Re: Can't get rid of Trojan horse Backdoor

From: BH2 (NOSPAMfurness50_at_hotmail.com)
Date: 11/17/04 

Date: Wed, 17 Nov 2004 19:17:45 +0800

Thanks for all your help I do appreciate it thankyou
Bob H

"Jim Byrd" <jrbyrd@spamlessadelphia.net> wrote in message
news:u$g8wxmyEHA.2568@TK2MSFTNGP11.phx.gbl...
> Hi Bob - Here's what I would suggest that you try. Use the Clean Boot
> approach and then do the following in order - read carefully first. Note
> the file deletion tools, particularly Delete Invalid File at the
> end,
> if the AV's can't remove it and/or you have problems doing so manually:
>
> #########IMPORTANT#########
> Before you try to remove spyware using any of the programs below, download
> both a copy of LSPFIX here:
>
> http://www.cexx.org/lspfix.htm
>
> AND a copy of Winsockfix for W95, W98, and ME
> http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
> Directions here: http://www.tacktech.com/display.cfm?ttid=257
>
> or here for Win2k/XP
> http://files.webattack.com/localdl834/WinsockxpFix.exe
> Info here: http://www.spychecker.com/program/winsockxpfix.html
> Directions here: http://www.iup.edu/house/resnet/winfix.shtm
>
>
> The process of removing certain malware may kill your internet connection.
> If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable
> you
> to regain your connection.
>
> NOTE: It is reported that in XP SP2, the command netsh winsock reset
> will fix this problem without the need for these programs. (You can also
> try this if you're on XP SP1. There has also been one, as yet
> unconfirmed,
> report that this also works there.) Also, one MS technician suggested the
> following sequence:
>
> netsh int reset all
> ipconfig /flushdns
>
> See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2
> info/approaches using the netsh command.
> #########IMPORTANT#########
>
>
>
>
> #########IMPORTANT#########
> Show hidden files and run all of the following removal tools from Safe
> mode
> or a "Clean Boot" when possible. Reboot and test if the malware is fixed
> after using each tool.
> HOW TO Enable Hidden Files
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
>
> Clean Boot: 1. Start|Run enter msconfig.
> 2. In the Startup tab, click the "Disable All" button.
> 3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
> and then click the "Disable All" button.
> 4. Click OK and then reboot.
> #########IMPORTANT#########
>
>
> Download and run Stinger.exe, here:
> http://download.nai.com/products/mcafee-avert/stinger.exe or from the
> link
> on this page: http://vil.nai.com/vil/stinger/ ME/XP users be sure to
> read:
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
>
>
> Download sysclean.com , from Trend Micro, here:
> http://www.trendmicro.com/download/dcs.asp along with the latest pattern
> file, here: http://www.trendmicro.com/download/pattern.asp Be sure to
> read
> the "How-to" info here:
> http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also
> want
> to get Art's updater, SYS-UP.Zip, here for future updating of these:
> http://home.epix.net/~artnpeg/). (If you download and use the updater
> from
> the beginning, it will automatically handle downloading the other files.
> This is my Recommended approach.) Place them in a dedicated folder (or
> use
> the updater from one) after appropriate unzipping. Show hidden and system
> files (HowTo here:
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
> Disable Restore if you're on XP or ME (directions here:
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to
> Safe mode (HowTo here:
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
> Read tscreadme.txt carefully, then do a complete scan of your system
> in Safe mode and clean or delete anything it finds. Reboot to normal mode
> and re-run the scan again.
>
> This scan may take a long time, as Sysclean is VERY extensive and
> thorough.
> For example, one user reported that Sysclean found 69 hits that an
> immediately prior Norton AV v. 11.0.2.4 run had missed.
>
>
>
> Sometimes these tools will find files which they are unable to delete
> because they are in use. A program called Copylock, here,
> http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
> "replacing, moving, renaming or deleting one or many files which are
> currently in use (e.g. system files like comctl32.dll, or virus/trojan
> files.)" Another is Killbox, here:
> http://www.downloads.subratam.org/KillBox.zip
> A third which is a bit different but often useful is Delete Invalid File,
> here: http://www.purgeie.com/delinv.htm which handles invalid/UNC
> file/folder name deleting, rather than the in use problem
>
> --
> Please respond in the same thread.
> Regards, Jim Byrd, MS-MVP
>
>
>
> In news:OGrRNojyEHA.4004@tk2msftngp13.phx.gbl,
> BH2 <NOSPAMfurness50@hotmail.com> typed:
>> Jim,
>> Will give that a try, so far all I ever get is that the file cannot be
>> accessed, looks like I may have to format the drive to get rid of it.
>> What will Happen it I just delete the infected file ?,
>> (C\WINDOWS\system32\d3dcfo.dll) that is if it lets me !!
>> regards
>> Bob H
>>
>> "Jim Byrd" <jrbyrd@spamlessadelphia.net> wrote in message
>> news:%23iI2X1eyEHA.2804@TK2MSFTNGP15.phx.gbl...
>>> Hi BH2 - To suppliment what David said, you can also try a "Clean
>>> Boot" approach:
>>>
>>> Clean Boot:
>>>
>>> 1. Start|Run enter msconfig.
>>> 2. In the Startup tab, click the "Disable All" button.
>>> 3. In the Services tab, check the "Hide All Microsoft Services"
>>> checkbox, and then click the "Disable All" button.
>>> 4. Click OK and then reboot.
>>>
>>>
>>> --
>>> Please respond in the same thread.
>>> Regards, Jim Byrd, MS-MVP
>>>
>>>
>>>
>>> In news:OlJCwsdyEHA.3376@TK2MSFTNGP12.phx.gbl,
>>> BH2 <NOSPAMfurness50@hotmail.com> typed:
>>>> For some reason it won't let me start the computer in the safe mode,
>>>> I go to and accept the safe mode, It also load some drivers and
>>>> shows them in text what it is loading, then just stops with a
>>>> blank screen. Regards
>>>> Bob
>>>>
>>>> "BH2" <NOSPAMfurness50@hotmail.com> wrote in message
>>>> news:OMz3ocWyEHA.260@TK2MSFTNGP10.phx.gbl...
>>>>> Hi,
>>>>> I need some help please. I run AVG virus checker, it has picked
>>>>> up a Trojan
>>>>> horse in C\WINDOWS\system32\d3dcfo.dll Trojan
>>>>> horse.Backdoor.agent.BA. AVG
>>>>> has detected the virus, but it will not delete or rename it or
>>>>> isolate it.
>>>>> I downloaded the AVG cleaner but can't get into the safe mode to
>>>>> run it. Everytime I open any program the AVG splash screen comes
>>>>> up and tells me about the virus and where it is.
>>>>> Would appreciate any help in getting rid of it, it is driving me
>>>>> nuts. Also because I am infected does this mean that AVG is not
>>>>> very good. Thanks for any help
>>>>> Regards
>>>>> Bob H
>