Can't delete trojan with NOD32

Discussion in 'NOD32 version 2 Forum' started by jcee, Jun 29, 2006.

Thread Status:
Not open for further replies.
  1. jcee

    jcee Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    5
    I ran NOD32, which picked up the trojan Win32/TrojanDownloader.IstBar, but the option to delete or clean was not available; the only button available was "Leave", so I have no idea how to remove it.
    Can anyone shed some light on that for me?
    Thanks,
    jcee
     
  2. honeybunny

    honeybunny Suspended Member

    Joined:
    Dec 21, 2004
    Posts:
    168
  3. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    It is certainly in a self-extracting archive or an archive. NOD32 cannot delete files inside archives. You should delete the infected archive manually. And don't worry, you are fully safe, because when a suspicious file is extracted from the archive it will be detected by AMON upon extraction.
     
  4. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Restart your PC in safe mode and scan your HDD.
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi jcee, welcome to Wilders.

    I would also suggest a run through this thread and then run a scan by doing the following:

    NOD32 Control Centre
    Run NOD32
    Scan and Clean

    Let us know how you go...

    Cheers :D
     
  6. jcee

    jcee Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    5
    Thanks for the reply, Fosius and others.
    I should have added that I did run the PC in safe mode and scanned, but was still unable to delete the file because there was no option available but to leave. I have tried to find the file manually and delete it but am unable to find it. I know it said the path was in the temp internet IE5 files, but I have not been able to find this folder. I emptied the temp int. files by going into Internet Options, but the file is still there somewhere. I run XP.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Please follow the instructions in Post number 5 and then report back, the Trojan should be removed.

    Cheers :D
     
  8. jcee

    jcee Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    5
    Thanks, is there a specific part in the instructions you can direct me to that will allow me to locate and delete the file?
    Most of this is about installing and configuring NOD32.
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Exactly ;) :D

    And once it is configured I want you to run a further scan:

    NOD32 Control Centre
    Run NOD32
    Scan and Clean

    Cheers :D
     
  10. ASpace

    ASpace Guest


    He'd better first boot in Safe Mode and perform In-Depth Analysis, which includes all the important stuff for an on-demand scan :D
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    All the important stuff, as you put it, is within the configuration settings provided in that link, and a scan as suggested will use these configuration settings. Let's not confuse the person please.

    Blackspear.

    Edit ~ see attached screenshot for In Depth settings.
     

    Last edited: Jun 30, 2006
  12. jcee

    jcee Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    5
    OK, I did all the configuring and ran the scan, and it still picked up the trojan and only gave me the option to leave it.
    Do you know where I can locate this folder on my PC in XP?
    My temp int. files folder doesn't have any other folders in it, just a few browsing files.

    Temporary Internet Files\Content.IE5\SBTBUEZ1\ysb_regular[1].cab »CAB »ysbactivex.dll - a variant of Win32/TrojanDownloader.IstBar trojan
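
An added example (not from any poster in this thread and not ESET code): a small Python parser for the scan-log line quoted in post 12, showing that the object on disk is the `.cab` under `Content.IE5` and the flagged DLL is a member inside it, which is the situation post 3 describes where the archive itself has to be removed. The field layout is inferred from that single quoted line; `parse_detection`, `triage`, the action labels and the `PLAIN` sample are hypothetical.

```python
import re
from typing import NamedTuple, Tuple

SEP = "\u00bb"  # "»": separates nesting levels in the quoted log line

# Line quoted in post 12 of this thread.
SAMPLE = r"Temporary Internet Files\Content.IE5\SBTBUEZ1\ysb_regular[1].cab »CAB »ysbactivex.dll - a variant of Win32/TrojanDownloader.IstBar trojan"
# Constructed line for a plain (non-archived) file; path and name are placeholders.
PLAIN = r"C:\Temp\sample.exe - Win32/Example.A trojan"


class Detection(NamedTuple):
    on_disk: str             # the object that exists in the file system
    nested: Tuple[str, ...]  # archive type labels / member names inside it
    threat: str
    variant: bool            # True when reported as "a variant of ..."


def parse_detection(line: str) -> Detection:
    """Split one log line into on-disk file, nesting chain and verdict."""
    chain, dash, verdict = line.strip().rpartition(" - ")
    if not dash:
        raise ValueError("no ' - ' between object and verdict")
    parts = [p.strip() for p in chain.split(SEP)]
    m = re.match(r"(a variant of )?(\S+)", verdict.strip())
    if not parts[0] or m is None:
        raise ValueError("empty object path or verdict")
    return Detection(parts[0], tuple(parts[1:]), m.group(2), bool(m.group(1)))


def triage(line: str) -> Tuple[str, str]:
    """Return (action, target file) following the advice in post 3."""
    det = parse_detection(line)
    if det.nested:
        # Flagged object lives inside a container: the container is what
        # has to be removed from disk, by hand.
        return ("delete-container-manually", det.on_disk)
    # Assumption: a plain file is one the scanner can clean or delete itself.
    return ("scanner-can-act", det.on_disk)


if __name__ == "__main__":
    for entry in (SAMPLE, PLAIN):
        print(triage(entry), parse_detection(entry).threat)
```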
     
  13. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    The Content.IE5 folder is a hidden system folder, which is probably why you cannot see it. You can make it visible by going to (in Windows Explorer) Tools --> Folder Options --> View --> get rid of all the "hiding" options.

    Even after you have already done this, it is possible that you may not be able to delete this file. Whatever is preventing NOD32 from deleting the file may prevent you from deleting it, as well. If this is the case, then it may be some sort of Windows/NTFS permissions issue with the file (darned clever trojan...), and we can try attacking it from that angle.

    Which version of Windows XP do you have, by the way, Home or Professional? Do you by any chance have the Windows XP installation CD?

    (No, I will not ask you to reinstall Windows, but there is a "Recovery Console" utility on the CD that we may have to use to delete the file manually, totally bypassing Windows. I just want to know what you have available.)
     
  14. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    This trojan isn't in the system restore folder, is it?
    What path is NOD giving to it?
    Just seen the post where you gave the path to this trojan.
    Best way to get rid of that would be to log on as another administrator (you should have one password-protected admin account as well as yours, from when Windows was first installed, for use in such instances), in safe mode (with all files showing, including protected system files). You'll have to allow access to your personal files on your user profile, i.e. don't make them private! Then just go to this file in your temp internet folder; you should then be able to delete it, as you will be logged on as another user and all your files relating to IE will not be in use and "locked".
     
    Last edited: Jun 30, 2006
  15. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    That's a little complicated an explanation: basically you need to be logged on as a different user with admin rights and with total access/control over your user files; you'll then be able to delete it.
     
  16. jcee

    jcee Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    5
    Thanks to all for your help. I think all is fine now; it seems that this was not really a trojan. I run a program called Prevx which monitors my system, and it picked up a file which it had in quarantine. I decided to delete all and any files in the Prevx quarantine and NOD, and then did a full deep scan and nothing was found, so I gather it was somehow connected to the file in Prevx quarantine... I thought it was odd because I have not had anything get through since running NOD and Prevx on my PC.
    Thanks again.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see, and thanks for letting us know.

    Cheers :D
     