Cannot delete virus infected file

The file "netdaemon.exe" (C:\WINDOWS\system32\netdaemon.exe) has been infected with the "Trojan.KillAV" virus. It is an anti-antivirus virus. Norton caught it but cannot delete it. I cannot delete it manually either. No, it is not running in the background (as far as Task Manager says). When I try to delete it manually it says:

"Cannot delete netdaemon: access is denied. Make sure that the disc is not full or write-protected and that the file is not currently in use."

I have consulted Norton's internet help page (http://securityresponse.symantec.com/avcenter/venc/data/trojan.killav.html) but it only says delete it and gives no further instructions.

As far as I can tell I don't think it is a legitimate program.

My computer is Windows XP Professional.
Please help!

Slasher, A Couple Of Things To Try

In reply to: Cannot delete virus infected file

First, restart the computer into Safe Mode, then run a full system scan and see if it will remove the file. If that doesn't do it, then try to delete the file manually.

CLICK HERE For: How To Start In 'Safe Mode'

If you still can't remove the infected file, then try using the "MoveOnBoot" program from the link below:

Program To Delete Locked Files
http://www.webattack.com/get/moveonboot.html

In addition, you'll note at the Symantec article below that it's important to eliminate the registry key which calls on the infected file:

Trojan.KillAV
http://securityresponse.symantec.com/avcenter/venc/data/trojan.killav.html

Hope this helps.

Grif

Thanks!

In reply to: Slasher, A Couple Of Things To Try

I thought about deleting it in safe mode before but I didn't think it would make a difference, but it worked!

Here's some info and how to

In reply to: Cannot delete virus infected file

Trojan.KillAV.F is a Trojan horse that installs a Browser Helper Object (BHO) and disables security software. This BHO causes the browser to download a variant of PWSteal.Bankash.

It actively disables your antivirus program which is why it can't do anything with it.

Here's how to get rid of it and it will take hacking the registry as I just had to do this with my sister's system... her homepage and also her browser had been hijacked, which may not be the case with you, however, the way to stop your problem is identical:

You will need to reboot to Windows in Safe Mode which will stop all programs from starting up so the Hijacker will be unable to reinstall its startup Key in the Registry. Since the hijacker file will not be running you will be able to delete the file(s) when you find it. Next, open Msconfig, you can type the word Msconfig in the Run window and click on OK to start Msconfig. Now, click on the Startup tab, and uncheck all the program entries in the window. Now place a check mark in any one of the entries that are not familiar to you. If you recognize any of the entries in the Startup group and you are 100% sure that they belong there, then you can checkmark them as well for the first run that we will do. Be sure to pay attention to what entries you have checked in the startup group. Now fix your home page in the Control Panel and reboot in normal mode.

Once you're back in Windows verify that your home page and search page have not been hijacked by opening the Internet Options applet. DO NOT START YOUR BROWSER. Go back to Msconfig and check one more entry, reboot and verify your home page and search page. Once you find the entry that starts the Hijacker, reboot into Safe Mode and remove that start Key. Read the Key carefully and find the file that the Key points to. You will now know what file you will need to delete to get rid of the Hijacker. But as I have mentioned, it may have a backup Hijacker, so continue the process until you have rechecked your entire startup group.

Suppose after going through all the Startup group items, your home page was not hijacked. The Hijacker is then being started by your browser, so let's open the browser now. The Hijacker can be started when you open your browser by adding a Registry Key to the Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects. Under this Key you may see Keys like {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}.

Reboot in Safe Mode, reset your home page, and rename all the SubKeys by adding a dash in the front of the Key name, like "-{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Now reboot and open your browser. The Hijacker should not run. Close your browser and rename one Key back to the original name by removing the dash. Open your browser to see if the Hijacker has returned. Close the browser and repeat the process until all keys have been renamed. Once you have found a Key that starts the Hijacker you will need to view the Key that it is pointing to. Go to the HKEY_CLASSES_ROOT\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx}. Open this Key and view the contents of the InprocServer32 Key. In my example it will have the value of the (Default) Key set to C:\ACROBAT5\READER\ACTIVEX\ACROIEHELPER.DLL. This file belongs to Acrobat Reader. But your Key will contain the Hijacker.

Reboot in Safe Mode, delete both Keys, the CLSID key and the Browser Helper SubKey that points to the Hijacker and then you can delete the Hijacker file.

Congratulations, You have now successfully killed the Hijacker.

TONI
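
The lookup described in the post above, from each Browser Helper Objects subkey to the DLL named under the matching CLSID key, as an added example that is not part of the original post. It reads a regedit text export instead of the live registry; `parse_reg`, `list_bhos` and the sample export are hypothetical, and only the first CLSID and its Acrobat path come from the thread.

```python
import re

BHO_ROOT = (r"hkey_local_machine\software\microsoft\windows"
            r"\currentversion\explorer\browser helper objects")
CLSID_ROOT = r"hkey_classes_root\clsid"

# Constructed regedit export; only the first CLSID and its Acrobat path come
# from the post above, the other entries are made up for illustration.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\-{11111111-2222-3333-4444-555555555555}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32]
@="C:\\ACROBAT5\\READER\\ACTIVEX\\ACROIEHELPER.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\example_helper.dll"
'''

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:  # only REG_SZ values are needed here
            name = m.group(1).strip('"')  # "@" is the (Default) value
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def list_bhos(text):
    """Return (clsid, enabled, dll path or None) for each BHO subkey."""
    keys, out = parse_reg(text), []
    for path in keys:
        sub = path[len(BHO_ROOT) + 1:]
        if not path.startswith(BHO_ROOT + "\\") or "\\" in sub:
            continue
        enabled = not sub.startswith("-")  # dash prefix = renamed as above
        clsid = sub.lstrip("-")
        server = keys.get(CLSID_ROOT + "\\" + clsid + r"\inprocserver32", {})
        out.append((clsid.upper(), enabled, server.get("@")))
    return out
```

A real regedit export in this format is UTF-16, so read the file with `encoding="utf-16"` before passing its text to `list_bhos`. An entry whose DLL path comes back as `None` has no CLSID registration in the export and is worth checking by hand.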

mmm...

In reply to: Here's some info and how to

There was no hijacker and no registry infection.
