Hi folks!
I wonder if anyone else has had the pleasure of the trojan horse Mr. "backdoor.agent.ba"? There appears to be no mention of it on Google as of today. It was thrown up by AVG, which was then unable to delete/heal/send to vault... etc. Can only press 'continue'... it goes away!
I can't quite remember how it first appeared, but subsequent running of AVG found nothing... yet every time that I run ieexpress or Google or opened a Word doc., the warning screen appeared announcing that I had this chap! I know where it is: c:\windows\system32\sqlf.dll... what is that? Again, I don't know because it doesn't appear in any dll lists! Can't delete it of course! Won't let me... the plot thickens.... OK... reboot into safe mode/command prompt and attempt to remove it... doesn't exist!... run dir /p... no, doesn't exist... am I dreaming it? Go back to system32 files... and there it is. Rename the dll file 'virus.txt' and the problems all stop... however, rename again to 'sqlf.dll' and it's back again.
What's going on?
Regards to all,
baz55

I have the same problem. Only with me it's worse. 9 out of the 10 times I boot my PC and log on, I get a blue screen and I have to reboot. It says something about IOCancelFileOpen. The dll file has the name d3djd.dll and I've tried to delete it, but it just can't be done. Would anyone know what to do? Any help would be greatly appreciated!
Thanks in advance

I'm very much a novice with the computer, but I did notice that this virus seemed to come along with the AVG update, so using McAfee QuickClean I uninstalled AVG (free edition), rebooted, then reinstalled AVG and the virus has gone. Hope this helps.
PS. The reason I used McAfee was that when I used the AVG uninstall my computer switched off half way through the procedure.

Baz55 - I was having the exact same experience as you (except that in my case the DLL was called WIN.DLL).
I basically did the same as you. Renamed the DLL file that was alerting AVG and the problem seems to have gone away.
Although I have renamed the file, I still can't delete it, however, as it has the read-only attribute set. I have tried resetting the read-only attribute but it won't let me.
I also searched my registry using regedit for references to WIN.DLL and removed them.
All seems OK at present.

I'm having the same problem as everyone else... ran AVG, it couldn't delete it or vault it...
Any more help would be greatly appreciated...

I now have the solution to your problems if you haven't already healed this virus. I am 15 and do know a good bit about this stuff... This is just elementary... First, I would like you to go into your system32 folder. (If you don't know how to get there, just open... My Computer... Drive C... WINDOWS... system32.)
NEXT... find the infected file, most likely your .dll file as on mine... msgb.dll.
After you find it... move it to your desktop.
Select properties of the file. Make it no longer a read-only file (just click the check mark by read only).
Then click... hold... and drag it to your recycle bin.
If this doesn't work... I will be glad to post some more ideas. Good Luck! ... Austin
I can fix it!

Hello,
We are having the same prob. Every time we reboot we get the blue screen with the same message Hornydevil_666 listed above. We cannot get into the computer in regular mode and cannot run AVG in safe mode. Really not sure how to get rid of this or where it came from. Is anyone willing to give rather basic step by step instructions? Please? We'd rather not have to format the hard drive. Thanks

I've got the dang thing too, need lots of help though. I don't get any blue screens yet. I can't even right-click on the file without it cancelling the window.
Someone needs to infect these aholes with a little jail time.

I also had backdoor.agent.ba, picked up from the site "www.mocosoft.it".
AVG saw it BUT could not remove it.
AVG reported it in windows\system32\CTLGC.dll
I could not delete it because it told me it was in use by a program.
So I did:
regedit
find ctlgc.dll. I found it in
hkey_current_user\software\microsoft\search assistant\ACMru\5603
001 Reg.Sz ctlgc.dll
hkey_local_machine\software\microsoft\windows nt\windows\
AppInit_DLLs reg_sz c:\windows\system32\ctlg.dll
I deleted the values. I went back to c:\windows\system32\
and deleted the file ctlgc.dll, and I had SUCCESS!!!

Uh... don't know what response 10 there is saying... (anyone speak Spanish or whatever?)
But anyways, yeah I got the same problem... and my system crashes at startup most times... except you all seem to be able to find the file in the system32 folder, right? Well I can't... it's like it doesn't exist.

Hello
I did what Austin said and it worked. The contaminated file, "sqleknp.dll", was removed.
So far everything is OK.
Thanks

ALL OF YOU PEOPLE, IF YOU HAVE WIN ME OR WIN XP YOU MUST DISABLE YOUR SYSTEM RESTORE FILES TO GET RID OF THIS BUG BECAUSE IT HIDES IN THERE:
Disabling system restore in Win XP:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?Open&src=sec_doc_nam&docid=2001111912274039&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl
Win Me Sys Rest:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?Open&src=sec_doc_nam&docid=2001111912274039&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl
It's hiding in your system-restore files which cannot be vaulted or cleansed except by dumping them. Do not re-enable system restore until you are 100% sure you are clean. You should also dump %TEMP% files > double click My Computer, put %TEMP% in address bar, enter, highlight and delete all. To dump TIF click tools > options > delete files, check the box for delete offline content > click ok > click delete cookies > click ok. Dump recycle bin. Do it all from Safe Mode if you can.
Shut down for two full minutes.
Win Me error message resource center:
http://support.microsoft.com/default.aspx?kbid=315854
Win Me error messages list:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;winmeerrmsg&product=winme
Win Me support center:
http://support.microsoft.com/default.aspx?pr=winme
If you are getting trojans you need a firewall:
Sygate firewall:
http://smb.sygate.com/products/spf_standard.htm
And anti-spyware anti-adware:
http://www.lavasoft.de/support/download/
http://www.javacoolsoftware.com/spywareblaster.html
http://www.javacoolsoftware.com/mrublaster.html
http://www.safer-networking.org/
On-line scans:
http://housecall.trendmicro.com/
www.security.symantec.com/
www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
http://www.pandasoftware.es/actives...ivescan-com.asp
http://security2.norton.com/ssc/vc_scan.asp
http://housecall.antivirus.com/
Anti-TroHor:
http://swatit.org/download.html
File cleaner:
http://www.xblock.com/download-freeware.shtml/
Thresher

OK boys and girls,
I had the same problem.
It was the win.dll here,
but I think I got a cure when using Win 2000 Professional.
I first tried to move it to the desktop and remove the read only. Didn't work.
But I could rename it, so I could remove it in safe mode.
Try if it works on other systems and kill this annoying beast for me.

Thanks Thresha',
I haven't tried all you've said there yet but I'm about to. I'll let ya know if it works. Thanks!

Yo Thresha', it appears to have worked. I'm still wrapping it up.
However my browser appears to still be hijacked (goes to about:blank) and I'm working on that still, but I think I can fix that.
Thank you very much for your time!

Hi, I'm Silvio, 25 years, I'm from Portugal.
It's not as easy as Austin says; each computer has a different problem with that trojan.
Unfortunately my Norton expired, so I installed AVG, big s---.
AVG couldn't delete some virus; it said I had: trojan backdoor.agent.Ba, but in my computer it makes a lot of problems.
I have a Pentium II, 30GB, Windows XP. Well, all my exe (applications) are "cut": I couldn't access programs, I couldn't run anti-spywares, I couldn't run antivirus, I couldn't access Control Panel, I couldn't find that trojan. AVG says it is on: windows\system32\com.dll
I went to see in system32, but... com.dll doesn't exist, or is invisible.
I go to DOS mode (windows\system32\ delete com.dll, but it doesn't exist).
So I went on the internet to Symantec and they don't have any report of that trojan; it seems it doesn't exist. I ran a lot of online scans and no online virus scan found anything.
Maybe AVG invented it.
But my computer is f---ed. I tried to install again the CD with Windows XP but it doesn't work.
I already deleted cookies, temporary internet files, etc. I went to regedit and didn't find anything.
Well, when I had Norton antivirus it also couldn't delete a lot of viruses; I had to delete them manually.
On the internet this forum is the ONLY PLACE where we read about "backdoor.agent.Ba", because people have that AVG report. I also had AVG, so maybe AVG makes that... Silvio

Do you know something?
Now I went to the AVG SITE, searched for backdoor.agent.ba in the virus encyclopedia,
and AVG says it does not exist!!!!
http://www.grisoft.com/virbase/virbase....h&type=web
Very very strange,
cause I also have that trojan. I hate AVG; since I installed AVG my computer has a lot of infections. I read that AVG could update some virus in "update", so we think it's good because it finds some virus. I think AVG creates that strange virus.
Symantec doesn't know any backdoor.agent.ba.
I will send an email to AVG, and I will write to some antivirus sites reporting that AVG bad stuff... Silvio

Hey Everyone,
I had the same exact thing except mine was wdm.dll. I tried what Austin had said but it would not let me drag it into the R. Bin. So I went to Add/Remove Programs in my Control Panel and removed AVG from my computer. After it was gone I restarted my computer and the file was on my desktop. I simply dragged the file into the bin and this time it allowed me to delete the file. I hope this works for you because the virus was a pain in the ass for me.

I cleared this virus exactly how Kirk described...
It initially infected a file called CTL.dll in XP's system32 folder. This file was only visible when the system restore was turned off (right click My Computer, choose Properties, select System Restore, then check the Turn off System Restore on all drives box).
Once I could see the file I dragged it to my desktop but could not delete it as it was constantly in use, but removing AVG and rebooting meant it could be moved to the recycle bin and deleted...
I have not reinstalled AVG as the Backdoor.Agent.BA seems to target that particular software. Instead I opted for AntiVir version 6 (http://www.free-av.com) which now says I'm clean and, most importantly, my PC has stopped crashing.

Hallelujah! At last I have found a group of folks who have heard of my problem... thank goodness for forums... Since my original post I have been nibbling at the problem through sheer stubbornness!!! I have read the feedback and, in particular, Austin's contribution... I managed to cut and paste to desktop and then delete (I don't have a recycle bin) and all is OK. Like many of you, I am very suspicious of AVG! How can their program throw up a virus warning if they have never heard of it?
I should add that my system restore had already been disabled and I also deleted my sqlf.dll from the 'local machine' registry having done a search for it in the registry.
Unconvinced that I had covered all angles, I pulled the plug on my modem connection in case it was being fed from outside.
Now, all is well (so far).
Quite an exercise, eh?
Regards
bazbaz55

An Answer for all!!!
Go to: http://www.trendmicro.com
Click on Support.
On the left side you find a link called
"Damage Cleanup Engine".
Read and download the standalone cleaner named "sysclean.com".
Go back to Trend Micro and download the latest pattern file named "lpt***.zip".
Create a folder on the C drive, drop sysclean.com there and unzip the lpt***.zip file into the same folder.
Next turn off System Restore in XP.
Run sysclean.com.
Let it do its job. It will take some time!
When done, turn on Sys Restore.
Done.
I use the Damage Cleanup Engine all the time,
but you have to update it every so often to stay on top of all the pests out there!
Cheers, C-Tek

Ben11:
How is the browser hijacker doing? Got it out yet?
Just in case you need it, download HiJackThis here:
http://www.lurkhere.com/~nicefiles/
When you download it, watch for the check box to extract it to a C:\ file, or get it into a C:\ file yourself, out of TEMP and not in desktop; that way you get backups in the C:\ file.
Log off the net, close all browser windows.
Open it and click on SCAN; the SCAN button becomes the 'save file' button. Save it,
highlight it, copy it, log on the net, and paste it in a blank form here:
http://forums.spywareinfo.com/
or here:
http://www.pcguide.com/vb/forumdisplay.php?s=&forumid=34
DO NOT attempt to fix anything in it unless you know exactly what you are doing--let the experts examine it.
Thresher

Thanks to Austin and all above I was able to eliminate my BackDoor Agent Trojan Horse. In addition to his scenario in Response #5 above, after disabling System Restore (I have WIN XP Home) I dumped AVG (which has served me faithfully until now) as suggested in later responses.
Now, any suggestions on how to get rid of Dialer 7B Trojan?
Thanks to all,
ED

Hi, I'm Liam and I had exactly the same problem as the rest of you, only I had the added problem of my PC rebooting every time I logged in. I am very good at these sort of problem PC solving things and I help out on the Newbie dot org help site. I turned off my automatic reboot option in Control Panel just so I could get an error message and actually see the blue screen of death before it rebooted.
I noticed the message report said there was a problem with one of my .dll files (d3dlgeo.dll for me). I noticed straight away that this was not a .dll file as I have never seen it before.
But once I was able to use safe mode to get into my login I noticed this back door trojan which none of my anti-trojan or virus scanners would get rid of.
Anyway, to cut a long story short, I finally realised that AVG must be at fault, AND IT IS!!
So you must delete AVG. You may have to delete it manually because for me it wouldn't uninstall itself and Add/Remove in Control Panel wouldn't work.
You will be able to delete all the AVG files off the C: except for one, and guess what, it is a .dll file. For me it was called "avgse.dll" and it should be called that for you too. To delete this all you have to do is rename it and drag it to your desktop and then drag it into your recycle bin.
SIMPLE!!! And that's that, no downloads needed or anything! All you need to do is restart your comp and get on with whatever you want!!!
Thanks for all the help from people replying!

Hi
I've had the same problem as everyone else with the Trojan Horse Backdoor Agent. The main problem I was having was annoying messages telling me that AVG had found a virus which could not then be deleted.
I have eventually managed to get the file deleted which was called msda.dll in the System 32 folder.
I did this by following Austin's instructions and also Baz55's. First of all I changed the file name to virus.txt but left the file in its original location. The messages continued to appear. I then moved the file to the desktop and changed it from a read-only file. I was then able to drag the file to the recycle bin, from where I managed to delete it.
I am keeping my fingers crossed that it does not appear again.
Thank you to everyone for your helpful tips and suggestions.

Hello Guys,
'Tis very kind of ya to take care of some absolute beginners... but what a strange help if they can't read it! Yet, this forum is the only one beyond the wwweb talking about that f*** THB! So, as a tribute to your help, I'll try to put it in other words...
I was saying, then, that since this is the only place where this damn thing is discussed, I'm thinking of our non-English-speaking friends, and I'm translating and summarising all this sound advice.
1) There are strange correlations between AVG and this damn thing. Only AVG recognises it, and yet it is not in the list of viruses known to AVG... while only those using AVG free edition get stuck with it!
2) Start by disabling the System Restore process (right-click My Computer / Properties / System Restore). That's where the surprise file hides.
3) Then ask Windows again to search for the nasty file that doesn't want to show itself (something like C:\Windows\system32\saloperie.dll), which normally finally appears.
4) Drag the file onto the desktop (right-click the file, keep the button held down and pull it out of the window onto the desktop).
5) And if even then, even after trying to rename it or to clear read-only (right-click, Properties), it won't let itself be dragged to the recycle bin, well, all that's left is to uninstall AVG (go to Control Panel) and reboot the machine; and there, as if by miracle, the file lets itself be dragged, and bam, empty the recycle bin.
That's all folks!

I deleted all AVG files manually as suggested by Blue Nova. But, there were two files that I couldn't delete. One was the avdse.dll file, the other is 'avgserv'. After renaming both and dragging to the desktop, I was able only to move the .dll to the recycle bin - the avgserv will not go to the recycle bin even after I rename it - it's apparently the file that displays the notification message for AVG. Any suggestions?

Are you people stupid or is it just me?
Q: "I have a virus which won't go away, what should I do?"
A: "Get rid of the antivirus software"
Geez.
To remove the backdoor.agent.ba virus (as per my previous post):
1) disable restore, flush IE cache, temp files etc.
- restart
2) log on as administrator
3) go to Control Panel / Administrative Tools / Local Security Settings / Security Options, "Network access: sharing and security model for local accounts",
change to "Classic - local users ..."
4a) find the infected .dll file, right click, Properties, Security, Advanced, Owner
4b) set the owner to Administrators.
4c) OK-OK-OK-OK etc. until the Properties window is closed
4d) right click the file again, Properties, Security
4e) give full control to Administrator (tick all "allow" boxes)
4f) close the Properties box (with OK, not Cancel)
5) move the f***en SOB to the desktop then nuke it to hell (or just delete it)
Run regedit and search for and delete any entries related to the virus-infected .dll.
Done.

I consider myself advanced at removing viruses and spyware but this one kept me busy for over 5 hours. Got it in the end by putting the hard drive in a clean machine as a slave drive, then finding the file that AVG had identified (previously hidden by the virus, and a different name to the others listed here), right click, Properties, Security tab & take ownership. God knows how this sucker manages to protect itself here, but you have to rename the file before you can delete it.
After this use Spybot's new Tools (ver 1.3) to remove "BHOs" (if you don't know what you're looking at there, just take them all; you can reload the legit ones like Flash / Shockwave later), then clean up "browser pages" (change them to Google or Microsoft). Spybot will run in safe mode! I also deleted the System Restore files that were infected, no ill effects there.
The trojan hooks in at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs, so you can find its name there. You can't change the value as it will change it straight back, but you can rename the key "Windows"; this will stop it running whenever a program runs. It has also altered my Task Manager to a single page with limited functionality, so if anyone knows how to get that back I'd be grateful.
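Several posters in this thread found the DLL's name in the AppInit_DLLs value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, the value Windows uses to load a DLL into every user-mode process. The script below is an added example, not code from anyone in this thread: it parses a Regedit 5.00 export of that key (a constructed sample is embedded, with a placeholder DLL name) and reports what the value would load, so the check can be done offline from an exported .reg file or a slaved drive's hive without touching the live key. The `LoadAppInit_DLLs` handling is an assumption about newer Windows versions; XP has no such switch and always loads the value.

```python
"""List the DLLs that an AppInit_DLLs registry value would inject into every process.

Added example; parses a Regedit 5.00 (.reg) export offline. All names below are
placeholders or assumptions, not values from any poster's machine.
"""
import re

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample export: Regedit escapes backslashes in REG_SZ data as "\\".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\example_suspect.dll"
"DeviceNotSelectedTimeout"="15"
"LoadAppInit_DLLs"=dword:00000001
"""

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export.

    Handles REG_SZ ("...") and REG_DWORD (dword:xxxxxxxx) values, which is all
    the AppInit_DLLs key needs; other value types are kept as raw strings.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or not line.startswith('"'):
            continue
        match = _VALUE_RE.match(line)
        if not match:
            continue
        name, data = match.group(1), match.group(2)
        if data.startswith('"') and data.endswith('"'):
            # Undo Regedit's escaping of backslashes and quotes in string data.
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        keys[current][name] = data
    return keys


def appinit_dlls(text):
    """Return the DLL paths listed in AppInit_DLLs (comma or space separated)."""
    values = parse_reg_export(text).get(APPINIT_KEY, {})
    data = values.get("AppInit_DLLs", "")
    if not isinstance(data, str):
        return []
    return [p for p in re.split(r"[,\s]+", data) if p]


def assess(text):
    """Summarise whether the key would inject anything on this machine.

    Assumption: a LoadAppInit_DLLs of 0 disables loading on newer Windows; when the
    value is absent (as on XP) the DLLs are always loaded.
    """
    values = parse_reg_export(text).get(APPINIT_KEY, {})
    load_enabled = values.get("LoadAppInit_DLLs", 1) != 0
    dlls = appinit_dlls(text)
    return {
        "load_enabled": load_enabled,
        "dlls": dlls,
        # An empty AppInit_DLLs is the normal state; anything listed deserves a look.
        "needs_review": load_enabled and bool(dlls),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_REG)
    for dll in report["dlls"]:
        print("AppInit_DLLs would load:", dll)
    print("needs review:", report["needs_review"])
```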

It seems that I have gotten rid of the B.A. AVG can't find it, nor can Spybot or Norton; everything runs pretty fast. I, however, don't think it's gone. My homepage still switches to about:blank, and I still get mad popups when I go to Internet Explorer. Can someone help!?

Can someone help me PLEASE!??? I have the "Trojan horse Backdoor.Agent.BA" virus. AVG says it is affecting "windows\system32\hlpalhn.dll"... My system is Windows XP. I have tried numerous things on these threads and nothing works, and all the same symptoms as well. I currently have SpyKill, Ad-aware, Norton 2004, Trojan Hunter, AVG, Spygate firewall and tried stuff from trendmicro.com, and other numerous places. This crap is driving me nuts. I am a new/novice computer user and really need someone to talk me all the way through this thing. I have IMPORTANT work files on my computer and I now can't get my CD burner to work either, otherwise I would just back up and format the drive. I would GREATLY appreciate any help you guys could give me. Thank you!!!!

Hey Jay, just follow the instructions I gave above and delete AVG!
If you want to use it again just reinstall. If you have any problems don't hesitate to email me.

Sorry, my email didn't come up:
liam_walker@ntlworld.com
Just email me for help, and please don't send my email to anyone else.

I've had the same problem as all of you guys. I uninstalled AVG and I disabled system restore, and I moved the infected file to my desktop and I even renamed it, but I am not able to delete it, or change it from "read only". I don't want to sound annoying or anything, but this whole fing thing has really gotten on my nerves. I mean I re-installed windows xp just to kill it, but it didn't work!

hi, it's a relief to see that there are people out there who are familiar with this virus and know how to handle it. my problem, however, is a little more complicated:
This afternoon AVG told me that my computer has been infected, and that the infected file name was wdmnmj.dll under system32. I tried manually deleting it to no avail. Later on I found out about this board, tried to follow the instructions on post #29, but then I realized that the .dll file was GONE! Well, not quite gone: AVG still tells me that file exists and is causing damage (even rebooted on me about half a dozen times), and I went to Tools to show all the hidden extensions and files, and unchecked the box that asks me to hide all the protected system files. I still can't find that .dll file, yet AVG swears it's there, and it's bugging my computer.
help?

I downloaded avg anti-virus. It wouldn't work so I emailed them. They sent me a small file which I had to change and then save. Hey presto Backdoor.Agent.BA is gone!

did you download the free version or did you actually purchase a copy? 'cause that sounds great, I wanna email them too, but on their site they seem to only allow paying customers to contact them.

HI Nate,
I had the same problem as you with the about:blank homepage problem. Download this file and run it. It will clear it right up!
http://www.spywareinfo.com/~merijn/files/CWShredder.exe

HI Nate,
I was having the same problem with the about:blank homepage thing... download
CoolWebShredder and it will fix it.
http://www.spywareinfo.com/~merijn/files/CWShredder.exe

I have tried everything and can't get it off of my computer either. Also, the computer is not letting me reinstall AVG.
Help

HERE I COME TO SAVE THE DAAAY!!!
(for some of you...) You might not all be able to make this work, however this is a fun story so you won't regret reading it!
(Roll down for shorter version)
I've been trying for 72 long hours to get rid of this little pain in the ass, 'Trojan horse BackDoor.Agent.BA' (our deadly enemy!). The stupid virus was invisible to anything except AVG-super-virus-program-that-is-supposed-to-be-able-to-kill-viruses-BUT-CAN-NOT-IN-THIS-CASE... you know that part of the story. Anyways, after I'd tried a couple of other things, including the update of my entire PC, I changed strategy. I wanted that horse down. Instead of hoping to find some program to do the dirty work for me, I began looking for a possibility to remove it manually.
Since Windows itself could not see the virus, I used Windows Commander to find it. But even with system restore disabled, safe mode on and then trying to delete the dll in Windows Commander I was unsuccessful. In other words I had used all the heavy artillery against that so-called Backdoor Agent and still it was untouched... By that time I realized and was able to conclude that when you run Windows normally you can, with the right programs, see the virus but not delete it. And in safe mode you can delete it, but not see nor find it. If anyone is in doubt or curious then I want to explain:
When you start your PC normally some programs are executed. Your virus program, your network, your drivers and so on. Among these, the Trojan might have opened itself and therefore it cannot be deleted! When in Safe Mode the only processes that run are the processes that are needed for the computer to be functional.
Now I think everything is described very well. Except of course the most important...
--------------Shorter version:------------------
It was actually luck that made me discover this... Well, I was in Notepad. I hope that's what it is called... It's that very, very little, ridiculous writing program that comes with almost all computers. Then I found out that if you look in the menu File and then Open... you can find the virus there! I could not delete or copy it, BUT I could cut it! I created a new directory on the desktop, and dropped the infected dll file there. Then to be able to delete it I went to Safe Mode and there I threw the directory in the bin, emptied it and SLAM! It was out... So: if luck is with you try doing this:
1. Open Notepad.
2. Find your infected file in 'Open...'
3. Put it in a new directory on the desktop.
4. Go to Safe Mode (restart, hold F8 on second screen).
5. Drag the directory to the recycle bin.
6. Empty the bin.
7. Hope for the best... Luck to you all!
Asger 15, Denmark ~

My computer was doing the same thing; my culprit file was WINDOWS/SYSTEM32/logoo.dll.
I still can't locate the file even after turning off the system restore & going through all the suggestions above. I did remove AVG & the virus message stopped & I could use my PC without the dreaded blue screen. It still tries to hijack me to about.com, but SpySweeper catches that & gives me a choice, & my task menu did the same thing as Response 30's: it went to one page & it looks odd. I reloaded a new download of AVG & guess what, the blue screen came right back, so I un-installed that. Is anyone having any luck with getting their PC back to normal? The most tragic part is all of my games that came with the computer are gone. No FreeCell.... I would appreciate any help & not just for the games, seriously. :-)

Hi Sue!
It might sound silly and it's even sillier if it doesn't work, but have you tried finding it in Notepad? If yes, maybe you didn't type in "Show all files" as I forgot to mention in my long story above... I think that the reason why Notepad should be able to find the infected file is that Notepad mostly is used by advanced programmers to correct files... What I mean is that Notepad can open all files as a text document, dll too, so it has to show itself in Notepad! (It did for me; so I just hope it will do so elsewhere.) And then you should have the possibility to right-click on it & move it! You can't delete it just yet because it's open somewhere else, so just move it to some new folder... Then read above and follow the instructions!
If it works, don't be confused if your browser still goes to about:blank/about.com or whatever... I'm quite sure that's a spybot problem. Not that it doesn't matter; you will need to get a spy-remover... Try Lavasoft's Ad-Aware! It's great... And as they say: always update frequently!
Jack Sparrow ~

I tried opening it with the notepad & didn't find it. I did find a place to unclick that I wanted my home page to be about.com, but I'm sure that will keep popping up. I really liked AVG & thought they did a super job till now. Did anyone have any luck with the new file from AVG? I tried to put the new updates in, & it worked for a little while & then the blue screen came back on after I restarted. My system does seem to be running faster, but since I'm still getting the about.com hijacking, something is still wrong. I did try the CWShredder, but it didn't find anything. McAfee isn't finding anything, but I haven't tried Lavasoft yet. Thanks again for any suggestions. sue

Hey Folks.....
Same problem here... I have progressed to the point where I no longer get the annoying message telling me that there is a virus... I also have found the infected file, renamed it and placed it on my desktop. Of course it refuses to go into the Recycle Bin... I have also deleted AVG from my desktop. I personally think that this is a cheap advertising stunt by the AVG people... They infect computers, then when you do an internet search, they are the first people you see.......... I think they are trying to publicize their anti-virus software by spreading this Trojan thing.... so that all who have never heard of AVG now know that they exist....... But I hope that the massive inconvenience they are putting us through will backfire in their faces........

In case it interests anyone, I'm using Windows 98 SE and AVG quite gracefully moved the infected file "c:\windows\system\com.dll" (backdoor.agent.ba) to the virus vault. I'm not sure if that move was decisive though.
However, I still do believe in this being the fault of AVG because I haven't seen any symptoms or evidence of this virus until having installed the AVG update. I confirmed that the creation date of the virus-infected files matches the date when I updated AVG (yesterday). I'd like to know if anyone else remembers if the symptoms of the virus began shortly after their update of AVG, and if they could compare the creation date of the virus-infected files against the date of their AVG update. Thanks,
-brian

Tried this once, so if I have two posts, I apologize.
First..... thank you, thank you, thank you, Jack Sparrow!!! Found my file... combdee.dll in Notepad, just like you said. I did have to rename it to move it to a new desktop folder, then restarted in Safe Mode, dragged it to the recycle bin and voilà!!! It's gone!!! After about two miserable weeks of trying to get rid of it!
The only problem I have now is getting rid of AVG... when I tried (still in Safe Mode), it reminded me that I have viruses in the vault and did I want to run something (wasn't paying too much attention so I can't recall what exactly it was). I got an hourglass and the uninstaller just seemed to freeze, so I had to manually turn the computer off and start it over. How might I get rid of AVG AND the viruses residing in its vault?
To those of you asking if this virus came with an AVG update, mine did not. I thought I was installing something like Shockwave, breaking my rule to never, EVER download anything I'm not sure of, and within minutes got about a dozen trojan horse viruses. With AVG I was able to vault all but the backdoor virus, but I have to assume it came with the flashtalk thing.
Again, Jack Sparrow..... THANK YOU!!! It's so nice to find an EASY solution to one of my computer problems for a change!!!

My thanks to BigKev, response #29. I was having the same probs as you all, just the file name was sqldn.dll, and this file was not viewable on the system even when AVG was uninstalled. Had taken the hard drive out of the system, set up a new drive with a fresh copy of WinXP and installed AVG with the latest updates and scanned the system. No virus, so it does not come from AVG as has been suggested here. Then plugged the infected hard drive in as a slave to the new one and bingo, there was the file sqldn.dll residing in the D:\windows\system32 directory. I thought great, now I can see you I can toast you, but the tricky little sod had more up its sleeve than I thought. I still could not move it, delete it or open it with Notepad. Had looked at its security options while in safe mode but all options were greyed out, so was trawling through all of the messages again and found BigKev's one about changing your permissions etc. etc. and followed them. Hey presto, now I could move the SOB and toast it to HELL and back. Thanks BigKev, it had me beat and that hasn't happened in a while, so as the saying goes, you are never too old to learn a new trick!!

Hey Guys, Gals. Had this little bug yesterday. And yeah it's nasty. Smart too. Will effectively block downloads of updates to known antivirus sites, went through four of 'em before ending up at my first choice all along. I notice all or most of you are using AVG. I too had the virus laughing in my face with AVG. Remember it's smart. Crashed four AVs, changed its name, and hid itself in safe mode. First run Adaware from www.lavasoft.com. After removing whatever Adaware finds, go to www.free-av.com and download AntiVir XP. It's a German company that puts out a free antivirus. IT WORKS GREAT. Will never use bloated Norton or McAfee again. Run it. The scan will pick up the tr.backdoor.BA variant immediately as it is an active process and squash it. If it can't remove it, it will tell you exactly where it is hiding. Grab a copy of CWS Shredder and HijackThis from merijn. Both can be found through www.majorgeeks.com, as if you are infected with a CoolWebSearch variant it blocks the download from the home site. Run both programs, CWS first. Run HijackThis and remove the entries in the HKLM series of home pages that are noticeably jacked and especially the about:blank entry. It's different for everyone's machine but you'll know which is which. The main ingredient is the AntiVir XP. Love this program and am sure you will too. Tell me how it works.

The Jack Sparrow / Asger method of using Notepad to actually see the .dll worked perfectly for my pc running XP Home edition.
Thanks for your help

This little monster had me in a pickle, but I managed to get rid of it. Use AVG to identify the file (I found it in windows\system32), drag the file onto the desktop, go into My Computer properties and disable System Restore, go back to the infected file, right click, Properties, rename the file (I chose backdoor.agent.ba), leave the window open, right click the infected file and delete, then close the window, open the Recycle Bin and empty it, enable System Restore and restart your computer. I do hope it works for you. Best of luck, Bob.

Hello, Here Jacques from France,
Like you I have on my PC BackDoor.Agent.BA.
I've XP Pro on my PC. I've identified in c:\windows\system32 the bad dll file, and I've renamed it under another name.
I can move it on the C: drive, but not move it to another disc (D:).
I cannot change its rights! (read only). I cannot delete it! I tested all the advice which I found on this forum but nothing works!
I have even created a bootable Linux CD-ROM (Knoppix 3.2). I start my PC directly under Linux (Windows XP Pro is not launched)! But I never can change its rights (chmod or chown) and delete it!!! It's incredible! What is this junk! I removed Adware 6.0 and my PC works normally, but I cannot kill this file. If somebody has an idea, without formatting the disk!
Thank you!
Jacques

hi my friend, i know how to fix your problem because i was infected with the same virus: backdoor.agent.ba
Antivirus scanners do detect it but don't delete or repair it. First of all I have got good and bad news for you.
To get rid of the virus you need to reformat your hard drive, if you can't use your computer, which means you will have to delete all your data on the hard disk.
If you can use your computer then save all your data to a CD or whatever you want to save to, then reformat your hard disk. To reformat (or reload Windows) your hard drive you need a Windows reinstallation CD. It is also called a restoration CD.
It normally comes with the computer in the box. Find it if you didn't know about it. If you don't have that CD, just like me, then you have to phone the computer shop that you bought your computer from and tell them about the problem (if you have a guarantee). This virus almost destroyed my computer. I couldn't open my computer and it kept shutting down non-stop when I tried to open it. I then took my PC to a friend just around our street who sometimes works in an internet cafe fixing computer problems. Since I didn't have my CD, he reformatted my hard drive and fixed the problem.
Save your data and reformat the hard drive, reload Windows. By the way, you are lucky that I surfed the internet just to help people with this problem, and you are the one who hit the jackpot.
Also, after you fix the problem go to Start - All Programs - Windows Update and download all the critical updates, or go to microsoft.com and find the critical updates.
After reinstallation go to Accessories - Accessibility - Communication - New Connection Wizard, then establish an internet connection with your internet connection phone number if you are using a dial-up connection.
adios amigos

SOLUTION
The problem -
I had a variant of this one (win.dll) that couldn't be moved, deleted, or renamed. It wouldn't show up in safe mode, yet I couldn't overwrite it. The registry values couldn't be deleted. The problem is that it's being loaded constantly.
The solution -
Open regedit (go to Start->Run, then type regedit and hit enter), then open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, and then rename that Windows folder to Windows2. Delete the entry with the name AppInit_DLLs, and then rename Windows2 back to Windows. You will notice that the key is deleted and won't come back. Now restart your computer. Your antivirus program (I used Norton AntiVirus) should detect the file now if it has an auto protect feature. If it does not, run a virus scan in the C:\WINDOWS folder. This should permanently destroy that tricky SOB.
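The post above works because AppInit_DLLs is a load point: every DLL named in that value is mapped into each process that loads user32.dll, which is why the file is always "in use" and why Safe Mode does not help. The script below is an added example (not from this thread or any poster) that audits that value from a defender's side rather than editing it blind: it lists each DLL the value names, whether the file exists, its attributes, its Authenticode status and its SHA256, so an unfamiliar or unsigned entry in System32 stands out. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; the function name Get-AppInitDllReport is my own.

```powershell
# Added example, not from the thread: audit the AppInit_DLLs load point that
# the SOLUTION post edits, and report what each listed DLL actually is.
# Assumes Windows PowerShell 4.0+ (Get-FileHash), run from an elevated prompt.

function Get-AppInitDllReport {
    # Native view, plus the 32-bit (WOW6432Node) view on 64-bit Windows.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        $list  = [string]$props.AppInit_DLLs

        # LoadAppInit_DLLs exists on Vista and later; on XP the list is loaded unconditionally.
        $load = if ($null -ne $props.LoadAppInit_DLLs) { [int]$props.LoadAppInit_DLLs }
                else { 'n/a (XP: always loaded)' }

        if ([string]::IsNullOrWhiteSpace($list)) {
            [pscustomobject]@{ Key = $key; LoadAppInit_DLLs = $load; Dll = '<none>';
                               Path = $null; Exists = $null; Attributes = $null;
                               Signature = $null; SHA256 = $null }
            continue
        }

        # The value is a list of DLL names separated by spaces or commas.
        foreach ($name in ($list -split '[ ,]+' | Where-Object { $_ })) {
            # A bare file name is loaded from System32; a rooted path is used as given.
            $path = if ([System.IO.Path]::IsPathRooted($name)) { $name }
                    else { Join-Path $env:SystemRoot "System32\$name" }
            $exists = Test-Path -LiteralPath $path
            [pscustomobject]@{
                Key              = $key
                LoadAppInit_DLLs = $load
                Dll              = $name
                Path             = $path
                Exists           = $exists
                # -Force so hidden/system files (the +H+S trick from this thread) still show.
                Attributes       = if ($exists) { (Get-Item -LiteralPath $path -Force).Attributes } else { $null }
                Signature        = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { $null }
                SHA256           = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}

Get-AppInitDllReport | Format-List
```

On a clean XP machine the value is normally empty, so any entry at all deserves a look; a DLL that exists, is unsigned and sits in System32 under a name nothing else references is the pattern the posts in this thread describe. On Windows 7 and later LoadAppInit_DLLs defaults to 0, and on Windows 8 and later with Secure Boot enabled the loader ignores the value entirely, so a populated list on a modern machine is itself a finding.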

Well, here's my story.
FIRST: I wish I had read the last post in this thread first. My analytical mind caused me to go through the suggestions in order and believe me I tried every trick listed here before the last one which worked! Aero (Post #55) had the correct fix.
SECOND: NEVER format your hard drive unless you have done everything else you can and have spoken with an expert. Hackers are ingenious, but there aren't very many bugs out there that can't be fixed. It just might take time for a fix to be released. Especially on Trojan Horses.
THIRD: Deleting your AV program, or a program that notifies you that you have a virus that no other program recognizes, is a dumb idea. The virus hasn't gone away, you've just deleted the only program that's telling you it's there.
Now, for those of you who care:
I first became aware of the trojan when Norton told me that it had detected the backdoor.trojan virus but was unable to correct it. When I closed that window a second alert popped up saying that Norton could not delete the file ctl.dll. This was an endless loop. I had to use Task Manager to close the Norton windows, which closed Auto Protect and relinquished the windows. Whenever I re-enabled Auto Protect, or re-booted, the warnings came back and I could not close the windows without the three-finger salute.
I attempted updating Windows and Norton. I scanned with Norton but it did not detect any viruses. I had Spybot Search & Destroy on my 'puter, so I scanned with it. It i.d.'d several signatures and corrected those. It did not fix the problem, however.
I found the file ctl.dll, but was unable to delete, rename or move it at all, as was noted in some of the previous posts. I could not see it in safe mode. While in Safe Mode, I tried to copy another benign dll file and rename it ctl.dll with the intent of making it a +R+S+A+H file, but, even though I could not see ctl.dll, Windows would not let me rename the new file as it said that a file with that name already existed.
I downloaded four AV and Spy Killer programs in addition to the three or four I already had and nothing worked.
To make a very long story short, I did try everything here. Nothing worked. Norton's site was useless and their suggestion did not work.
Two-and-a-half days later, my system is squeaky clean and virus free.
Thanks Aero!

For those of you that have Norton, they now have a fix for this, and it works well. It is an update to the software with autoupdate. Run the antivirus and it is gone. I did get rid of AVG and all its parts but could not take control of the infected part (could not make it something other than a dll, therefore in use and not deletable). Now that that is fixed, how do I get my Task Manager back to the way it should be? Thanks for all the help.

When you find the dll in question (in System32) just right click on the file. You will see as one of the choices Delete file(s) on the next boot. Click on that choice and restart your computer. So far, this has deleted the NAV alert that previously would not go away!

Most variants of Backdoor.Trojan will not delete, even if you delete on the next boot.
I still find it odd that Norton could not fix this originally. This might possibly suggest that the variants that it could not detect are fairly new, but it's good to see that Norton finally has a fix on this.
For those of you who don't have Norton, the best method so far is post #55.

I used the fix from Post #55, but the NAV alert pop-up still came back. Then I used the method (from my Post #58) to finally get rid of the thing. So far, it is still GONE!

ARRRGGGHHH!!!!
Okay, I feel rather alone here. I've been researching this problem for three days, so I'm not some ignorant idiot here.
Before I get into my unique problem (which has to do with this virus... but with a twist), I want to inform you that I've tried every available solution at this point (scan by NAV, scan by at least three non-NAV website virus scanners, HijackThis, CWS Shredder, Adaware, Spybot, Spysweeper). I've also dabbled heavily with editing my registry.
The problem is my registry doesn't contain anything like AppInit_DLLs or the (virus file).dll!! That's right, I did a search of kbdifac.dll (which is the infected file) and couldn't find it in any key value or data! Every time I go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (from Aero's post) I find absolutely no value or data that contains the file name (kbdifac.dll) or AppInit.dll!
I've also gone to alternative locations, such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but there's nothing there of what I'm looking for.
Believe me, I've done multiple searches for the infected file and the AppInit_DLLs using variable names but I must profess that they are simply NOT in my registry.
I feel like I've exhausted my search and that my options have run out. And because none of the listed solutions seem applicable for me, I feel so alone and defeated.
Any extra advice would be nice.
By the way, I use XP Home.

If you can locate the file, this free software is worth a try: http://www.snapfiles.com/get/moveonboot.html
It lets you delete files on the next boot.
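"Delete on next boot" tools such as the one linked above, and the shell-extension choice mentioned in an earlier post, all rely on the same Windows mechanism: a queued rename or delete is written to the PendingFileRenameOperations value under Session Manager, and the kernel applies it early in the next start, before the DLL can be loaded again. The script below is an added example (not from this thread or the linked tool) that reads that queue so you can confirm a deletion was actually recorded before rebooting, and shows how to queue one yourself through the same MoveFileEx call. It assumes Windows PowerShell 3.0 or later; queuing needs an elevated prompt, reading does not. The function names and the C:\PLACEHOLDER path are my own.

```powershell
# Added example, not from the thread: inspect and use the "delete on next boot"
# queue (PendingFileRenameOperations) that MoveOnBoot-style tools rely on.
# Assumes Windows PowerShell 3.0+; Add-PendingDelete must run elevated.

function Get-PendingFileRenames {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $raw = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return }    # nothing queued for the next boot

    # REG_MULTI_SZ of pairs: source path, then target path. An empty target means
    # "delete the source"; a leading "!" on the target means "overwrite if it exists".
    for ($i = 0; $i + 1 -lt $raw.Count; $i += 2) {
        $src = $raw[$i]   -replace '^\\\?\?\\', ''      # strip the \??\ NT prefix
        $dst = $raw[$i + 1]
        $replace = $dst.StartsWith('!')
        $dst = $dst.TrimStart('!') -replace '^\\\?\?\\', ''
        [pscustomobject]@{
            Operation    = if ($dst -eq '') { 'Delete' } else { 'Rename' }
            Source       = $src
            Target       = $dst
            Overwrite    = $replace
            SourceExists = Test-Path -LiteralPath $src
        }
    }
}

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (0x4) is the documented API behind
# these tools; passing $null as the new name queues a deletion.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Add-PendingDelete {
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    $ok = [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for '$Path' (Win32 error $err)"
    }
    # Re-read the queue so the caller can see the entry was recorded.
    Get-PendingFileRenames | Where-Object { $_.Source -eq $Path }
}

# Usage: queue a file for deletion, then list everything waiting for the next boot.
# The path is a placeholder; substitute the DLL your scanner reported.
# Add-PendingDelete -Path 'C:\PLACEHOLDER\suspect.dll'
Get-PendingFileRenames | Format-Table -AutoSize
```

If Get-PendingFileRenames shows the entry with Operation = Delete and the file is still there after the reboot, something re-created it during startup, which points back at a load point such as AppInit_DLLs rather than at the file itself. The queue is also worth reading on any machine you are cleaning, since it is a place where a pending overwrite of a system file can be parked until the next restart.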

I will try that snap files thingie in a couple hours. Looks promising.
The problem seems to be just an infected dll file and not the registry.
Thank you.

Thank you, Architect. Response 50 did the trick for me after many hours of frustration. Antivir XP also cleaned up the hijacked homepage without having to resort to CWS Shredder and Hijackthis. Thanks again.

Update: Well, I've determined that the reason I can't remove the virus is because it has infected an encrypted file (kbdifac.dll), and those are impossible to delete by MoveOn or AntiVir.
I really appreciate your suggestions...
Since the virus hasn't affected my registry, I think I'll just try to live with it (or reinstall Windows XP).

Thanks Aero, response 55 was the answer to my problem. Tried everything I knew and everything else on this page and finally yours was the answer. You da bomb!
The virus won't show up in the registry until it attempts to run itself, then you can make the changes Aero suggests. It worked for me.
HankV

I do not know too much about this web site but I sure would like to know who posted #55. I would like to thank that person for that post and personally thank he/she for that post. I don't think I have the words to express my thankfulness!!! Whoever you are, you are a GENIUS.
