PC Review



Backdoor.Trojan

 
 
LPV
22nd Jul 2004
A client of mine has told me he has the Backdoor.Trojan 'virus' on his
system (WinXP Home) being reported by his anti-virus program. He is using
NAV 2002 as his anti-virus program. He has told me that he has been
regularly updating NAV. I will be going to his home tomorrow (22 July) to
attempt to get things straightened out for him.

Here's my question (or questions):

1. I've Googled and visited the Symantec website to familiarize myself
about the Backdoor.Trojan 'virus'. From what I've read, it seems that
Backdoor.Trojan refers to a group (or family) of Backdoor virii. Is this
correct? Or, is there in fact a virus named Backdoor.Trojan and I'm just
too stupid to pick up on it?

2. If there is in fact a virus called Backdoor.Trojan, is there a removal
tool available? If so, does anyone know where I can dl it? I'm able to
find removal tools for other Backdoor-type virii (for example,
Backdoor.Autoupder), but can't find one for Backdoor.Trojan (which is
something which leads me to believe Backdoor.Trojan refers to a group of
Backdoor-type virii).

3. Does anyone have any suggestions/ideas that might help in cleaning this
Backdoor.Trojan?


Thanks much!

Loren


 
null@zilch.com
22nd Jul 2004
On Thu, 22 Jul 2004 13:25:10 -0500, "LPV"
<(E-Mail Removed)> wrote:

>A client of mine has told me he has the Backdoor.Trojan 'virus' on his
>system (WinXP Home) being reported by his anti-virus program. He is using
>NAV 2002 as his anti-virus program. He has told me that he has been
>regularly updating NAV. I will be going to his home tomorrow (22 July) to
>attempt to get things straightened out for him.
>
>Here's my question (or questions):
>
>1. I've Googled and visited the Symantec website to familiarize myself
>about the Backdoor.Trojan 'virus'. From what I've read, it seems that
>Backdoor.Trojan refers to a group (or family) of Backdoor virii. Is this
>correct? Or, is there in fact a virus named Backdoor.Trojan and I'm just
>too stupid to pick up on it?


Take a look at this Project VGREP hit for NAV's backdoor.trojan alert.

http://www.virusbtn.com/resources/vg...ct=11&offset=0

As you go through the various pages (1-5), (6-10) .... you'll see that
NAV does indeed produce that alert for a large number of malwares. It
very much looks like it produces that alert for spyware or adware as
well. So you don't know what you're dealing with. You'll have to scan
with Spybot and AdAware. And you might want to use at least one other
av scanner as well.


Art
http://www.epix.net/~artnpeg
 
Reg Mouatt
22nd Jul 2004
On Thu, 22 Jul 2004 13:25:10 -0500, "LPV"
<(E-Mail Removed)> wrote:

>A client of mine has told me he has the Backdoor.Trojan 'virus' on his
>system (WinXP Home) being reported by his anti-virus program. He is using
>NAV 2002 as his anti-virus program. He has told me that he has been
>regularly updating NAV. I will be going to his home tomorrow (22 July) to
>attempt to get things straightened out for him.
>
>Here's my question (or questions):
>
>1. I've Googled and visited the Symantec website to familiarize myself
>about the Backdoor.Trojan 'virus'. From what I've read, it seems that
>Backdoor.Trojan refers to a group (or family) of Backdoor virii. Is this
>correct? Or, is there in fact a virus named Backdoor.Trojan and I'm just
>too stupid to pick up on it?
>
>2. If there is in fact a virus called Backdoor.Trojan, is there a removal
>tool available? If so, does anyone know where I can dl it? I'm able to
>find removal tools for other Backdoor-type virii (for example,
>Backdoor.Autoupder), but can't find one for Backdoor.Trojan (which is
>something which leads me to believe Backdoor.Trojan refers to a group of
>Backdoor-type virii).
>
>3. Does anyone have any suggestions/ideas that might help in cleaning this
>Backdoor.Trojan?
>
>
>Thanks much!
>
>Loren


I responded recently to someone using AVG Free which had identified
something called Backdoor.Agent.BA. The only help I could give was to
post a Google link
http://www.google.com/search?sourcei...kdoor.Agent.BA

There may be variations but not known to me, Sorry. I do not use XP
but am aware that the System Restore feature should be closed down
prior to removal as this can continually re-infect. My apologies if I
am attempting to teach my Granny to suck eggs. Good luck with the
problem.

Reg
 
Reg Mouatt
22nd Jul 2004
On Thu, 22 Jul 2004 19:20:20 +0000 (UTC), Reg Mouatt
<(E-Mail Removed)> wrote:

>On Thu, 22 Jul 2004 13:25:10 -0500, "LPV"
><(E-Mail Removed)> wrote:
>
>>A client of mine has told me he has the Backdoor.Trojan 'virus' on his
>>system (WinXP Home) being reported by his anti-virus program. He is using
>>NAV 2002 as his anti-virus program. He has told me that he has been
>>regularly updating NAV. I will be going to his home tomorrow (22 July) to
>>attempt to get things straightened out for him.
>>
>>Here's my question (or questions):
>>
>>1. I've Googled and visited the Symantec website to familiarize myself
>>about the Backdoor.Trojan 'virus'. From what I've read, it seems that
>>Backdoor.Trojan refers to a group (or family) of Backdoor virii. Is this
>>correct? Or, is there in fact a virus named Backdoor.Trojan and I'm just
>>too stupid to pick up on it?
>>
>>2. If there is in fact a virus called Backdoor.Trojan, is there a removal
>>tool available? If so, does anyone know where I can dl it? I'm able to
>>find removal tools for other Backdoor-type virii (for example,
>>Backdoor.Autoupder), but can't find one for Backdoor.Trojan (which is
>>something which leads me to believe Backdoor.Trojan refers to a group of
>>Backdoor-type virii).
>>
>>3. Does anyone have any suggestions/ideas that might help in cleaning this
>>Backdoor.Trojan?
>>
>>
>>Thanks much!
>>
>>Loren

>
>I responded recently to someone using AVG Free which had identified
>something called Backdoor.Agent.BA The only help I could give was to
>post a Google link
>http://www.google.com/search?sourcei...kdoor.Agent.BA
>
>There may be variations but not known to me, Sorry. I do not use XP
>but am aware that the System Restore feature should be closed down
>prior to removal as this can continually re-infect. My apologies if I
>am attempting to teach my Granny to suck eggs. Good luck with the
>problem.
>
>Reg


PS
http://www.google.com/search?sourcei...ackdoor+trojan

Reg
 
LPV
22nd Jul 2004

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Thu, 22 Jul 2004 13:25:10 -0500, "LPV"
> <(E-Mail Removed)> wrote:
>
> >A client of mine has told me he has the Backdoor.Trojan 'virus' on his


(snip)

Thanks, Art!

> Take a look at this Project VGREP hit for NAV's backdoor.trojan alert.
>
>

http://www.virusbtn.com/resources/vg...ct=11&offset=0

Good site. I've got it bookmarked.


> As you go through the various pages (1-5), (6-10) .... you'll see that
> NAV does indeed produce that alert for a large number of malwares. It
> very much looks like it produces that alert for spyware or adware as
> well. So you don't know what you're dealing with. You'll have to scan
> with Spybot and AdAware. And you might want to use at least one other
> av scanner as well.



That's pretty much the conclusion I'd drawn based on my research. Your
cited source and explanation seem to confirm that. I'll be loading up with
Spybot 1.3 and AdAware (thinking about taking CWShredder, also) to do
battle. I've got some other av apps that I'll use in addition to NAV.

Thanks again!

Loren


 
LPV
22nd Jul 2004

"Reg Mouatt" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Thu, 22 Jul 2004 13:25:10 -0500, "LPV"
> <(E-Mail Removed)> wrote:
>
> >A client of mine has told me he has the Backdoor.Trojan 'virus' on his


(snip)

> I responded recently to someone using AVG Free which had identified
> something called Backdoor.Agent.BA The only help I could give was to
> post a Google link
>

http://www.google.com/search?sourcei...kdoor.Agent.BA

Thanks for the link, Reg. Although it refers only to a specific version of
a Backdoor Trojan, it was still helpful. It gave me insight relative to a
potential trojan I may have to deal with.

> There may be variations but not known to me, Sorry. I do not use XP
> but am aware that the System Restore feature should be closed down
> prior to removal as this can continually re-infect. My apologies if I
> am attempting to teach my Granny to suck eggs. Good luck with the
> problem.


I think you're right about there being different variations of
Backdoor.Trojan.

Please don't apologize for "attempting to teach Granny to suck eggs". As an
old egg-sucker myself, there's no such thing as knowing everything (for me,
anyway). That's why I appreciate each and every effort to help me in my
Backdoor.Trojan ass-kicking attempt.

Thanks again.

Loren

p.s. I agree about disabling System Restore - Microsoft and Symantec both
recommended the same thing for specific types of Backdoor trojan removal, so
it seems logical that it should be done when dealing with a 'family' of this
type of trojan.


 
LPV
22nd Jul 2004

"Reg Mouatt" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Thu, 22 Jul 2004 19:20:20 +0000 (UTC), Reg Mouatt
> <(E-Mail Removed)> wrote:
>
> >On Thu, 22 Jul 2004 13:25:10 -0500, "LPV"
> ><(E-Mail Removed)> wrote:
> >
> >>A client of mine has told me he has the Backdoor.Trojan 'virus' on his


(snip)

> PS
>

http://www.google.com/search?sourcei...ackdoor+trojan
>
> Reg


Thanks, Reg!

Loren


 
Patty
23rd Jul 2004
On Thu, 22 Jul 2004 19:16:33 GMT, (E-Mail Removed) wrote:

> On Thu, 22 Jul 2004 13:25:10 -0500, "LPV"
> <(E-Mail Removed)> wrote:
>
>>A client of mine has told me he has the Backdoor.Trojan 'virus' on his
>>system (WinXP Home) being reported by his anti-virus program. He is using
>>NAV 2002 as his anti-virus program. He has told me that he has been
>>regularly updating NAV. I will be going to his home tomorrow (22 July) to
>>attempt to get things straightened out for him.
>>
>>Here's my question (or questions):
>>
>>1. I've Googled and visited the Symantec website to familiarize myself
>>about the Backdoor.Trojan 'virus'. From what I've read, it seems that
>>Backdoor.Trojan refers to a group (or family) of Backdoor virii. Is this
>>correct? Or, is there in fact a virus named Backdoor.Trojan and I'm just
>>too stupid to pick up on it?

>
> Take a look at this Project VGREP hit for NAV's backdoor.trojan alert.
>
> http://www.virusbtn.com/resources/vg...ct=11&offset=0
>
> As you go through the various pages (1-5), (6-10) .... you'll see that
> NAV does indeed produce that alert for a large number of malwares. It
> very much looks like it produces that alert for spyware or adware as
> well. So you don't know what you're dealing with. You'll have to scan
> with Spybot and AdAware. And you might want to use at least one other
> av scanner as well.
>
>
> Art
> http://www.epix.net/~artnpeg


I have a similar problem with my boss's computer. Norton reported a
backdoor sdbot virus in a file called aolmsngr.exe. I did a search for the
backdoor virus group and found out how to remove that file so I did that.
The message that Norton was giving went away (you could not get it off the
screen by clicking "ok" before, it stayed onscreen). That said... I ran
Norton in Safe Mode. It repaired 3 files (haven't a clue what they were
since I could see no way to find out) and it found hundreds of malware and
spyware files. But, it said it could not remove them all (this is in safe
mode). So, I ran spybot which removed some files. I ran adaware which
removed more. I believe, however, he's still infected with something since
I can't run msconfig or regedit in regular windows mode, only in safe mode.
One file that ZoneAlarm kept asking about (and which I denied internet
access for) was MSNGuyen.exe. I did a google search of this file and found
a mention to a "bestfriends.scr" which can be picked up through AIM. The
information also mentions that having this virus will prevent you from
running regedit or msconfig (they just flash on the screen for a second and
close). I have instructions to remove that now. But, my question is, why
didn't Norton remove this stuff when I ran it in Safe Mode? Is Norton not
all that it's cracked up to be? And why do none of the virus encyclopedias
(Norton or McAfee) even mention this virus? And how did they get infected
in the first place since he runs Norton Antivirus in the background?

Thanks, sorry this is so long, but I'm trying to get his home computer
cleaned up before I leave for vacation next week.

Patty
 
null@zilch.com
23rd Jul 2004
On Fri, 23 Jul 2004 07:39:11 -0400, Patty <(E-Mail Removed)>
wrote:

<snip>

> I have instructions to remove that now. But, my question is, why
>didn't Norton remove this stuff when I ran it in Safe Mode?


Norton can't remove what it can't pinpoint.

>Is Norton not
>all that it's cracked up to be?


Is that a surprise?

>And why do none of virus encyclopedias
>(Norton or McAfee) even mention this virus?


What did other av products have to say when you scanned with them?

>And how did they get infected
>in the first place since he runs Norton Antivirus in the background?


Easy. He doesn't practice safe hex.

>Thanks, sorry this is so long, but I'm trying to get his home computer
>cleaned up before I leave for vacation next week.


Here's some reading for you and your boss:

http://www.claymania.com/safe-hex.html

Have fun on your vacation


Art
http://www.epix.net/~artnpeg
 
Patty
23rd Jul 2004
On Fri, 23 Jul 2004 13:23:50 GMT, (E-Mail Removed) wrote:

> On Fri, 23 Jul 2004 07:39:11 -0400, Patty <(E-Mail Removed)>
> wrote:
>
> <snip>
>
>> I have instructions to remove that now. But, my question is, why
>>didn't Norton remove this stuff when I ran it in Safe Mode?

>
> Norton can't remove what it can't pinpoint.
>
>>Is Norton not
>>all that it's cracked up to be?

>
> Is that a surprise?
>
>>And why do none of virus encyclopedias
>>(Norton or McAfee) even mention this virus?

>
> What did other av products have to say when you scanned with them?
>
>>And how did they get infected
>>in the first place since he runs Norton Antivirus in the background?

>
> Easy. He doesn't practice safe hex.
>
>>Thanks, sorry this is so long, but I'm trying to get his home computer
>>cleaned up before I leave for vacation next week.

>
> Here's some reading for you and your boss:
>
> http://www.claymania.com/safe-hex.html
>
> Have fun on your vacation
>
>
> Art
> http://www.epix.net/~artnpeg


Thanks, Art. I know all about safe hex, but sadly he and his teenage sons
do not. <sigh> I have to go over to his house regularly and clean this
junk out of his computer. He does know to run adaware on a regular basis,
I changed his settings on Norton to update automatically too.

I finally got it all cleaned out. There's just only so much I can do in a
couple hours. Hopefully he'll be good for a few weeks now.

Patty
 