subject: Re: Trojan Blues
From: "Glenn Meadows"
Yea, I think this was from that, a very early infection, prior to any of
the AVSig files being updated. I just noticed that many of the virus folks
have done an update to detect W32.Loosky-k now.
I sent all the files I found to Sophos, because once that browseal.dll gets
in, unless they discover and know what process to kill, it's going to be an
interesting removal process.
--
Glenn M.
"Geo" wrote in message
news:43b3f0de$1{at}w3.nls.net...
> Not sure if this is related or not but there is a brand new wmf exploit
> (which allows code execution via a wmf in an email) that is being used to
> install spyware on computers.
>
> Geo.
>
> "Glenn Meadows" wrote in message
> news:43b33572{at}w3.nls.net...
>> OK, spent the day bashing one of our XP machines that seems to have been
>> hit by a Trojan, along with some other nefarious malware.
>>
>> Started with a rogue install of Winhound, a bogus anti-spyware program.
>>
>> Got all that cleaned up, but there are remnants (active) of a Trojan
>> downloader that I've been unable to remove.
>>
>> The key to this seems to be a file named:
>>
>> browsela.dll
>>
>> Googling on that gives limited online information about its removal, all
>> centered around using a tool called Killbox, which allows one to list
>> specific files to delete, as well as marking a file for deletion on the
>> next boot. The info on this DLL is that it loads way early in the Windows
>> boot process, such that it can't be killed or deleted while Windows is
>> running in any fashion. That includes running from a command line boot.
>>
>> When using Killbox to mark the file for deletion on the next boot, after
>> about 5 seconds, an error message comes up that says that an external
>> process removed the entry for file rename at re-boot. Ergo, I've been
>> unable to delete the file. The info about the file is that it opens a
>> backdoor for hackers to download and run programs.
>>
>> I've even searched fully through the registry, and the running DLL will
>> re-add the registry keys when deleted. Even if I've run 4-5 times through
>> the registry, and deleted any browsela.dll entries/keys, and I get 2 full
>> searches of no entry found, then PULL THE PLUG on the computer, so that a
>> shutdown doesn't re-write the registry entry, the keys are back in place
>> on the next boot. I've been unable to find the process/file/startup entry
>> that's re-writing these entries. I've used HijackThis to scan the
>> registry, and all of the remaining entries LOOK like normal items. I've
>> compared that list to various googled links that list files/keys to delete.
>>
>> One last thing...the Sophos Anti-Virus CLAIMS to be able to remove this
>> item. I'll be downloading a 30 day demo of their Small Business AV
>> program, to give it a try. AVG sees it, identifies it as a threat, claims
>> that it's removed it, but it's still there.
>>
>> There's NO hit in the Symantec Knowledge base on this file (all googled
>> links appear to be VERY recent infections, as in the past 4-5 days...).
>>
>> Anyone here have any other brilliant suggestions?
>>
>> I'm seriously thinking of removing the HD, strapping it in as a second
>> drive on another system, and deleting the file from a different booted
>> system. Thoughts on that approach?
>>
>>
>> --
>>
>> Glenn M.
>>
>>
>
>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SOURCE: echomail via fidonet.ozzmosis.com
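Glenn describes two symptoms in the quoted post: the Killbox "delete on reboot" entry disappears after a few seconds, and the DLL's registry entries come back after deletion. The following triage script, added here and not part of the thread or any tool it mentions, checks for both from an elevated PowerShell prompt; the `$DllName` default is a placeholder and the autostart keys listed are common locations, not a claim about where this particular DLL registers itself.

```powershell
# Added triage script (not from the thread). Assumes an elevated PowerShell
# prompt on the affected machine; $DllName is a placeholder for the file under
# investigation; the key list is a set of common autostart locations.
param(
    [string]$DllName = 'browsela.dll',
    [int]$WaitSeconds = 10
)

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
)

# Every registry value under the listed keys (and their subkeys) whose data
# mentions the file name: this is what keeps coming back after deletion.
function Find-AutostartReferences([string]$Name) {
    $hits = @()
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $items = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($valueName in $item.GetValueNames()) {
                $data = [string]$item.GetValue($valueName)
                if ($data -match [regex]::Escape($Name)) {
                    $hits += "$($item.Name)\$valueName = $data"
                }
            }
        }
    }
    return $hits
}

# PendingFileRenameOperations is the REG_MULTI_SZ where delayed-until-reboot
# renames/deletes are queued (a delete is a source path followed by an empty
# destination); "delete on reboot" tools write their requests here.
function Get-PendingRenameEntries {
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $p = Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($null -eq $p) { return @() }
    return @($p.PendingFileRenameOperations | Where-Object { $_ -match [regex]::Escape($DllName) })
}

$before = Get-PendingRenameEntries
Write-Host "Pending rename/delete entries for ${DllName}: $($before.Count)"
Start-Sleep -Seconds $WaitSeconds
$after = Get-PendingRenameEntries
if ($before.Count -gt 0 -and $after.Count -eq 0) {
    Write-Host "Entry vanished within $WaitSeconds s: a running process is clearing it."
}
Write-Host "Autostart references to ${DllName}:"
Find-AutostartReferences $DllName | ForEach-Object { Write-Host "  $_" }
```

The script only gathers evidence that something active is undoing the cleanup; it does not remove anything, which is why the offline approach Glenn floats (mounting the disk in a clean system) is the reliable way to delete a file that protects itself while the infected OS is running.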