Solved

Unable to delete infected file via Safe Mode or Symantec Antivirus Client

Posted on 2006-11-26
Last Modified: 2013-12-04

Symantec recently detected a virus of type Backdoor.Trojan on my WindowsXP computer.  The client is unable to delete the file even when I boot up in Safe Mode.  The file in question is xtav3des.dll.  It doesn't appear to exist in the registry either (in the folders I was told to check).  How can I remove this file?   I have been using the following removal instructions regarding this particular virus, however, there is no mention of how to proceed if you are still unable to delete the file after following step 3.  Thanks!

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2001-062614-1754-99&tabid=3

Krista
Question by:KristaVM
15 Comments
 
LVL 30

Expert Comment

by:irwinpks
ID: 18015270
Here's my recipe for a fix, please follow:
Download and install this
http://www.majorgeeks.com/HijackThis_d3155.html

Then copy the log and paste it in the analyzer
http://www.hijackthis.de/

Analyze the file and POST THE LINK here so that we can take a look at it..

In the meantime, there are several things to apply:

Go to MSCONFIG, START-RUN-type MSCONFIG <enter>, then locate any programs you recognize that you can turn off. Note your changes as you may need to re-enter them.  Restart your machine
---------------
Download Ewido, http://www.ewido.net/en/download/, install, open program, check for updates, restart computer, press F8 before Windows logo appears, select Safe Mode, open Ewido, run full system scan. Let Ewido delete all it finds; if anything is called serious by Ewido, disable Norton's GoBack, and run Ewido again.
---------------
chkdsk /r
--------------
Windowsupdate everything except .NET items
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18015476
I second the suggestion of letting us look at the HijackThis log. The log should confirm the bad file and registry entry; if the file and registry entry are still present, Avenger will no doubt get rid of it if other tools like Killbox won't.
 

Author Comment

by:KristaVM
ID: 18017141

Here is the link to the HijackThis log:

http://www.hijackthis.de/logfiles/768a62f67db2aa8390857c3e3783849f.html

Krista
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18017174
The HijackThis entries seem to be cut off, and the registry paths are incomplete.
Can you post the log here? (Not recommended, but we need to see the whole log.)

 
LVL 30

Expert Comment

by:irwinpks
ID: 18017939
O4 - HKLM\..\Run: [Dell Wireless Manager UI]
That entry is a "Nasty"... which needs to be deleted from the registry, along with scrutinizing "possible nasties" and unknowns.

For now, "fix" that entry with hijack this. Reboot the system and post back your results.
 

Author Comment

by:KristaVM
ID: 18021069

Today's output (after fixing the Dell Wireless entry) appears to have a lot more information (and complete paths this time).  Here is the link.  All of the entries with a gold "?" sign I can confirm are known programs or settings that are good with the exception of a Shopper Report and the file that Symantec is claiming has the virus (O20 - Winlogon Notify: xtav3des - C:\WINDOWS\SYSTEM32\xtav3des.dll ).

http://www.hijackthis.de/logfiles/24fa03975f5dbd72e625f1a91ebcf289.html

Krista
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 250 total points
ID: 18023413
Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following text(all the text inside the lines below):

-----------------------------------------------------------------------------------------------------------
Files to delete:
C:\WINDOWS\SYSTEM32\xtav3des.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xtav3des
------------------------------------------------------------------------------------------------------------

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.
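As an added example (not code from this thread, from HijackThis or from The Avenger), the triage in the comments above boils down to three steps: read the O4 and O20 lines out of a HijackThis log, decide which Winlogon Notify DLL does not belong, and write an Avenger script for it. A Winlogon Notify DLL is loaded into winlogon.exe at every boot, Safe Mode included, which is why the file stays locked for a normal user session until something deletes it before Winlogon loads it. The Python below parses constructed sample lines copied from the entries quoted in this thread, flags O20 names that are neither in an assumed baseline of stock Windows XP Notify packages nor readable words, leaves the legitimate Dell O4 entry alone, and emits the same two-section script format the accepted answer used. The baseline list and the "random eight-character name" heuristic are assumptions of this example, not HijackThis rules.

```python
"""Triage O4/O20 lines from a HijackThis log and draft an Avenger removal script.

Added example; not code from the thread, from HijackThis or from The Avenger.
"""
import re

# Assumed baseline: Winlogon Notify subkeys on a stock Windows XP install
# (plus WgaLogon). Anything else under Notify deserves a look.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$"
)
# O20 - Winlogon Notify: xtav3des - C:\WINDOWS\SYSTEM32\xtav3des.dll
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Constructed sample: the entries quoted in this thread plus one stock
# Notify package for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: xtav3des - C:\WINDOWS\SYSTEM32\xtav3des.dll
"""


def looks_random(name):
    """Heuristic (assumption): eight lowercase letters/digits, the shape of
    xtav3des. A triage hint, not a verdict on its own."""
    return re.fullmatch(r"[a-z0-9]{8}", name) is not None


def parse_log(text):
    """Return O4 and O20 entries as dicts; other line types are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            entries.append({"type": "O20", "name": m["name"], "path": m["path"]})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", "hive": m["hive"], "key": m["key"],
                            "name": m["name"], "cmd": m["cmd"].strip()})
    return entries


def suspicious_notify(entries):
    """O20 entries whose name is neither a known Notify package nor readable."""
    return [e for e in entries
            if e["type"] == "O20"
            and e["name"].lower() not in KNOWN_NOTIFY
            and looks_random(e["name"].lower())]


def suspicious_run(entries):
    """O4 entries whose executable has a random-looking base name. WLTRAY is
    not one, which is the point: a vendor tray app is not a hit by this rule."""
    hits = []
    for e in entries:
        if e["type"] != "O4":
            continue
        exe = e["cmd"].strip('"').split("\\")[-1].split(" ")[0]
        base = exe.rsplit(".", 1)[0].lower()
        if looks_random(base):
            hits.append(e)
    return hits


def avenger_script(notify_entries):
    """Render the two-section script format the accepted answer used."""
    files = [e["path"] for e in notify_entries]
    keys = [NOTIFY_KEY + "\\" + e["name"] for e in notify_entries]
    return "\n".join(["Files to delete:", *files, "", "Registry keys to delete:", *keys]) + "\n"


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in suspicious_run(found):
        print("suspicious O4:", e["name"], e["cmd"])
    bad = suspicious_notify(found)
    for e in bad:
        print("suspicious O20:", e["name"], e["path"])
    print(avenger_script(bad))
```

The allowlist does the real work; the name heuristic only keeps the script from nominating every unfamiliar package. Anything it flags still needs a human to confirm the DLL is unsigned or unknown before it goes into a deletion script, which is the lesson the Dell entry later in this thread teaches.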
 

Author Comment

by:KristaVM
ID: 18024253

That seems to have done the trick.  A Symantec scan no longer detects the virus in that file.   I appreciate all of the help.  I have one side effect though.  Since I did the "fix" in HijackThis on the Dell Wireless item, I get "An Internal Error Occurred" message when my PC boots.  I just click OK and all seems to be fine but it didn't have that message before.

Avenger Output:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\trdkfpae

*******************

Script file located at: \??\C:\WINDOWS\hyfwxkmn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\xtav3des.dll deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xtav3des deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.




Krista
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18024950
O4 - HKLM\..\Run: [Dell Wireless Manager UI]

The above entry is legit if you have the Dell Wireless WLAN Card.
If so, you can restore it from the backup.
You have hijackthis.exe in your temp folder and it might get deleted when you clean your temp files; if you want to restore that entry you need to do it soon.
You should really move HijackThis into its own permanent folder so it's not accidentally deleted and the backup that it creates will be in a safe place.


 

Author Comment

by:KristaVM
ID: 18034843

The folder was already empty.  I verified my wireless no longer works.  I am guessing I will have to uninstall and reinstall from the Dell website.

Krista
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18035269
Sorry to hear that,

I never trust an automated analyzer on which entries to fix because they make so many mistakes, false positives etc. Auto-analyzers are only as good as their database.

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18035312
Did you delete any files belonging to your wireless?
If it was only the registry entry that you fixed (the HijackThis entry), we can re-create that registry entry. But if you also deleted the files then it is gone and you need to reinstall.

But if it was only a registry entry that was gone and the files are still intact, it will be okay to just recreate the reg entry. HijackThis only deletes registry entries; it doesn't delete files or directories.
 

Author Comment

by:KristaVM
ID: 18038006

All I did was select the entry in HijackThis and select the "Fix" button.  So perhaps I just need to recreate the registry entry.  How can I do that?

Krista
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18041271
Okay then, let's recreate the wireless "run" entry.

O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
You only fixed the one entry (as above), right? You didn't fix any other wireless entries like the WLAN wireless service?
If it was only that one O4 entry that was removed, then this should fix it: merge the reg file below with your registry.

Copy and paste the text(starting with Windows Registry Editor Version 5.00) into Notepad.
Save this text as "Fixme.reg"  Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on the .reg file and when it asks you to merge the information with the registry click "Yes". (Delete the reg file you created on your desktop after the successful merge.)
-------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="C:\\WINDOWS\\System32\\WLTRAY"
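Re-creating the value by merging a .reg file depends on getting the escaping right: in a "Windows Registry Editor Version 5.00" file every backslash inside a REG_SZ string is doubled and an embedded double quote is written as \", which is why the WLTRAY path above appears with double backslashes. The following Python is added here as an example and is not part of the thread or of any Microsoft tool. It builds the same Fixme.reg text as above from a key and a name/value pair, and parses such a file back into a dictionary, so a Run entry can be exported to a backup before it is "fixed" in HijackThis and a hand-written file can be checked before it is merged. It handles only named REG_SZ values under [key] headers (no @ default value, no hex(...) types, no leading "-" deletion syntax); the RUN_KEY constant is the key from the thread, and the second sample value with a quoted path and a switch is constructed.

```python
"""Write and read a minimal Registry Editor 5.00 (.reg) fragment.

Added example; not code from the thread or from any Microsoft tool. Handles
named REG_SZ values under [key] headers only: no @ default value, no
hex(...) typed data, no leading '-' deletion syntax.
"""
import re

HEADER = "Windows Registry Editor Version 5.00"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# One quoted "name"="data" line; both sides allow \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def escape(s):
    """REG_SZ text in a .reg file doubles backslashes and escapes quotes."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def unescape(s):
    """Inverse of escape(): a backslash takes the next character literally."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def make_reg(key, values):
    """Render one key with its REG_SZ values; regedit expects CRLF line ends."""
    lines = [HEADER, "", f"[{key}]"]
    lines += [f'"{escape(name)}"="{escape(data)}"' for name, data in values.items()]
    return "\r\n".join(lines) + "\r\n"


def parse_reg(text):
    """Parse back into {key: {name: data}}; refuses anything it cannot read."""
    body = text.lstrip("\ufeff")
    if not body.startswith(HEADER):
        raise ValueError("missing Registry Editor 5.00 header")
    result, key = {}, None
    for raw in body.splitlines()[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparsed line: {line}")
        result[key][unescape(m[1])] = unescape(m[2])
    return result


# The value from the thread, plus a constructed quoted path with a switch,
# which is where hand-written .reg files usually go wrong.
SAMPLE_VALUES = {
    "Dell Wireless Manager UI": r"C:\WINDOWS\System32\WLTRAY",
    "Example Agent": r'"C:\Program Files\Example\agent.exe" /silent',
}


def roundtrip(key, values):
    """Write then read; equal output proves the escaping is consistent."""
    return parse_reg(make_reg(key, values))[key]


if __name__ == "__main__":
    print(make_reg(RUN_KEY, SAMPLE_VALUES))
```

Before fixing an O4 entry, the same make_reg() call with the entry's current command line produces the backup to keep alongside HijackThis's own; parse_reg() raising on a line it cannot read is deliberate, since regedit will silently skip or misread a malformed value and leave the machine in the state this thread ended up in.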
 

Author Comment

by:KristaVM
ID: 18056363

That did it. Thank you all so much!

Krista
