Win32/TrojanClicker.Delf.NAZ removal?

Discussion in 'NOD32 version 2 Forum' started by enduser999, Jan 8, 2008.

Thread Status:
Not open for further replies.
  1. enduser999 (Registered Member)
    Trying to help someone over the phone. They have NOD32 installed and on bootup tonight it found Win32/TrojanClicker.Delf.NAZ but was unable to remove it in normal and safe mode. Any suggestions how to get rid of this trojan?
     
  2. katty (Registered Member)
  3. enduser999 (Registered Member)
    This is the NOD32 forum.
     
  4. Eclipse99fwb (Registered Member)
    I would download a trial of SuperAntiSpyware; it should be able to remove the infection. I'm guessing TrojanClicker.Delf.NAZ is a newer variant of TrojanClicker.Win32.Delf.y.
    I tried looking up specific removal instructions, but could only find sites showing the signature being added to a variety of AV products. Hope this helps.
     
  5. ASpace (Guest)
    Cleaning malware over the phone is like healing an illness over the phone (calling a doctor instead of visiting them).
    Removing malware is not that easy sometimes, due to the way it gets into Windows. V3 has better cleaning abilities, so the first thing I would try is to perform an in-place upgrade and then perform a full Standard scan.

    Should this fail, contact ESET Support with a log from Microsoft Autoruns and ESET SysInspector: http://www.eset.com/support
     
  6. BigT (Registered Member)
    I was trying to clean this off of a family member's computer in person, but no dice so far.

    NOD32 failed to prevent it from installing :(

    It seems to create 2 files (with .dll and .dll.bak extensions) in Windows\System32\ with a name derived from a current DLL file with a letter appended to the end. Per HijackThis logs, it installs itself as a BHO and uses a Winlogon entry.

    NOD32 detects the files, but is unable to delete them because they are locked.

    Trojan Remover fails to detect the trojan as of the 1/8/08 definitions.

    HijackThis fails to remove the entries.

    Programs such as Moveonboot fail to delete the locked files, giving "access denied" error messages.

    I'm no expert on trojan removal (personally haven't had one in many years), but this seems a bit tough.

    Anyone have any experience with this or ideas? I couldn't find a writeup online, so I'm essentially working blindly...
     
  7. Marcos (Eset Staff Account)
    What about cleaning it in safe mode or slaving the disk and cleaning it from a clean system?
     
  8. viarippa11 (Registered Member)
    Hi there, I'm new here, but I subscribed to this forum because I was searching for information about this trojan. It infected my neighbour's machine tonight, and it creates those 2 files in windows/system32 which are impossible to remove from Windows. So I booted with the Ubuntu 7.10 live CD and removed those 2 files from Linux. But now I have another problem: the network connections (both cable and wireless) don't work anymore! Windows shows the status "connected", but they don't get any IP address and the internet connection doesn't work. Could anyone help me?
    Lots of thanks, an Italian guy
     
  9. BigT (Registered Member)
    Thanks for the suggestions.

    Safe mode did not seem to work.

    I did not attempt to clean using another system. It was from a laptop (SATA I believe) and I did not have the right adapters nor time to get it working.

    I will work on it some more over the weekend. If I find something out, I'll post it here.
     
  10. lucas1985 (Retired Moderator)
    Try repairing the TCP/IP stack :)
     
  11. enduser999 (Registered Member)
    I had to remove the infected SATA hard drive and scan it in an external hard drive case on another machine with NOD32 V3. Seems to have cleaned the TrojanClicker as well as a BHO.AGZ trojan that also was on the drive.
     
  12. pardesia (Registered Member)
    Hi enduser, I have also got this trojan on my PC. Can you please explain to me how to remove it? Thanks.
     
  13. enduser999 (Registered Member)
    I had to remove the infected SATA hard drive and scan it in an external hard drive case on another machine with NOD32 V3. Seems to have cleaned the TrojanClicker as well as a BHO.AGZ trojan that also was on the drive.
     
  14. BigT (Registered Member)
    I eventually used Knoppix to remove the two files ([random].dll and [random].dll.bak) in Windows\System32 and one file ([random2].dat) in Windows\System32\drivers. The drive needs to be mounted as read-write (directions are given here: http://www.knoppix.net/forum/viewtopic.php?p=115479 )

    I also removed the associated registry entries for winlogon and the BHO in safe mode.

    AFAIK, the trojan is gone, but its removal has hosed TCP/IP on my computer. The TCP/IP protocol driver fails to start and thus DHCP and other services don't work. As a result, like viarippa11, my network connections no longer work.

    Running WinSock XP Fix did not help, and neither did "netsh winsock reset". Has anyone been able to remove this trojan and preserve/fix TCP/IP?
     
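Added example (editor's note; this is not code from the thread, from ESET or from HijackThis): the posts above describe the trojan's persistence as a Browser Helper Object plus a Winlogon entry, removed by hand in safe mode. The script below finds both in a .reg export of HKLM\SOFTWARE and cross-references them against a suspect DLL name, so you can see exactly which keys load the file before deleting anything. The key paths are the standard XP-era locations for Winlogon Notify packages and BHOs; the .reg text is a constructed sample, and the CLSID in it is a placeholder, not a real identifier.

```python
"""Locate the BHO and Winlogon Notify persistence points in a .reg export.

Added example for this thread, not ESET or HijackThis code. Key paths are the
standard Windows XP locations. SAMPLE_REG is constructed test data that uses
the COMCTL32Q.dll name posted in the thread and a placeholder CLSID.
"""
import re

WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Constructed sample: one legitimate Notify package (crypt32chain), one Notify
# package and one BHO pointing at COMCTL32Q.dll. The CLSID is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\comctl32q]
"DLLName"="COMCTL32Q.dll"
"Startup"="Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\COMCTL32Q.dll"
"ThreadingModel"="Apartment"
"""

# `@=...` is the key's default value; `"Name"=...` is a named value.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: value}} (string values only)."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            value = m.group(3)
            if value.startswith('"') and value.endswith('"'):
                # .reg files escape backslashes and quotes inside string values
                value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = value
    return keys


def parse_reg_file(path: str) -> dict[str, dict[str, str]]:
    """regedit and `reg export` write .reg files as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def winlogon_notify_dlls(keys: dict) -> list[tuple[str, str]]:
    """(package subkey, DLLName) for every Winlogon\\Notify package."""
    prefix = WINLOGON_NOTIFY.lower() + "\\"
    return [(key.rsplit("\\", 1)[1], vals["DLLName"])
            for key, vals in keys.items()
            if key.lower().startswith(prefix) and "DLLName" in vals]


def bho_servers(keys: dict) -> list[tuple[str, str]]:
    """(CLSID, InprocServer32 path) for every registered BHO."""
    lower = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_KEY.lower() + "\\"
    out = []
    for key in keys:
        if key.lower().startswith(prefix):
            clsid = key.rsplit("\\", 1)[1]
            inproc = lower.get(f"{CLSID_ROOT}\\{clsid}\\InprocServer32".lower(), {})
            out.append((clsid, inproc.get("@", "<InprocServer32 not in export>")))
    return out


def persistence_for_dll(keys: dict, dll_name: str) -> list[str]:
    """Registry keys that load dll_name (basename match, case-insensitive)."""
    target = dll_name.lower()
    hits = []
    for subkey, dll in winlogon_notify_dlls(keys):
        if dll.lower().rsplit("\\", 1)[-1] == target:
            hits.append(f"{WINLOGON_NOTIFY}\\{subkey}")
    for clsid, path in bho_servers(keys):
        if path.lower().rsplit("\\", 1)[-1] == target:
            hits.append(f"{BHO_KEY}\\{clsid}")
            hits.append(f"{CLSID_ROOT}\\{clsid}")
    return hits


if __name__ == "__main__":
    for location in persistence_for_dll(parse_reg(SAMPLE_REG), "COMCTL32Q.dll"):
        print(location)
```

On a slaved drive, load the offline SOFTWARE hive in regedit (File > Load Hive) and export it; from safe mode, `reg export HKLM\SOFTWARE software.reg` produces the same UTF-16 file that parse_reg_file() expects. The output lists the Notify package key and the BHO's two keys (the Browser Helper Objects entry and the CLSID registration), which is the set HijackThis shows as O2 and O20 lines.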
  15. Kosak (Registered Member)
    Hi!

    When I removed this malware, I had to unload one driver; it caused the malware to be renewed. Then I deleted other threats and issues in the Registry.
     
  16. enduser999 (Registered Member)
    Hmm, I had no problem with Winsock; however, I also ran the SuperAntiSpyware app before removing it from the computer to scan it. Don't know if that helped any, but no Winsock problems here.
     
  17. BigT (Registered Member)
    I figured it out.

    Basically, the 2 files in system32 with .dll and .dll.bak extensions were detected as Win32/TrojanClicker.Delf.NAZ. The one file in system32\drivers with a .dat extension was detected as Win32/Agent.NOU trojan.

    One of these seemed to have modified the file tcpip.sys in windows\system32\drivers. Replacing this file with a known good tcpip.sys and restarting the machine restored connectivity. Previously, I also repaired winsock with the tool described earlier in this thread.

    I copied a tcpip.sys file from another computer. The good file has a CRC32 of 647c7660 and a modified date of 10/30/07.

    Hope this helps.
     
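Added example (editor's note; not code from this thread or from ESET): a small triage script for the two file-level indicators the thread gives, the paired [dll name + one letter].dll / .dll.bak in System32 described in post 6 (COMCTL32Q.dll and D3dx9_30l.dll appear later in the thread) and the CRC32 check on tcpip.sys from the post above. The directory listing is constructed sample data. The known-good CRC is the one BigT posted and belongs to one specific tcpip.sys build; on a different service pack or hotfix level a mismatch by itself only says the file differs from his copy, not that it is infected.

```python
"""Triage helpers for the file indicators described in this thread.

Added example, not code from the thread or from ESET. Two checks:
  1. flag System32 DLLs named <existing DLL> + one trailing character
     (COMCTL32Q.dll beside comctl32.dll, D3dx9_30l.dll beside d3dx9_30.dll)
     and note whether a .dll.bak twin exists;
  2. CRC32 a file to compare a suspect tcpip.sys with a known-good value.
SAMPLE_SYSTEM32 is a constructed listing. KNOWN_GOOD_TCPIP_CRC32 is the value
posted in the thread for one specific tcpip.sys build only.
"""
import zlib
from collections.abc import Iterable

# Constructed listing modelled on the names posted in this thread.
SAMPLE_SYSTEM32 = [
    "comctl32.dll", "COMCTL32Q.dll", "COMCTL32Q.dll.bak",
    "d3dx9_30.dll", "D3dx9_30l.dll", "D3dx9_30l.dll.bak",
    "kernel32.dll", "user32.dll", "shell32.dll", "ntdll.dll",
]

# CRC32 BigT reported for his clean tcpip.sys (modified 10/30/07); other
# builds of the driver have other CRCs, so treat a mismatch as "differs".
KNOWN_GOOD_TCPIP_CRC32 = "647c7660"


def find_appended_letter_dlls(names: Iterable[str]) -> list[dict]:
    """Return DLLs whose name is an existing DLL's name plus one character.

    The .dll.bak twin is the thread's second indicator, so it is reported
    separately: a hit with has_bak=True matches the pattern everyone saw; a hit
    without one needs a second look, since legitimate near-duplicate names exist.
    """
    names = list(names)
    present = {n.lower() for n in names}
    hits = []
    for name in sorted(names):
        low = name.lower()
        if not low.endswith(".dll"):
            continue
        stem = low[: -len(".dll")]
        if len(stem) < 2:
            continue
        parent = stem[:-1] + ".dll"          # drop the trailing character
        if parent in present:
            hits.append({
                "suspect": name,
                "parent": parent,
                "has_bak": low + ".bak" in present,
            })
    return hits


def file_crc32(path: str) -> str:
    """CRC32 of a file as 8 lowercase hex digits, read in 64 KiB chunks."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            crc = zlib.crc32(chunk, crc)
    return f"{crc & 0xFFFFFFFF:08x}"


def matches_known_good(path: str, expected_crc32: str = KNOWN_GOOD_TCPIP_CRC32) -> bool:
    """True if the file's CRC32 equals the expected value (case-insensitive hex)."""
    return file_crc32(path) == expected_crc32.lower()


if __name__ == "__main__":
    for hit in find_appended_letter_dlls(SAMPLE_SYSTEM32):
        print(hit)
    # On a slaved drive you would pass the mounted path, e.g. (assumed mount point):
    # print(matches_known_good(r"E:\WINDOWS\system32\drivers\tcpip.sys"))
```

Run it from a clean machine against the slaved drive (or from a live CD with Python) by replacing SAMPLE_SYSTEM32 with os.listdir() of the mounted System32. A CRC32 match against a copy from a known-clean machine at the same patch level is good evidence the driver is intact; a mismatch means "compare further", for example against the copy in the service pack cache, not "infected".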
  18. Kosak (Registered Member)
    You have to unload and delete Win32/Agent.NOU and delete Win32/TrojanClicker.Delf.NAZ.

    If you want, you can write me PM. :thumb:
     
  19. krish667 (Registered Member)
    Hi Lukas,

    I was just doing some internet searching because this morning my NOD32 2.7 virus scanner picked up the Win32/TrojanClicker.Delf.NAZ trojan in the file C:\WINDOWS\SYSTEM32\COMCTL32Q.dll, and I haven't been able to find anyone who knows how to get rid of it. The PM system is currently not working, so I was hoping that maybe someone could help me out via email if at all possible. Please help; any help is greatly appreciated. Thanks.

     
  20. ASpace (Guest)
    Download UnDll, the DLL removal utility, from:
    http://www.nod32.it/tools/undll.zip

    It is a great ESET Italy tool to unregister and remove DLLs. Extract the file into a new folder.

    Run the exe file and follow the instructions (i.e. point the program to the infected DLL, in your case C:\WINDOWS\SYSTEM32\COMCTL32Q.dll).

    Follow the instructions; you may also need to reboot at the end.
     
  21. Kosak (Registered Member)
    You can write to me at lukas[at]secit[dot]sk, and then I will write you instructions.

    :thumb:

    When I tested it for removing different active samples, it was successful with Stration and PSW.OnlineGames, but Virtumonde's DLL stayed there.
    However, I always recommend using this utility in safe mode.
     
  22. ner0z (Registered Member)
    So WTF... somehow I got this, and I read the items here but to no avail... I called ESET support; they told me to run SuperAntiSpyware in safe mode. It finds the virus and I remove it, then reboot; as soon as I do, it comes back and I have no TCP/IP..... What is the deal with this and what should I do? o_O I am seeing conflicting messages on this board on how to get rid of this!!!

    Please help.

    Thanks
     
  23. ner0z (Registered Member)
    So I got hold of NOD and they told me to run UnDll and a program called SmitFraudFix.... I did both of these in safe mode and the DLL keeps coming back!!!! The 2 DLLs are called D3dx9_30l.dll and D3dx9_30l.dll.bak.
     
  24. thanatos_theos (Registered Member)
    Hi ner0z. Post a HijackThis log in one of the forums listed here.

    thanatos
     
  25. krish667 (Registered Member)
    I tried the UnDll program, and after reboot the scanner picked up the virus again, so I guess it didn't work... hmmm
     