#1
Having difficulty removing an infection from a system today, wanted to see if you could provide me with some assistance.

AMON logs the intrusion as "file C:\WINDOWS\Help\runabr.dll Win32/Agent.CS trojan error while cleaning - operation unavailable for this type of object DDKG7D61\AdAm Event occurred at an attempt to access the file by the application: C:\WINDOWS\explorer.exe."

Ran a Jotti/VirusTotal just to make sure it wasn't an FP; of course it isn't, as all of the scanners caught it as something or other. Scans in normal/safe mode do not see it because AMON is set up to clean automatically. (But the file is generated every second according to my threat log.) I have attempted to remove this file with Killbox as well, but it is unable to remove the file. Any ideas?

#2
Hello,
did you have NTFS AD streams enabled in the on-demand scanner setup?

#3
Quote:
Yes, it is enabled.

#4
Once I checked my friend's computer's NOD32 threat log; there was a virus created by mywebsearch and NOD32 can't clean it (error while cleaning - operation unavailable for this type of object...Event occurred at an attempt to access the file by the application: C:\WINDOWS\explorer.exe), so I deleted it manually without a problem. I'm interested: is it difficult to configure NOD32 in such a way that it can delete such kinds of viruses automatically?
Sorry for my English.

#5
AMON is set to move all newly created files to quarantine automatically. If you set AMON to clean infected files, it will not be able to clean uncleanable malware (trojans, backdoors, etc.), but will still block access to such files.
#6
So what to do?
If I set "prohibit access & show alert window with action option", will it give me the option to delete that file? Or must I unset "move newly created infected files to quarantine"?

#7
Quote:
Yes. If it is set to clean automatically, AMON will attempt to clean the file; however, trojans, spyware... cannot be cleaned, they are just deleted. Since Agent is a trojan, AMON can't clean it, so it will only prohibit access to that file. "Move newly created infected files" is quite a useful option. It will move all newly created malware to quarantine; however, in that case (Event occurred at an attempt to access the file by the application: C:\WINDOWS\explorer.exe) the file is not new.

#8
So why not add an option to automatically delete such kinds of files?

#9
For security reasons AMON CANNOT DELETE files AUTOMATICALLY.
#10
Can you tell me please for what kind of security reasons AMON CANNOT DELETE files AUTOMATICALLY?

#11
For instance, having a false positive on system files would render your OS unusable if AMON deleted certain crucial files automatically. The same goes for files infected with viruses that cannot be cleaned.