BackDoor CFB
Original Message
Name: bfeller
Date: July 8, 2004 at 17:47:11 Pacific
Subject: BackDoor CFB
OS: XP Pro
CPU/Ram: 866/512MB
Comment: I am having trouble with an apparent virus. My McAfee is notifying me constantly (until I hit the "Exclude" button at least) of a virus. It states that it is the Backdoor-CFB virus. I get the message in sets of like 4-5 each time. My McAfee "Infected.log" shows the following:
J:\WINDOWS\System32\logo.dll => logo.dll
J:\WINDOWS\System32\logo.dll => logo.dll
J:\WINDOWS\SYSTEM32\LOGO.DLL => LOGO.DLL
J:\WINDOWS\SYSTEM32\LOGO.DLL => LOGO.DLL
J:\WINDOWS\System32\logo.dll => logo.dll
I've searched and been unable to find any logo.dll's on my system. I have run Spybot, CWShredder, and McAfee VS. I have disabled system restore. I have also booted in safe mode, searched for the files and have run McAfee and still have not been able to get rid of these (McAfee didn't seem to bring up the viruses while in safe mode). My problem is that although McAfee is bringing up the message that I have the virus, I am unable to delete or clean due to my access rights. How can I get rid of these (rather than my present ignore method) once and for all? Thanks!
Response Number 2
Name: bfeller
Date: July 8, 2004 at 21:37:07 Pacific
Reply: For some reason my system is not letting me run the scan. Whenever I try I get the fun little error that closes IE and asks if I want to send in the report to MSFT.
Response Number 3
Name: JPQ
Date: July 8, 2004 at 21:57:08 Pacific
Reply: bfeller, Are you using a firewall? You might have to disable your firewall just for that website for TrendMicro to bring up an Install Housecall message window. After the Trendmicro Housecall scan finishes, if that is the problem (firewall), don't forget to enable the firewall again. JPQ
Response Number 4
Name: bfeller
Date: July 9, 2004 at 07:06:02 Pacific
Reply: Unfortunately that didn't help. I use ZoneAlarm but I disabled it. I also tried running it in Safe Mode but with the same problem. I also ran VirusScan in Safe Mode and it didn't find the virus(es). So it only finds it/them while running in normal mode.
Response Number 6
Name: GS
Date: July 10, 2004 at 03:44:57 Pacific
Reply: Hi all, Going through exactly the same nightmare as our friend bfeller. Only on my machine the alleged dll is called kbdjio.dll. The file is nowhere to be found although I've done exactly everything that was discussed here. Also went through the registry according to the instructions on the McAfee page and none of the keys/strings are there. Help. This is driving me insane. Thanks in advance GS
Response Number 7
Name: chrisK
Date: July 10, 2004 at 04:32:35 Pacific
Reply: I have the same virus/symptoms, and the offending file in my case is sqldj.dll. My SP advised trying the Stinger tool, but the latest version does not deal with Backdoor-CFB. It's driving me potty.
Response Number 8
Name: bfeller
Date: July 10, 2004 at 06:48:56 Pacific
Reply: JPQ, Thank you for all the help and for the link. Looks like I got it fixed. I went to http://housecall.trendmicro.com/ and since I was having trouble getting the online scan to work (I finally did get it to work somehow, not sure what it was), I downloaded their PC-cillin program. Well, the online scans were not finding the virus, but PC-cillin was finding it just as my McAfee was. When the virus message for PC-cillin popped up, I clicked on the link for the virus it listed as present and it took me to a webpage that described the virus. On that webpage they had a removal tool/program that I downloaded and ran, and it seems to have solved my problem. Unfortunately I didn't save the website address, so it looks like you'd have to do the same thing as me with no shortcuts. Sorry! Might be worth giving it a try. BF
Response Number 9
Name: bfeller
Date: July 10, 2004 at 06:56:17 Pacific
Reply: I found the website that had the FIX TOOL: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.J I should probably say: this worked for me, but I am not in a position to advise you on whether this is appropriate for your system and what the results could be. My assumption is that running the Fix Tool would not hurt your system, even if the tool is for the wrong virus, but I am in no way an expert. In other words, try at your own risk =) Best of luck! BF
Response Number 10
Name: Shade
Date: July 10, 2004 at 10:06:38 Pacific
Reply: I've had the same problem as those above (see my posting kbdc.dll). Took me some time to figure out what it was actually... I tried bfeller's link. It fixed my problem. Many thanks
Response Number 11
Name: JPQ
Date: July 10, 2004 at 10:40:18 Pacific
Reply: bfeller, There is also a Trendmicro Sysclean Package (1.8 MB) (free) to download; it will delete viruses, trojan viruses, ... (if you are not a Trendmicro customer...). The link is: http://www.trendmicro.com/download/dcs.asp
Just download the file to a desktop folder and extract the executable to the same folder, then download the latest Virus Pattern File from this link: http://www.trendmicro.com/en/home/us/enterprise.htm
After that file downloads, extract the lpt$vpn.(###) to the same folder. After that just double click the sysclean executable to start the virus scan.
ALSO, don't forget to download the latest VIRUS PATTERN FILES at least once a week; they update on a daily basis.
I had a few questions about the PC-cillin program: Is it free, and what do you have to do after it downloads to make it run, and did you have to download update definitions before running it? I have dial-up, so about how long did it take you to download the program? JPQ
Response Number 12
Name: bfeller
Date: July 10, 2004 at 12:54:34 Pacific
Reply: JPQ, PC-cillin was a 30 day trial, which was fine for me as I only needed to get rid of this thing, not a permanent virus scan. I have actually already uninstalled it and reactivated my McAfee (which I have updated daily). If I am not mistaken (I hope this is the right program, sorry, I've just been trying so many different programs I get them confused sometimes), there was no updating (that required registering). If there was updating, it did it fast, but then I'm on cable Internet with 3mb download. Hope that helps. BF
Response Number 13
Name: Slawek
Date: July 10, 2004 at 13:34:48 Pacific
Reply: I tried to clean the BackDoor-CFB with the Trendmicro Sysclean Package and Virus Pattern File but it didn't help. It wasn't able to delete it :(
Response Number 14
Name: JPQ
Date: July 10, 2004 at 14:16:36 Pacific
Reply: Slawek, Download the AUTOMATIC fix tool: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.J JPQ
Response Number 15
Name: Fero
Date: July 15, 2004 at 03:02:32 Pacific
Reply: HOW TO GET RID OF THAT F***** DLL
For me the following worked to get rid of the file:
I logged on as local administrator. I stopped McAfee. After that I was able to rename the file at the command prompt. While in C:\WINNT\system32 I entered the command:
    ren <your filename>.dll infected
I rebooted the system and logged in again as local administrator. I stopped McAfee again. I opened a command prompt and changed directory to C:\WINNT\system32 again.
The file "infected" has some very special attributes and access rights. Therefore you can't see it in Explorer, and you can't see it on the command prompt with the DIR command. But you can see it with the ATTRIB command. Change the access rights with the command CACLS:
    CACLS infected /g administrator:f
This gives full access to the local administrator. If you tried ATTRIB you probably saw that the file has the old DOS attribute R, which means that it's read-only. Enter now the following:
    attrib -r infected
And now, tadaah!!!!, enter
    del infected
Reboot your machine. I think now it should be possible to delete the mentioned registry entries without them always coming back. On my computer they were already gone before I managed to delete the file. I tried a lot of what I read here, and something seems to have worked. I wish you success with your efforts!
Response Number 16
Name: jknetzinger
Date: July 20, 2004 at 06:55:06 Pacific
Reply: I was able to finally fix my problem by generally following the steps laid out by Fero. Thanks a million for posting your method! However, I had to do a couple of things differently (Windows 2000, Service Pack 4). Bear in mind that I had also tried many other methods including trying to change/delete registry keys. What I was forced to do differently follows:
1. When I logged in as the local admin, disabled McAfee and tried to rename <your filename>.dll to "infected" at the command prompt, I got the "file not found" response.
2. I browsed to the directory in Windows, found the file and successfully renamed it in there. I tried to delete the renamed file and was unable to (our friend: "file may be in use...").
3. I logged off and back on (no reboot), and tried to find the renamed file at the command prompt using both DIR and ATTRIB, and it returned "file not found" in both cases (even though the file was showing up when I browsed the folder within Windows). I tried the CACLS command but it only returned a description of the command from help, apparently not able to find the file either!?
4. I went ahead and tried "attrib -r infected" at the command prompt and it worked!
5. I was also able to successfully delete the file immediately following by using "del infected"!
I rebooted and logged in as normal and it appears to finally be gone! Only 6 hours of lost productivity! I guess it beats reinstalling the OS. Hope this helps someone out there.
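The rename / CACLS / attrib -r / del sequence from Fero's post, with the step failures jknetzinger reported, collected into one batch file as an added example (not code from either poster). It assumes you are logged on as the local administrator with McAfee stopped, that the reported DLL name is passed as the first argument (omit it if the file was already renamed from Explorer, as in jknetzinger's step 2), and that %SystemRoot%\system32 stands in for the hard-coded C:\WINNT\system32; the working name "infected" comes from the posts.

```batch
@echo off
REM Added example, not from the posts: Fero's rename / CACLS / attrib -r / del
REM sequence with a check after each step, allowing for the failures
REM jknetzinger reported. Assumes: logged on as the local administrator,
REM McAfee stopped, and the reported DLL name passed as %1 (omit it if the
REM file was already renamed to "infected" from Explorer).
setlocal
set "NAME=infected"
cd /d "%SystemRoot%\system32" || exit /b 1

REM Step 1 (Fero): rename the DLL. jknetzinger got "file not found" here and
REM had to rename it from Explorer instead, so failure is reported, not fatal.
if not "%~1"=="" (
    ren "%~1" "%NAME%" || echo rename of %~1 failed - rename it to %NAME% in Explorer, then rerun without an argument
)

REM Step 2 (Fero): DIR does not list the file, but ATTRIB shows its attributes.
REM jknetzinger saw "file not found" even here and the later steps still worked.
attrib "%NAME%"

REM Step 3 (Fero): give the local administrator full control. /G replaces the
REM ACL, so CACLS asks for confirmation; the piped Y answers it. jknetzinger
REM got only the usage text back, so again the failure is reported, not fatal.
echo Y| cacls "%NAME%" /G administrator:F || echo cacls did not apply - continuing

REM Step 4 (Fero): clear the read-only attribute, then delete.
attrib -r "%NAME%"
del "%NAME%"

REM Step 5: verify. IF EXIST sees hidden files that DIR hides by default.
if exist "%NAME%" (
    echo %NAME% is still present - reboot, log on as administrator and rerun
    exit /b 1
)
echo %NAME% removed - reboot, then check whether the registry entries stay gone
endlocal
```

Run it from an elevated command prompt as `fixcfb.cmd <your filename>.dll` (or with no argument after an Explorer rename); the exit code is 1 when the file is still present.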
Response Number 17
Name: revsunlimited74
Date: August 9, 2004 at 12:21:30 Pacific
Reply: Anyone find a fail-safe way to kill this yet... tried Fero's method but can't find some AppInit.dll??? Very frustrated... Very little sleep... PLEAZZZZE HELP !!!
Response Number 18
Name: revsunlimited74
Date: August 9, 2004 at 12:42:21 Pacific
Reply: http://www.versiontracker.com/php/dlpage.php?id=29970&db=win&kind=&lnk=http%3A%2F%2Fwww.anti-viruses.net%2FDownload%2FTrojan_Guarder.exe Seemed to do the trick... very fast and easy
Response Number 19
Name: thenovice
Date: August 19, 2004 at 07:35:14 Pacific
Reply: I too was running McAfee (unfortunately!). I purchased a $39/per incident phone support. I would have lost had I tried the per minute support. McAfee Virus Scan identified the virus, but could do nothing with it. The support group had similar results. After 4 call backs, they had tried everything that was mentioned in the above responses which fell under "unsuccessful". They also had me download 4 different Freeware programs (seems kind of strange for a Top Virus Company). When I finally lost my cool with them they offered to upgrade my problem to an advanced service technician. Their promised response time was 3-5 days. (Pretty impressive, I thought.) I started searching on my own and ran across this forum. I had heard some impressive things about Trend Micro previously, so I subscribed for PC-cillin and installed it. First, I ran an upgrade. Then I ran a virus scan. The program found and quarantined the file (Windows/System32/sqlc.dll). I restarted the program and selected "Delete" - END OF PROBLEM !!!!!!!!!!!!!! I rebooted the computer and ran another scan. Everything is clean. Good Luck, JP