Backdoor Trojan: 1090297506.dll (Cannot delete this file)

Discussion in 'Trojan Defence Suite' started by GRAYmatter, Dec 23, 2004.

Thread Status:
Not open for further replies.
  1. GRAYmatter

    GRAYmatter Registered Member

    Joined:
    Sep 15, 2004
    Posts:
    11
    Hello Forum Moderators & Fellow Members,

    On a recent full system scan the following file was detected:

    Positive identification (DLL): RAT.Agent.aq1 (dll)
    File: c:\windows\1090297506.dll

    This file is being detected as a "Backdoor Trojan" and I have tried to delete it from both TDS-3 and Norton, but in both instances the file cannot be deleted, fixed, modified or quarantined.

    Can someone please assist me with the eradication of this file?

    As always thank you in advance for any and all help.

    GRAYmatter
     
  2. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Have you tried booting into safe mode (press F8 when booting up) and deleting the file?

    Happy Christmas
    Tom
     
  3. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi GRAYmatter,
    Go into Safe mode by pressing F8 a few times just before Windows starts.
    Open TDS3 and then Scan Control - select all the scans then Re-Scan your machine. You should then be able to Delete any of the listed items.

    Please report back if this works.

    Thanks. Pilli
     
  5. GRAYmatter

    GRAYmatter Registered Member

    Joined:
    Sep 15, 2004
    Posts:
    11

    I did restart my machine in safe mode and I went through a complete spyware scan including AdAware & SpyBot and a full system scan using TDS-3 & Norton. Both detected the file but neither application was able to delete it in safe mode.

    Any other thoughts or suggestions?

    GRAYmatter
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Can you find the file c:\windows\1090297506.dll in safe mode? If so, you should be able to delete it, though if you get a "cannot delete because it is still running" message then it has been injected into one of your running processes.
    If, however, it says "cannot delete", maybe its permissions need altering so that it can be deleted.
    Two programs can help you here, both free and from DCS:
    DelLater and AutoStart Viewer
    link: http://www.diamondcs.com.au/index.php?page=products

    You must read the instructions regarding deletion using DelLater. If this fails,
    start AutoStart Viewer and in the AS Viewer menu select all three options, then post a cut and paste of the output in this thread.

    I'm off out for a Christmas drink now so hopefully someone else will assist :)

    HTH Pilli
     
  7. GRAYmatter

    GRAYmatter Registered Member

    Joined:
    Sep 15, 2004
    Posts:
    11
    Thanks for the help pilli! I took your suggestion and used the "DelLater" executable and sure enough it deleted the file after reboot.

    I'm going to run a new HijackThis scan just to make sure all is good. I noticed two additional running processes when I rebooted. It may be nothing but it doesn't hurt to check.

    Hope you enjoyed your holiday drinks!

    Have a happy holiday!

    GRAYmatter
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for the feedback GRAYmatter, I hope you get everything sorted out.

    The Season's greetings. Pilli :)
     