Solved

Unable to delete infected file via Safe Mode or Symantec Antivirus Client

Posted on 2006-11-26
15
717 Views
Last Modified: 2013-12-04

Symantec recently detected a virus of type Backdoor.Trojan on my WindowsXP computer.  The client is unable to delete the file even when I boot up in Safe Mode.  The file in question is xtav3des.dll.  It doesn't appear to exist in the registry either (in the folders I was told to check).  How can I remove this file?   I have been using the following removal instructions regarding this particular virus, however, there is no mention of how to proceed if you are still unable to delete the file after following step 3.  Thanks!

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2001-062614-1754-99&tabid=3

Krista
Question by:KristaVM
15 Comments
LVL 30

Expert Comment

by:irwinpks
ID: 18015270
Here's my recipe for a fix, please follow;
Download and install this
http://www.majorgeeks.com/HijackThis_d3155.html

Then copy the log and paste it in the analyzer
http://www.hijackthis.de/

Analyze the file and POST THE LINK here so that we can take a look at it..

In the mean time, there are several things to apply:

Go to MSCONFIG: START-RUN, type MSCONFIG <enter>, then locate any programs you recognize that you can turn off. Note your changes as you may need to re-enter them. Restart your machine.
---------------
Download Ewido, http://www.ewido.net/en/download/, install, open the program, check for updates, restart the computer, press F8 before the Windows logo appears, select Safe Mode, open Ewido, run a full system scan. Let Ewido delete all it finds; if anything is called serious by Ewido, disable Norton's GoBack and run Ewido again.
---------------
chkdsk /r
--------------
Windowsupdate everything except .NET items
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18015476
I second the suggestion of letting us look at the HijackThis log. The log should confirm the bad file and registry entry; if the file and registry entry are still present, Avenger no doubt will get rid of it, if other tools like Killbox won't.
0
 

Author Comment

by:KristaVM
ID: 18017141

Here is the link to the HijackThis log:

http://www.hijackthis.de/logfiles/768a62f67db2aa8390857c3e3783849f.html

Krista
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18017174
The HijackThis entries seem to be cut off, and the registry paths are incomplete.
Can you post the log here? (Not recommended, but we need to see the whole log.)

0
 
LVL 30

Expert Comment

by:irwinpks
ID: 18017939
O4 - HKLM\..\Run: [Dell Wireless Manager UI]
That entry is a "nasty" which needs to be deleted from the registry, along with scrutinizing "possible nasties" and unknowns.

For now, "fix" that entry with hijack this. Reboot the system and post back your results.
0
 

Author Comment

by:KristaVM
ID: 18021069

Today's output (after fixing the Dell Wireless entry) appears to have a lot more information (and complete paths this time).  Here is the link.  All of the entries with a gold "?" sign I can confirm are known programs or settings that are good with the exception of a Shopper Report and the file that Symantec is claiming has the virus (O20 - Winlogon Notify: xtav3des - C:\WINDOWS\SYSTEM32\xtav3des.dll ).

http://www.hijackthis.de/logfiles/24fa03975f5dbd72e625f1a91ebcf289.html

Krista
0
 
LVL 47

Accepted Solution

by:rpggamergirl (earned 250 total points)
ID: 18023413
Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following text (all the text inside the lines below):

-----------------------------------------------------------------------------------------------------------
Files to delete:
C:\WINDOWS\SYSTEM32\xtav3des.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xtav3des
------------------------------------------------------------------------------------------------------------

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.
0

Author Comment

by:KristaVM
ID: 18024253

That seems to have done the trick.  A Symantec scan no longer detects the virus in that file.  I appreciate all of the help.  I have one side effect though.  Since I did the "fix" in HijackThis on the Dell Wireless item, I get an "An Internal Error Occurred" message when my PC boots.  I just click OK and all seems to be fine, but it didn't have that message before.

Avenger Output:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\trdkfpae

*******************

Script file located at: \??\C:\WINDOWS\hyfwxkmn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\xtav3des.dll deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xtav3des deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Krista
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18024950
O4 - HKLM\..\Run: [Dell Wireless Manager UI]

The above entry is legit if you have the Dell Wireless WLAN Card.
If so, you can restore it from the backup.
You have hijackthis.exe in your temp folder and it might get deleted when you clean your temp files; if you want to restore that entry you need to do it soon.
You should really move HijackThis into its own permanent folder so it's not accidentally deleted and the backup that it creates will be in a safe place.


0
 

Author Comment

by:KristaVM
ID: 18034843

The folder was already empty.  I verified my wireless no longer works.  I am guessing I will have to uninstall and reinstall from the Dell website.

Krista
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18035269
Sorry to hear that.

I never trust an automated analyzer on which entries to fix because they make so many mistakes, false positives etc. Auto-analyzers are only as good as their database.

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18035312
Did you delete any files belonging to your wireless?
If it was only the registry entry that you fixed (HijackThis entry), we can re-create that registry entry. But if you also deleted the files, then it is gone and you need to reinstall.

But if it was only a registry entry that was gone and the files are still intact, it will be okay to just recreate the reg entry. HijackThis only deletes registry entries; it doesn't delete files or directories.
0
 

Author Comment

by:KristaVM
ID: 18038006

All I did was select the entry in HijackThis and select the "Fix" button.  So perhaps I just need to recreate the registry entry.  How can I do that?

Krista
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18041271
Okay then, let's recreate the wireless "run" entry.

O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
You only fixed the one entry (as above), right? You didn't fix any other wireless entries like the WLAN wireless service?
If it was only that one O4 entry that was removed, then this should fix it: merge the reg file below with your registry.

Copy and paste the text (starting with Windows Registry Editor Version 5.00) into Notepad.
Save this text as "Fixme.reg". Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on the .reg file and when it asks you to merge the information with the registry, click "Yes". (Delete the reg file you created on your desktop after the successful merge.)
-------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="C:\\WINDOWS\\System32\\WLTRAY"
0
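An added example (not from this thread, not code from HijackThis, Avenger or Symantec): the accepted solution removed a Winlogon Notify key pointing at a DLL in System32, and the follow-up recreated an HKLM Run value by merging a .reg file. The script below does the defender-side version of both on a modern Windows box: it lists every Winlogon Notify and HKLM Run entry, reports whether the target file still exists and whether it carries a valid Authenticode signature, and offers a Restore-RunValue function that exports the Run key with reg.exe before writing the value, so the change can be undone. Key paths, the WLTRAY value and the "Dell Wireless Manager UI" name are taken from the thread; the function names, the System32 fallback for bare names and the backup location are my own assumptions. It needs Windows PowerShell 3 or later and an elevated session for the HKLM write.

```powershell
# Added example, not part of the thread: audit Winlogon Notify and Run
# autostarts, then restore a Run value only after a registry backup.
# Assumes Windows PowerShell 3+ and an elevated session for HKLM writes.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Resolve-TargetPath {
    param([string]$Value)
    # Take the executable part of a command line (quoted path or first token).
    if ($Value -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Value -split '\s+')[0] }
    # A bare DllName (xtav3des.dll in the thread) is loaded from System32;
    # resolving it there is an assumption of this example, not a documented rule.
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        $exe = Join-Path $env:SystemRoot "System32\$exe"
    }
    # Run values sometimes omit the extension (WLTRAY in the thread).
    if (-not (Test-Path $exe) -and (Test-Path "$exe.exe")) { $exe = "$exe.exe" }
    return $exe
}

function Get-AutostartEntries {
    $entries = @()
    if (Test-Path $NotifyKey) {
        foreach ($sub in Get-ChildItem -Path $NotifyKey) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
            $target = $null
            if ($dll) { $target = Resolve-TargetPath $dll }
            $entries += [pscustomobject]@{
                Source = 'WinlogonNotify'; Name = $sub.PSChildName; Target = $target
            }
        }
    }
    if (Test-Path $RunKey) {
        $props = Get-ItemProperty -Path $RunKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own note properties
            $entries += [pscustomobject]@{
                Source = 'Run'; Name = $p.Name; Target = (Resolve-TargetPath $p.Value)
            }
        }
    }
    return $entries
}

function Test-AutostartEntry {
    param($Entry)
    # Two conditions worth a second look: a dangling entry (file gone, key
    # still present, as with the Notify key in this thread) and an unsigned
    # binary that is loaded at every logon.
    $exists = [bool]($Entry.Target -and (Test-Path $Entry.Target))
    $sig = 'n/a'
    if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $Entry.Target).Status }
    $flag = ''
    if (-not $exists) { $flag = 'dangling' }
    elseif ($sig -ne 'Valid') { $flag = 'unsigned' }
    [pscustomobject]@{
        Source = $Entry.Source; Name = $Entry.Name; Target = $Entry.Target
        Exists = $exists; Signature = $sig; Flag = $flag
    }
}

function Restore-RunValue {
    param([string]$Name, [string]$Command,
          [string]$BackupDir = "$env:USERPROFILE\Desktop")
    # Same effect as merging Fixme.reg above, but export the key first so the
    # change can be reversed by double-clicking the backup.
    $backup = Join-Path $BackupDir ('Run-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed; not touching $RunKey" }
    New-ItemProperty -Path $RunKey -Name $Name -Value $Command -PropertyType String -Force | Out-Null
    Write-Host "Restored '$Name' = '$Command' (backup: $backup)"
}

# Usage: audit first, then restore the thread's entry only if the audit shows
# the WLTRAY file is still on disk.
Get-AutostartEntries | ForEach-Object { Test-AutostartEntry $_ } | Format-Table -AutoSize
# Restore-RunValue -Name 'Dell Wireless Manager UI' -Command 'C:\WINDOWS\System32\WLTRAY'
```

A "dangling" row is the state this thread ended up in after HijackThis fixed the O4 entry: HijackThis removed only the registry value, so the WLTRAY file itself was untouched and the value could be put back. The reverse case (file deleted, key left behind) is what Avenger cleaned up, and it shows up in the same column.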
 

Author Comment

by:KristaVM
ID: 18056363

That did it. Thank you all so much!

Krista
0