Nightly scan does not clean viruses that it finds

Discussion in 'NOD32 version 2 Forum' started by extremesanity, May 22, 2007.

Thread Status:
Not open for further replies.
  1. extremesanity

    extremesanity Registered Member

    Joined:
    May 22, 2007
    Posts:
    5
    I am a new user to NOD32, and have set up about 15 clients remotely and use the remote administrator console to watch them.

    I set up a nightly scan of all machines, and several of my clients have detected viruses. This particular machine has 54 infections, but despite my best efforts, they never get cleaned off of the system.


    Code:
    Log Details
    Scanning Log
    NOD32 version 2283 (20070521) NT
    Command line: /config=
    Operating memory - is OK
    
    Date: 21.5.2007  Time: 23:00:37
    Anti-Stealth technology is enabled.
    Scanned disks, folders and files: C:
    C:
    C:\pagefile.sys - error opening (File locked)
    C:\Adp\MSDE\MSSQL$ADPDB\Data\master.mdf - error opening (File locked)
    C:\Adp\MSDE\MSSQL$ADPDB\Data\mastlog.ldf - error opening (File locked)
    C:\Adp\MSDE\MSSQL$ADPDB\Data\model.mdf - error opening (File locked)
    C:\Adp\MSDE\MSSQL$ADPDB\Data\modellog.ldf - error opening (File locked)
    C:\Adp\MSDE\MSSQL$ADPDB\Data\tempdb.mdf - error opening (File locked)
    C:\Adp\MSDE\MSSQL$ADPDB\Data\templog.ldf - error opening (File locked)
    C:\Documents and Settings\abrody\Local Settings\Temp\Rem31.exe - Win32/TrojanDropper.Swicer.A trojan - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temp\Sentry.exe - Win32/TrojanDownloader.Stubby.B trojan - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temp\toolbar.dll - a variant of Win32/Adware.Websearch application
    C:\Documents and Settings\abrody\Local Settings\Temp\upd117.exe - a variant of Win32/Adware.Look2Me application
    C:\Documents and Settings\abrody\Local Settings\Temp\upd118.exe - a variant of Win32/Adware.Look2Me application
    C:\Documents and Settings\abrody\Local Settings\Temp\upd120.exe - Win32/Adware.Look2Me application - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temp\upd121.exe - Win32/Adware.Look2Me application - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temp\THI6BDB.tmp\preInsTT.exe - Win32/Adware.BiSpy application - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temp\THI6BDB.tmp\twaintec.dll - Win32/Spy.BiSpy.C trojan - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temp\THICA3.tmp\preInsTT.exe - Win32/Adware.BiSpy application - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temp\THICA3.tmp\twaintec.dll - Win32/Spy.BiSpy.C trojan - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\0D0F47GF\upd121[1].exe - Win32/Adware.Look2Me application - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\7QSVNT85\upd120[1].exe - Win32/Adware.Look2Me application - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\833JE0D9\keyword[1].exe - Win32/Spy.Newrok.B trojan - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\AZM7KDAX\AppWrap[1].exe - a variant of Win32/TrojanDownloader.Swizzor trojan - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\AZM7KDAX\fsc2k[1].htm - JScript/TrojanDownloader.Cobase.A trojan - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\GDC5Q3CT\file[1].php - Win32/Adware.Xupiter application - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\IJS941MV\AppWrap[1].exe - a variant of Win32/Adware.Apropos.downloader application
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\J2WRBHKH\AppWrap[6].exe - Win32/Revop.C trojan - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\J2WRBHKH\upd118[1].exe - a variant of Win32/Adware.Look2Me application
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\NZPRZL4O\dw[1].exe - Win32/TrojanDownloader.Realtens.E trojan - unable to clean
    C:\Documents and Settings\abrody\Local Settings\Temporary Internet Files\Content.IE5\NZPRZL4O\upd117[1].exe - a variant of Win32/Adware.Look2Me application
    C:\Documents and Settings\Administrator\Local Settings\Temp\toolbar.dll - a variant of Win32/Adware.Websearch application
    C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked)
    C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked)
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked)
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked)
    C:\Documents and Settings\lwesterman\Local Settings\Temporary Internet Files\Content.IE5\G1UV0963\sethome[1].com - JS/AdWare.SearchPage.A virus - unable to clean
    C:\Documents and Settings\lwesterman.ENCORE-INC\NTUSER.DAT - error opening (File locked)
    C:\Documents and Settings\lwesterman.ENCORE-INC\ntuser.dat.LOG - error opening (File locked)
    C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked)
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked)
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked)
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked)
    C:\Documents and Settings\vdarrow\NTUSER.DAT - error opening (File locked)
    C:\Documents and Settings\vdarrow\ntuser.dat.LOG - error opening (File locked)
    C:\Program Files\Common Files\MSIETS\msielink.dll - Win32/Adware.Wintol application - unable to clean
    C:\Program Files\Common Files\updater\delupdat.exe - Win32/TrojanDownloader.Keenval.A trojan - unable to clean
    C:\Program Files\Common Files\updater\sui.exe - Win32/TrojanDownloader.Keenval.A trojan - unable to clean
    C:\Program Files\Common Files\updater\wupdater.exe - Win32/TrojanDownloader.Keenval.A trojan - unable to clean
    C:\Program Files\Sqwire\ad.exe - Win32/Adware.Xupiter application - unable to clean
    C:\Program Files\Sqwire\s.dll - Win32/Adware.Xupiter application - unable to clean
    C:\Program Files\Sqwire\t.dll - Win32/Adware.Xupiter application - unable to clean
    C:\Program Files\Sqwire\u.dll - Win32/Adware.Xupiter application - unable to clean
    C:\WINDOWS\Downloaded Program Files\HbInstIE.dll - Win32/Adware.HotBar application - unable to clean
    C:\WINDOWS\SoftwareDistribution\EventCache\{A4D33216-1534-4222-83CD-40D69618BE06}.bin - error opening (File locked)
    C:\WINDOWS\system32\usgcomcr.exe - a variant of Win32/Adware.HotBar application
    C:\WINDOWS\system32\config\default - error opening (File locked)
    C:\WINDOWS\system32\config\default.LOG - error opening (File locked)
    C:\WINDOWS\system32\config\SAM - error opening (File locked)
    C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked)
    C:\WINDOWS\system32\config\SECURITY - error opening (File locked)
    C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked)
    C:\WINDOWS\system32\config\software - error opening (File locked)
    C:\WINDOWS\system32\config\software.LOG - error opening (File locked)
    C:\WINDOWS\system32\config\system - error opening (File locked)
    C:\WINDOWS\system32\config\system.LOG - error opening (File locked)
    C:\WINNT\CDL.exe - Win32/VB.JH trojan - unable to clean
    C:\WINNT\preInsTT.exe - Win32/Adware.BiSpy application - unable to clean
    C:\WINNT\twaintec.dll - Win32/Spy.BiSpy.C trojan - unable to clean
    C:\WINNT\SYSTEM32\inetadpt.dll - Win32/Adware.Virtumonde application - unable to clean
    C:\WINNT\SYSTEM32\mp_sys.exe - Win32/VB.JH trojan - unable to clean
    C:\WINNT\SYSTEM32\msg117.dll - a variant of Win32/Adware.Look2Me application
    C:\WINNT\SYSTEM32\msg118.dll - a variant of Win32/Adware.Look2Me application
    C:\WINNT\SYSTEM32\msg120.cpy.dll - a variant of Win32/Adware.Look2Me application
    C:\WINNT\SYSTEM32\msg120.dll - a variant of Win32/Adware.Look2Me application
    C:\WINNT\SYSTEM32\msg121.cpy.dll - Win32/Adware.Look2Me application - unable to clean
    C:\WINNT\SYSTEM32\msg121.dll - Win32/Adware.Look2Me application - unable to clean
    C:\WINNT\SYSTEM32\msguard.dll - a variant of Win32/Adware.Look2Me application
    C:\WINNT\SYSTEM32\msg{97FE7C31-5CD1-45A1-B979-DAB2442A2E08}0115.dll - Win32/Adware.Look2Me application - unable to clean
    C:\WINNT\SYSTEM32\msss.exe - Win32/TrojanDownloader.Lookme.F trojan - unable to clean
    C:\WINNT\SYSTEM32\PopOops.dll - Win32/Adware.VirtualBouncer application - unable to clean
    C:\WINNT\SYSTEM32\PopOops2.dll - Win32/Adware.VirtualBouncer application - unable to clean
    C:\WINNT\SYSTEM32\SWLAD1.dll - Win32/Adware.VirtualBouncer application - unable to clean
    C:\WINNT\SYSTEM32\SWLAD2.dll - Win32/Adware.VirtualBouncer application - unable to clean
    C:\WINNT\SYSTEM32\wincore.dll - Win32/TrojanDownloader.Agent.E trojan - unable to clean
    C:\WINNT\SYSTEM32\winhost32.exe - Win32/TrojanDownloader.Agent.E1 trojan - unable to clean
    Number of scanned files: 137889
    Number of threats found: 54
    Number of active threats: 54
    Time of completion: 23:52:07 Total scanning time: 3090 sec (00:51:30)
    
    Notes:
    [4] File cannot be opened. It may be in use by another application or operating system.
    
    Each night, the same machine gets scanned, and each night it comes up with 54 infected files, 0 cleaned. This occurs with two other clients with infections also. How do I get these things to clean themselves automatically?

    I uploaded the config file as a .txt, have to change it to .xml in order to view it in the configuration editor though.
     

    Attached Files:
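    A small triage script for scan logs in the format of the log posted above, added here as an illustration; it is not code from the thread, from ESET or from the NOD32 product. It assumes the line layout seen in the posted log (`<path> - error opening (File locked)`, `<path> - <threat>` and `<path> - <threat> - unable to clean`) and the `Number of threats found` / `Number of active threats` summary lines; the directory lists used to separate cached downloads from installed components are heuristics chosen for this example, and the embedded log is a constructed excerpt of the one in the post.

```python
import re
from collections import Counter

# Constructed excerpt of the scan log posted in the thread (eight findings,
# not the full 54), embedded so the script runs offline.
SAMPLE_LOG = r"""
C:\pagefile.sys - error opening (File locked)
C:\Adp\MSDE\MSSQL$ADPDB\Data\master.mdf - error opening (File locked)
C:\Documents and Settings\abrody\Local Settings\Temp\Rem31.exe - Win32/TrojanDropper.Swicer.A trojan - unable to clean
C:\Documents and Settings\abrody\Local Settings\Temp\toolbar.dll - a variant of Win32/Adware.Websearch application
C:\Program Files\Common Files\updater\wupdater.exe - Win32/TrojanDownloader.Keenval.A trojan - unable to clean
C:\WINNT\SYSTEM32\msg121.dll - Win32/Adware.Look2Me application - unable to clean
C:\WINNT\SYSTEM32\msguard.dll - a variant of Win32/Adware.Look2Me application
C:\WINDOWS\system32\config\SAM - error opening (File locked)
Number of scanned files: 137889
Number of threats found: 54
Number of active threats: 54
"""

LOCKED_SUFFIX = " - error opening (File locked)"
FINDING_RE = re.compile(r"^([A-Za-z]:\\.*?) - (.+?)( - unable to clean)?$")
FAMILY_RE = re.compile(r"[A-Za-z0-9]+/[A-Za-z0-9.]+")

# Heuristic (assumed for this example): a detection under these directories is an
# installed component rather than a cached download and needs on-site removal.
PERSISTENT_DIRS = ("\\system32\\", "\\program files\\", "\\downloaded program files\\")


def family_of(threat):
    """Reduce 'Win32/TrojanDropper.Swicer.A trojan' to 'Win32/TrojanDropper.Swicer'."""
    name = FAMILY_RE.search(threat).group(0)
    parts = name.split(".")
    if len(parts) > 1 and re.fullmatch(r"[A-Z]{1,2}\d*", parts[-1]):
        parts.pop()  # drop the per-variant suffix (.A, .C, .E1, .JH)
    return ".".join(parts)


def classify_line(line):
    """Return (category, path, threat) for a finding line, or None for anything else."""
    if line.endswith(LOCKED_SUFFIX):
        return ("locked", line[: -len(LOCKED_SUFFIX)], None)
    m = FINDING_RE.match(line)
    if not m:
        return None
    path, threat, failed = m.groups()
    return ("clean_failed" if failed else "detected_only", path, threat)


def summarize(log_text):
    """Count findings by outcome and family and flag whether the scan changed anything."""
    counts, families, persistent = Counter(), Counter(), []
    found = active = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Number of threats found:"):
            found = int(line.rsplit(":", 1)[1])
            continue
        if line.startswith("Number of active threats:"):
            active = int(line.rsplit(":", 1)[1])
            continue
        hit = classify_line(line)
        if hit is None:
            continue
        category, path, threat = hit
        counts[category] += 1
        if threat:
            families[family_of(threat)] += 1
            if any(d in path.lower() for d in PERSISTENT_DIRS):
                persistent.append(path)
    return {
        "counts": dict(counts),
        "families": dict(families),
        "persistent_paths": persistent,
        "threats_found": found,
        "threats_active": active,
        # found == active means every detection survived the scan: no clean,
        # quarantine or delete took effect, which points at the action settings.
        "no_action_taken": found is not None and found == active and found > 0,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

    Run against the full posted log, the "locked" bucket is just the pagefile, registry hives and MSDE database files that any running Windows box holds open, so it is noise; the point of the report is `no_action_taken`, which is true whenever the threats-found and threats-active counts match, and the list of findings under `system32` and `Program Files`, which are installed components rather than browser cache and will keep reappearing until they are removed on the machine itself.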

  2. ASpace

    ASpace Guest

    I am now not sitting at a computer with NOD32 EE or LU edition and I cannot see your configuration.

    Two possible reasons:
    - Incorrect settings for on-demand scanner
    - Severe infection which is difficult to clean remotely

    The fact that it has so many trojans and Look2Me makes me feel it is the second.

    Something else: the way NOD32 reports these two makes me think NOD is set not to clean the found malware.

    I recommend you visit the infected machine.



    On that particular infected machine do the following

    1. Download The Avenger
    http://swandog46.geekstogo.com/avenger.exe

    The Avenger is a fully scriptable, kernel-level driver designed to remove highly persistent files and registry keys/values protected by entrenched malware. Basically this means that The Avenger is a program to which you give commands to execute (the script) consisting of files to delete, etc., which would otherwise be hard to delete because they were protected or "in use" by malicious software. More about The Avenger: http://swandog46.geekstogo.com/avengernotes.htm

    2. Download this file and save it somewhere (e.g. on Desktop)

    3. Run the program avenger.exe

    4. Choose "Load Script From File"

    5. Browse to find the file/the script I gave you (clean.txt), press the Glass icon to see the script and when you are ready ...

    6. Press on the traffic light icon. Confirm.

    Now, your computer will reboot, and The Avenger will run the script file before the malware. After restart the malware files will be gone. The Avenger will inform you with a log text file you'll see after you reboot. This log should report that all 54 infected files are eliminated.


    Then, to finish, perform a full scan with NOD32 (but at the computer).


    ADD: Keep this tool handy - WinsockXPfix (should work with Win2k and XP)
    www.snapfiles.com/get/winsockxpfix.html
    Some malware might break the Winsock of that PC and it might lose its network connection. Use the tool to restore it should there be a need.

    Once the system is free from these nasty crapwares, you can easily manage it through RAS/RAC and clean future infections.
     
    Last edited by a moderator: May 22, 2007
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    That's because you set the action to clean instead of delete for uncleanable files.
     
  4. extremesanity

    extremesanity Registered Member

    Joined:
    May 22, 2007
    Posts:
    5
    Yep. ESET support answered that for me.

    Basically I had the settings under on demand scanning to clean, and the settings for how to deal with uncleanable files as prompt. I set the settings for uncleanable files to quarantine and delete and I'm set.

    Thanks again. :)
     