echo: nthelp
to: All
from: Glenn Meadows
date: 2005-12-28 19:04:02
subject: Trojan Blues

From: "Glenn Meadows" 

OK, spent the day bashing one of our XP machines that seems to have been
hit by a Trojan, along with some other nefarious malware.

Started with a rogue install of Winhound, a bogus anti-spyware program.

Got all that cleaned up, but there are remnants (active) of a Trojan
downloader that I've been unable to remove.

The key to this, seems to be a file named:

browsela.dll

Googling on that gives limited online information about its removal, all
centered around using a tool called Killbox, which allows one to list
specific files to delete, as well as marking a file for deletion on the
next boot.  The info on this DLL is that it loads way early in the Windows
boot process, such that it can't be killed or deleted while windows is
running in any fashion.  That includes running from a command line boot.

When using Killbox to mark the file for deletion on the next boot, after
about 5 seconds, an error message comes up that says that an external
process removed the entry for file rename at re-boot.  Ergo, I've been
unable to delete the file.  The info about the file is that it opens a
backdoor for hackers to download and run programs.

I've even searched fully through the registry, and the running DLL will
re-add the registry keys when deleted.  Even if I've run 4-5 times through
the registry, and deleted any browsela.dll entries/keys, and I get 2 full
searches of no entry found, then PULL THE PLUG on the computer, so that a
shutdown doesn't re-write the registry entry, the keys are back in place on
the next boot.  I've been unable to find the process/file/startup entry
that's re-writing these entries.  I've used HijackThis to scan the
registry, and all of the remaining entries LOOK like normal items.  I've
compared that list to various Googled links that list files/keys to delete.

One last thing...the Sophos Anti-Virus CLAIMS to be able to remove this
item.  I'll be downloading a 30 day demo of their Small Business AV
program, to give it a try.  AVG sees it, identifies it as a threat, claims
that it's removed it, but it's still there.

There's NO hit in the Symantec Knowledge Base on this file (all Googled
links appear to be VERY recent infections, as in the past 4-5 days...)

Anyone here have any other brilliant suggestions?

I'm seriously thinking of removing the HD, strapping it in as a second
drive on another system, and deleting the file from a different booted
system. Thoughts on that approach?


--

Glenn M.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
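The approach floated in the last paragraph of the post (pull the drive, slave it to a clean machine, clean it from there) in script form. This is an added example and not part of Glenn's post or of any of the tools he mentions. It assumes the infected disk shows up on a clean Windows box as E: with the Windows directory at E:\WINDOWS (both assumed; pass -Root to change them), PowerShell 3.0 or later on the clean box, and an elevated prompt, since reg.exe load/unload needs admin rights. The "delete on next boot" trick Killbox relies on is the Windows MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT mechanism, which stores its list in the SYSTEM hive under Control\Session Manager\PendingFileRenameOperations; that is the entry the post describes being removed by "an external process". With the infected Windows not running, the loaded hives can be read and edited and nothing can re-add what you delete. The script reports only; pass -Remove to delete the registry references and quarantine the file.

```powershell
# Added example, not from the post: offline triage of a slaved XP system disk.
# Assumptions (not stated in the post): the infected disk is attached to a clean
# Windows box as E:, its Windows directory is E:\WINDOWS, and the suspect file is
# browsela.dll. Run from an elevated PowerShell prompt; reg.exe load/unload needs admin.
param(
    [string]$Root    = 'E:\WINDOWS',
    [string]$Suspect = 'browsela.dll',
    [switch]$Remove                      # report only unless -Remove is given
)
$Mount = 'OfflineHive'                   # temporary key name under HKLM for the loaded hive

function Use-OfflineHive([string]$HiveFile, [scriptblock]$Action) {
    # Load a hive file from the slaved disk, run $Action with its provider path, unload.
    # Force a GC first: a lingering RegistryKey handle makes 'reg unload' fail.
    & reg.exe load "HKLM\$Mount" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile" }
    try     { & $Action "Registry::HKEY_LOCAL_MACHINE\$Mount" }
    finally {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$Mount" | Out-Null
    }
}

function Get-ValueText([Microsoft.Win32.RegistryKey]$Key, [string]$Name) {
    # Value data as searchable text; REG_BINARY may carry a path as ASCII or UTF-16.
    $data = $Key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
    if ($data -is [byte[]]) {
        return [Text.Encoding]::ASCII.GetString($data) + ' ' + [Text.Encoding]::Unicode.GetString($data)
    }
    return ($data -join ' ')
}

function Search-Hive([string]$Base, [string[]]$Needles) {
    # Every key name or value (name or data) in the loaded hive that mentions a needle.
    $keys = @(Get-Item $Base) + @(Get-ChildItem $Base -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($n in $Needles) {
            if ($key.Name -like "*$n*") {
                [pscustomobject]@{ Needle = $n; Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                $text = "$name $(Get-ValueText $key $name)"
                if ($text -like "*$n*") {
                    [pscustomobject]@{ Needle = $n; Key = $key.Name
                                       Value = $(if ($name) { $name } else { '(default)' }); Data = $text.Trim() }
                }
            }
        }
        $key.Close()
    }
}

$Drive = (Split-Path -Qualifier $Root) + '\'
$Cfg   = Join-Path $Root 'system32\config'

# 1. Every copy of the file on the slaved disk; timestamps help date the infection.
$files = @(Get-ChildItem -Path $Drive -Recurse -Force -Filter $Suspect -ErrorAction SilentlyContinue)
$files | Format-Table FullName, Length, CreationTime, LastWriteTime -AutoSize

# 2. The delete-on-reboot list (MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT) that Killbox writes and
#    the running DLL kept clearing. Offline it can be read, and nothing will clear it again.
Use-OfflineHive (Join-Path $Cfg 'SYSTEM') {
    param($Base)
    $cur = (Get-ItemProperty "$Base\Select").Current
    Write-Host "PendingFileRenameOperations in ControlSet$('{0:D3}' -f $cur):"
    (Get-ItemProperty ("$Base\ControlSet{0:D3}\Control\Session Manager" -f $cur)).PendingFileRenameOperations
}

# 3. References in HKLM\SOFTWARE and in each XP profile's NTUSER.DAT. A hit under
#    CLSID\{guid}\InprocServer32 means the DLL is a COM server; its real load point (a BHO,
#    ShellServiceObjectDelayLoad entry, ...) names that GUID, not the file, so search for it too.
$userHives = @(Get-ChildItem (Join-Path $Drive 'Documents and Settings') -Directory -ErrorAction SilentlyContinue |
               ForEach-Object { Join-Path $_.FullName 'NTUSER.DAT' } | Where-Object { Test-Path $_ })
foreach ($hive in @(Join-Path $Cfg 'SOFTWARE') + $userHives) {
    $hits  = @(Use-OfflineHive $hive { param($Base) Search-Hive $Base @($Suspect) })
    $guids = @($hits.Key | ForEach-Object { if ($_ -match '\\CLSID\\(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] } } |
               Sort-Object -Unique)
    if ($guids) { $hits += Use-OfflineHive $hive { param($Base) Search-Hive $Base $guids } }
    Write-Host "`n== $hive : $($hits.Count) hit(s)"
    $hits | Format-Table Needle, Key, Value, Data -AutoSize -Wrap

    if ($Remove -and $hits) {
        Use-OfflineHive $hive {
            param($Base)   # values first, then whole keys (CLSID registration, BHO key) named by a needle
            $hits | Where-Object Value -ne '(key name)' | ForEach-Object {
                Remove-ItemProperty -Path "Registry::$($_.Key)" -Name $_.Value -ErrorAction SilentlyContinue }
            $hits | Where-Object Value -eq '(key name)' | ForEach-Object {
                Remove-Item -Path "Registry::$($_.Key)" -Recurse -ErrorAction SilentlyContinue }
        }
    }
}

# 4. With nothing left to reload it, quarantine the file itself (keep a copy for the AV vendor).
if ($Remove -and $files) {
    $q = New-Item -ItemType Directory -Path (Join-Path $env:TEMP 'quarantine') -Force
    $files | ForEach-Object { Move-Item $_.FullName (Join-Path $q.FullName ($_.Name + '.bin')) -Force }
}
```

Run it once without -Remove and read the hit list before deleting anything: a search for a bare file name will also match legitimate bookkeeping such as SharedDLLs or uninstall entries, and the key-name hits under CLSID are removed as whole keys. Loading NTUSER.DAT for every profile matters because a per-user load point (HKCU Run keys, per-user BHO registrations) survives a cleanup that only touches HKLM, which is one way an entry can reappear after a full live-registry search came up empty.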
