Hi, I have been trying for the last few days to remove two trojans that were found by Avast 4.7. At times it allows me to put them in the chest, other times I have to delete them but often not allowed to. The first one is Win 32:Trojano-3428[Trj] the other Win32:Agent-Qj[Trj]. I also have Adaware, Spybot and Spy Search and Destroy but nothing shows up on their scans. When I try to move them to chest or delete I get this message: The process cannot access the file because it is being used by another person or process. Any ideas on how to safely remove these trojans would be greatly appreciated. I have also tried to disable my system restore and tried other trojan remover programs with no luck.
At times it allows me to put them in the chest, other times I have to delete them but often not allowed to.
Windows in its infinite wisdom protects files in use (even malware), so it is likely that avast! can’t delete or move files in use. So schedule boot-time scan in avast’s menu if you have XP, win2k or NT, otherwise boot into safe mode and run an avast scan. This should ensure that the file isn’t in use and avast should be able to deal with it.
What is your OS ?
What was the file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
The file names were: C:\WINDOWS\Debug\DCPROMO.LOG and C:\Documents and Settings\Frank\Local Settings\Temporary Internet\Content.1E5\92M7K75C\drsmartload[1].exe"file and C:\System Volume Information_restore{9BO65O9F-D8DA-41c1-8A8. I was looking at another chat message with similar problems re trojans and it was recommended to download ewido anti-spyware. I did this and it found a few high threats: Backdoor.codbot.bd and Downloader.Adload.ct. The scan recommended putting them in quarantine and then I deleted them from there. I have repeated the scan several times and no new threats have been found. I also have run avast thorough scan and it now is showing nothing as well. I am not sure if the trojans are still there or if avast is unable to pick them up now.
Cleaning the temporary files AND disabling System restore will delete these files.
Schedule a boot time scanning with avast.
Boot.
Enable System restore again.
Ewido does not read anything right now nor does avast. I have run both several times. I have disabled the system restore and I will go and set up a boot scan time for avast. Could it be possible that the items found in ewido were the same as the ones by avast or are they two separate things?
I was looking at another chat message with similar problems re trojans and it was recommended to download ewido anti-spyware. I did this and it found a few high threats: Backdoor.codbot.bd and Downloader.Adload.ct. The scan recommended putting them in quarantine and then I deleted them from there.
The recommendation was correct: quarantine them, not ‘Quarantine them and then delete them from the Quarantine’. It is never a good option to delete as a first option, as you are left with no other choice if the detection was incorrect.
That is the whole idea of the Quarantine or the avast Chest, they can do no harm there but it allows for investigation and restoration at a later time if required or deletion after investigation or after a couple of weeks if there are no adverse effects from having moved them to Quarantine.
The names of the viruses were: Win 32: Trojano-3428[Trj] and Win32:Agent-Qj[Trj]. This is what Avast had classified them as. When I ran Ewido Anti-SpyWare it found 6 traces of Backdoor.codbot.bd and Downloader.Adload.ct. I put these ones in quarantine for 2 days and everything else works fine. I could not even find some of the files even after opening up all hidden files.
The path of the ones found in Avast were: C:\WINDOWS\Debug\DCPROMO.LOG and C:\Documents and Settings\Frank\Local Settings\Temporary Internet\Content.1E5\92M7K75C\drsmartload[1].exe"file and C:\System Volume Information_restore{9BO65O9F-D8DA-41c1-8A8.
I also have Spybot Search and Destroy, Adware and AdAware programs on my pc as well as Avast and now Ewido. I am going to run them all and see what happens.
On my system following a full Avast scan. This had not been spotted in previous system scans but came up on this one as the “Win 32: Trojano-3428[Trj]” infection.
The file itself had been created in May 2004, which is exactly the time I had a Sasser infection (which is long gone on my system).
Does anyone think maybe Avast is picking up old remnants of Sasser just now? This could be totally unrelated to other infections which some other posters may have.
Upload the particular file in question to VirusTotal or Jotti, because we are anxious to know if there are multiple flags for this file, and what it is being flagged as.
Download aproposfix, double-click aproposfix.exe and unzip it onto the desktop. Don’t use it as such, but restart your computer in Safe Mode. On the desktop look for aproposfix and in the file double-click the file named RunThis.bat. Double-click this batch file and follow instructions as they come. After the tool has finished completely, restart the computer, this time in normal mode. Open aproposfix and look for log.txt. Run at your very own risk, but if you follow the instructions not much can go wrong.
Step 3: Mitigate the Vulnerability
You can temporarily remove the vulnerability that allows the worm to infect your computer by creating a log file.
Create the log file
On the taskbar at the bottom of your screen, click Start, and then click Run.
Type: cmd and then click OK.
At the command prompt, type: echo dcpromo >%systemroot%\debug\dcpromo.log and then press ENTER.
Make the log file read-only
At the command prompt, type: attrib +R %systemroot%\debug\dcpromo.log and then press ENTER.
The reason it may not have come up previously might have been the sensitivity of the scan as .log files usually aren’t considered an immediate threat as they aren’t executable on their own.
If you had Sasser then avast should also have detected that so the dcpromo.log would seem redundant so leave it in the chest for a few weeks to ensure there is no reference to it and then delete from the chest.
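An added example, not part of the thread: a small check of whether a dcpromo.log looks like what the two Step 3 commands leave behind (a tiny text file containing the word dcpromo, with the read-only attribute set) or like something else worth keeping in the chest and investigating. The function names are hypothetical and the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile

MAX_STUB_BYTES = 64  # assumption: the echo output is only a few bytes long

def classify_dcpromo_log(path):
    """Compare a dcpromo.log against what the two Step 3 commands produce."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        data = fh.read(MAX_STUB_BYTES + 1)  # never read a large file whole
    # cmd.exe 'echo dcpromo >file' writes the word, a trailing space and CRLF.
    if len(data) > MAX_STUB_BYTES or data.strip() != b"dcpromo":
        return "unexpected-content"
    writable = bool(os.stat(path).st_mode & stat.S_IWRITE)
    return "stub-writable" if writable else "stub-read-only"

def demo():
    """Build constructed sample files and classify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "stub": b"dcpromo \r\n",           # constructed: output of the echo step
            "other": b"MZ\x90\x00 not a log",  # constructed: binary-looking content
        }
        for name, content in samples.items():
            p = os.path.join(tmp, name + ".log")
            with open(p, "wb") as fh:
                fh.write(content)
            results[name + "-writable"] = classify_dcpromo_log(p)
        stub = os.path.join(tmp, "stub.log")
        # On Windows this sets the same read-only attribute as 'attrib +R'.
        os.chmod(stub, stat.S_IREAD)
        results["stub-after-attrib"] = classify_dcpromo_log(stub)
        # Restore write permission so the temporary directory can be removed.
        os.chmod(stub, stat.S_IREAD | stat.S_IWRITE)
        results["missing"] = classify_dcpromo_log(os.path.join(tmp, "none.log"))
    return results

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, "->", verdict)
```

On a real machine the path to check would be %systemroot%\debug\dcpromo.log; a result of "unexpected-content" only means the file is not the plain stub, not that it is malicious.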