echo: nthelp
to: Glenn Meadows
from: Ellen K.
date: 2005-12-31 23:02:40
subject: Re: Trojan Blues

From: Ellen K. 

Wow, whoever wrote that is good.   :(

On Wed, 28 Dec 2005 19:04:03 -0600, "Glenn Meadows"
 wrote in message :

>OK, spent the day bashing one of our XP machines that seems to have been hit
>by a Trojan, along with some other nefarious malware.
>
>Started with a rogue install of Winhound, a bogus anti-spyware program.
>
>Got all that cleaned up, but there are remnants (active) of a Trojan
>downloader that I've been unable to remove.
>
>The key to this seems to be a file named:
>
>browsela.dll
>
>Googling on that gives limited online information about its removal, all
>centered around using a tool called Killbox, which allows one to list
>specific files to delete, as well as marking a file for deletion on the next
>boot.  The info on this DLL is that it loads way early in the Windows boot
>process, such that it can't be killed or deleted while Windows is running in
>any fashion.  That includes running from a command line boot.
>
>When using Killbox to mark the file for deletion on the next boot, after
>about 5 seconds, an error message comes up, that says that an external
>process removed the entry for file rename at re-boot.  Ergo, I've been
>unable to delete the file.  The info about the file is that it opens a
>backdoor for hackers to download and run programs.
>
>I've even searched fully through the registry, and the running DLL will
>re-add the registry keys when deleted.  Even if I've run 4-5 times through
>the registry, and deleted any browsela.dll entries/keys, and I get 2 full
>searches of no entry found, then PULL THE PLUG on the computer, so that a
>shutdown doesn't re-write the registry entry, the keys are back in place on
>the next boot.  I've been unable to find the process/file/startup entry
>that's re-writing these entries.  I've used HijackThis to scan the registry,
>and all of the remaining entries LOOK like normal items.  I've compared that
>list to various googled links that list files/keys to delete.
>
>One last thing...the Sophos Anti-Virus CLAIMS to be able to remove this
>item.  I'll be downloading a 30 day demo of their Small Business AV program,
>to give it a try.  AVG sees it, identifies it as a threat, claims that it's
>removed it, but it's still there.
>
>There's NO hit in the Symantec Knowledge base on this file (all googled
>links appear to be VERY recent infections, as in the past 4-5 days...)
>
>Anyone here have any other brilliant suggestions?
>
>I'm seriously thinking of removing the HD, strapping it in as a second drive
>on another system, and deleting the file from a different booted system.
>Thoughts on that approach?

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267
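Glenn's "search the registry 4-5 times, pull the plug, and the keys are back" loop can be made systematic: export the registry (regedit or `reg export`) once after cleaning and once after the next boot, then diff the two exports for anything that mentions the DLL. The script below is an added example and is not code from either poster; the two .reg snapshots in it are constructed sample data, and the key locations they use (Run, Winlogon Notify, AppInit_DLLs) are common Windows autostart locations picked for illustration, not locations the thread says this malware actually used. Only string (REG_SZ) values are parsed.

```python
"""Diff two registry exports (.reg text) to find entries that come back
after a reboot, as in the browsela.dll case discussed above.

Added example, not from the thread. Snapshots below are constructed sample
data; the autostart locations in them are illustrative assumptions."""

import re
from typing import Dict, Tuple

# A .reg export is a sequence of [KEY] headers, each followed by
# "Name"="data" lines; @ is the key's default value. Backslashes and
# quotes inside string data are escaped with a backslash.
_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

Entries = Dict[Tuple[str, str], str]


def parse_reg_export(text: str) -> Entries:
    """Return {(key_path, value_name): data} for the string values in an export."""
    entries: Entries = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor') or line.startswith(';'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            name = '' if m.group(1) == '@' else re.sub(r'\\(.)', r'\1', m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):       # REG_SZ only
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
                entries[(current_key, name)] = data
    return entries


def find_references(entries: Entries, needle: str) -> Entries:
    """Entries whose key path, value name or data mention `needle` (case-insensitive).
    This is the 'full search of the registry' step done in one pass."""
    n = needle.lower()
    return {k: v for k, v in entries.items()
            if n in k[0].lower() or n in k[1].lower() or n in v.lower()}


def readded(cleaned: Entries, after_reboot: Entries, needle: str) -> Entries:
    """References present after the reboot that were absent, or had different
    data, in the post-cleaning snapshot: the entries something re-wrote."""
    return {k: v for k, v in find_references(after_reboot, needle).items()
            if cleaned.get(k) != v}


# Constructed snapshot: the registry right after cleaning, no trace of the DLL.
CLEANED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
'''

# Constructed snapshot: the same machine after the next boot, entries back.
AFTER_REBOOT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\browsela]
"DllName"="browsela.dll"
"Startup"="WinlogonStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="browsela.dll"
'''


def report(cleaned_text: str, after_text: str, needle: str) -> list:
    """Human-readable lines for every entry that came back after the reboot."""
    hits = readded(parse_reg_export(cleaned_text), parse_reg_export(after_text), needle)
    return [f'{key}\\{name or "(Default)"} = {data!r}' for (key, name), data in sorted(hits.items())]


if __name__ == '__main__':
    for line in report(CLEANED, AFTER_REBOOT, 'browsela.dll'):
        print('re-added:', line)
```

The keys this prints are the ones worth tracing back to a loader: whatever writes them is the process to find, and knowing the exact key path narrows the search far more than another manual pass through regedit. Searching with `'browsela'` rather than `'browsela.dll'` also catches entries that name the DLL only in the key path.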

SOURCE: echomail via fidonet.ozzmosis.com
