Trojan Horse: BackDoor.Agent.BA

Original Message
Name: bobthekillerzebra
Date: June 12, 2004 at 15:46:25 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
OS: Win XP Pro
CPU/Ram: Athlon 750Mhz/256 PC133
Comment:

Hello everyone, I could use a little help with this please.

Recently, a system on my network was infected with this trojan, BackDoor.Agent.BA.

AVG Antivirus found the virus on bootup, so I ran a complete scan. AVG did indeed find it, however it could not remove it.

Here is the message AVG displays:

*******************

Virus
Trojan horse BackDoor.Agent.BA

is found in file
C:\WINDOWS\system32\wincela.dll

**********************

I've tried running AVG and Norton AV 2004 on the same machine, both in normal and in safe mode. I've also tried several trojan removal tools and Kaspersky's BackDoor.Agent.AC removal tool. This tool does locate the trojan and, at the end of the scan cycle, says the file will be removed at next reboot. However, the file remains.

Another strange thing is the file wincela.dll only appears in normal mode. In safe mode, the file is nowhere to be found.

If anyone has any clues or information on this virus, I would appreciate it!


Response Number 1
Name: Thresher
Date: June 12, 2004 at 16:33:35 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

The file remains in your System Restore files, which you must disable. Read and do:

Disabling system restore in Win Xp
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?Open&src=sec_doc_nam&docid=2001111912274039&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl

Also read:

XP resource info:

www.blackviper.com

http://grc.com/dos/xpsummary.htm

http://www.annoyances.org/exec/forum/winxp

Also read:

http://grc.com/freepopular.htm

"XPdite" actually read the whole site.

Get a free browser check at:
Jason’s Browser Security Test:

http://www.jasons-toolbox.com/BrowserSecurity/

If problem persists try here:

http://www.pcguide.com/vb/forumdisplay.php?s=&forumid=34

Thresher


Response Number 2
Name: bobthekillerzebra
Date: June 12, 2004 at 22:21:52 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Thanks for the info Thresher! Some of it came in handy in slaying this beast! :)


Response Number 3
Name: murve
Date: June 13, 2004 at 08:38:44 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

hi joe,
joe, anti-virus software sometimes cannot delete trojans as they don't have anti-trojan engines. the only one i can think of is Kaspersky Labs.
try this:
disable your system restore, this will flush out your system as the trojan is in your restore folder. then get your latest virus defs, also your adaware and spybot defs. if you don't have an anti-trojan go to www.thepublicworks.com, free anti-trojan, link to Ants for Free A Squared, download it and get the latest defs. once done reboot into safe mode and scan your computer with your anti virus, trojan, adaware and spybot, delete all files that they find. clean your temp internet files, your temp files, history folder, and cookie folder as well as your recycle bin.
reboot to normal mode and re-enable your system restore.
all the best,
murve



Response Number 4
Name: Ochiali
Date: June 14, 2004 at 16:48:55 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Hello,

Thanks a lot for your advice; that's (finally) OK for me. But...
...since this is the only place where anyone is talking about this damn thing, I'm thinking of our non-English-speaking friends, and I am translating and summarising all this sound advice.

1) There are strange correlations between AVG and this damn thing. Only AVG recognises it, and yet it does not appear in AVG's list of known viruses... while only those who use AVG Free Edition get stuck with it!

2) Start by disabling System Restore (right-click My Computer / Properties / System Restore). That is where the surprise file hides.

3) Then ask Windows again to search for the nasty file that does not want to show itself (something like C:\Windows\system32\saloperie.dll), which normally appears at last.

4) Drag the file to the desktop (right-click the file, hold the button down and move it out of the window onto the desktop).

5) And if at that point, even after trying to rename it or to clear the read-only flag (right-click, Properties), it still will not let itself be dragged to the Recycle Bin, well, the only thing left is to uninstall AVG (go to the Control Panel) and reboot the machine; and then, as if by miracle, the file lets itself be dragged, and poof, empty the Recycle Bin.

There you go....



Response Number 5
Name: coqui
Date: June 15, 2004 at 00:06:47 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

did it finally clear?

John


Response Number 6
Name: Potinardi
Date: June 15, 2004 at 10:18:45 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Hello, I'm having the same problem. Can someone translate some of the solutions to Spanish, please... All the technical words are very difficult for me to understand.
I'll appreciate your help

Thanks a lot

Mer


Response Number 7
Name: curriejosh
Date: June 15, 2004 at 14:14:39 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Yeah, I'm having the same problem, apart from it says the trojan is in windows\system32\hlpmfmf.dll,
but I've looked and there is no file called this. I've tried booting off a DOS disk but it just says there isn't a file.
Any help?


Response Number 8
Name: BigKev123
Date: June 16, 2004 at 15:27:03 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

How to remove backdoor.agent.ba;

1) disable restore, flush ie cache, temp files etc
-restart
2) logon as administrator
3) goto control panel/administrative tools/local security settings/security options,
change to classic - local users ...
4a) find the infected .dll file, right click, properties, security, advanced, owner
4b) set the owner to administrators.
4c) ok-ok-ok-ok etc. until the properties window is closed
4d) right click file again, properties, security
4e) give full control to administrator (tick all "allow" boxes)
4f) close properties box (with ok, not cancel)
5) move the f***en SOB to the desktop then nuke it to hell (or just delete it)

run regedit and search and delete any entries related to the virus infected .dll

done.


Response Number 9
Name: BigKev123
Date: June 16, 2004 at 15:31:10 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

oops,

"goto control panel/administrative tools/local security settings/security options,
change to classic - local users ..."

should have been

goto control panel/administrative tools/local security settings/security options, network access: sharing and security model for local accounts,
change to classic - local users ...


Response Number 10
Name: bhimani
Date: June 16, 2004 at 20:34:53 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Thanks Big Kev, this worked like a charm. Should I re-enable restore?


Response Number 11
Name: michaelthegreat
Date: June 18, 2004 at 15:07:35 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Hey bigkev, I can't find 'local security settings' under 'administrative tools'. If you could help me to find this, that would be great because I want to get rid of this thing as fast as I can.


Response Number 12
Name: swsze
Date: June 20, 2004 at 06:41:06 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

i also got the virus "Trojan Horse: BackDoor.Agent.BA", the infected file is
C:\WINDOWS\system32\res.dll
i tried the above method, but i cannot find that file. now i can only use safe mode, can anybody help?


Response Number 13
Name: me109g14
Date: June 23, 2004 at 04:50:39 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

To get rid of this Horse I first disabled my system restore files and did the other things that Thresher told in his response. Then I couldn't delete the read-only virus file in \windows\system32\xxx. I tried the good old Winfile I had copied from NT4 to XP PRO and it worked. It let me handle the attributes and delete the virus file without saving it to the recycle bin.


Response Number 14
Name:
Date: June 29, 2004 at 03:40:16 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Okay.
You want the final and only fix you will ever need ?
Download "Antivir" (A free antivirus program) run a full scan and delete infected files.
It will pick it up as a startpage trojan.
That's it. This program is simply amazing and it is free.


Response Number 15
Name: scott.ward
Date: June 29, 2004 at 15:53:04 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Damn I spent 2 hrs on this bug before looking to the web for answers. I did finally get rid of it. I used a variation of Big Kev's answer above. Kudos to Kev for the idea. You can't delete it because of the user security. I copied it to the desktop and then did his owner take over and was able to delete. Thanks Big Kev...

Scott



Response Number 16
Name: this is me
Date: July 1, 2004 at 07:02:02 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

The easiest way to get rid of this pain in the butt is, in regular mode, rename the file that is in C:\windows\system32. Cut it and paste it to the desktop. Restart the computer and go to safe mode. Log on as the administrator. Go to the desktop of the username that this file is saved on and delete it.


Response Number 17
Name: forrestnjenay
Date: July 1, 2004 at 15:06:33 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

hey, so i have this trojan and i have tried some things but not the disable restore idea b/c i can't figure out how to do it on windows 2000. i looked on the net and couldn't really find it. i would really like to get rid of this so if anyone has any ideas, i would appreciate it. thank you!


Response Number 18
Name: bogeyman
Date: July 2, 2004 at 08:46:26 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

OK. Sounds good. I'm into my second day trying to clear this up. When I boot up, it appears that everything except the desktop is gone. The only way I can do anything is to run eTrust antivirus, then run the tools (Spybot, AdAware, iefix, etc.). It always comes back and I can't even get a "cmd" window to delete the dlls. Help!!!


Response Number 19
Name: billyboy
Date: July 4, 2004 at 23:13:01 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

I am having a big problem trying to delete this garbage. Trojan horse back door, it won't leave. Please help me, I am a new computer user with little PC knowledge, so I am just going to try until I get it, I guess.


Response Number 20
Name: leinbachsemperfi
Date: July 12, 2004 at 10:34:55 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

I have Big Kev's directions printed off and I have been trying for a couple of days now to get this stupid thing off my computer. It WILL NOT allow me to do it. I get all the way to the last step and it tells me access denied - file in use check the disk or whatever to overwrite bullcrap and I'm about ready to kill my computer!!! Can anyone please give me some other ideas or help or anything? It's getting to the point now where it shuts my computer down and dumps the physical memory!!!


Response Number 21
Name: yoska
Date: July 12, 2004 at 20:43:25 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

hi my friend, i know how to fix your problem because i was infected with the same virus: backdoor.agent.ba
antivirus scanners do detect it but don't delete or repair it.


First of all i have got good and bad news for you.
To get rid of the virus you need to reformat your hard drive. if you can't use your computer, that means you will have to delete all your data on the hard drive.
If you can use your computer then save all your data to a cd or whatever u want to save to, then reformat your hard disk.

To reformat (or reload windows) your hard drive you need a windows reinstallation cd. it is also called a restoration cd.
it normally comes with the computer in the box. find it if you didn't know about it. If u don't have that cd, just like me, then you have to phone the computer shop that you bought your computer from and tell them about the problem (if you have a guarantee).

this virus almost destroyed my computer. i couldn't open my computer and it kept shutting down non-stop when i tried to open it. i then took my pc to a friend just around our street who sometimes works in an internet cafe fixing computer problems. since i didn't have my cd, he reformatted my hard drive and fixed the problem.


save your data and reformat hard drive. reload windows

by the way you are lucky that i surfed the internet just to help people with this problem. and u are the one who hit the jackpot.
also after you fix the problem go to start-all programs-windows update and download all the critical updates or go to microsoft.com and find the critical updates.
after reinstallation go to accessories-accessibility-communication-new connection wizard then establish an internet connection with your internet connection phone number if u are using a dial up connection
adios amigos


Response Number 22
Name: DjM
Date: July 14, 2004 at 08:03:23 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

We are not lucky at all that you "surfed the internet" and handed us your wisdom.

DO NOT FORMAT because of this virus, it's completely unnecessary. Also, never rely on one idiot's post; if he bothered to look further up, he would see the problem is easily solved.


Response Number 23
Name: Myro
Date: July 17, 2004 at 03:52:16 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

In NOTEPAD write this:

@echo off
SET FILE=sqll

echo y | cacls c:\windows\system32\*FILE*.dll /g Everyone:f
attrib -r -s -h C:\Windows\system32\*FILE*.dll
ren C:\Windows\system32\*FILE*.dll *FILE*.old
del C:\Windows\system32\*FILE*.old

Then change the *FILE* to the filename infected and save this as REMOVE.BAT file. Run it in normal mode and the trojan BackDoor.Agent.BA is OUT.

Send me an e-mail for some questions.
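
A parameterised variant of the batch file in Response 23, added here as an example and not Myro's own script: the DLL name is passed as an argument instead of being edited into every line, access is granted to the Administrators group only rather than to Everyone, a copy is kept for analysis, and the outcome is checked. The script name, the quarantine folder and the English group name Administrators are assumptions.

```batch
@echo off
rem Added example, not the script from Response 23. Run as an administrator.
rem Usage: remove-dll.bat NAME   (NAME = base name of the flagged DLL, no ".dll")
setlocal

if "%~1"=="" goto usage
set "NAME=%~1"
set "TARGET=%SystemRoot%\system32\%NAME%.dll"
set "RENAMED=%SystemRoot%\system32\%NAME%.old"
rem Assumption: quarantine folder name chosen for this example.
set "QDIR=%SystemDrive%\quarantine"

rem "dir /a" also lists hidden and system files, which a plain "dir" skips.
dir /a /b "%TARGET%" >nul 2>&1
if errorlevel 1 goto notfound

rem /e edits the existing ACL instead of replacing it, so there is no y/n prompt.
rem Only Administrators get access; Everyone is not added to the ACL.
rem Assumption: English group name (localized Windows uses a translated name).
cacls "%TARGET%" /e /g Administrators:F
attrib -r -s -h "%TARGET%"

rem Keep a copy under a non-loadable extension for analysis or vendor submission.
if not exist "%QDIR%" md "%QDIR%"
copy /b "%TARGET%" "%QDIR%\%NAME%.dll.quarantined" >nul

rem Rename before deleting, as the original script does: a DLL held open by a
rem running process can often be renamed even when it cannot be deleted.
ren "%TARGET%" "%NAME%.old"
del /f "%RENAMED%"

rem Check the outcome instead of assuming it.
dir /a /b "%TARGET%" >nul 2>&1
if not errorlevel 1 goto stillthere
dir /a /b "%RENAMED%" >nul 2>&1
if not errorlevel 1 goto renamedonly
echo Removed: %TARGET%
exit /b 0

:usage
echo Usage: %~nx0 NAME
exit /b 1

:notfound
echo Not found: %TARGET%
exit /b 2

:stillthere
echo Could not rename or delete: %TARGET%
exit /b 3

:renamedonly
echo Renamed but not deleted: %RENAMED%
echo Reboot, then delete the .old file.
exit /b 4
```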


Response Number 24
Name: carlnunes
Date: July 19, 2004 at 01:05:06 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Remove Backdoor.agent.ba when detected by AVG antivirus

1. use Notepad to see the file where regular explorer fails to see it.

2. remember to select view all file types

3. once you see the file in the open menu drag it to desktop

4. rename file to whatever (I renamed the infected file to "a" with no file extension)

5. reboot into Safe mode with dos prompt

6. delete file (del c:\...\a)

Worked for me

Infected computer: Windows XP Home Edition


Response Number 25
Name: raygs
Date: July 19, 2004 at 09:32:55 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

To: Myro

Thank you so much....

very easy removal. I've been trying to get rid of this trojan for over a month.

thanks again

Ray


Response Number 26
Name: mike_frank_us
Date: July 19, 2004 at 22:28:36 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Take a look at your processes and you may see that the programs you are using to get this pain are what are creating it. Explorer.EXE and notepad.exe.... do you have .bak files of these? I can delete it and the next time a windows update is done the problem is back. I will reformat and restore, not because some idiot or another idiot said to but because I have already wasted so much time. All because of some idiot's lack of better or more creative outlets. This trojan seems to be nothing more than a dll shell game. Mine started as kbdo.dll...... Woopty fricken dooooo. That's to the idiot who wrote the code that wasted my time; the rest of you I wish all the best


Response Number 27
Name: maxxn88
Date: July 20, 2004 at 20:30:16 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

i can't even open notepad...i cannot get rid of this virus...can someone help me please?!?!?!

Maxx


Response Number 28
Name: Boncica
Date: July 21, 2004 at 05:52:44 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

I also have a problem with the same so-called trojan.
The infected file is c:\windows\system32\wdmmjgp.dll.
I cannot delete it or rename it.
My antivirus is Symantec Corporate Edition and it can see it but cannot clean or quarantine it. I tried other antivirus programs (in fact, all those that are available on the net and that are quoted above) but I was not able to get rid of this b---tard.
I don't want to format the disk.
I also tried all the suggestions of this forum. Any other suggestion?


Response Number 29
Name: i_can_fix_it
Date: July 23, 2004 at 08:23:22 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

I have had this virus for three weeks. I have tried every previous post and none of them worked for me. This is how I FINALLY got rid of this virus. Open Word (cause notepad would not work). Look for the file, click on it and rename it. Start windows in safe mode and delete the file. Problem solved? So far that is..

Good Luck!


Response Number 30
Name: fire 906
Date: July 24, 2004 at 20:35:57 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Need assistance....help.

Have tried Norton, AntiVir, Ad-Aware, SpyBot S&D, CWShredder, HijackThis etc. without any luck fixing or deleting this file.

system32\d3daok.dll

Have disabled system restore and restarted in safe mode then scan...no luck.

Can only locate this file in Word [NotePad will not run] but cannot delete, move, or rename. Can copy to my desktop only.

Tried Big Kev's take on fixing the problem but could not find the security setting\security options in administrative tools.

XP Home edition.

Any help or should I reformat the machine?

thanks for your time.

fire 906


Response Number 31
Name: i_can_fix_it
Date: July 25, 2004 at 08:34:01 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Once you move it to your desktop you can start your computer in safe mode and delete it?


Response Number 32
Name: fire 906
Date: July 27, 2004 at 05:50:30 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

cannot drag the file to desktop...can only copy the file to desktop.


any help?

fire 906


Response Number 33
Name: koojee
Date: July 27, 2004 at 17:15:27 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

carlnunes you are a god! drag and drop the offender to desktop worked for me, i didn't even rename it or go to dos prompt, just safe mode and deleted it off the desktop. But i had disabled all Start up items and services using msconfig first. this may be a coincidence, or the answer for others who can't do these steps


Response Number 34
Name: cant fix it
Date: July 28, 2004 at 08:27:16 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

this little bugger has really got me stuffed. It is sitting in system32\hlpmied.dll. AVG can see it but can't fix or remove it. I tried to drag and drop it from wordpad to desktop but it wouldn't let me. Now I can't open any programs, as soon as I try to do anything my system reboots itself. There is valuable info on the drive and formatting it is not an option. please help


Response Number 35
Name: misterpepper
Date: July 28, 2004 at 15:13:27 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

Working solution for all of you:
I had the same problem (backdoor agent b), tried the symantec page (the only good things in those instructions are registry cleanup and system restore off); otherwise you all have a "filename".dll file that drives you crazy.
First of all you have to remove it! The easiest way, at least to me, is:
1. turn off system restore (symantec)
2. clean up the registry keys (symantec)
3. insert windows CD rom and reboot your machine (in bios you have to set to boot from CD)
4. boot from CD and run recovery console
5. under this path C:\windows\system32 delete your "filename".dll
6. reboot and clean the registry again (using symantec instructions)
7. run full system scan and enjoy :)
Though, it seems that one registry key cannot be deleted (O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup), still couldn't figure that out! but otherwise, after this, my system was fully functional again and there was a noticeable difference in the working system after and before


Response Number 36
Name: mcfun61
Date: July 31, 2004 at 17:28:36 Pacific
Subject: Trojan Horse: BackDoor.Agent.BA
Reply:

This is one stubborn virus. I have Norton AntiVirus up to date with the restore feature turned off. Would downloading a free version of AVG help?
By adjusting my "show hidden files" and using the Notepad trick mentioned earlier, I could finally locate it. I have the "d3djceo.dll" variety. I can only find it in regular windows mode, not in Safe mode.
I sent it to the desktop and deleted it but that did not work.
Is there a step by step way of deleting it for novice computer users?

