trojan horse backdoor.agent.nrb-unable to heal

Assistance with AVG Anti-Malware, legacy ewido and AVG Anti-Spyware applications


Post by jjk1951 » Sun Jun 01, 2008 1:51 am

Trojan horse backdoor.agent.NRB virus. Unable to delete hidden file.

Everything below is being done from administrator.
I recently attempted to install Nero 7 on a Windows XP Pro SP2 system; the install failed with an error "unable to create c:\windows\system32\nerocom.dll file". Subsequent investigations have led me through a minefield of strange issues.

I have discovered:
- I cannot create any file (under any folder) with a name "xxxCOM.dll"; even a simple text file from Notepad can't be saved with a name containing "com.dll": I get the same error as with the Nero install. I can create files with names like "xxxCOM1.dll, xxxCOM2.dll" but not "xxxCOM.dll"
- I cannot display the security property information for any file on the system that has a name "xxxCOM.dll"

I then ran a variety of virus and spyware tools, with the following results:
- Win Defender - nothing
- SpyBot - nothing
- AVG - continually pops up a threat warning "Trojan horse backdoor.agent.NRB in file c:\windows\system\COM.dll" but AVG can't heal the problem
- NOD32 - does not detect a virus in the file c:\windows\system\COM.dll but issues a message that it cannot open file c:\windows\system\COM.dll

I have formed the opinion that this mysterious file is somehow behind the problems I am having in trying to install Nero/create a file with a name "xxxCOM.DLL" etc. Seems reasonable to me.

This file c:\windows\system\COM.dll is a mysteriously hidden file. Windows Explorer does not show it (and I have all options set properly to display system and hidden files). I have tried booting up in safe mode and entering commands like "attrib c:\windows\system\COM.dll" but they all say "file not found". I have tried specialised PC file management tool packages to walk the NTFS tree and locate it and they can't find it either. I have searched the registry for any references to "com.dll" and found nothing. But both AVG and NOD32 detect the existence of the file (but can't open or delete it).

I am seeking any further suggestions anybody may have on understanding this problem.

I am thinking of trying the following rather radical step as a way of deleting this mysterious "COM.dll" file
- create a new folder "system32new"
- one by one copy every sub-folder and file from the existing system32 folder to the new one using Explorer (on the belief/hope that the mysterious "COM.dll" file will not be copied)
- checking the resultant system32 total storage used vs the system32new storage used and hoping to see a small difference (to account for the fact that the mysterious "COM.dll" file is not present under "system32new")
- then (risky), boot up in safe mode and do 2 commands
* ren system32 system32old
* ren system32new system32
- hopefully this will create a new instance of system32 with the mysterious file absent

I am worried there may be unique file identifier linkages present in the registry or other parts of the system which will cause problems with this approach (and I am not even sure the renames will work on system32).

Any comments on this strategy?
jjk1951

Post by sc123 » Mon Jun 02, 2008 7:45 am

I can't find anything that says that com.dll is a legit Windows system file. I would log in as an administrator, open a command prompt and type "ren c:\windows\system32\com.dll com_old.dll" and see if that runs. Then reboot and try Nero.

If it does and your problems are solved, voila! If your system experiences problems after this, just reverse that command to rename the file back to com.dll.
Regards,
SC123 - Founder, http://www.AVGForums.com

Post by jjk1951 » Tue Jun 03, 2008 6:25 am

This file is totally invisible to Windows Explorer and you cannot find it from the DOS shell, so the rename does not work. The good news is I have found and fixed the problem. This was a "rootkit" style virus which was able to intercept API calls to the kernel and modify the behaviour (of calls like "open") to "hide" the file from the user. I finally discovered what it was using the Microsoft rootkit reveal tool (see http://technet.microsoft.com/en-us/sysi ... 97445.aspx). I tried many anti-virus, anti-rootkit programs in an attempt to remove this file, but the only one I finally found that fixed it was from Sophos.

Thanks for your interest and I hope other people gain benefit from my experience.
jjk1951
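The two symptoms in this thread (a blocked file name pattern and a file that vanishes from directory listings) can be probed in a reusable way. This is an added diagnostic example, not code from the thread or from any of the tools mentioned; the probe file names and the temporary directory are constructed for the run, and on a clean machine every probe succeeds and no discrepancies are reported.

```python
import os
import tempfile
from typing import Dict, List


def probe_filename_blocking(directory: str, stem: str = "probe") -> Dict[str, bool]:
    """Try to create sibling files that differ only in the suffix the poster
    found blocked ("...com.dll" vs "...com1.dll"). Returns name -> created.
    On a clean system every value is True; False for only the "com.dll" name
    reproduces the symptom described in this thread."""
    results: Dict[str, bool] = {}
    for name in (f"{stem}com.dll", f"{stem}com1.dll", f"{stem}com2.dll"):
        path = os.path.join(directory, name)
        try:
            with open(path, "w") as fh:
                fh.write("probe")
            results[name] = os.path.isfile(path)
        except OSError:
            results[name] = False
        finally:
            try:
                os.remove(path)
            except OSError:
                pass
    return results


def cross_view_listing(directory: str) -> List[str]:
    """Cross-view check: enumerate a directory two ways (os.listdir and
    os.scandir) and confirm every listed name also answers a per-name stat.
    Names present in one view but missing from another are returned.
    A hook that filters all three paths consistently will pass this check;
    catching that needs the API-vs-raw-volume comparison RootkitRevealer does."""
    listdir_view = set(os.listdir(directory))
    with os.scandir(directory) as it:
        scandir_view = {entry.name for entry in it}
    discrepancies = set(listdir_view ^ scandir_view)
    for name in listdir_view | scandir_view:
        if not os.path.lexists(os.path.join(directory, name)):
            discrepancies.add(name)
    return sorted(discrepancies)


def run_probe() -> Dict[str, List[str]]:
    """Run both checks in a fresh temporary directory (constructed input)."""
    with tempfile.TemporaryDirectory() as tmp:
        blocked = [n for n, ok in probe_filename_blocking(tmp).items() if not ok]
        open(os.path.join(tmp, "visible.txt"), "w").close()  # one known file
        return {"blocked_names": blocked,
                "listing_discrepancies": cross_view_listing(tmp)}
```

Point `probe_filename_blocking` and `cross_view_listing` at the directory under suspicion (here, the Windows system folder) to repeat the poster's manual experiment; an empty result only rules out inconsistent hooking, not a rootkit that filters every user-mode path alike.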

Post by sc123 » Tue Jun 03, 2008 6:34 am

Thanks for coming back and letting us know what you did to resolve your issue! I'm glad all is well.
Regards,
SC123 - Founder, http://www.AVGForums.com