bdmc
August 18th, 2008, 01:11 AM
Hi All,
I have just been handed a PC that didn't have anti-virus installed. I have just installed NOD32, and it has found a few files infected with win32/wigon trojan.
It was able to remove some of the infected files, but 1 file is unable to be removed.
c:\windows\system32\drivers\Tah20.sys
In safemode, I am still unable to rename or delete this file.
Under HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal, there is a key for Tah20.sys, which I am unable to delete from the registry. So the driver is starting up even in safemode.
For some reason my BartPE boot disk isn't able to see the harddisk.. Encryption is turned off though...
Anyone have any ideas?
I have just been handed a PC that didn't have anti-virus installed. I have just installed NOD32, and it has found a few files infected with win32/wigon trojan.
It was able to remove some of the infected files, but 1 file is unable to be removed.
c:\windows\system32\drivers\Tah20.sys
In safemode, I am still unable to rename or delete this file.
Under HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal, there is a key for Tah20.sys, which I am unable to delete from the registry. So the driver is starting up even in safemode.
For some reason my BartPE boot disk isn't able to see the harddisk.. Encryption is turned off though...
Anyone have any ideas?