FCS don't remove Backdoor:Win32\Agent.CR from Win32l.dll RRS feed

  • Question

  • Hi,

    I'm having problems removing Win32\Agent.CR from Windows\System32\Win32l.dll (Windows 2003 Server) with Forefront Client Security.

    It is classified as a backdoor and risk as Severe.

    If a choose SmartClean button it saids that it needs to restart the server because to remove it. But after restart, if I scan, it is there again.

    I used tasklist to identify the program that is using it. It is msiexc.exe.
    I killed the process at task manager and try it again. It seams to remove it. But if I restart the server and scan again. Yes, it is there again!

    How can I remove it? Could it be a false positive?

    Pedro Gonçalves
    Sunday, February 15, 2009 11:39 PM

All replies

  • Get a copy of the file and submit it at http://www.microsoft.com/security/portal use the submit a sample button.
     Guessing our detection/removal rules may not be just right for the variant you are seeing and need to be updated.  Be sure to include details when submitting it.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Friday, March 13, 2009 7:43 PM
  • Also check windows firewall and make sure it is on too.

    As Kurt said, submit all samples.

    Friday, July 16, 2010 8:16 AM