PSW.Banker.wqp is back....

This trojan horse has raised its head again. New variant reported/added to definitions by AVG June 22/23, 2007.

Note that this was not detected by Symantec Corporate edition with latest updates. Was detected, but not cured by AVG. AVG also deleted sfc.dll in my Windoze/System32 directory.

After many hours of searching the web and hair pulling, here's the best removal I was able to come up with.

If you look at http://www.symantec.com/security_response/writeup.jsp?docid=2007-052710-0541-99&tabid=2 you will get the removal hints for a prior variant. Good start to getting your registry cleaned up. In addition, look at your windoze folder (probably WinNT under W2K). You will see a hidden, system file called srvrmgr.exe with a June 2007 date. This be the malware in question. Rename it. It also appends itself to the registry entry HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/Winlogon Shell (should just read explorer.exe). AVG did clean up the rest of the problems, but until this guy gets blown away, this trojan will reinstall itself.
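
A read-only check for the two persistence points described above, added here as an example and not part of the original post. It assumes PowerShell 3.0 or later and that the registry entry the post names is the `Shell` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`; the function names and the sample value are made up for illustration.

```powershell
# Read-only audit of the two persistence points the post describes.
# Assumption: the post's registry entry is the Shell value under this key.
$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedShell = 'explorer.exe'   # the post: "should just read explorer.exe"
$NamedFile     = 'srvrmgr.exe'    # file name given in the post

function Test-ShellValue {
    param([string]$Value)
    # Anything other than exactly explorer.exe is reported as not clean.
    $trimmed = $Value.Trim()
    $rest = $trimmed -ireplace ('^' + [regex]::Escape($ExpectedShell)), ''
    [pscustomobject]@{
        Shell = $Value
        Clean = ($trimmed -ieq $ExpectedShell)
        Extra = ($rest -replace '^[\s,]+|[\s,]+$', '')
    }
}

function Get-HiddenSystemExe {
    param([string]$Directory = $env:windir)
    # Files carrying BOTH the Hidden and System attributes, as the post describes.
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -LiteralPath $Directory -Filter '*.exe' -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $mask) -eq $mask } |
        Select-Object Name, LastWriteTime, Length,
            @{ Name = 'NamedInPost'; Expression = { $_.Name -ieq $NamedFile } }
}

# Constructed sample value (not captured from an infected machine),
# to show how an appended entry appears in the report.
Test-ShellValue 'explorer.exe srvrmgr.exe' | Format-List

# Live check on this machine: the Shell value, then hidden+system executables
# in the Windows folder, newest first.
$live = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction Stop).Shell
Test-ShellValue $live | Format-List
Get-HiddenSystemExe | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

The script changes nothing; renaming the file and restoring the `Shell` value remain manual steps as described in the post.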
 