WinXP... can't delete or repair bad files

I got hit with a bunch of trojans today. Each time Avast! Home found a bad file, it would tell me the file was in use and/or could not be deleted, repaired, etc. Sometimes it offered me the option of scheduling a scan at startup. If I took that option, it would shut WinXP down and restart the system, but after the initial WinXP Pro logo (with the moving dashes in the bar below it) I just get a blank dark grey screen and WinXP never comes up. Tried this 4 different times.

The most troublesome file was a trojan called “Back Door”: C:\windows\system32\ewdlhqd.dll

It was a hidden file, and in use, and I could not figure out how to delete it manually, either. I finally downloaded and used Norton AV trial version of Internet Security and it succeeded in getting rid of it.

I would like to stay with Avast! Home, but I don’t know what to do when it tells me it cannot delete or repair or rename or quarantine a bad file… what is one supposed to do?

Hi,

please tell us the full, exact name of the trojan as avast and/or Norton reported it (see reports/logs)

it might not be something with AFCORE in it ?

Well…: General Instructions →

test the file with OnlineScanners e.g. from Trend & KAV (see below) to get a more specific name
(you need to temporarily disable AV-Resident Shields/Monitors to be able to scan the file online)

-remove the Virus/Malware and its system modifications according to VirusInfos
from Avast, VGREP, TrendMicro, Kaspersky;
you might also try searching for the virus name or filename with google

general removal procedure:

  • disable system restore on Win ME/XP
  • kill respective Backdoor/Trojan process with task manager
  • search for the file/process names in the registry; remove the malware’s startup entries in the registry
  • disinfect or (if disinfection is not possible) delete the file; this may be possible only after a reboot

You’re giving me credit for being much smarter than I am…

  • I don’t know how to “disable system restore” or what it does
  • I don’t think Avast Home has a “task manager”
  • I’m not smart enough to fool with registries
  • what is “disinfect”

In looking for logs, I didn’t find much, but here are recent entries from a couple I did find:

from Resident Protection log:

  • avast! Report
  • This file is generated automatically
  • Task ‘Resident protection’ used
  • Started on Thursday, March 11, 2004 6:11:03 PM
  • VPS: 0403-7, 03/11/2004

C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
During the file delete, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
During the file repair, error occurred: The process cannot access the file because it is being used by another process
During the file repair, error occurred: The process cannot access the file because it is being used by another process
During the file repair, error occurred: The process cannot access the file because it is being used by another process
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
During the file rename/move, error occurred: The process cannot access the file because it is being used by another process
During the file rename/move, error occurred: The process cannot access the file because it is being used by another process
During the file rename/move, error occurred: The process cannot access the file because it is being used by another process
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)

  • Task stopped: Thursday, March 11, 2004 7:07:09 PM
  • Run-time was 56 minute(s), 6 second(s)

Note: multiple entries above are because Avast! continually bugged me about that file and wouldn’t delete it so I had to stop Avast! in order to do anything else with the computer.


from ASW Boot log:

11/03/2004 11:10
Scan of all local drives

File C:\Documents and Settings\Me\Local Settings\Temp\arcebxe.dll is infected by Win32:Trojan-gen. {Other}

11/03/2004 11:13
Scan of all local drives

File C:\Documents and Settings\Me\Local Settings\Temp\arcebxe.dll is infected by Win32:Trojan-gen. {Other}

11/03/2004 11:21
Scan of all local drives

11/03/2004 19:08
Scan of all local drives

File C:\Documents and Settings\Me\Local Settings\Temp\arcebxe.dll is infected by Win32:Trojan-gen. {Other}

Note: entries above appear to have been generated whilst the system was rebooting after I asked for a scan on restart; none of those scans on restart seemed to finish as I only got a blank screen after the initial WinXP logo, and WinXP never came back up.


My questions, though, are a bit more generic:

  1. Why doesn’t Avast! run a scan on WinXP startup as it says it will and seems to try to do? (ie, something is failing there)

  2. If Avast! can’t delete a file because it is hidden or in use, and the scan on startup doesn’t work, then how DO you get rid of the file?
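An added example, not part of the original posts and not avast! code: a Python script that collapses the repeated alert lines from the two logs quoted above into one record per file, and lists the files where every failed action was blocked because the file was in use. The line formats are taken from the quoted logs; the sample log is constructed from them and the function names are hypothetical.

```python
import re

# Constructed sample in the two line formats quoted in the thread's logs.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
During the file delete, error occurred: The process cannot access the file because it is being used by another process
During the file repair, error occurred: The process cannot access the file because it is being used by another process
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
During the file rename/move, error occurred: The process cannot access the file because it is being used by another process
C:\WINDOWS\SYSTEM32\EWDLHQD.DLL [L] Win32:Trojan-gen. {Other} (0)
File C:\Documents and Settings\Me\Local Settings\Temp\arcebxe.dll is infected by Win32:Trojan-gen. {Other}
"""

RESIDENT = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \[L\] (?P<name>.+?) \(\d+\)$")
BOOT = re.compile(r"^File (?P<path>[A-Za-z]:\\.+?) is infected by (?P<name>.+)$")
ERROR = re.compile(r"^During the file (?P<action>[\w/]+), error occurred: (?P<reason>.+)$")
LOCKED = "being used by another process"


def summarize(log_text):
    """Collapse repeated alerts into one record per file (case-insensitive path)."""
    files, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = RESIDENT.match(line) or BOOT.match(line)
        if hit:
            key = hit.group("path").lower()
            current = files.setdefault(
                key, {"detection": hit.group("name"), "alerts": 0, "failed": {}})
            current["alerts"] += 1
            continue
        err = ERROR.match(line)
        if err and current is not None:
            # Error lines belong to the most recent detection line above them.
            current["failed"].setdefault(err.group("action"), set()).add(err.group("reason"))
    return files


def locked_files(summary):
    """Paths where every failed action was blocked because the file was in use."""
    locked = []
    for path, info in summary.items():
        reasons = set().union(*info["failed"].values())
        if reasons and all(LOCKED in r for r in reasons):
            locked.append(path)
    return locked


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for path, info in report.items():
        print(path, info["detection"], info["alerts"], sorted(info["failed"]))
    print("in use, needs removal while not loaded:", locked_files(report))
```
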

Hi,

I thought your system is clean again ?
just some general info for next time :wink:

google.com and the board search above will help you search for any expressions you don’t understand…

I suspect it would be this one:
http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=afcore&product=2
→ AFcore probably the “Q”-variant

Don’t believe the “Avast: undetected” in some entries, VGREP is usually outdated by a good 1-2 months

:wink:

  1. don’t know; you’d have to ask the developers (never needed a bootscan so far). Could be that the dll-file gets recreated only AFTER the boot; then you’d have some other malware on your PC
    → read above VGREP-Link, and tell us, what Symantec scanner said about the file

  2. you get information about the virus/trojan, and then remove it according to the instructions… (if avast or its special virus Cleaner doesn’t pick it up) :wink:

You maybe had an active Backdoor on your PC:
you should scan thoroughly with up-to-date avast, and onlinescanners from www.trendmicro.com and www.ravantivirus.com

  • also go to www.lurkhere.com → nicefiles
  • download HIJACKTHIS from there and unzip it into a new empty folder
  • run it, click scan, then Save logfile … copy the contents of the logfile here

It is relatively clean (at least I did get rid of the trojan in the logs of my previous reply that was driving me nuts with Avast! virus alert windows every 10 seconds) but I had to use Norton Internet Security trial download to get rid of it, and Norton is scanning and finding more bad guys even as I write this… so is the answer to pay for Norton rather than hope/expect Avast! Home can do the job?

Yes, I think I did have an active backdoor… I was trying to close it.

Thanks for the other sites, I’ve bookmarked them. I’ll try online scanning tomorrow, it’s way past my bedtime.