Win32/TrojanClicker.Delf.NAZ removal?

enduser999 · #1 January 8th, 2008, 10:03 PM

Trying to help someone over the phone. They have NOD32 installed and on bootup tonight it found Win32/TrojanClicker.Delf.NAZ but was unable to remove it in normal and safe mode. Any suggestions how to get rid of this trojan?

katty · #2 January 9th, 2008, 04:48 AM

Try to address NOD32 forum for this question, they should definitely know, here's the address: http://www.eset.com/support/

enduser999 · #3 January 9th, 2008, 10:07 AM

Quote:

Originally Posted by katty

Try to address NOD32 forum for this question, they should definitely know, here's the address: http://www.eset.com/support/

This is the NOD32 forum.

Eclipse99fwb · #4 January 9th, 2008, 12:18 PM

I would download a trial to SuperAntiSpyware, it should be able to remove the infection. I'm guessing the trojanclicker.delf.NAZ is a newer variant of TrojanClicker.Win32.Delf.y.
I tried looking up specific removal instructions, but could only find sites showing signature being added to a variaty of AV softwares. Hope this helps.

#5 January 9th, 2008, 12:40 PM

Quote:

Originally Posted by enduser999

Trying to help someone over the phone. They have NOD32 installed and on bootup tonight it found Win32/TrojanClicker.Delf.NAZ but was unable to remove it in normal and safe mode. Any suggestions how to get rid of this trojan?

Cleaning malware on the phone is like healing an illness on the phone (calling a doctor instead of visiting them).
Removing malware is not that easy sometimes due to the way they get into Windows . V3 has better cleaning abilities so the first thing I would try is to perform an in-place upgrade , later perform full Standart scan .

Should this fail , contact ESET Support with a log of Microsoft Autoruns and Eset SysInspector http://www.eset.com/support

BigT · #6 January 10th, 2008, 01:49 AM

I was trying to clean this off of a family member's computer in person, but no dice so far.

NOD32 failed to prevent it from installing

It seems to create 2 files (with .dll and .dll.bak extensions) in Windows\System32\ with a name derived from a current dll file with a letter appended to the end. Per Hijack this logs, it installs itself as a BHO and uses a Winlogon entry.

NOD32 detects the files, but is unable to delete them because they are locked.

Trojan Remover fails to detect the trojan as of the 1/8/08 definitions.

Hijack this fails to remove the entries.

Programs such as Moveonboot fail to delete the locked files, giving "access denied" error messages.

I'm no expert on trojan removal (personally haven't had one in many years), but this seems a bit tough.

Anyone have any experience with this or ideas? I couldn't find a writeup online, so I'm essentially working blindly...

Marcos · #7 January 10th, 2008, 02:33 AM

What about cleaning it in safe mode or slaving the disk and cleaning it from a clean system?

viarippa11 · #8 January 10th, 2008, 07:28 PM

hi there, i'm new here, but i subscribed to this forum because i was searching about this trojan. it infected my neighbour's machine this night and it creates that 2 files on windows/system32 which are impossible to remove on windows. so i booted with the ubuntu 7.10 live cd and remove that 2 files from linux. but now i have one other trouble: the network connections (both cable and wireless) don't work anymore! windows signals the status "connected", but they don't catch any ip address and internet connection doesn't work. anyone could help me?
lot of thanks, an italian guy

BigT · #9 January 10th, 2008, 07:32 PM

Thanks for the suggestions.

Safe mode did not seem to work.

I did not attempt to clean using another system. It was from a laptop (SATA I believe) and I did not have the right adapters nor time to get it working.

I will work on it some more over the weekend. If I find something out, I'll post it here.

lucas1985 · #10 January 11th, 2008, 08:51 AM

Quote:

Originally Posted by viarippa11

but now i have one other trouble: the network connections (both cable and wireless) don't work anymore! windows signals the status "connected", but they don't catch any ip address and internet connection doesn't work. anyone could help me?

Try repairing the TCP/IP stack

enduser999 · #11 January 12th, 2008, 11:02 AM

I had to remove the infected SATA hard drive and scan it in an external hard drive case on another machine with NOD32 V3. Seems to have cleaned the TrojanClicker as well as a BHO.AGZ trojan that also was on the drive.

pardesia · #12 January 12th, 2008, 01:45 PM

hi enduser i have also got this trojan in my pc.can you please explain me how to remove it. thanks

enduser999 · #13 January 12th, 2008, 05:04 PM

Quote:

Originally Posted by pardesia

hi enduser i have also got this trojan in my pc.can you please explain me how to remove it. thanks

I had to remove the infected SATA hard drive and scan it in an external hard drive case on another machine with NOD32 V3. Seems to have cleaned the TrojanClicker as well as a BHO.AGZ trojan that also was on the drive.

BigT · #14 January 12th, 2008, 06:08 PM

I eventually used Knoppix to remove the two files ([random].dll and [random].dll.bak) in Windows\System32 and one file ([random2].dat) in Windows\System32\drivers. The drive needs to be mounted as read-write (directions are given here: http://www.knoppix.net/forum/viewtopic.php?p=115479 )

I also removed the associated registry entries for winlogon and the BHO in safe mode.

AFAIK, the trojan is gone, but its removal has hosed TCP/IP on my computer. The TCP/IP protocol driver fails to start and thus DHCP and other services don't work. As a result, like viarippa11, my network connections no longer work.

Running Winsock XP fix did not help, neither did "netsh winsock reset." Has anyone been able to remove this trojan and preserve/fix TCP/IP?

Kosak · #15 January 12th, 2008, 06:51 PM

Hi!

When I removed this malware, I had to unload one driver. It caused renewal of malware. Then I deleted another threats and issues in Registry.

enduser999 · #16 January 12th, 2008, 08:53 PM

Quote:

Originally Posted by BigT

Running Winsock XP fix did not help, neither did "netsh winsock reset." Has anyone been able to remove this trojan and preserve/fix TCP/IP?

Hmm I had no problem with the Winsock however I also did run SuperAntiSpyware app before removing it from the computer to scan it. Do not know if that help any but no winsock problems here.

BigT · #17 January 13th, 2008, 12:54 AM

I figured it out.

Basically, the 2 files in system32 with .dll and .dll.bak extensions were detected as Win32/TrojanClicker.Delf.NAZ. The one file in system32\drivers with a .dat extension was detected as Win32/Agent.NOU trojan.

One of these seemed to have modified the file tcpip.sys in windows\system32\drivers. Replacing this file with a known good tcpip.sys and restarting the machine restored connectivity. Previously, I also repaired winsock with the tool described earlier in this thread.

I copied a tcpip.sys file from another computer. The good file has a crc32 of 647c7660 and a modified date on 10/30/07.

Hope this helps.

Kosak · #18 January 13th, 2008, 09:05 AM

You have to unload and delete Win32/Agent.NOU and delete Win32/TrojanClicker.Delf.NAZ

If you want, you can write me PM.

krish667 · #19 February 11th, 2008, 02:05 PM

Hi Lukas,

I was just doing some internet searching because this morning, my NOD32 2.7 virus scanner picked up the Win32/TrojanClicker.Delf.NAZ trojan with the file C:\WINDOWS\SYSTEM32\COMCTL32Q.dll And I haven't been able to find anyone who knows how to get rid of it. The PM system is currently not working, so I was hoping that maybe someone could help me out maybe via email if at all possible. Please help, any help is greatly appreciated. Thanks.

Quote:

Originally Posted by Lukas K.

You have to unload and delete Win32/Agent.NOU and delete Win32/TrojanClicker.Delf.NAZ

If you want, you can write me PM.

#20 February 11th, 2008, 02:12 PM

Download UnDll - the DLL removal utility from:
http://www.nod32.it/tools/undll.zip

It is great ESET Italy tool to unregister and remove dlls. Extract the file into new folder .

Run the exe file and follow the instructions (a.k.a. point the program to the infected dll , in your case C:\WINDOWS\SYSTEM32\COMCTL32Q.dll )

Follow the instructions , you may also need to reboot at the end

Kosak · #21 February 11th, 2008, 03:52 PM

Quote:

Originally Posted by krish667

The PM system is currently not working, so I was hoping that maybe someone could help me out maybe via email if at all possible. Please help, any help is greatly appreciated. Thanks.

You can write me to lukas[at]secit[dot]sk, then I write you instructions.

Quote:

Originally Posted by HiTech_boy

It is great ESET Italy tool to unregister and remove dlls.

When i tested it for removing different active samples, it was successful with Stration and PSW.OnlineGames, but Virtumonde's DLL stayed there.
However, every time I recommend use this utility in safe mode.

ner0z · #22 February 11th, 2008, 08:00 PM

So WTF... somhow I get this and I read the itmes here but to no avail... I call ESET support they tell me to run super anti spyware in safe mode.. it finds the virus and I remove then reboot as soon as I do it comes back and I have no TCPIP..... what is the deal with this and what should I do

I am seeing conflicting messages on this board on how to get rid of this!!!

Please help.

Thanks

ner0z · #23 February 11th, 2008, 09:25 PM

So I got a hold of NOD and they told me to run the UNDLL and a program called smitfraudfix.... did both of these in safe mode and the DLL keeps comming back!!!! the 2 dll's are called D3dx9_30l.dll and D3dx9_30l.dll.bak

thanatos_theos · #24 February 12th, 2008, 02:36 AM

Hi ner0z. Post a hijackthis log in one of the forums listed here.

thanatos

krish667 · #25 February 12th, 2008, 12:09 PM

I tried the undll program, and after reboot, the scanner picked up the virus again, so i guess it didnt work... hmmm

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search