FCS doesn't remove Backdoor:Win32\Agent.CR from Win32l.dll

http://social.technet.microsoft.com/Forums/en-US/ForefrontclientMTR/thread/2271a815-8ded-4808-ac3b-5cbc32c4afc8
© 2009 Microsoft Corporation. All rights reserved. Sat, 31 Oct 2009 20:08:34 Z

Pedro Gonçalves, Sun, 15 Feb 2009 23:39:24 Z

Hi,

I'm having problems removing Win32\Agent.CR from Windows\System32\Win32l.dll (Windows 2003 Server) with Forefront Client Security.

It is classified as a backdoor and the risk as Severe.

If I choose the SmartClean button, it says that it needs to restart the server in order to remove it. But after the restart, if I scan, it is there again.

I used tasklist to identify the program that is using it. It is msiexc.exe.
I killed the process in Task Manager and tried it again. It seems to remove it. But if I restart the server and scan again, yes, it is there again!

How can I remove it? Could it be a false positive?

Thanks,
Pedro Gonçalves

Kurt Falde, Fri, 13 Mar 2009 19:43:25 Z

Get a copy of the file and submit it at http://www.microsoft.com/security/portal using the Submit a Sample button.
Guessing our detection/removal rules may not be just right for the variant you are seeing and need to be updated. Be sure to include details when submitting it.

CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response)
Check out my blog http://blogs.technet.com/kfalde