This is a very new variant of a known Trojan.
First of all, keep an eye on this thread:
http://castlecops.com/postp318334.html Yellowhammer, he dah man! <wink>
Now, don't make a "Me, too!" post to that thread, just lurk. If you want,
begin your own thread on the topic, but first... <deep breath>
Dealing with Trojans & Hijackware (do Parts A *and* B)...
A. Trojans
1. Check in at Windows Update and install all critical updates & reboot.
[If you're not already running SP2, do *not* install it until you've gotten
rid of all hijackware!]
2. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...
3. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).
Note the files identified and removed then find the corresponding page for
the file at your AV maker's online support pages (e.g.,
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html)
and follow *all* Removal steps, including editing the Registry if directed
to do so. (You will be!)
If this scan finds anything, after doing the above:
(a) create a new Restore Point, then
(b) Disk Cleanup > More options [tab] > Delete all but the most recent
Restore Point.
B. Hijackware
Help with Hijackware (MS MVP sites all)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm
CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html
Run these tools in the following order with nothing else running in
background:
1. CWShredder v1.59.1 (no updates available currently; fix all found)
2. Ad-Aware SE (reconfigure per Post #2 in
http://aumha.org/forum/viewtopic.php?t=5877; fix all found)
3. Spybot (RTFM; Immunize (Default mode, left-hand window) then scan;
generally, fix everything in red)
Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to
http://forums.spywareinfo.com/, Castle Cops forum or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**
[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]
So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP
WinXP SP2: What's New for Internet Explorer and Outlook Express
http://www.microsoft.com/windowsxp/sp2/ieoeoverview.mspx
What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx
"There is no 'silver bullet' solution."
http://go.microsoft.com/fwlink/?LinkId=33131
Wondering if anyone has information regarding removal of vtd_16.exe? Have
found some limited info about it online, but not sufficient. McAfee and
AdAware don't seem to see it. Tried deletion in safe mode, it returned
(something else there I don't see).
Running XP Pro. Someone suggested using recovery console on XP disk, but it
is command prompt and I'm unclear what command(s) I would use.
Thanks for any help. If more info is needed, please advise.