Can't Delete this Trojan...


Rukshawmaster
May 31st, 2007, 11:50 AM
Firstly, I'm new to the forums as well as NOD32, so Hi everybody!

After doing several scans of the C drive on my PC, NOD32 has detected at least one trojan, maybe two, but I think they are the same program. Unfortunately the files are locked and cannot be deleted or renamed. I've also run NOD32 while Windows was in safe mode, but the infected files were still locked. My ISP (Clearwire) will not let me connect to Internet Explorer because their server thinks these viruses are spamming e-mails. :dry:

Here are my system specs:

AMD 4200+ X2
Geforce 7950GT
Maxtor 160G hard drive
2 gigs of ram @ 800mhz
MSI platinum SLI mother board
Windows XP professional

Here is the NOD32 scan log:

Scan performed at: 5/31/2007 6:38:45 AM
Scanning Log
NOD32 version 2299 (20070530) NT
Operating memory - is OK

Date: 31.5.2007 Time: 06:39:29
Scanned disks, folders and files: C:
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\~Snip~\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\~snip~\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\~Snip~\Application Data\SecuROM\UserData\???????????p????????? - error opening [4]
C:\Documents and Settings\~Snip~\Application Data\SecuROM\UserData\???????????p????????? - error opening [4]
C:\Documents and Settings\~Snip~\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\~Snip~\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\WINDOWS\SoftwareDistribution\EventCache\{8C2B828A-DE03-4298-BB16-8443E5C9C424}.bin - error opening (File locked) [4]
C:\WINDOWS\system32\oocbooc.dll - Win32/TrojanClicker.Delf.NAO trojan
C:\WINDOWS\system32\oocbooc.dll.bak - Win32/TrojanClicker.Delf.NAO trojan
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\wtusngqi.sys - error opening (Access denied) [4]
Number of scanned files: 20500
Number of threats found: 2
Number of active threats: 2
Time of completion: 06:41:53 Total scanning time: 144 sec (00:02:24)

Notes:
[4] File cannot be opened. It may be in use by another application or operating system.
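Two kinds of lines in that log need to be told apart before acting on it: the actual detections (the two oocbooc.dll entries) and the many files NOD32 simply could not open. Nearly all of the [4] entries are the pagefile, the registry hives under system32\config and the per-user NTUSER.DAT/UsrClass.dat hives, which Windows keeps open on every running system, so they say nothing about the infection. The entry that stands out is a randomly named driver under system32\drivers that even the scanner gets "Access denied" on; that is worth treating as suspicious until it is checked. The Python below is an added example, not part of this thread or of NOD32: it parses a constructed excerpt in the same line format as the log and sorts lines into detections, expected locks and lines to review by hand. The EXPECTED_LOCKED patterns are an assumption that covers the paths seen in this particular log, not an exhaustive list.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed excerpt in the shape of the NOD32 v2 scan log above (not the
# full log); backslashes are doubled only because this is Python source.
SAMPLE_LOG = """\
Scanned disks, folders and files: C:
C:\\pagefile.sys - error opening (File locked) [4]
C:\\Documents and Settings\\LocalService\\NTUSER.DAT - error opening (File locked) [4]
C:\\System Volume Information\\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\\WINDOWS\\system32\\oocbooc.dll - Win32/TrojanClicker.Delf.NAO trojan
C:\\WINDOWS\\system32\\oocbooc.dll.bak - Win32/TrojanClicker.Delf.NAO trojan
C:\\WINDOWS\\system32\\config\\SAM - error opening (File locked) [4]
C:\\WINDOWS\\system32\\drivers\\wtusngqi.sys - error opening (Access denied) [4]
Number of scanned files: 20500
Number of threats found: 2
"""

# One log line: "<drive>:\<path> - <result>" with an optional " [n]" note code.
# Header and summary lines do not start with a drive letter and are skipped.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) - (?P<result>.+?)(?: \[(?P<code>\d+)\])?$"
)

# Assumed list of paths the OS itself always holds open on XP: a lock here is
# expected and is not evidence. Matched as lower-case substrings with '/'
# separators, so the .LOG variants of the hives are covered too.
EXPECTED_LOCKED = (
    "c:/pagefile.sys",
    "/ntuser.dat",
    "/usrclass.dat",
    "/windows/system32/config/",
    "/system volume information/",
    "/windows/softwaredistribution/eventcache/",
)


class Finding(NamedTuple):
    path: str
    result: str


def classify(path: str, result: str) -> str:
    """Return 'detection', 'expected_lock' or 'review' for one log line."""
    if not result.startswith("error opening"):
        return "detection"          # NOD32 prints the threat name as the result
    norm = path.lower().replace("\\", "/")
    if any(marker in norm for marker in EXPECTED_LOCKED):
        return "expected_lock"
    return "review"                 # unexplained lock/denial: look at it by hand


def triage(log_text: str) -> Dict[str, List[Finding]]:
    """Bucket every file line of a NOD32 v2 scan log by classify()."""
    buckets: Dict[str, List[Finding]] = {
        "detection": [], "expected_lock": [], "review": []
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        path, result = m["path"], m["result"]
        buckets[classify(path, result)].append(Finding(path, result))
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket} ({len(items)})")
        for f in items:
            print(f"  {f.path}  <-  {f.result}")
```

Run against the constructed excerpt the script reports two detections, four expected locks and exactly one line to review, the wtusngqi.sys driver. On a real log, anything that lands in "review" (or any detection whose path NOD32 could not clean) is what the rest of this thread is about.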

ASpace
May 31st, 2007, 02:10 PM
Hello and Welcome to Wilders!

Perform these instructions and keep them handy (printed or so). You need an internet connection on the infected computer; otherwise you'll need to transfer some things via CD, DVD or flash memory. The suggested Ewido Micro scanner will not work without an internet connection.


1. Download The Avenger
http://swandog46.geekstogo.com/avenger.exe

The Avenger is a fully scriptable, kernel-level driver designed to remove highly persistent files and registry keys/values protected by entrenched malware. Basically this means that The Avenger is a program to which you give commands to execute (the script), consisting of files to delete, etc., which would otherwise be hard to delete because they were protected or "in use" by malicious software. More about The Avenger: http://swandog46.geekstogo.com/avengernotes.htm

2. Download this file (http://pandaman.my.contact.bg/trojd.txt) and save it somewhere (e.g. on Desktop)

3. Run the program avenger.exe

4. Choose "Load Script From File"

5. Browse to find the file/the script (trojd.txt), press the Glass icon to see the script, and when you are ready ...

6. Press the traffic light icon. Confirm.

Now your computer will reboot, and The Avenger will run the script file before the malware. After the restart the malware files will be gone. The Avenger will inform you with a log text file you'll see after you reboot. This log should report that all infected files are eliminated. Using copy/paste, please put the log file into your next reply.


After this, should the malware have eliminated Winsock (not sure, but some do it), you may need to repair Winsock.

Repair Winsock
Windows XP SP2 / Windows Vista

Go to Start -> Run
Type cmd and click OK.
Type netsh winsock reset
Press ENTER. Restart immediately!

Note that there is a space between the words, for example netsh<SPACE>winsock<SPACE>reset

After the restart, open NOD32's Control Center -> click IMON and re-register it to the system.


After this :
Open Control Center and click on Update -> Update now to ensure your NOD32 is up to date.

Make sure your settings are the same as this tutorial (http://www.wilderssecurity.com/showthread.php?t=37509).

Download ATF Cleaner from here (http://www.atribune.org/ccount/click.php?id=1).
Start it -> choose "Select all" and press "Empty Selected" button.

Open Control Center -> NOD32 -> Run NOD32 and perform a full Scan & Clean over your hard drives. NOD32 will take care of all threats found :)

If you have problems deleting them in Normal mode, boot into Safe Mode (http://support.microsoft.com/kb/315222) and then perform a full scan there.

You can also use Ewido Micro (http://download.ewido.net/ewido_micro.exe) for second opinion.
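The trick The Avenger relies on is timing: its own driver removes the files early in the boot, before whatever holds them open has started. Windows has a built-in, if weaker, version of the same idea that needs no third-party tool: MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag appends the request to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager (smss.exe) carries the renames and deletions out on the next boot, before services or any user session exist. The Python below is an added example of that mechanism and is not The Avenger's script format, the trojd.txt script linked above, or anything from NOD32. It assumes Python 3 with ctypes/winreg, an Administrators token on the infected machine, and the two file paths NOD32 reported; the pure helpers run anywhere, and the only Windows-specific calls are MoveFileExW and the registry read.

```python
import ctypes
import sys
from typing import List, Sequence, Tuple

MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004      # winbase.h
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def nt_path(win32_path: str) -> str:
    """Session Manager stores paths in NT object-manager form: \\??\\C:\\..."""
    return win32_path if win32_path.startswith("\\??\\") else "\\??\\" + win32_path


def pending_rename_entries(paths: Sequence[str]) -> List[str]:
    """Build the REG_MULTI_SZ strings that MoveFileEx(..., DELAY_UNTIL_REBOOT)
    appends: each source path is followed by its destination, and an empty
    destination means 'delete'. Pure function so it can be inspected anywhere."""
    entries: List[str] = []
    for p in paths:
        entries.extend([nt_path(p), ""])
    return entries


def parse_pending(entries: Sequence[str]) -> List[Tuple[str, str]]:
    """Pair up an existing value so it can be audited during triage: malware
    uses this same key to swap its own files in at boot. A destination that
    starts with '!' marks a rename that replaces an existing target."""
    if len(entries) % 2:
        raise ValueError(f"{PENDING_VALUE} must hold an even number of strings")
    return [(entries[i], entries[i + 1]) for i in range(0, len(entries), 2)]


def read_pending() -> List[Tuple[str, str]]:
    """Read the live value (Windows only; [] elsewhere or when the value is unset)."""
    if sys.platform != "win32":
        return []
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, _type = winreg.QueryValueEx(key, PENDING_VALUE)
    except FileNotFoundError:
        return []
    return parse_pending(value)


def schedule_delete_at_boot(path: str) -> bool:
    """Ask Session Manager to delete `path` on the next boot, before the
    user-mode code that currently holds it open is running. Needs an elevated
    token; raises OSError with the Win32 error if the call fails. Returns
    False without doing anything on non-Windows platforms."""
    if sys.platform != "win32":
        return False
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int      # BOOL
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


if __name__ == "__main__":
    # The two files NOD32 flagged in the log earlier in this thread.
    targets = [r"C:\WINDOWS\system32\oocbooc.dll",
               r"C:\WINDOWS\system32\oocbooc.dll.bak"]
    print("Entries that would be appended:", pending_rename_entries(targets))
    print("Already pending on this machine:", read_pending())
    if sys.platform == "win32" and "--apply" in sys.argv:
        for t in targets:
            schedule_delete_at_boot(t)
        print("Scheduled; reboot to apply, then rescan.")
```

Run it without `--apply` first: the "already pending" list is itself a triage artefact, because a trojan that re-copies its DLL at boot often shows up here. The caveat is the same one that applies to The Avenger: boot-start drivers are loaded before Session Manager works through this list, so a kernel component that re-protects or hides the files can still win, and a file denied even to a SYSTEM-level scanner (the drivers\wtusngqi.sys line in the log) is a hint that this may be the case. When that happens, deleting from an offline boot medium such as the BartPE CD mentioned later in the thread is the dependable route, since nothing from the infected installation is running at all.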

Rukshawmaster
June 1st, 2007, 11:27 PM
I ran Avenger but it was unable to access the files in question, so I just reinstalled windows. :dry:

The Seeker
June 2nd, 2007, 08:59 AM
I've always found it handy to have a BartPE (http://www.nu2.nu/pebuilder/) CD around. It's a bootable live Windows CD that will allow you to access your HDD and delete any files with no problem, as well as perform other tasks.

ASpace
June 2nd, 2007, 12:01 PM
> I ran Avenger but it was unable to access the files in question, so I just reinstalled windows. :dry:

It wasn't actually necessary, but as you like it 8)