My most recent complete system scan with Avast found the following:
c:\System Volume Information\catalog.wci\00000002.ps2
Infection: win32:Crypt-LUQ [trj]
Severity: High
Action: Move to Chest
Result: Error: The process cannot access the file because it is being used by another process (32)
When I choose the Action: Delete, I get the message: Action postponed until the next reboot.
I scheduled a Boot-time Scan but it did not solve the problem.
Thanks for your suggestion. I deleted my restore points (XP allows the deletion of all but the most recent). Because of this, the trojan continues to exist. I did turn off System Restore (My Computer>Properties>System Restore>Checked “Turn off System Restore on all drives”). I ran Avast on the folder again but the infection was still there.
Also, the infection is not located in any of the “_restore…” files but in the 00000002.ps2 file. Its path: c:\System Volume Information\catalog.wci\00000002.ps2. This may or may not make any difference but the infection persists.
I installed and ran SAS in both Normal and Safe Modes:
I did turn off System Restore (My Computer>Properties>System Restore>Checked "Turn off System Restore on all drives"). I ran Avast on the folder again but the infection was still there.
Did you reboot the computer before you turned it on again?
I followed instructions from old topic: Win32:Agent-OLD [Trj] on this forum January 02, 2008. I had same problem
c:\System Volume Information\catalog.wci\00000002.ps2 Infection: win32:Crypt-LUQ [trj]. Use ComboFix and after delete manually 00000002.ps2. Use rootkitbuster trend micro I had some threads found. My computer was very slow for past week and hard disk was working when left alone. Avast detected 00000002.ps2 on 03-10-12 now computer is fast as new.
I had the same issue on two different XP SP3 machines (no trace of the issue on Windows7 machine).
c:\System Volume Information\catalog.wci\0000002.ps2 - Threat: Win32:Crypt-LUQ [trj]
And I did not understand why Avast was not removing the problem until I came across this thread.
While reading this thread, I tried this sequence to remove the problem:
Turn off System Restore (Start – Accessories – System Tools – System Restore – Checked “Turn off System Restore on all drives”)
Configured Avast Boot-time scan to scan folder c:\System Volume Information
Rebooted
Avast Boottime Scan started
Problem was detected
Problem can now be deleted in the view log
Rescanned to verify (problem gone)
Turned on System Restore again
And neither Malwarebytes nor SuperAntiSpyware detected the issue.
So I tried following this sequence and although that stupid 0000000.ps2 file is there (again) - the boot time scan of c:\system volume information did NOT detect the threat - even though my last full scan of the system or a direct scan of the file shows it as a threat. This makes no sense to me. What is generating this file and why is it so HUGE?