Win32:Agent - HYL (Trj), USBDrive based : Detected, not handled by Avast Home Ed

Hi all:

I am a new user of an up-to-date Avast AV Home Edition… (OS is Win XP Professional SP2)

Was hugely pleased that Avast detected a Trojan Horse, propagated by USB drives, that my previous AV software could not… this Trojan prevents access to Youtube/Orkut etc., immediately issuing a mildly abusive screen and audio image…

Here’s the Avast Report:
File name: H:MicrosoftPowerpoint
Malware name: Win32: Agent – HYL
Malware Type: trojan Horse
VPS Ver: 000751-4, 06/23/2007

HOWEVER, none of the actions that Avast allows (Move/Rename, Delete, Move to Chest, No action) was able to PERMANENTLY get rid of this pest…

The Avast warning just keeps popping back up.

Does Avast or anyone else have a permanent solution to this?

There is a fairly technical discussion of a ‘MANUAL’ way to deal with this that I found under a blog, but I was unsuccessful in implementing the suggested actions (see: http://www.jeba.in/posts/w32usbworm-lets-remove-this-worm-manually/ ).

Partly it is because the instructions there are not 100% clear. My submission to that forum is under DesNaz. No response from the ‘expert’ blogger yet!

Can Avast technical whizzes, or this forum’s users, help me in any way?

Thanks in advance!

Desmond Nazareth

If a virus is replicant (coming and coming again), you should:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  5. If you are still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

  6. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  7. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Desmond, if that fails and you need a manual removal/cleaning, it would be better that other experienced users come here to help you. Sorry.

Hi desnaz,

Removal instructions here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AHKHEAP.A&VSect=Sn

Thanks for the responses, Tech and FreewheelinFrank…

Will check out your suggestions…

DesNaz

Dear Tech and FreewheelinFrank…

Here is what I did:

Followed the instructions in http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AHKHEAP.A&VSect=Sn

Ran Avast Home Edition while inserting my three USB pendrives and selected ‘delete’ when the worm warning popped up.

All clean now…

Hope this helps other users.

Thanks again!

DesNaz