Win32:Trojano-2502 [Trj] Alert help

I tried finding help for my problem on Avast’s website before posting this, but I was unable to find any so I hope someone here can help me.

Avast alerted me that I have the Win32:Trojano-2502 [Trj] and suggested that I “move it to chest.” Unfortunately, when I do this, a pop-up box tells me it “cannot access the file because it is being used by another process.” The file showing is “cursors\rasvb.dll.” I ran SpyBot but it found nothing. I even downloaded Avast’s virus cleaner but I haven’t installed it yet because this trojan is not listed as one that this program will fix.

Can someone help me get rid of this please?

Thank you,
GinaPA

I hope you get a response to this because I am having the exact same problem with the exact same trojan (and have tried everything you have to fix it). I am very careful about what I download and read, so am not sure where it came from. Ewido (I have several spyware removers I use regularly) froze up when it got to this file: C:\WINDOWS\system\runole.dll which is where Avast is saying this trojan is. I am running Win XP if that helps.

Files in use are protected by windows from being moved or deleted.

If you have winXP/NT/win2k you can schedule a boot-time scan from within avast!

http://img.photobucket.com/albums/v325/for-dwr/boottime.jpg

If not, boot into safe mode (press the F8 key on boot) and start avast and run a scan.

I ran avast in safe mode and it still wouldn’t move the file to chest (saying it was used by another process or something like that). I Googled the trojan and found nothing about it, so I’m at a loss to what to do next. Did it work for you, GinaPA?

It’s not safe mode but boot time scanning :slight_smile:

DavidR wrote:

If you have winXP/NT/win2k you can schedule a boot-time scan from within avast! If not, boot into safe mode (press the F8 key on boot) and start avast and run a scan.

DraykoDog wrote:

I ran avast in safe mode and it still wouldn't move the file to chest (saying it was used by another process or something like that).

Tech wrote:

It's not safe mode but [b]boot time scanning[/b]

^ Tech, I don’t know what OS DraykoDog has but I think DavidR was refering to those who do not have “winXP/NT/win2k” OS’s (i.e. WIN98) when he said “If not, boot into safe mode (press the F8 key on boot) and start avast and run a scan.”

Correct me if I’m wrong, but it is my understanding that I would have to apparently run Avast in safe mode in this case since Avast cannot run a boot time scan for WIN98.

Do as I suggested and schedule a boot-time scan from within avast, open the simple user interface as if you were going to run a scan and click the menu and select the schedule boot-time scan as in the image above. That way the file won’t be in use so it can be deleted or moved.

You are not wrong avast can only schedule a boot-time scan with only the NT based OSes I mentioned.

The rest including win98 have to use safe mode which is not as effective as some viruses are obviously still active in safe mode.

I ran the boot scan and got the file moved…yay! Thank you everyone for your help! :smiley:

Well done, welcome to the forums.

I’m not sure yet (I’ll explain in a minute)??? BTW…I also did a check with Google and couldn’t find info on it either.

I was able to run a boot-time scan from the option shown on the Avast warning box. It took about 45 minutes!! :o

It caught a few problems for me. The first was a vbs:malware [script]
I tried selecting “repair it”, then “repair all” when nothing happened. When nothing happened again I choose “Delete all.” (That always makes me nervous though)!!
Then the scan then continued.

The FIRST trojan was located at:
c\documents and settings\owner\localsettings\temporaryinternetfiles\content.IE5\ULW9YTE3\ifm[1] and it was infected by win32:trojano-2502 YES!! :smiley:
It deleted this automatically (I supppose because I chose this option earlier) and the scan continued.

I ran into a second and third malware script that was deleted and the scan resumed automatically.

THEN…it found the second win32trojano-2502 at:
c:\windows\cursors\rasvb.dll
HOWEVER…Rather than doing anything on its own, Avast asked if I REALLY wanted to delete this. THAT made me nervous because earlier I was told it was also used by another process–so instead I said no. I chose “repair” but nothing happened. The only thing left (other than to delete it), was “ignore.” That got the scan moving again and it was finished shortly after that.

I’m a little confused because I expected the warning to come up again since I ignored that second infected file–but it booted up with no warning about it given!
I immediately came here to post my scan results but a minute ago a small box came up (several times, actually) that said: “Error loading c:\window\cursors\rasvb.dll” and I had to click “OK” to get rid of it.

So, can you tell me what this means and how I should proceed??

Thanks again…Gina

Well, trojans can’t be repaired as the ‘malware’ is the entire file, I mean, to repair you need to delete it. Some virus just attach a part of the file and then this part could be repaired. Trojans don’t.
Everything is fine.

Yes, works like it should.

If you go there to the boot time scanning scheduler you’ll see all this options. If you read the help file either.
There is not a surprise. Everythink is like it should. This file is under a system folder (windows) and the system, for precaution, ask a second time.
Deleting a necessary file could avoid the system to boot.

When you ignore the infection it stays there… Could you run an avast! scanning into Windows and see what you get. I mean, not at boot time but right now, into Windows.

When you ignore the infection it stays there… Could you run an avast! scanning into Windows and see what you get. I mean, not at boot time but right now, into Windows.

i’m not sure what you mean by this or how to do it?

I guess I should tell you that I just restarted my computer before reading your response because many of my normal startup programs weren’t loaded when I did the Avast boot-time scan. I thought (and after reading your reply I thought you also felt), that the ignored, infected file would still be in my computer because I had chosen “ignore.” So I was expecting to get the Avast warning even after restarting, but so far nothing!!?? Could this mean it DID get rid of the virus (because I had originally only gotten the one warning regarding the virus infecting C:windows\cursors\rasvb.dll)???

I’m so confused!!! ???

Start Menu > avast! antivirus > avast!
Mark to scan the whole disks whit archive scanning too.
Then click on the ‘play’ buttom to run a scan.

Take it easy. Don’t get confuse… it will be worse.
Run an avast! scan like I posted before. And post what you get. It’s safer send the file to Chest not delete it.

OK–I ran it–it took forever!! the log came up. NOTHING was found, BUT…the results from the 880 lines shown all say “unable to scan ar…” (I assume that means “Archive?”) Does this mean after all that time it was not able to scan ANYTHING???

Unfortunately, for whatever reason, everytime I try to click on that log window, it goes to the background–even if I try to hit “Action” or “close???”

It’s after 11:00 here on the east coast and I have to get up early for work in the morning, so I better shutdown for the night-- but I would appreciate any other info you can give me! I will be sure to check here as soon as I get home.

Thank you so much for trying to help me. Good night…Gina

Run an avast! scan like I posted before. And post what you get. It’s safer send the file to Chest not delete it.

OK–I booted up this morning and have not received any alerts from Avast! Could this mean that the virus IS in the chest and that I’m safe (the one infected file did go there with no problem)??? I was unsure if my choice during the boot-time scan for that other infected file was the correct choice, but since I’m not getting any further warnings, is it possible that I did get rid of the virus???

I really appreciate all the help you’ve given me. You people here are great…Gina

Files unable to be scanned could be in use, could be password protected. I won’t worry with them.
Please, on the ‘Report file’ options just click on the ‘Infected files’ unchecking the other options (hard errors, soft errors, etc.).

Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others.

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected, you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), this will reduce the numbers of files that can’t be scanned.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to.

Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

All 880 items were shown as “unable to scan ar…”???

You can expand the column width to view the complete text, hover your mouse pointer over the gap between the column titles and the mouse pointer will change to something like this <-|-> click the left mouse button, hold it and drag it to the right.