echo: nthelp
to: Glenn Meadows
from: Geo
date: 2005-12-29 00:06:14
subject: Re: Trojan Blues

From: "Geo" 

Not sure if this is related or not but there is a brand new wmf exploit
(which allows code execution via a wmf in an email) that is being used to
install spyware on computers.

Geo.

"Glenn Meadows" wrote in message
news:43b33572{at}w3.nls.net...
> OK, spent the day bashing one of our XP machines that seems to have been hit
> by a Trojan, along with some other nefarious malware.
>
> Started with a rogue install of Winhound, a bogus anti-spyware program.
>
> Got all that cleaned up, but there are remnants (active) of a Trojan
> downloader that I've been unable to remove.
>
> The key to this seems to be a file named:
>
> browsela.dll
>
> Googling on that gives limited online information about its removal, all
> centered around using a tool called Killbox, which allows one to list
> specific files to delete, as well as marking a file for deletion on the next
> boot.  The info on this DLL is that it loads way early in the Windows boot
> process, such that it can't be killed or deleted while Windows is running in
> any fashion.  That includes running from a command line boot.
>
> When using Killbox to mark the file for deletion on the next boot, after
> about 5 seconds, an error message comes up that says that an external
> process removed the entry for file rename at re-boot.  Ergo, I've been
> unable to delete the file.  The info about the file is that it opens a
> backdoor for hackers to download and run programs.
>
> I've even searched fully through the registry, and the running DLL will
> re-add the registry keys when deleted.  Even if I've run 4-5 times through
> the registry, and deleted any browsela.dll entries/keys, and I get 2 full
> searches of no entry found, then PULL THE PLUG on the computer, so that a
> shutdown doesn't re-write the registry entry, the keys are back in place on
> the next boot.  I've been unable to find the process/file/startup entry
> that's re-writing these entries.  I've used HijackThis to scan the registry,
> and all of the remaining entries LOOK like normal items.  I've compared that
> list to various googled links that list files/keys to delete.
>
> One last thing...the Sophos Anti-Virus CLAIMS to be able to remove this
> item.  I'll be downloading a 30 day demo of their Small Business AV program,
> to give it a try.  AVG sees it, identifies it as a threat, claims that it's
> removed it, but it's still there.
>
> There's NO hit in the Symantec Knowledge base on this file (all googled
> links appear to be VERY recent infections, as in the past 4-5 days...)
>
> Anyone here have any other brilliant suggestions?
>
> I'm seriously thinking of removing the HD, strapping it in as a second drive
> on another system, and deleting the file from a different booted system.
> Thoughts on that approach?
>
>
> --
>
> Glenn M.
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267
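The quoted post describes two symptoms a responder would want to pin down before pulling the drive: autostart entries that keep coming back, and a Killbox "delete on next boot" request that something removes. The triage script below is an added example written for this thread, not code from either poster or from Killbox; it assumes a modern Windows box with PowerShell, and that Killbox's delete-on-reboot request is queued through the standard PendingFileRenameOperations value (that value name and the autostart keys are real registry locations; browsela.dll is just the file name from the post, passed as a parameter).

```powershell
# Triage for a DLL that re-adds its own autostart entries (added example).
# Run from an elevated PowerShell prompt on the affected machine.
param(
    [string]$Pattern = 'browsela.dll'   # file name from the quoted post
)

# Common autostart locations a boot-time DLL can hook (not exhaustive).
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Shell/Userinit/Notify
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

"== Autostart values referencing $Pattern =="
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    # Scan the key itself plus subkeys (BHO and Notify entries live in subkeys).
    $targets = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $targets) {
        foreach ($name in $k.GetValueNames()) {
            $data = "$($k.GetValue($name))"
            if ($data -like "*$Pattern*") { "{0}\{1} = {2}" -f $k.Name, $name, $data }
        }
    }
}

"== Delete-on-reboot queue (PendingFileRenameOperations) =="
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sessionMgr -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    # REG_MULTI_SZ holds source/destination pairs; an empty destination means delete.
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $src = $pending[$i]; $dst = $pending[$i + 1]
        $action = if ([string]::IsNullOrEmpty($dst)) { 'DELETE' } else { "RENAME -> $dst" }
        "{0}: {1}" -f $action, $src
    }
} else {
    "No pending rename/delete queued (the request was removed or never written)."
}

"== Processes with $Pattern loaded (candidates for what re-writes the keys) =="
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        if ($proc.Modules | Where-Object { $_.ModuleName -ieq $Pattern }) {
            "{0} (PID {1})" -f $proc.ProcessName, $proc.Id
        }
    } catch { }   # module enumeration is denied for some protected processes
}
```

Re-running the first section a minute after deleting an entry shows whether it was re-created while the system is up, and the last section names the host process that needs to be stopped (or the drive taken offline, as the poster proposes) before the file can be removed.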

SOURCE: echomail via fidonet.ozzmosis.com
