“BackDoor-CFB” virus, how do I get rid of it?

Discussion in 'malware problems & news' started by Matt_Smi, Jul 8, 2004.

Thread Status:
Not open for further replies.
  1. cooksd

    cooksd Guest

    Norton tells me that my computer is infected with a backdoor trojan residing at c:\windows\system32\wdmh.dll, but that it cannot repair the file. I tried locating the file using windows explorer, but the file isn't in the system32 folder. I made sure that hidden files were visible. I did a file search of my c: drive, and still no such file is found. I tried running Norton in Safe Mode and it says no infections are found, but when I go back to normal mode... BAMMO! There's Norton's popup again telling me that I have a backdoor trojan. What's up?!
     
  2. Edward Crain

    Edward Crain Guest

    Hi Matt,

    I'm sorry to hear that the Trojan Agent didn't fix the problem for you.
    Quite a nasty virus this little bugger is;-)

    Hopefully Fero can help you get rid of it.

    I also expect that McAfee will add the solution within a month or so to their 'Stinger', which you can download for free at:
    http://us.mcafee.com/virusInfo/default.asp?id=stinger.

    Let me know whether Fero had the solution for you.
    I'll probably check this forum daily/weekly.
     
  3. Raynman

    Raynman Guest

    I went through every step and all the advice I have read on practically every forum, but it keeps coming back. Just a few days more, and I will throw my laptop in the garbage can. I'm getting so mad about this.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you're ready to donate your system there are better places, like my mailbox.

    http://66.102.9.104/search?q=cache:.../vil/content/v_126106.htm “BackDoor-CFB&hl=nl

    You looked at this too, I'm sure.

    Which scanners did you try? Did you have AVG running, so Norton could not deal with it?

    Did TDS (www.diamondcs.com.au) find it for you with the latest update? (After installing, get it from the website, reboot after the install and scan with all other scanners completely closed.)

    Did you try, from the same DiamondCS site, the APM tool to locate the AppInit_DLLs file which is part of the infection?

    Registry modifications are made such that the DLL is loaded at system startup. The name of the Registry key added may vary, but it always starts with '**', followed by 1-4 random characters. For example:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "**xx" = RUNDLL32, %SysDir%\(DLL filename).DLL,StreamingDeviceSetup

    The following Registry key modification will also be present:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    "AppInit_DLLs"="%SysDir%\(DLL filename).DLL"

    On this site I see there is hope; did you try that Killbox too?
    http://66.102.9.104/search?q=cache:...index.php?showtopic=12171 “BackDoor-CFB&hl=nl
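
The two persistence points quoted above (a '**'-prefixed Run value that launches RUNDLL32 against a DLL in System32, and a non-empty AppInit_DLLs value) can be audited from PowerShell. The following is an added example written for this page, not code from the thread or from McAfee or DiamondCS. The registry paths are the standard ones; the output fields, the Wow6432Node check and the Authenticode check are this example's own choices. It is read-only and runs from an elevated prompt; it reports every referenced DLL with whether the file exists and whether it is signed, so a referenced-but-missing DLL (the symptom in the first post) shows up as FileMissing.

```powershell
# Added example (not from the thread): read-only audit of the two persistence
# points described for BackDoor-CFB above: a Run-key value whose name starts
# with "**" and launches RUNDLL32 against a System32 DLL, and a non-empty
# AppInit_DLLs value. Key paths are the standard ones; the output shape and the
# signature check are this example's own additions.

function Get-AppInitPersistence {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    $system32 = Join-Path $env:SystemRoot 'System32'

    # 1. AppInit_DLLs: anything listed here is mapped into every process that
    #    loads user32.dll, which is why the infection reappears "with each app".
    #    64-bit Windows keeps a separate list for 32-bit processes under Wow6432Node.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $list  = [string]$props.AppInit_DLLs
        foreach ($dll in ($list -split '[,\s]+' | Where-Object { $_ })) {
            # Bare names resolve against System32 (the write-up shows "%SysDir%\name.dll").
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            $path = if ([IO.Path]::IsPathRooted($expanded)) { $expanded } else { Join-Path $system32 $expanded }
            # On Vista and later the list is only honoured when LoadAppInit_DLLs is non-zero;
            # XP has no such switch, so a missing value counts as enabled.
            $enabled = ($null -eq $props.LoadAppInit_DLLs) -or ($props.LoadAppInit_DLLs -ne 0)
            $findings.Add([pscustomobject]@{
                Mechanism = 'AppInit_DLLs'; Key = $key; Name = 'AppInit_DLLs'
                Data = $dll; Path = $path; Enabled = $enabled
            })
        }
    }

    # 2. Run keys: flag value names matching "**" plus 1-4 characters, and any
    #    RUNDLL32 command line at all (the loader shape in the write-up).
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not registry values
            $data = [string]$p.Value
            $starNamed = $p.Name -match '^\*\*.{1,4}$'
            $isRundll  = $data -match '(?i)rundll32(\.exe)?["\s,]+(?<dll>[^,"]+\.dll)"?\s*,\s*(?<export>\S+)'
            if (-not ($starNamed -or $isRundll)) { continue }
            $path = if ($isRundll) { [Environment]::ExpandEnvironmentVariables($Matches['dll']) } else { $null }
            $findings.Add([pscustomobject]@{
                Mechanism = 'Run'; Key = $key; Name = $p.Name
                Data = $data; Path = $path; Enabled = $true
            })
        }
    }

    # 3. Does the referenced file exist, and is it signed? A referenced-but-missing
    #    DLL matches the "scanner sees it, Explorer cannot find it" symptom in the
    #    first post; an unsigned DLL in AppInit_DLLs deserves a closer look.
    foreach ($f in $findings) {
        $exists = [bool]($f.Path -and (Test-Path -LiteralPath $f.Path -PathType Leaf))
        $status = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $f.Path).Status.ToString() } else { 'FileMissing' }
        $f | Add-Member -NotePropertyName Exists    -NotePropertyValue $exists
        $f | Add-Member -NotePropertyName Signature -NotePropertyValue $status
    }
    return $findings
}

Get-AppInitPersistence | Format-Table Mechanism, Name, Data, Enabled, Exists, Signature -AutoSize
```

A clean machine normally returns nothing from the AppInit_DLLs branch and only recognisable, signed entries from the Run branch. The script does not change anything; removal is a separate step and, as the thread shows, has to be done with the loader not running.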
     
  5. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Jooske,

    I have tried Killbox and it did not work for me. I have gotten rid of the registry modifications though, and the virus file is no longer attached to my AppInit_dlls key. Under data it used to say "wdmh.dll", but that has been gone since I renamed the virus and deleted that "wdmh.dll" data from the AppInit_dlls key, so now the virus no longer loads with each app, and McAfee no longer pops up saying "access to file denied", so that is good. I have not tried TDS yet however; maybe I should. Right now my best hope is from that post on Computing.net where a few people were able to delete the file by changing its access rights through the command prompt.
     
    Last edited: Jul 21, 2004
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yes, that computing net solution looks reliable; did you try the DiamondCS APM tool too?
     
  7. cooksd

    cooksd Guest

    Thanks to Fero at Computing.net! The DLL is GONE!

    The solution in response 15 seemed a little intimidating when I first read it, but it turned out to be not so bad.

    For you Windows XP users, here's a recap of what I did:

    1) From START menu, select Run and type regedt32. Click OK to open the registry editor.

    2) In the left pane, navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    3) In the right pane, select AppInit_Dlls. If you were to right click and select Modify, you'd see the path of wdmh.dll in the value data field. Don't bother trying to delete the value because it'll come right back when you close the dialog box. Instead, with AppInit selected, go to the Edit menu and select Permissions...

    4) Click Advanced, and on the Advanced Settings window, uncheck "Inherit from parent...blahblahblah". Another small window will pop up. Select REMOVE. All of the permission entries will disappear, and a warning window will ask if you wish to continue. Be brave and select YES. Choose OK to finally close the permissions dialog. You're done here for now.
     
  8. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Cooksd,

    That’s about the same method I used to remove the DLL as well, except instead of un-checking the “inherit from parent” I removed all read/write permissions from the key (see earlier posts in this thread for details). I have since changed them back to normal and the key has not come back; this keeps the virus from activating every time I open something. But the infected file is still on my computer; did you manage to delete the infected file yet? And how did you contact Fero? BTW I would recommend that you put the check back in that “inherit from parent” option; to my knowledge it could mess something up if you leave it the way it is.
     
  9. cooksd

    cooksd Guest

    Sorry. I somehow submitted the previous message prematurely. Here's the rest...

    5) Exit the registry.

    6) I wanted to reboot into safe mode, so I clicked START -> RUN and typed msconfig. Click OK. You'll be prompted to restart, so go ahead.

    7) When the computer came up in safe mode, I opened a DOS prompt by selecting START -> All Programs -> Accessories -> Command Prompt. Type:
    cd c:\windows\system32 to change to that directory.

    8) type: ren wdmh.dll infected then <return> This will rename the file to 'infected'

    9) type: cacls infected /g administrator:f <return> and type 'y' when it asks if you are sure.

    10) type: attrib -r infected <return> I got denied when I tried, but Fero said to do it.

    11) type: del infected <return> This should delete the file once and for all! But now there's some clean up to do.

    12) Close the Command Prompt window and prepare to boot back into normal mode by running msconfig again by going to START -> Run. Go ahead and restart.

    13) Once you've restarted, use START -> RUN and regedt32 to reopen the registry editor. Navigate back to HKEY_LOCAL_MACHINE...

    14) Select Edit -> Permissions and click Advanced. Re-check the "Inherit..." box and select Apply. All of your permissions should be restored. Select OK to close the dialog, then exit the registry editor. You're done.

    I don't guarantee that all of those steps were necessary, but that's what I did and it worked. Best of luck!
     
  10. cooksd

    cooksd Guest

    I also left out some very important stuff about booting into safe mode using msconfig...

    When you run msconfig, you get a dialog with several tabs across the top. Go to BOOT.INI and select /SAFEBOOT, then click OK. Now you will get prompted to restart. Go ahead. Your machine will reboot into safe mode.

    When you're done working in safe mode and want to reboot back into normal mode, run msconfig again. On the first tab, simply click the top radio button (it refers to normal operation) and then click OK. Again, you'll be prompted to restart. When you do, the machine will reboot in normal mode.

    Sorry to leave this important info out earlier, but this is my first time contributing to a message board.

    Cheers.
     
  11. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Cooksd,


    OK, I already have steps 1-7 done (file gone from registry and renamed to infected). I was able to do steps 9 and 10 (although it said denied), but once I got to 11 it kept saying “invalid switch”; I have no idea what that means. This is what I was typing: del c:/WINDOWS/SYSTEM32/infected, is that right? I was not doing it in safe mode though; I am going to try that now.
     
  12. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    I just tried it in safe mode and got the same thing; once I type del c:/WINDOWS/SYSTEM32/infected it says invalid switch “windows”. I have no idea why this is not working for me when it has worked for others; this virus is so damn stubborn and frustrating!
     
  13. cooksd

    cooksd Guest

    Matt,

    Check the direction of your slashes. They should lean \ not /.

    The filepath is c:\windows\system32\wdmh.dll Type it exactly that way!
     
  14. cooksd

    cooksd Guest

    Sorry... c:\windows\system32\infected

    Also, when you get around to resetting the permissions in the registry editor, you should delete wdmh.dll from AppInit's value field. It won't come back now that the file is gone.
     
  15. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359

    I am such an idiot! My computer will not even boot now! By accident, when in the command prompt, I typed cacls c:/windows/system32 /g administrator:f and this removed access to the system32 folder. I tried to reboot to safe mode (BIG MISTAKE); I should have just used System Restore to roll back the change, and now after the Windows XP loading screen I get a blue screen saying "fatal system error" and my computer shuts itself down. I am screwed and have no idea what to do.
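
The cacls / attrib / del sequence in posts 7, 9 and 10, and the accident in the post just above (cacls with /g REPLACES the whole ACL, so pointing it at the system32 folder instead of one file strips the folder's permissions and the machine stops booting), can be combined into one guarded routine. This is an added example for this page, not code from the thread or from Fero's Computing.net post. It uses takeown and icacls, which replaced cacls from Windows Vista onward; the function name, the -FileName parameter and the quarantine folder are this example's assumptions. It refuses directories outright, adds an ACE instead of replacing the ACL, copies the sample before deleting it, and uses -LiteralPath so the forward-slash "invalid switch" problem from posts 11 to 14 cannot occur. Run it from an elevated PowerShell in safe mode.

```powershell
# Added example (not from the thread): the safe-mode removal procedure redone
# with modern equivalents and guard rails.
#   * Only a single .dll directly under System32 is accepted (the thread's case);
#     a directory is refused, because replacing System32's ACL makes the box unbootable.
#   * icacls /grant ADDS an ACE; cacls /g REPLACED the whole ACL on the target.
#   * -LiteralPath everywhere, so cmd's "del c:/WINDOWS/..." switch parsing is moot.
# Run from an elevated PowerShell, in safe mode. Names and folders are illustrative.

function Remove-LockedSystem32Dll {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $FileName,             # e.g. 'wdmh.dll', bare name only
        [string] $Quarantine = "$env:SystemDrive\Quarantine"   # assumed location; change as needed
    )

    $system32 = Join-Path $env:SystemRoot 'System32'

    # Guard 1: bare filename with a .dll extension, no path separators, no wildcards.
    if ($FileName -notmatch '^[^\\/:*?"<>|]+\.dll$') {
        throw "Refusing '$FileName': pass a bare DLL filename such as wdmh.dll"
    }
    $target = Join-Path $system32 $FileName

    # Guard 2: must be an existing FILE. This routine never touches a directory ACL.
    if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
        throw "Refusing: '$target' is not an existing file"
    }

    # Guard 3 (best effort): if a running process still has the DLL mapped, the
    # delete fails with a sharing violation. That is what safe mode is for.
    # Module enumeration throws for protected or cross-bitness processes; skip those.
    $loaders = @(Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        try { $_.Modules } catch { @() }
    } | Where-Object { $_.FileName -ieq $target })
    if ($loaders.Count -gt 0) {
        throw "'$FileName' is loaded in $($loaders.Count) process module(s); reboot to safe mode first"
    }

    if (-not $PSCmdlet.ShouldProcess($target, 'quarantine and delete')) { return }

    # Preserve evidence: copy the sample with a neutral extension and record its
    # SHA-256 and original DACL (as SDDL) before anything is changed.
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $copy = Join-Path $Quarantine ($FileName + '.vir')
    Copy-Item -LiteralPath $target -Destination $copy -Force
    (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash | Set-Content -LiteralPath "$copy.sha256"
    (Get-Acl -LiteralPath $target).Sddl                          | Set-Content -LiteralPath "$copy.sddl"

    # Take ownership and ADD Full Control for the local Administrators group
    # (well-known SID, so it works on non-English systems) on THIS FILE ONLY.
    & takeown.exe /F $target | Out-Null
    & icacls.exe $target /grant '*S-1-5-32-544:F' | Out-Null

    # Clear read-only/system/hidden so the delete is not refused on attributes
    # (post 9 step 10), then delete by literal path.
    & attrib.exe -r -s -h $target
    Remove-Item -LiteralPath $target -Force

    # Remove just this filename from AppInit_DLLs (both views on 64-bit Windows)
    # so nothing keeps pointing at the deleted file; other entries are kept.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        if (-not (Test-Path $key)) { continue }
        $current = [string](Get-ItemProperty -Path $key).AppInit_DLLs
        if (-not $current) { continue }
        $kept = ($current -split '[,\s]+' | Where-Object {
            $_ -and ([IO.Path]::GetFileName([Environment]::ExpandEnvironmentVariables($_)) -ine $FileName)
        }) -join ' '
        if ($kept -ne $current) { Set-ItemProperty -Path $key -Name AppInit_DLLs -Value $kept }
    }

    [pscustomobject]@{ Removed = $target; Quarantined = $copy }
}

# Usage: dry run first, then for real (the function prompts because ConfirmImpact is High).
#   Remove-LockedSystem32Dll -FileName 'wdmh.dll' -WhatIf
#   Remove-LockedSystem32Dll -FileName 'wdmh.dll'
```

On Vista and later, `bcdedit /set {current} safeboot minimal` followed by a reboot takes the place of the msconfig BOOT.INI /SAFEBOOT option described in post 10, and `bcdedit /deletevalue {current} safeboot` undoes it. The registry-permission trick in post 7 is only needed while the loader is still running and rewriting the value; in safe mode the AppInit_DLLs value can simply be edited, which is what the last loop does.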
     
  16. cooksd

    cooksd Guest

    Bummer, Matt.

    Do you have your system disks? Maybe you can boot from CD and get back in long enough to correct the damage.
     
  17. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    It is a Dell, so I have some system restore disks, but I doubt those will help. The Windows XP loading screen comes up, but once that is done loading the blue screen comes in and my hard drive shuts down. I guess I am going to call tech support and see what they say; I know my computer is screwed though. Thankfully I have all my data backed up on an external hard drive! So while I am very upset I am thankful at the same time, as it could be a lot worse if I lost all of my data!
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If you have an XP cd, run the installer, choose to install to the hard drive you have your OS on and then choose REPAIR when it finds the old installation

    Then visit Windows Update :D
     
  19. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Well, I ended up staying up the whole night to re-install Windows; it was not as bad as I thought it would be. I wanted to do it sometime this summer anyway, but was putting it off. I am just really happy that I had everything backed up on my external hard drive. I have only had the thing for like two weeks, and I would have been extremely upset if I lost all of my data. This also taught me just how easy it is to mess up your computer by playing around with Windows. Well, at least that damn virus is gone now and my computer is running great. I also did not bother to re-install a bunch of Dell crap and other useless programs back onto my computer, so it is nice not having that junk on there. I did lose my McAfee virus scan however; my college provided it for free, but did not give a backup of it. So now I don’t have a scanner and I really want to get one; guess I need to start researching which is best.
     
  20. Digiram

    Digiram Guest

    Hi guys,

    I went through the forum and found great advice.

    What I did was, in safe mode, set the permissions to allow for the admin under the system32 folder, and deleted the file. I also did a search in the registry and found two entries of the file that I was infected with, which was wdmll.dll. I hope the file isn't important. I emptied the recycle bin as well. This seems to have worked for me. Thanks everyone, for all the input.
     
  21. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Hey Digiram,

    Glad to hear that you were able to get rid of the virus. The wdmll.dll file should not be important, as I believe the virus creates that file itself and “lives” there.
     
  22. Edward Crain

    Edward Crain Guest

    Hi Matt,

    Good to read that you finally got rid of the virus. Although your solution was a quite drastic one, re-installing Windows ;-) I hope I didn't offend you by laughing out loud reading your adventure. Good fun!
     
  23. FRANK101

    FRANK101 Guest

    I NEED TO GET RID OF THIS VIRUS. COULD SOMEBODY TELL ME HOW TO REMOVE IT FROM MY COMPUTER?
     
  24. Frank 101

    Frank 101 Guest

    My friend told me a site where you can get rid of the virus: go to http://www.download.broadbandmedic.com/ and download Pocket Killbox. Type the file name in the space after you have downloaded it from there, and the virus will be history.
     
  25. I got this bug 2 days ago... been up with it since... I'm not a "computer guy" and have had some trouble following some of the instructions.... COOKSD seems to be pointing me in the right direction but has the info too "scattered".
    I have currently rebooted from a "pre~backdoorCFB" date and seem OK so far... M/V's isn't hitting on it.

    Has anyone found a fail-safe way to kill this bug yet? How about this "pocket killbox" FRANK 101 has suggested?
    M/V's says my file path for this bugger is... C:\Windows\System32


    Status Infected.
    File: CTLLJ.DLL
    VirusBackdoorCFB
    Trojan/Agent-AC
     