Backdoor.Trojan? Help!
Original Message
Name: Muser
Date: July 18, 2004 at 21:39:03 Pacific
Subject: Backdoor.Trojan? Help!
OS: Windows XP Pro
CPU/RAM: Unsure
Comment: Ack! All of a sudden, my Norton flared up, warning me that C:\Windows\system32\ms.dll is infected with Backdoor.Trojan! I've tried to remove the file, and used Ad-Aware and Norton scans, but nothing seems to work. It keeps coming back. Suggestions? This looks serious.

Response Number 1
Name: SudsTheatre
Date: July 18, 2004 at 22:43:56 Pacific
Reply: Disable System Restore; reboot into Safe Mode; re-scan your PC with Norton; remove what it finds. Beer, Barbeque, Best Movies

Response Number 2
Name: FrodoFrog
Date: July 18, 2004 at 23:24:57 Pacific
Reply: I have the same issue on my W2K setup. Haven't got it on the XP system yet. Anyway, did the Safe Mode boot and scanned, nothing found; ran all the CWS, Ad-Aware etc. pest programs and nothing found. Rebooted normally and back it comes. Found a reference to winbbip.dll in the WinNT\System32 folder, couldn't delete it, so went to RegEdit, renamed the Windows folder and deleted the AppInit loading that DLL. It deleted fine; rebooted and Norton no longer picks it up on boot, but I still can't get rid of the winbbip.dll file, and Norton flares up each time I try to get rid of the file. Any help appreciated.

Response Number 3
Name: Muser
Date: July 19, 2004 at 04:42:50 Pacific
Reply: I've got a similar problem to FrodoFrog's. I used Safe Mode, ran Norton, Ad-Aware, Spybot, and even a trojan scanner called Digital Patrol Scanner, and I've found nothing. Once I reboot, it flares up again. Even in Safe Mode, the file ms.dll doesn't give me permission to delete it. Any help is appreciated, Muser

Response Number 5
Name: haillie
Date: July 19, 2004 at 12:19:26 Pacific
Reply: Yeah, I'm having the exact same problem, and Norton's full details on removal, yeah, they don't work. Any other ideas?

Response Number 6
Name: Thresher
Date: July 20, 2004 at 19:19:37 Pacific
Reply: Since you are all on either Win Me or XP (seems like), you must disable your System Restore and leave it disabled until the system is clean: http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
Then go into Safe Mode and run your UPDATED AV, UPDATED Ad-Aware and Spybot.
Expose hidden files thusly. Expose hidden files/folders in XP: make sure your settings allow you to view "Hidden files". Open up any Explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check "Show Hidden Files and Folders".
Clean TIF, cookies, %TEMP%, Recycle Bin.
Use these diagnostics:
Jason's Browser Security Test: http://www.jasons-toolbox.com/BrowserSecurity/
Gibson tests: http://www.grc.com/default.htm (I use LeakTest, DCOMbobulator, ShieldsUp, and UnplugNpray)
Thresher

Response Number 7
Name: Dave02
Date: July 20, 2004 at 20:36:55 Pacific
Reply: Reformat and reinstall. I tried everything. Did battle with it for 2 weeks. I think it's linked to the about:blank hijackings. I tried changing the file attributes in the Recovery Console. I downloaded a third-party registry editor to see the hidden .dll file. The ONLY thing that got rid of it was a reformat and a reinstall of the O.S. Sorry. Tough luck. The good news is that Norton and other AVG software can now keep you from getting reinfected. But once infected they are of little help.

Response Number 8
Name: ramyprabhu
Date: July 21, 2004 at 07:01:57 Pacific
Reply: Looks like all of us have the same problem. I tried removing Backdoor.Trojan the Symantec way... didn't work... System Restore off... Safe Mode... scan... and the file is nowhere to be seen (even when it is configured to show all files). Booted again in normal mode; Norton pops the same "backdoor.trojan found" and cannot repair it. Tried something called "HijackThis"... this came the closest to at least showing me the stupid c:\windows\system32\ctlheob.dll file... pressed the fix icon... I thought it did, but scanned again and it was still there. Try HijackThis and let me know if it worked for you all!! Any more suggestions? nothing

Response Number 9
Name: pataj
Date: July 21, 2004 at 08:37:38 Pacific
Reply: Win2k: install the HDD with the infected OS as a second drive, boot with the first drive (clean OS) and run a full virus scan on the second drive. Have fun.

Response Number 10
Name: scudney
Date: July 21, 2004 at 20:55:51 Pacific
Reply: Copy and paste this text into Notepad and save the file as remove.bat, double-click the batch file you created and see if this removes your ms.dll issue.

    @echo off
    REM Grant Everyone full control; "echo y" answers the cacls confirmation prompt.
    echo y | cacls c:\windows\system32\ms.dll /g Everyone:f
    REM Clear the read-only, system and hidden attributes so the file can be touched.
    attrib -r -s -h C:\Windows\system32\ms.dll
    REM Rename first (a loaded DLL can often be renamed when it cannot be deleted), then delete.
    ren C:\Windows\system32\ms.dll ms.old
    del C:\Windows\system32\ms.old

Response Number 11
Name: pjw23
Date: July 22, 2004 at 00:06:03 Pacific
Reply: I have the same problem running XP Home as Muser with the backdoor.trojan, except mine reads: C:\WINDOWS\System32\loghgc.dll. I've followed Symantec's removal instructions to no avail and run numerous full scans (NAV, Ad-Aware, Panda) that declare my system virus-free, but the error remains. By doing a 'find' in the Registry Editor for loghgc.dll, I've located the file in:
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Name: AppInit_DLL
Data: C:\WINDOWS\System32\loghgc.dll
The only problem is if I delete the file, once I close the Registry Editor, it somehow reappears in that same location. If running in Safe Mode, the regedit 'find' will not locate the file because it does not list the data info. You can still identify the file by AppInit_DLL, but even if you delete it there, it reappears still, and a restart brings up the NAV virus alert. Any suggestions that might work before I reformat my whole system? Thank you for any help you can offer!

Response Number 12
Name: gsteinb
Date: July 22, 2004 at 07:18:13 Pacific
Reply: I have Backdoor.Trojan in windows/system32/kbdej.dll; can't seem to get rid of it, though.

Response Number 13
Name: bimmer
Date: July 22, 2004 at 07:34:36 Pacific
Reply: What version of Norton AntiVirus do you have? Upgrading from Norton AntiVirus Corporate Edition 7.6 client to Symantec AntiVirus Corporate 8.1 client solved my problems on XP Pro machines. Regards.

Response Number 15
Name: tartandjm
Date: July 22, 2004 at 13:50:00 Pacific
Reply: I have the same problem as these other guys. Running XP, it started with the about:blank hijack. Tried to eliminate the hijack to no avail for about 2 weeks, and then it morphed into this backdoor.trojan virus problem. Mine is called "c:\windows\system32\logoh.dll", and no matter how many times I run HijackThis, Spybot S&D, Ad-Aware, or Norton AntiVirus 9, it keeps coming back on reboot. Norton pops up a window saying "unable to repair this file" and "access to this file was denied". I tried the Symantec solution (didn't work). I also now get a Trojan.Bookmarker.Gen warning when I reboot, but Norton does fix that one (kkdi.dll). PLEASE GOD SOMEONE PLEASE HELP ME!

Response Number 17
Name: JoK
Date: July 22, 2004 at 16:31:25 Pacific
Reply: Hi Guys, I think I found a way to kill this pest! My system was infected by a file called "msaih.dll". After some trials I did this (requires Spybot):
1. After the NAV alert do not click the NAV popup alert window, but open your Explorer. You should now find the file in your system32 folder. It is a stealth file which needs NAV Auto-Protect running in normal mode to be discovered.
2. Kill the NAV task via Task Manager.
3. Open regedit and scan your complete registry for the infected file. Remove ALL entries; that means after removing the first one go on searching! To be sure, better check your registry twice.
4. After having removed the NAV task dealing with that specific file and all the registry entries, switch to Explorer and rename your file (e.g. infected.dll).
5. Move the renamed file into the TEMP folder.
6. Start Spybot and go to Tools -> Secure Shredder. Add the TEMP folder content and send the stuff to hell!
This seems to work now and even passed a reboot test. After this I haven't had an NAV alert and there were no more registry entries with that file. Good Luck!! :-)
P.S.: Another way is described in forum # 12555

Response Number 18
Name: jeroensxm
Date: July 22, 2004 at 17:01:43 Pacific
Reply: I got this from another forum (see my previous post) and it worked for me. Good luck!
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the Trojan DLL every time ANY application is run, giving it complete control to do whatever it wants. So you need to remove it so that the Trojan DLL cannot load and keep re-infecting your PC. The way to remove the registry key is not obvious. If you just delete it from RegEdit, since the Trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the Trojan.) So what you have to do is the following, which worked for me.
1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.
Now that AppInit_DLLs is gone, run the latest Ad-Aware 6 to remove the Trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.
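The AppInit_DLLs persistence described in the post above is easier to audit from a registry export than by hand-editing while the DLL is loaded. The Python script below is an added example, not code from this thread or from any poster. It assumes the key was dumped with "reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" windows.reg" (an assumed workflow, not something the thread records). SAMPLE_REG is a constructed export: it pairs the loghgc.dll case from this thread with a made-up second key whose value is stored as hex(2) and begins with a NUL, which is one way a value can look blank in a viewer that stops at the first NUL; the thread does not say how the trojan hid its value, so that part is illustrative only. The parser handles the quoted, dword: and hex(n): forms regedit writes, reports what a string-based viewer would show next to the DLL paths actually stored, and builds a .reg fragment that blanks the value (the "clear, don't delete" advice given later in the thread) for use once the DLL is no longer loaded.

```python
import re

# Constructed sample export. Real exports are UTF-16 with a BOM; open them
# with encoding="utf-16" before passing the text to find_appinit().
# Assumed dump command (not from the thread):
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" windows.reg
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\loghgc.dll"
"DeviceNotSelectedTimeout"="15"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Windows]
"AppInit_DLLs"=hex(2):00,00,43,00,3a,00,5c,00,61,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 7: "REG_MULTI_SZ"}


def _join_continuations(text):
    """Merge lines that regedit wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def _decode_data(data):
    """Return (type_name, text) for the payload on the right of '='."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", str(int(data[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
    if m:
        kind = int(m.group(1) or 3)   # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        name = _HEX_TYPES.get(kind, "REG_TYPE_%d" % kind)
        if kind in (1, 2, 7):         # string types are stored as UTF-16LE
            return name, raw.decode("utf-16-le", errors="replace")
        return name, raw.hex()
    return "UNKNOWN", data


def find_appinit(reg_text):
    """List every AppInit_DLLs value in the export: what a C-string viewer
    would display, the DLL paths actually stored, and whether they differ."""
    findings, key = [], None
    for line in _join_continuations(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or m.group(1).lower() != "appinit_dlls":
            continue
        kind, text = _decode_data(m.group(2))
        shown = text.split("\0", 1)[0]            # cut at the first NUL
        stored = text.rstrip("\0")                # drop only the terminator
        dlls = [p for p in re.split(r"[ ,\0]+", stored) if p]
        findings.append({
            "key": key,
            "type": kind,
            "displayed_as": shown,
            "dlls": dlls,
            "hidden": len(shown) < len(stored),   # NULs precede the real data
        })
    return findings


def clear_appinit_reg(key):
    """Build a .reg fragment that blanks AppInit_DLLs under `key`
    (clear the value rather than delete it)."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[%s]\r\n\"AppInit_DLLs\"=\"\"\r\n" % key)


if __name__ == "__main__":
    for hit in find_appinit(SAMPLE_REG):
        flag = "HIDDEN " if hit["hidden"] else ""
        print("%s%s -> %s" % (flag, hit["key"], hit["dlls"]))
        print(clear_appinit_reg(hit["key"]))
```

Apply the generated .reg fragment only after the DLL is no longer loaded (from the Recovery Console, Safe Mode with Command Prompt, or with the drive mounted on a clean machine), or the loaded DLL can simply rewrite the value as the post above describes.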

Response Number 19
Name: jeroensxm
Date: July 22, 2004 at 19:44:03 Pacific
Reply: I am sorry. Although the changes to the registry as per my previous post delete the virus alert, the .dll file is still there. I think I found a manner to delete it. It worked for me even after a reboot.
Close all open apps. Open a command prompt and navigate to the directory with the offending files (C:\winnt\system32). Then open the Task Manager and click on the Processes tab. Select "Explorer.Exe" under Image Name. Click "End Process". Now you will only have the command prompt and the Task Manager. In the command prompt, DEL the offending files (DEL name of the infected file.dll; in my case winc.dll). The file should now delete without a problem. Now go back to the Task Manager and click on the Applications tab. Click the "New Task..." button. In the dialog, type Explorer.Exe and click OK. I hope this is it..

Response Number 20
Name: JohnFZ
Date: July 22, 2004 at 23:03:34 Pacific
Reply: Alright, I was able to figure out how to get rid of this pesky bug through all of your help (Windows XP only). So here is the fix. Close out any unnecessary service/app that is running by using Task Manager. Go to the registry and clear (not delete) the AppInit_DLLs string. Reboot your system in Safe Mode with Command Prompt. Delete the file that has been giving you problems (this varies from system to system), e.g.:
    c:\windows\system32>del comjgfn.dll

Response Number 21
Name: bimmer
Date: July 23, 2004 at 08:22:58 Pacific
Reply: It is called "Backdoor.Agent.B" by Symantec even though it is reported by their antivirus software as Backdoor.Trojan. Go here for instructions on removal: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.html

Response Number 22
Name: crusoe
Date: July 23, 2004 at 16:23:03 Pacific
Reply: Name: jeroen (by jeroensxm) Date: July 22, 2004 at 17:01:43 Pacific Subject: Backdoor.Trojan? Help!
------------
Thanks so much, jeroen! I've tried everything possible and that NAV message was popping right back up. I had a scare after I followed the instructions and restarted the computer... NAV message popped up again, only this time it said "NAV detected a file infected with a virus and deleted it"... I clicked OK and finally... finally... it's GONE!!! Thanks again!

Response Number 23
Name: ramyprabhu
Date: July 24, 2004 at 14:46:50 Pacific
Reply: Thanks Jeroen... I did exactly what you wrote and it actually worked for me!! Thank you!! nothing

Response Number 25
Name: figuringitout
Date: July 26, 2004 at 22:31:04 Pacific
Reply: Hi, I have been trying to implement Jeroen's suggestion but seem to be missing some pieces of info. Could anyone that tried this help to elaborate? What is meant by "command prompt"? (I tried RUN but it does not stay on the screen once "End Process" is initiated on explorer.exe.) Also, my computer cannot find C:\winnt\system32, any suggestions?

Response Number 26
Name: misterpepper
Date: July 28, 2004 at 15:09:29 Pacific
Reply: Working solution for all of you: I had the same problem (Backdoor.Agent.B), tried the Symantec page (the only thing good in those instructions is the registry cleanup and System Restore off); otherwise you all have a "filename".dll file that drives you crazy. First of all you have to remove it! The easiest way, at least to me, is:
1. Turn off System Restore (Symantec instructions).
2. Clean up the registry keys (Symantec instructions).
3. Insert the Windows CD-ROM and reboot your machine.
4. Boot from CD and run the Recovery Console.
5. Under this path, C:\windows\system32, delete your "filename".dll.
6. Reboot and clean the registry again (Symantec instructions).
7. Run a full system scan and enjoy :)
Though, it seems that one registry key cannot be deleted (O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup); still couldn't figure that out! But otherwise, after this, my system was fully functional again and there was a noticeable difference in the working system before and after.

Response Number 27
Name: CR
Date: July 28, 2004 at 20:23:56 Pacific
Reply: Hello all, Here is how I removed Backdoor.Agent.B on a Windows XP system. I followed Symantec's steps to remove the registry settings. You can find the directions at the link below.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.html
This keeps the DLL from loading on a reboot. You then need to remove the file. It is a matter of file security at that point. If you have an XP Pro system you can right-click on the file, go into the security settings and take ownership of the file. You can then delete it. If you have XP Home you need to reset the file permissions using the following utility recommended by scudney in response 10. Go to Run, type CMD. At the command prompt type cd \. Then type cd \windows\system32 (or the path where the file resides) and press Enter. Type the following (keeping in mind the "filename" will be random for everyone):
    cacls c:\windows\system32\"filename".dll /g Everyone:f
Finally, you can delete the file and NAV should stop complaining...... Hope this helps, CR

Response Number 28
Name: chuck1119
Date: July 30, 2004 at 08:32:30 Pacific
Reply: I have a fix. This is the only way I have found to get rid of a backdoor.trojan besides formatting. Start off by writing down the name of the .dll file that is infected. Norton will not be able to remove it and neither will you, because the file is in use. Even if you boot up in Safe Mode the file is still in use. The only way to delete the file is to hook your hard drive up as a slave to another computer. Boot up and the file will not be in use. Have Norton scan your system32 folder first, and if that doesn't get rid of it, I have been able to just go in and delete the file manually. Now hook your hard drive back up and boot up. You should see a few errors at startup about missing .dlls. To fix this go into regedit and search for the .dll you wrote down. Delete any values that come up. I have done this procedure three times and it worked every time. Ask for my email if you need more help.