Backdoor.Beasty trojan virus, files
Original Message
Name: pang
Date: September 25, 2003 at 15:27:59 Pacific
Subject: Backdoor.Beasty trojan virus, files
OS: WIN XP Home
CPU/Ram: P4 2.26 /512mb
Comment: My computer has recently been infected with the backdoor.beasty trojan, as indicated by NAV for HP Pavilion (version 8.07.17g). This virus has installed the following three files on the hard drive: [svchost.exe] [msnqrf.com] and [msdnvq.com]. By looking in the windows registry, it appears that the program hasn't activated due to the windows update I installed which changes the default value of hkey_class_root to "%1" %*. However, upon startup a NAV popup warning displays that it has found the virus but cannot delete or quarantine it (this popup cannot be closed!). I have also tried to delete them from explorer and move them to a floppy, but they appear to be encrypted.
1. Is this still a threat in this condition?
2. Is it possible to remove these files?
Just a warning: I had installed all available updates for both WIN XP and NAV, and ran a full system scan with no problems just 2 days prior to this (firewall was up). If this isn't enough to protect the system, what is? Thanks
Response Number 1
Name: capt
Date: September 25, 2003 at 16:35:29 Pacific
Reply: Have you tried deleting them while you are in safe mode? Norton probably cannot delete them because they are in use. Are they listed in the system restore files, as these files are protected and no antivirus program can clean/delete these files? Software is not enough; you have to be careful what you are downloading from the internet (especially if you use a peer-to-peer program like Kazaa), CDs and floppies, and scan everything before opening. If you use Outlook/Express the security must be set correctly and the preview pane disabled. Take care and all the best!
Response Number 2
Name: ieeehopeful
Date: September 26, 2003 at 00:44:46 Pacific
Reply: pang, try the web site www.trojanscan.com; it is a free search specifically to find and delete trojans. Also, similar to what capt said, try this: Start > right-click My Computer > Properties > click the System Restore tab > click Turn Off System Restore > Apply > OK, then reboot in safe mode and try to delete with NAV. hth
Response Number 3
Name: Dhiraj Sharma
Date: September 26, 2003 at 06:11:04 Pacific
Reply: In the context of the above discussion, I noticed that my XP has one of the three files, svchost.exe, but not the others. Is this file part of the regular Windows files, and the other two are part of the virus? My computer has the latest NAV definitions and does not complain about the presence of the virus. DKS
Response Number 5
Name: Spike
Date: September 26, 2003 at 18:22:07 Pacific
Reply: Yes, but are THREE of them being present part of the XP requirement too?? I've got the same issue and my system is hovering at 100% cpu load... I have NO idea what's going on with it... NAV is not complaining and trojan scan is turning up nothing...
Response Number 6
Name: Zip
Date: October 10, 2003 at 13:59:02 Pacific
Reply: I also have the virus on my home computer, not this one... it does not have any of the following extensions E, F, G, H, etc. But none of Symantec's fixes seem to get rid of it. Backdoor.beasty.H has a file that matches the directions, found in regedit, yet even in safe mode it won't delete it... this is driving me crazy. It goes away, but when I reboot to normal start up it's back... what the heck? Symantec calls this an "easy" fix... please help
Response Number 7
Name: Gollum
Date: October 11, 2003 at 08:36:04 Pacific
Reply: I encountered Backdoor.Beasty last night. I got the alert that does not close. As with you, Symantec gave me instructions on how to get rid of it but my reg contains none of the files that Symantec would like me to delete. I tried safe mode, same thing. I downloaded virus updates, used my restore function to restore to October 8th, before I had installed the Windows updates, and scanned for viruses. I rechecked if the virus updates were up to date; they were. Still no virus found. Could the Backdoor.Beasty have been in the Windows updates? How can I be totally sure the trojan is gone?
Response Number 8
Name: DIver
Date: October 12, 2003 at 15:22:07 Pacific
Reply: I have this too, and the instructions at Symantec didn't help at all. I tried to delete the file the trojan created in the Windows folder but it told me access was denied. Any ideas on what to do now?
Response Number 9
Name: Kendall Julian
Date: October 14, 2003 at 15:39:25 Pacific
Reply: I have a customer with the same issue. NAV 2003 reports it OK, but Symantec's removal instructions are no help. I installed the AVG 7.0 trial for a 'second opinion' and it reports removal and healing, but a few hours later we are back to square one...
Response Number 10
Name: Kendall Julian
Date: October 16, 2003 at 23:38:09 Pacific
Reply: Took a couple of hours to have a further dig at this one. It looks to me like I have a new variation of the Beasty trojan similar to Backdoor.Beasty.H.
(1) The following files I've found so far (WinXP Pro):
c:\windows\dxdgns.dll
c:\windows\msagent\Msfjvr.com
c:\windows\msagent\MSFJVR.COM-0552BE97.pf
c:\windows\system32\Mscoty.com
c:\windows\system32\coty.blf
(2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44CC0112-AB51-22EF-BA32-20AA12E6115C} contains the value: "StubPath"="c:\Windows\System32\Mscoty.com"
(3) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run contains the value: "COM Service"="c:\Windows\msagent\msfjvr.com"
So NAV is incorrectly identifying this trojan as 'Backdoor.beasty' and can quarantine file 'dxdgns.dll' in Safe Mode OK, but leaves the rest to re-install the trojan.
I've isolated the other four files and deleted the first registry key and the 'StubPath' entry from the second. Touch wood, five hours later no re-infection. Hope this helps....
Response Number 11
Name: Dieter Keuser
Date: October 19, 2003 at 15:06:23 Pacific
Reply: I have a similar infection to the ones described above. Here are the details:
Created files:
Windows/system32/msfrgm.com (25.264 byte)
Windows/system32/frgm.blf (360 kByte)
Windows/system32/msfrgm (3 byte)
Windows/msagent/msusug.com (75.264 Byte)
Windows/dxdgns.dll
Of those only frgm.blf can be deleted; however, it is automatically recreated after deletion. The others cannot be deleted in any PC configuration (including safe mode).
Changed? Files (at least the file date has changed to the same as the above files):
C:\Windows\System32\Appwiz
C:\Windows\Explorer
Registry Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run -- COM Service = C:\Windows\msagent\msusug.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -- SysComp = C:\Windows\System32\msfrgm.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -- System = C:\Windows\msagent\msusug.com
What have I tried:
Deletion of infected files: not successful; only frgm.blf can be deleted but restores itself automatically.
Deletion of the above registry entries: they can be deleted, but get instantly restored by the system.
The above happens both in normal configuration as well as in any safe mode configuration.
I have seen that Backdoor.Beasty.H requires system restore to be turned off; that's what I did. I still have the feeling that infected old configurations are stored.
As the situation seems similar to Backdoor.Beasty.H, I followed the removal instructions without success.
Norton Antivirus is disabled and no system scan or file quarantine can be performed (neither in normal nor in safe mode).
Who can help me?
Response Number 12
Name: JKT
Date: October 23, 2003 at 06:33:11 Pacific
Reply: Well I had the same virus or a variation of it. Couldn't find any way to delete it at first, and the only anti-virus/anti-trojan programs that could find it were AVG 6.0 and TD-3. I had to boot to MS-DOS to delete some of the files.
1. Restart to MS-DOS. If you have WinXP go to Start and Search and Help then look up "MS-DOS disk". It will show you how to create an MS-DOS disk.
2. Switch to the drive your virus is on (drive letter then colon and ENTER). It should be C but might be different for you.
3. To delete C:\WINDOWS\dxdgns.dll, type cd windows and hit ENTER. The prompt should look like this: C:\WINDOWS\> -- then type del dxdgns.dll. Make sure you include the spaces.
4. Follow the same instructions to delete the other files. In my case I had to type cd system32, which made the prompt look like C:\WINDOWS\SYSTEM32\> -- then I typed del msarqu.com. Your file names may differ but you get the idea.
5. Exit DOS, take out the disk and restart the PC.
6. Follow the instructions above to delete the registry entries. Also make sure System Restore is off.
7. Restart again and run an anti-virus program to ensure the virus is gone.
Hope that works for you all. Anyone who has any questions, post back or email me.
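Responses 10 and 11 list the same four autostart locations (the Active Setup "StubPath", Policies\Explorer\Run, CurrentVersion\Run and the Winlogon "System" value), and response 12's procedure ends with cleaning those entries once the loader files are gone. The Python check below, an added example that is not code from this forum, from any poster or from Symantec, parses a registry export (the text format written by "regedit /e") and reports values under those keys that launch a .com file from \Windows\msagent or \Windows\System32, the pattern every poster reported. SAMPLE_REG is a constructed export built from the keys and file names in the thread; the "Example Updater" entry is made up to show a benign value being left alone.

```python
"""Flag the autostart values this thread associates with the Backdoor.Beasty
variants in a Windows registry export (.reg text).

Added example for this thread; not code from the forum or from Symantec.
SAMPLE_REG is constructed from the keys and file names the posters listed.
"""
import re

# Autostart keys named in responses 10 and 11. Values directly under a key or
# under one of its subkeys (the Active Setup CLSID subkey) are examined.
WATCHED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

# Heuristic taken from the thread: the loader is always a .com file placed in
# \Windows\msagent or \Windows\System32 and started from one of the keys above.
SUSPICIOUS_IMAGE = re.compile(
    r"\\windows\\(?:msagent|system32)\\[^\\]+\.com\b", re.IGNORECASE)

# Constructed .reg export using the thread's reported entries; the
# "Example Updater" value is a made-up benign autostart for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44CC0112-AB51-22EF-BA32-20AA12E6115C}]
"StubPath"="c:\\Windows\\System32\\Mscoty.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"COM Service"="c:\\Windows\\msagent\\msfjvr.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysComp"="C:\\Windows\\System32\\msfrgm.com"
"Example Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"System"="C:\\Windows\\msagent\\msusug.com"
'''

# One REG_SZ line: "name"="data" or @="data" (default value). Binary and
# DWORD values use other syntaxes and are deliberately skipped.
_VALUE_RE = re.compile(
    r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: backslashes and quotes are backslash-escaped."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key_path, value_name, string_data) for every REG_SZ value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # key paths are not escaped in .reg files
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = "(Default)" if m.group("default") else _unescape(m.group("name"))
        yield key, name, _unescape(m.group("data"))


def _under_watched_key(key):
    k = key.lower()
    return any(k == w.lower() or k.startswith(w.lower() + "\\")
               for w in WATCHED_KEYS)


def find_suspect_autostarts(reg_text):
    """Return [(key, value_name, data)] for watched-key values whose command
    line points at a .com loader in msagent or System32."""
    return [(k, n, d) for k, n, d in parse_reg(reg_text)
            if _under_watched_key(k) and SUSPICIOUS_IMAGE.search(d)]


if __name__ == "__main__":
    for key, name, data in find_suspect_autostarts(SAMPLE_REG):
        print(f"{key}\n    {name} = {data}")
```

To use it on a real machine, export the four keys with regedit /e to a file and pass that file's contents to find_suspect_autostarts instead of SAMPLE_REG. The output is a list of what to inspect, not a removal: responses 11 and 12 report that the entries are written back by the running loader, which is why the DOS-mode file deletion in response 12 comes before the registry cleanup.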