjcrovkp.dll"
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\system32\__c00E0058.dat",realset
O4 - HKLM\..\Run: [robgtqds] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\robgtqds.dll"
O4 - HKLM\..\Run: [rqxmxipw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rqxmxipw.dll"
O4 - HKLM\..\Run: [ybwjofmz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ybwjofmz.dll"
O20 - Winlogon Notify: __c0057B4D - C:\WINDOWS\system32\__c0057B4D.dat (file missing)

are very strange…

BTW: update your Java JRE to the latest version (I think there is something newer than yours); it may be the hole into your system…

Suspect:
Suspect files should be tested at VirusTotal; report the findings, and if a file is detected by multiple scanners, send a sample of it to avast and fix the entries in HJT, see below.
All of the ones posted by Mazz_original, plus:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

I have never seen this used in a HJT log before; I don't know if it is an attempt to block Safe Mode boot or not.
O4 - Startup: .protected
O4 - Global Startup: .protected

FIX:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Unknown
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v6.dll

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.

Send the sample to virus@avast.com zipped and password protected with the password in email body and undetected malware in the subject.

Run HJT again, close any other windows except HJT and check the box to the left of the entries you want to fix and click the ‘Fix Selected’ button.

@ Maxx
Java\jre1.6.0_03 is the latest version, I have it and Secunia Software Inspector shows that as the latest version.
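The two replies above read the log by eye. As an added example for this thread (not code from the original posts, from HijackThis or from avast), the script below turns the red flags they applied into checks that run over raw HJT lines: generated-looking value and file names (the vowel-ratio test is my own coarse heuristic, not a published rule), regsvr32 /u inside a Run key, rundll32 loading a file that is not a .dll, a Shell= value that starts more than Explorer.exe, Disable* policy values, and BHO or Winlogon Notify registrations whose file is gone. The sample lines are copied from the log posted earlier in the thread, written as a real HJT log prints them (HKLM\..\Run, system32\__...), with three benign entries kept in for contrast. One point worth noting when reading the O20 line: Winlogon Notify packages are DLLs loaded into winlogon.exe at startup, which is consistent with the file being reported "in use" during a normal-mode scan and only movable at boot time.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; not code from the posts, from HijackThis or
from avast. The rules below are the author's own illustrative heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Lines copied from the log posted in this thread, as a real HJT log prints
# them; ATIPTA, SunJavaUpdateSched and SSVHelper are benign entries kept for
# contrast. Constructed sample input for this example.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dyvqtwhw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dyvqtwhw.dll"
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\system32\__c00E0058.dat",realset
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: __c0057B4D - C:\WINDOWS\system32\__c0057B4D.dat (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
"""

VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Coarse test for generated names such as dyvqtwhw or kjcrovkp.

    Eight or more lowercase letters with at most one vowel in five. Real
    program names nearly always carry more vowels; 'y' is deliberately not
    counted, so dyvqtwhw scores 0/8. Mixed-case or acronym names (BCMSMMSG,
    SBCSTray) are excluded so they cannot trip the check.
    """
    stem = re.sub(r"\.\w+$", "", name)  # drop a trailing extension
    if len(stem) < 8 or not (stem.isalpha() and stem.islower()):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.2


def triage_entry(line: str) -> Finding:
    """Apply the red-flag checks that fit this entry's HJT section code."""
    finding = Finding(line)
    add = finding.reasons.append
    kind = line.split(" - ", 1)[0]

    if kind == "O4":
        m = re.match(r"O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)", line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if looks_random(name):
                add(f"random-looking value name '{name}'")
            # A Run key normally starts a program; "regsvr32 /u" instead calls
            # the DLL's DllUnregisterServer at every logon, i.e. runs its code.
            if re.search(r"\bregsvr32(?:\.exe)?\s+/u\b", cmd, re.I):
                add("regsvr32 /u in a Run key (DllUnregisterServer runs at every logon)")
            # rundll32 loads DLLs; a .dat "payload" is a DLL hiding behind another
            # extension (.cpl control-panel applets are legitimate DLLs, so allowed).
            target = re.search(r'\brundll32(?:\.exe)?\s+"?([^",]+)"?\s*,', cmd, re.I)
            if target and not target.group(1).lower().endswith((".dll", ".cpl")):
                add(f"rundll32 loads a non-.dll file ({target.group(1)})")
            for base in re.findall(r'([^\\/"\s]+)\.(?:dll|exe|dat)\b', cmd, re.I):
                if base.startswith("__"):
                    add(f"double-underscore file name '{base}'")
                elif base != name and looks_random(base):
                    add(f"random-looking file name '{base}'")

    elif kind == "F2":
        m = re.search(r"Shell=(.*)", line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            add(f"Shell= starts more than Explorer.exe: '{m.group(1).strip()}'")

    elif kind == "O7":
        m = re.search(r"(Disable\w+)=1", line)
        if m:
            add(f"policy restriction {m.group(1)} set (locks the user out of admin tools)")

    elif kind == "O20":
        m = re.match(r"O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?: \(file missing\))?$", line)
        if m:
            if not m.group("path").lower().endswith(".dll"):
                add("Winlogon Notify package is not a .dll (it is loaded into winlogon.exe at boot)")
            if m.group("name").startswith("__"):
                add(f"double-underscore notify package '{m.group('name')}'")
            if line.endswith("(file missing)"):
                add("registered notify file no longer on disk (entry left behind)")

    elif kind == "O2" and line.endswith("(no file)"):
        add("BHO entry whose DLL is gone: dead registration, safe to fix")

    return finding


def triage_log(text: str) -> dict[str, list[str]]:
    """Return {log line: [reasons]} for every entry with at least one red flag."""
    out: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            finding = triage_entry(line)
            if finding.reasons:
                out[line] = finding.reasons
    return out


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, six of the nine lines are flagged and the three benign ones are not. Treat the output as a shortlist for VirusTotal and the HJT "Fix Selected" step, not as a verdict: the name heuristic is deliberately crude and would need a known-good list in front of it on a real machine.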

DavidR: OK… I wasn't sure with the version (and build) number "decoding" ;D

And I also never heard about the ".protected" item, but I'd expect that it isn't a standard feature…