I have a system that detects Backdoor.ProRat. Norton AV 2003 was installed, but I could not run a system scan with it. I have tried installing Etrust, Panda, AVG, and McAfee and was unable to scan with any of these AVs. We pulled the drive and put it in another machine to scan it, but the scan came up clean (virus defs are up to date). Booted back up and it keeps detecting ProRat again. Tried to remove the virus manually, but it comes back every time I boot up.

PS -- Windows XP Home Edition.

Procedure used to remove virus manually:

1. Turn off System Restore.
2. Boot in safe mode and log on as Administrator.
3. In the registry, remove any of the following entries from the following keys:
ENTRIES:
"MSNMESENGER"="%System%\Main.exe"
"DirectX for Microsoft Windows"="%System%\Sservice.exe"
"StubPath"="C:\Windows\system\Sservice.exe"

KEYS:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dw-BE53-Y67078979Y}
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. Through Windows Explorer, My Computer, or DOS Prompt: Delete winkey.dll & wininv.dll from the c:\Windows\System32 folder. (Can't delete from any of the above -- Access is denied.) Tried checking attributes (Archive is the only attribute selected). I can rename and move the files, but still can't delete them. Also tried slaving the drive in another machine and deleting them there, but they reappear on the next boot. If I log off of Administrator and log back on as User, I can delete them, but they reappear on the next boot, whether it is in normal mode or safe mode.

Figured something was starting them up on boot (obviously), so I set the msconfig to diagnostic startup (no startup items, unnecessary services, win.ini, boot.ini, or system.ini), but the problem persists.

Machine cannot be reloaded as the user has NO FREAKIN' BACKUPS.

Sorry about the long rant, but I've been screwing with this piece of #$@% all day.

Any help would be greatly appreciated.
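
The registry check in step 3 can be repeated after every reboot against a text export of the hive instead of by eye. The following is an added example, not part of the original post: it parses `.reg` export text and lists string values under the post's autostart keys whose name or target file matches the entries listed there. The function names, the placeholder GUIDs and the sample export are assumptions constructed for illustration.

```python
import re

# Value names and file names taken from the post; StubPath is left out of the
# name list because legitimate Active Setup components use it too.
SUSPECT_NAMES = {"msnmesenger", "directx for microsoft windows"}
SUSPECT_FILES = {"main.exe", "sservice.exe"}
# Autostart keys from the post, in the long form that a registry export writes.
AUTOSTART_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_local_machine\software\microsoft\active setup\installed components",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'[^\\/"]+\.exe', re.I)

def parse_reg(text):
    """Yield (key, value_name, data) for string values in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            yield key, name, data

def find_suspects(text):
    """Return autostart values whose name or target file matches the post's list."""
    hits = []
    for key, name, data in parse_reg(text):
        if not key.lower().startswith(AUTOSTART_KEYS):
            continue
        exe = EXE_RE.search(data)
        if name.lower() in SUSPECT_NAMES or (exe and exe.group().lower() in SUSPECT_FILES):
            hits.append((key, name, data))
    return hits

# Constructed sample export (placeholder GUIDs, not from the affected machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSNMESENGER"="C:\\WINDOWS\\system32\\Main.exe"
"SoundMan"="SOUNDMAN.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Windows\\system\\Sservice.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-1111-1111-1111-111111111111}]
"StubPath"="C:\\WINDOWS\\inf\\unregmp2.exe /ShowWMP"
'''
```

Real exports are usually UTF-16, so decode the file before passing its text to `find_suspects`. A match is a lead to investigate, not a verdict, since the file names alone are not unique to this backdoor.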