NOD32 - File cannot be opened (File locked) [4]
I have gotten rid of it on a system about 2 months ago; I unfortunately did not document the entire procedure. Much of the procedure was in SafeMode, involved online Trendmicro and Panda scans, as well as some registry searching. I may also have used a program called BlackLight, which I use periodically to check for rootkits.................. not to mention the "usual programs" to combat spyware/adware [Spybot, AdawareSE, & Ewido]
If I remember correctly, one of the scans notified me that it was unable to delete a particular file because it was part of another file [Conveniently located in the \sys32 subdir], but also asked if I wanted to delete the entire archive............... so I answered yes - I caught at least 3 archives this way on that system, but like I said, nail.exe was only ONE of them, and I didn't document the entire procedure, so I have no way of knowing which procedure killed which "badguy"
I had to go into safe mode. Delete the nail.exe file about five to six times to keep it deleted (If you use search to find nail.exe, you can delete it as soon as it pops up and the search will keep finding it, do this till it stops.) Created a blank text file named Nail.txt, rename it to nail.exe and change the attrib to read only. Restart the system and it will give you an error for the winlogon shell. Regedit and get rid of the nail.exe in the winlogon shell, reboot. Now do a search for all the registry keys and files on the site you pointed out, run a spysweeper in safe mode at least 3 times in a row and run NOD32 in safe mode. Be sure to turn off system restore. Use Hijackthis to delete some entries also.
Now that I know how to do this it went from an 8 hour problem/fix to less than 30 problem/fix on the second machine.
Dogs Have Owners; Cats Have Staff
- NT50
- PROfessional Member
- Posts: 8220
- Joined: Sat Jun 19, 2004 4:46 pm
- Location: Jackson, TN USA
- Real Name: Jeff Replogle
Good to hear! I have also used the explorer search function to locate the bad files as well. I had not actually created a txt file and renamed; I'm guessing you would have to have the original culprit file deleted by then? HJT is also a good "killer" - I think this may have been one of the programs that found the original archive files for some trojans and deleted the entire archive.
My "Step 1" always involves turning off System Restore................before I do anything else
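The Winlogon shell check described in the thread, as an added example that is not part of any post: this PowerShell sketch lists every entry in the Winlogon `Shell` value, flags anything other than `explorer.exe`, and shows whether the file behind each entry is a zero-byte, read-only placeholder like the one created above. It assumes a system with PowerShell available and a stock desktop where `explorer.exe` is the only expected shell entry; the helper names are hypothetical.

```powershell
# Added example: audit the Winlogon "Shell" value (read-only, changes nothing).
# Assumption: a stock desktop install lists only explorer.exe as its shell.
$expected = 'explorer.exe'
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'  # per-user override, usually absent
)

function Get-ShellEntries {
    param([string]$Value)
    # The value may hold several comma-separated commands.
    $Value -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
}

function Resolve-ShellFile {
    param([string]$Entry)
    # Bare names are looked up in the Windows and System32 directories.
    # Entries that carry arguments are reported as unresolved (Path stays empty).
    $candidates = @(
        $Entry,
        (Join-Path $env:SystemRoot $Entry),
        (Join-Path (Join-Path $env:SystemRoot 'System32') $Entry)
    )
    $candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } | Select-Object -First 1
}

$report = foreach ($key in $keys) {
    $prop = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
    if (-not $prop) { continue }
    foreach ($entry in Get-ShellEntries $prop.Shell) {
        $path = Resolve-ShellFile $entry
        $file = if ($path) { Get-Item -LiteralPath $path -Force } else { $null }
        [pscustomobject]@{
            Key      = $key
            Entry    = $entry
            Expected = ((Split-Path -Leaf $entry) -eq $expected)
            Path     = $path
            Length   = if ($file) { $file.Length } else { $null }
            ReadOnly = if ($file) { $file.IsReadOnly } else { $null }
        }
    }
}

$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning "Unexpected Winlogon shell entry '$($_.Entry)' in $($_.Key)"
}
```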