Trojan Virus

Status
Not open for further replies.

sillygirl

Posts: 13   +0
Help!

I've contracted a virus and can't seem to do anything with it. It is called backdoor.trojan and it references file name msb.dll in the windows\system32 folder. A Symantec alert pops up periodically to let me know it's there but it can't be cleaned or quarantined.

I've tried to follow the instructions for manually removing it (disabling system restore, boot up in safe mode, run virus scan, etc.). I can't find any references to the virus when doing this.

Any suggestions?

Thanks,
Kim

PS I'm running Windows XP Professional
 
Welcome to TechSpot Forums

Boot to Recovery Console and delete the file from there.

It might be hidden / system attributes set, and if you're using NTFS, you might not have ownership to it, that's why AV software won't delete it.

In addition, thanks to the way the operating system is designed, you can't delete files that are in use :rolleyes:
 
If you are using Norton Anti-Virus, try Updating your virus definitions, rebooting into safe mode, and rerunning the scan.

For a backdoor.trojan type "virus" you might try Spybot S&D 1.3. Get the most recent spyware definitions, it might be able to remove that for you.

This being said, I generally recommend reinstalling the operating system after a trojan has been installed. While you might remove the original trojan, this doesn't mean you've removed ALL trojans- many trojan users will first infect you with an obvious trojan, then use that hole to upload their own "homegrown" trojans that may, or may not, be detected. From a security standpoint, it's a nightmare- back up your data, reinstall, and patch your machine back up again.

When I get the chance later on tonight, I will try to research that particular file for you and let you know of anything I find.

Hope this helps!
 
trojan

Thanks Goalie -

I've already taken all the steps that you outline. The next step I will take will be to log into the Windows Recovery Console and see if it can be resolved from there. I have received 2 responses (one here - one elsewhere) advising this "fix." Hopefully it will do the trick.......

If you find additional info, please let me know

Kim
 
Just to clarify- is this file msb.dll or msbb.dll? I see only one hit on the first, but quite a few on the second..

If the above solution didn't work for you, I'll keep on it.
 
Hi Goalie -

Definitely msb.dll - the Symantec message pops up every time I boot up - this particular file name is burned in my brain now. We haven't been able to try the recovery console thing yet. The laptop is company issued and an administrator's password has been set up. We are going back and forth now as to whether they are going to give me the password or if I have to ship it up to be fixed.

It's beyond me why they would limit access with viruses being so rampant these days.....

Thanks,
Kim
 
in regards to msb.dll

http://www.computercops.biz/postp229922.html

Is the link I found googling to it. It has some pseudo-directions for fixing it which involve mucking around in the registry. Not for the meek.

It mentions CoolWebSearch.. you might look for CoolWebShredder and try it. I've never used the file myself, but I hear it's good for dealing with that nasty spyware.

Hope this helps.
 
Thanks Goalie:

I'll let you know how everything turns out.

Kim

PS We have used cwshredder - it does work, but when you hit an infected site, your browser gets hijacked again. Sometimes it gets the whole thing, sometimes it just picks up the search. We end up running this a couple of times a week, it seems.
 
I'd suggest getting Spybot S&D 1.3 for that- the teatimer in it means you know EVERY program that tries to modify the registry, and you can stop it before it happens (unexpected activity)

Yeah, revisiting websites and getting it when you didn't know is a pain.

Perhaps time to try Mozilla Firefox? :grinthumb
 
Trojan Virus msb.dll

Hey you guys:

Problem solved. After a little snooping around, I found thru the administrative tools that the IT guys had disabled recovery console access. I simply enabled it, booted from CD to recovery console and was able to access, rename and modify the registry entries and then delete the offending file. Heh, heh - now I don't have to ship my computer anywhere....

Thanks for everyone's help.

Kim
 
Thanks Brown Paper -

Believe it or not, I use all three of those - adaware, spybot and most recently Spyware blaster. Since I was finally able to delete the file, I haven't had anymore problems.

Kim
 