Can't Delete this Trojan...

Discussion in 'NOD32 version 2 Forum' started by Rukshawmaster, May 31, 2007.

Thread Status:
Not open for further replies.
  1. Rukshawmaster

    Rukshawmaster Registered Member

    Joined:
    May 31, 2007
    Posts:
    2
    Firstly, I'm new to the forums as well as NOD32, so Hi everybody!

    After doing several scans of my C drive on my PC, NOD32 has detected at least one trojan, maybe two, but I think they are the same program. Unfortunately the files are locked and cannot be deleted or renamed. I've also run NOD32 while Windows was in safe mode, but the infected files were still locked. My ISP (Clearwire) will not let me connect to Internet Explorer because their server thinks these viruses are spamming e-mails. :cautious:

    Here are my system specs:

    AMD 4200+ X2
    Geforce 7950GT
    Maxtor 160G hard drive
    2 gigs of ram @ 800mhz
    MSI platinum SLI mother board
    Windows XP professional

    Here is the NOD32 scan log:

    Scan performed at: 5/31/2007 6:38:45 AM
    Scanning Log
    NOD32 version 2299 (20070530) NT
    Operating memory - is OK

    Date: 31.5.2007 Time: 06:39:29
    Scanned disks, folders and files: C:
    C:\pagefile.sys - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\~Snip~\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\~snip~\ntuser.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\~Snip~\Application Data\SecuROM\UserData\o_Oo_Oo_O??po_Oo_Oo_O - error opening [4]
    C:\Documents and Settings\~Snip~\Application Data\SecuROM\UserData\o_Oo_Oo_O??po_Oo_Oo_O - error opening [4]
    C:\Documents and Settings\~Snip~\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\~Snip~\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
    C:\WINDOWS\SoftwareDistribution\EventCache\{8C2B828A-DE03-4298-BB16-8443E5C9C424}.bin - error opening (File locked) [4]
    C:\WINDOWS\system32\oocbooc.dll - Win32/TrojanClicker.Delf.NAO trojan
    C:\WINDOWS\system32\oocbooc.dll.bak - Win32/TrojanClicker.Delf.NAO trojan

    C:\WINDOWS\system32\config\default - error opening (File locked) [4]
    C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\software - error opening (File locked) [4]
    C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\system - error opening (File locked) [4]
    C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\drivers\wtusngqi.sys - error opening (Access denied) [4]
    Number of scanned files: 20500
    Number of threats found: 2
    Number of active threats: 2
    Time of completion: 06:41:53 Total scanning time: 144 sec (00:02:24)

    Notes:
    [4] File cannot be opened. It may be in use by another application or operating system.
     
    Last edited by a moderator: May 31, 2007
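The log above mixes two different kinds of lines: real detections (a path followed by a threat name) and files the scanner simply could not open. Most of the "File locked" entries are normal for a running Windows XP system (pagefile, registry hives, per-user NTUSER.DAT/UsrClass.dat), and the only lines that need action are the detections and any unreadable file that is not on that expected list. The following PowerShell script is an added example, not part of the original post or of NOD32, that triages a log in this format. The sample lines are copied from the log above; the allowlist of "expected locked" paths is an assumption about a clean XP box, and a file that falls outside it (such as the access-denied driver in system32\drivers) is only reported as worth a look, not as malicious.

```powershell
# Added example (not from the original post or from NOD32): triage a NOD32 v2
# scan log into real detections, expected locked system files, and unexpected
# unreadable files. The $ExpectedLocked list is an assumption about Windows XP.

# Sample lines taken from the scan log posted above (constructed input).
$LogText = @'
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\WINDOWS\system32\oocbooc.dll - Win32/TrojanClicker.Delf.NAO trojan
C:\WINDOWS\system32\oocbooc.dll.bak - Win32/TrojanClicker.Delf.NAO trojan
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\wtusngqi.sys - error opening (Access denied) [4]
'@

# Paths Windows itself keeps open while running; a lock here is expected.
$ExpectedLocked = @(
    '^C:\\pagefile\.sys$',
    '^C:\\Documents and Settings\\[^\\]+\\NTUSER\.DAT(\.LOG)?$',
    '^C:\\Documents and Settings\\[^\\]+\\Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass\.dat(\.LOG)?$',
    '^C:\\System Volume Information\\',
    '^C:\\WINDOWS\\SoftwareDistribution\\EventCache\\',
    '^C:\\WINDOWS\\system32\\config\\(default|SAM|SECURITY|software|system)(\.LOG)?$'
)

function Get-ScanFinding {
    param([string]$Line)

    # "<path> - error opening (<reason>) [4]"  (the reason is sometimes absent)
    if ($Line -match '^(?<path>.+?) - error opening(?: \((?<reason>[^)]+)\))? \[\d+\]$') {
        $path   = $Matches.path
        $reason = if ($Matches.reason) { $Matches.reason } else { 'unknown' }
        $expected = $false
        foreach ($re in $ExpectedLocked) {
            if ($path -imatch $re) { $expected = $true; break }
        }
        $kind = if ($expected) { 'ExpectedLocked' } else { 'Unreadable' }
        return [pscustomobject]@{ Path = $path; Kind = $kind; Detail = $reason }
    }

    # "<path> - <threat name>"
    if ($Line -match '^(?<path>.+?) - (?<threat>\S+ (?:trojan|virus|worm|application|adware))$') {
        return [pscustomobject]@{ Path = $Matches.path; Kind = 'Detection'; Detail = $Matches.threat }
    }

    return $null
}

$findings = $LogText -split "`r?`n" |
    Where-Object { $_.Trim() } |
    ForEach-Object { Get-ScanFinding $_ } |
    Where-Object { $_ }

# Only detections and unexpected unreadable files need a human decision.
$findings | Where-Object { $_.Kind -ne 'ExpectedLocked' } | Format-Table -AutoSize
```

On the sample input the table contains the two `Detection` rows for oocbooc.dll and oocbooc.dll.bak and one `Unreadable` row for wtusngqi.sys with detail "Access denied"; the registry hives, pagefile and user profile files are filtered out as expected locks. An "Access denied" (rather than "File locked") on a randomly named driver in system32\drivers is the kind of entry a practitioner would check by hand, since a scanner cannot say anything about a file it could not read.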
  2. ASpace

    ASpace Guest

    Hello and Welcome to Wilders!

    Perform these instructions and keep them handy (printed or so). You need an internet connection on the infected computer; otherwise you'll need to transfer some things by CD, DVD or flash memory. The suggested Ewido micro scanner will not work without an internet connection.


    1. Download The Avenger
    http://swandog46.geekstogo.com/avenger.exe

    The Avenger is a fully scriptable, kernel-level driver designed to remove highly persistent files and registry keys/values protected by entrenched malware. Basically this means that The Avenger is a program to which you give commands to execute (the script), consisting of files to delete, etc., which would otherwise be hard to delete because they were protected or "in use" by malicious software. More about The Avenger: http://swandog46.geekstogo.com/avengernotes.htm

    2. Download this file and save it somewhere (e.g. on Desktop)

    3. Run the program avenger.exe

    4. Choose "Load Script From File"

    5. Browse to find the file/the script (trojd.txt), press the glass icon to see the script and, when you are ready ...

    6. Press the traffic light icon. Confirm.

    Now your computer will boot, and The Avenger will run the script file before the malware. After the restart the malware files will be gone. The Avenger will inform you with a log text file you'll see after you reboot. This log should report that all infected files are eliminated. Using copy/paste, please put the log file into your next reply.


    After this, should the malware have eliminated Winsock (not sure, but some does), you may need to repair Winsock.

    Repair Winsock
    Windows XP SP2 / Windows Vista

    Goto Start –> Run
    type cmd and click OK.
    Type netsh winsock reset
    Press ENTER. Restart immediately!

    Note that there is a space between the commands, e.g. netshSPACEwinsockSPACEreset

    After the restart, open NOD32's Control Center -> click IMON and re-register it to the system.


    After this :
    Open Control Center and click on Update -> Update now to ensure your NOD32 is up to date.

    Make sure your settings are the same as this tutorial.

    Download ATF Cleaner from here.
    Start it -> choose "Select all" and press "Empty Selected" button.

    Open Control Center -> NOD32 -> Run NOD32 and perform a full Scan&Clean over your hard drives. NOD32 will take care of all threats found :)

    If you have problems deleting them in Normal mode, boot in Safe Mode and then perform a full scan there.

    You can also use Ewido Micro for a second opinion.
     
    Last edited by a moderator: May 31, 2007
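The procedure above relies on a third-party boot-time driver to remove files that are "in use". Windows has a built-in way to do the same thing that is worth knowing before reaching for a tool: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the file in PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager deletes it early in the next boot, before the DLL is mapped into anything. The PowerShell script below is an added example, not code from the original post or from The Avenger: it first reports which running processes currently have each flagged DLL loaded (so you know what the malware hooked into), then queues the files for deletion at reboot. It assumes PowerShell is installed, that it is run from an elevated prompt, and that the two paths from the scan log still exist; the target list is the only input.

```powershell
# Added example (not from the original post or from The Avenger): find which
# processes have a flagged DLL loaded, then queue the file for deletion at the
# next boot through Windows' own PendingFileRenameOperations mechanism.
# Assumes an elevated PowerShell prompt; targets are the paths from the scan log.

$Targets = @(
    'C:\WINDOWS\system32\oocbooc.dll',
    'C:\WINDOWS\system32\oocbooc.dll.bak'
)

function Get-LockingProcess {
    param([string]$Path)
    # Walk every process's module list; processes we are not allowed to
    # inspect (protected/system) are skipped rather than reported.
    Get-Process | ForEach-Object {
        $mods = @()
        try { $mods = @($_.Modules) } catch { }
        if ($mods | Where-Object { $_.FileName -ieq $Path }) { $_ }
    }
}

# P/Invoke declaration for kernel32!MoveFileExW (Unicode).
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

function Register-DeleteOnReboot {
    param([string]$Path)
    # A null destination combined with the delay flag means "delete at next boot".
    $ok = [Win32.NativeMethods]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${Path}: Win32 error $err"
    }
}

foreach ($t in $Targets) {
    if (-not (Test-Path -LiteralPath $t)) { Write-Warning "missing: $t"; continue }

    foreach ($p in (Get-LockingProcess -Path $t)) {
        Write-Host ("{0} is loaded in PID {1} ({2})" -f $t, $p.Id, $p.ProcessName)
    }

    Register-DeleteOnReboot -Path $t
    Write-Host "queued for deletion at reboot: $t"
}

# The queue is just a registry value; confirm it is populated before rebooting.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations
```

The caveat is the same one that applies to The Avenger: this works when the only thing keeping the file alive is an open handle or a loaded module. If a kernel driver is actively protecting the files (the scan log shows an "Access denied" on a driver in system32\drivers, which a scanner cannot inspect), the malware may clear the registry value on shutdown or block the delete at boot, and the reliable route is then to touch the disk while Windows is not running, as with the BartPE CD mentioned later in this thread, or to reinstall as the original poster did.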
  3. Rukshawmaster

    Rukshawmaster Registered Member

    Joined:
    May 31, 2007
    Posts:
    2
    I ran Avenger but it was unable to access the files in question, so I just reinstalled windows. :cautious:
     
  4. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,100
    Location:
    Adelaide
    I've always found it handy to have a BartPE CD handy. It's a bootable live Windows CD that will allow you to access your HDD and delete any files with no problem as well as perform other tasks.
     
  5. ASpace

    ASpace Guest

    It wasn't actually necessary but as you like it :cool:
     