
backorifice.trojan


sondra rose

Sep 22, 1998
Configuration Information:
Version: 4.0

Help! My daughter saved an incoming chat message to a disk on the A
drive. When NAV detected a virus, she didn't open the file and even
threw the disk in the trash. But now, whenever we turn on the
computer, a message says "virus detected
c:\windows\system\windll.dll". It won't repair, and when I run NAV on
the C drive, the message says "no viruses found". Do I have to
reinstall Windows as the book suggests??? How did the virus get to
my C drive when the file was never opened??? Please help me fix
this. Thanks.
Srose

LaVonne Perry [Symantec]

Sep 23, 1998
>>Help! My daughter saved an incoming chat message to a disk on the A
drive. When NAV detected a virus, she didn't open the file and even
threw the disk in the trash. But now, whenever we turn on the
computer, a message says "virus detected
c:\windows\system\windll.dll".<<

Hello Sondra,

Thanks for using the Online Support newsgroup for Norton AntiVirus.

Executing the Back Orifice Trojan causes the program to copy a ".exe" and
windll.dll file to the Windows\System folder, as well as creating a Registry
entry under the RunServices key that will load the program during startup.
Have you checked to see if the windll.dll file is in the Windows\System folder?
If it is not, are you running Norton Utilities/System Doctor? Sometimes the
Virus Sensor doesn't refresh properly and it may be mistakenly alerting on
this. If the windll.dll file is not on your system and you are still getting
the alert from the System Doctor Virus Sensor, then try refreshing the Sensor
by doing the following:

1) Empty your recycle bin.
2) Open System Doctor
3) Right click on the Virus Sensor and tell it to scan again.

If you do find the windll.dll file, and NAV is not detecting it using the
latest virus definitions, please let me know.

Thanks,
--
LaVonne Perry
Senior Support Analyst
Symantec Corporation

Please continue to post your messages to the public discussion group as
Symantec does not provide support via private e-mail. Thank you.

If you have difficulty getting a response, please read the following article:

http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/1998527114414

For free technical support newsletters, Knowledge Base support articles, our
Online Support Genie, and FAQs, visit our Norton AntiVirus support page:

http://www.symantec.com/techsupp/nav.html

Personalize your technical support pages at:

http://www.symantec.com/techsupp/custom/custom.cgi

sondra rose

Sep 23, 1998
Thanks LaVonne, I'll try that. I found the infected file named
mail.bk by NAV but when trying to delete it - says "access denied -
can't delete file." Also tried to rename it but that was denied
also. My printer has now stopped working - wonder what's next? I'll
try to let you know what happens but my system took forever to log
on. I may not get on next try.

sondra rose

Sep 24, 1998
Just to keep you updated on the trojan program. I don't have a
system doctor to open and refresh. I'll await your next response but
I think the next thing I have to do is reinstall windows. Oh joy!
Hope you can come up with something that will delete this thing.
Again thanks for your help.

LaVonne Perry [Symantec]

Sep 24, 1998
>>Just to keep you updated on the trojan program. I don't have a
system doctor to open and refresh. I'll await your next response but
I think the next thing I have to do is reinstall windows. Oh joy!
Hope you can come up with something that will delete this thing.
Again thanks for your help.<<

Hello Sondra,

You should be able to remove the file by booting into Safe Mode, Command Prompt
Only. Press the F8 key during startup (when you see Starting Windows.....) to
get to the boot menu for this option. Once at the DOS prompt, change to the
directory where the infected file was found and try deleting it from there.
You should be able to since the file will not be in use by the system.

When the file has been removed, restart the system and note what happens. It
may be necessary to remove an entry from the Registry. If so, it will be
referred to when you restart the system. Please let me know what you find.

Regards,
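The two Symantec replies above describe the indicators (an .exe and windll.dll dropped into Windows\System, plus a RunServices value that starts the program at boot) and the cleanup (delete the file from Safe Mode Command Prompt Only, then remove the Registry entry). What follows is an added example, not part of the thread and not Symantec's or NAV's tooling: a Python triage script that works offline on a REGEDIT4 export of the RunServices key (regedit /e) and a dir /b listing of Windows\System, both constructed here as sample data. The value name "UpdateSvc" and the file UPDATE.EXE are hypothetical, since the thread never names the dropped .exe, and the "absolute path into Windows\System" heuristic is this example's own assumption, not something the thread states.

```python
"""Triage helper for the Back Orifice indicators named in the thread: an
.exe and windll.dll dropped into Windows\System, and a RunServices entry
that starts the program at boot. Added example, not Symantec's or NAV's
code. Runs offline on a REGEDIT4 export of the RunServices key and a
directory listing, both constructed below as sample data."""
import re
from pathlib import PureWindowsPath

SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\SYSTEM")
RUNSERVICES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                   r"\CurrentVersion\RunServices")
IOC_DLL = "windll.dll"  # the file name NAV flagged in the thread

# Constructed sample of `regedit /e` output for the RunServices key.
# "UpdateSvc" / UPDATE.EXE are hypothetical; the thread does not name the .exe.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SystemTray"="SysTray.Exe"
"UpdateSvc"="C:\\WINDOWS\\SYSTEM\\UPDATE.EXE"
"""

# Constructed, abbreviated sample of `dir /b C:\WINDOWS\SYSTEM` output.
SAMPLE_SYSTEM_LISTING = ["KERNEL32.DLL", "SYSTRAY.EXE", "RUNDLL32.EXE",
                         "UPDATE.EXE", "WINDLL.DLL"]

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {value_name: command} for the string values under the
    RunServices key in a REGEDIT4 export. Doubled backslashes in the
    export are unescaped back to single ones."""
    entries, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUNSERVICES_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def command_target(command):
    """The executable a RunServices command launches (its first token,
    honouring a quoted path)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(reg_export, system_listing):
    """Cross-check autostart entries against the System folder.
    Heuristic (this example's assumption, not from the thread): stock
    Windows 9x RunServices entries name their executable without a path,
    so a value pointing by absolute path into Windows\System deserves a
    look, especially when windll.dll is also sitting in that folder."""
    present = {name.lower() for name in system_listing}
    findings = {"windll_dll_present": IOC_DLL in present, "review": []}
    for name, command in parse_reg_export(reg_export).items():
        target = PureWindowsPath(command_target(command))
        if target.parent == SYSTEM_DIR:  # PureWindowsPath compares case-insensitively
            findings["review"].append({
                "value": name,
                "path": str(target),
                "file_present": target.name.lower() in present,
            })
    return findings


def removal_plan(findings):
    """Emit the cleanup the thread describes: DEL commands to run from
    Safe Mode Command Prompt Only, then a .reg file that removes the
    autostart values (REGEDIT4's "name"=- syntax deletes a value).
    Returns (dos_commands, reg_file_text)."""
    commands = []
    if findings["windll_dll_present"]:
        commands.append(f"del {SYSTEM_DIR}\\{IOC_DLL}")
    reg_lines = ["REGEDIT4", "", f"[{RUNSERVICES_KEY}]"]
    for item in findings["review"]:
        if item["file_present"]:
            commands.append(f"del {item['path']}")
        reg_lines.append(f'"{item["value"]}"=-')
    return commands, "\n".join(reg_lines) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM_LISTING)
    print(result)
    cmds, reg = removal_plan(result)
    print("\n".join(cmds))
    print(reg)
```

The script deliberately stops at a report and a generated cleanup plan rather than touching the Registry itself: on a Windows 98 box the analyst would run the DEL lines from the Safe Mode command prompt and import the generated .reg with regedit only after confirming each flagged value, since a legitimate entry that happens to use an absolute path would otherwise be removed too.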

sondra rose

Sep 27, 1998
Dear LaVonne,
Thank you a million. That worked. But I still don't understand why
the warning message said the virus was in System\windll.dll and that
file couldn't be found. But when I ran NAV on System, the file
infected was mail.bak???? Oh well, I'm very thankful to you for
figuring this out.