Computer Virus

  • help getting rid of proxy.zorpix.u (artm_new.dll)

    7 answers - 891 bytes

    Hi,
    I have this danged trojan (ironically got it clicking on a google
    link looking for a dvd) that I can't get rid of. I used Hi-jack this,
    ad-aware, spybot S&D, and ewido, all identify it, but say "cannot
    delete or clean file" with regards to the file "C:\Documents and
    Settings\All Users\Documents\Settings\artm_new.dll". I did this all in
    Safe Mode, by the way.
    Can anyone help? I have SP-1 on my Windows XP pro, but not SP-2
    (doh, I'm an idiot, I know). McAfee Enterprise 8.0 also can't delete
    the danged thing.
    If I can't get rid of it, can I block it from "transferring" if I
    take this Hard Drive out and hook it up as a slave to get my
    web-folders onto a new PC? I have three websites I created on this PC,
    so I'd like to save all that "cleanly" before reformatting, if need be.
    Thanks.
    Rich
  • No.1 | | 2472 bytes | |

    From: "cam35pilot" <cam35pilot@aol.com>

    | Hi,
    | I have this danged trojan (ironically got it clicking on a google
    | link looking for a dvd) that I can't get rid of. I used Hi-jack this,
    | ad-aware, spybot S&D, and ewido, all identify it, but say "cannot
    | delete or clean file" with regards to the file "C:\Documents and
    | Settings\All Users\Documents\Settings\artm_new.dll". I did this all in
    | Safe Mode, by the way.
    | Can anyone help? I have SP-1 on my Windows XP pro, but not SP-2
    | (doh, I'm an idiot, I know). McAfee Enterprise 8.0 also can't delete
    | the danged thing.
    | If I can't get rid of it, can I block it from "transferring" if I
    | take this Hard Drive out and hook it up as a slave to get my
    | web-folders onto a new PC? I have three websites I created on this PC,
    | so I'd like to save all that "cleanly" before reformatting, if need be.

    | Thanks.
    | Rich

    Download MULTI_AV.EXE from the URL --

    To use this utility, perform the following
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.

    Additional Instructions:
    http://pcdid.com/Multi_AV.htm

    * * * Please report back your results * * *
  • No.2 | | 2059 bytes | |

    On 28 May 2006 22:41:12 -0700, "cam35pilot" <cam35pilot@aol.com>
    wrote:

    >Hi,
    >I have this danged trojan (ironically got it clicking on a google
    >link looking for a dvd) that I can't get rid of. I used Hi-jack this,
    >ad-aware, spybot S&D, and ewido, all identify it, but say "cannot
    >delete or clean file" with regards to the file "C:\Documents and
    >Settings\All Users\Documents\Settings\artm_new.dll". I did this all in
    >Safe Mode, by the way.
    >Can anyone help? I have SP-1 on my Windows XP pro, but not SP-2
    >(doh, I'm an idiot, I know). McAfee Enterprise 8.0 also can't delete
    >the danged thing.
    >If I can't get rid of it, can I block it from "transferring" if I
    >take this Hard Drive out and hook it up as a slave to get my
    >web-folders onto a new PC? I have three websites I created on this PC,
    >so I'd like to save all that "cleanly" before reformatting, if need be.


    There is a certain amount of risk to the new PC in that procedure.
    Assuming all you want to do is copy files and folders and not
    attempt to clean the ailing drive, an easy, safe and free method
    is to download K-BT.ZIP and NTFSDS.ZIP from my web site to
    the new PC and let K-BT.EXE create a special boot disk. You
    then copy NTFSDS.EXE to this boot disk. After booting up
    with the special boot disk, you will be able to see and copy
    files from the ailing drive, assuming you know how to use simple
    DOS commands. You will not be able to write to the ailing drive
    or clean it unless you purchase the pro version of NTFSDS.

    The best way to go about it is far more involved. You would have
    to create a Bart CD on the new PC. That would give you a
    read/write (clean/delete) capability using an alternate OS so
    you could attempt a formal cleanup of the ailing drive as well.

    Art
    http://home.epix.net/~artnpeg

  • No.3 | | 57 bytes | |


    * * * Please report back your results * * *
    --
  • No.4 | | 397 bytes | |

    From: "cam35pilot" <cam35pilot@aol.com>

    |
    | Dave and Jim,
    | Thanks so much. I took about 4 hours last night, and moved that
    | sucker into dll-he!!
    | My PC is clear, and though the old blood pressure hit 250/175, it
    | was worth it! I got to kill it personally, and that was the kicker!
    | Eternally grateful,
    | Rich

    YW Rich and thanx for updating the thread.
  • No.5 | | 2751 bytes | |


    David H. Lipman Wrote:
    From: "cam35pilot" <cam35pilot@aol.com>

    | Thanks for your help, guys, but the results have been nothing but
    | frustration. The "Multi_AV" thing just got to that dll and said "file
    | cannot be opened" and said "No infections found." Hi-Jack This and Ewido
    | find it (Ewido says threat is HIGH), and "say" they removed it, but on
    | next scan, it's there. I can't manually get rid of it (delete fails due
    | to the .dll "Being used by another person or program"), and removing
    | the artm_new folder in the registry does nothing, it's back the next
    | time I open the registry Editor.
    |
    | Is there any reg editing tool that will permanently DESTROY the f'ing
    | folder (it's:
    | "HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\Current Version\Winlogon\Notify\artm_new")
    | in the registry? It would seem to me that the key would be "tricking"
    | it into divulging what "person or program" is using that artm_new.dll
    | and deleting it.
    |
    | Any further help will be appreciated. It's more than a goal now, it's
    | an obsession! Thanks.
    | Rich

    The following will do what's needed by killing the Winlogon Process and
    removing the protected Registry key.

    Download Haxdoor.exe from the URL --

    Execute; Haxdoor.exe { Note: You must accept the default of C:\McAfee }
    Choose; Unzip
    Choose; Close

    Execute; c:\mcafee\clean.bat
    { or Double-click on 'Clean Link' in c:\mcafee }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to enable WGET.EXE to download the needed McAfee related files.

    It is suggested that you perform a Normal Mode then a Safe Mode scan.

    A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
    C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
    displayed in your browser (, FireFox or Internet Explorer). However, if you are using
    WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
    shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
    but your PC will automatically be shutdown. It is suggested that you move the report out of
    c:\mcafee before performing another scan.
    It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
    report for each session.

    Please Copy and Paste the contents of the HTML Log files;
    C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

    * * * Please report back your results * * *
    --
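The registry key discussed in the post above belongs to the Winlogon notification packages, where each subkey of `Winlogon\Notify` names a DLL in its `DllName` value that `winlogon.exe` loads. As an added example (not part of the original thread, and not code from any tool mentioned in it), the following Python sketch audits an exported copy of that key and flags packages whose DLL lives outside the system directory. The sample export is constructed, and the `c:\windows` system root is an assumption.

```python
import re

# Constructed sample in .reg export form (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\artm_new]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\artm_new.dll"
'''
NOTIFY = r"\microsoft\windows nt\currentversion\winlogon\notify" + "\\"

def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ or hex(2) REG_EXPAND_SZ (UTF-16LE)."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return None

def notify_packages(reg_text):
    """Return {package name: DllName} for every Winlogon\\Notify subkey."""
    text = reg_text.replace("\\\n", "")  # join hex continuation lines
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            i = m.group(1).lower().find(NOTIFY)
            key = m.group(1)[i + len(NOTIFY):] if i >= 0 else None
        elif key and line.lower().startswith('"dllname"='):
            found[key] = decode_value(line.split("=", 1)[1])
    return found

def suspicious(packages, system_dir=r"c:\windows\system32"):
    """Flag packages whose DLL has a directory part other than the system dir."""
    # A bare file name (resolved through the system search path) is not flagged.
    flagged = {}
    for name, dll in packages.items():
        path = (dll or "").lower().replace("%systemroot%", r"c:\windows")
        folder = path.rpartition("\\")[0]
        if folder and folder != system_dir:
            flagged[name] = dll
    return flagged
```

Real exports from Registry Editor are UTF-16 text, so read the file with `encoding="utf-16"` before passing it to `notify_packages`. The location check is a triage heuristic only: a package whose DLL sits in the system directory still needs to be compared against a known-good list.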
  • No.6 | | 979 bytes | |

    From: "Pepino" <Pepino.2ah4rh@DoNotSpam.com>

    |
    | I have the artm_new.dll file that I cannot delete also. I ran the above
    | .bat file and here is the report:
    |

    < snip >

    |
    | There are also 2006.dll and 20242402.dll that the program could not
    | delete - it couldn't access them and just left them alone; however, it
    | did access and delete a similar file called 2014.dll in the very same
    | folder.
    |
    | I also did install and ran Autorun and ProcessExplore and disabled all
    | processes that I did not recognize, but the above .dll files still
    | insist that they're being used by something and therefore I cannot
    | touch them. Is there something running so silently that 'Task Manager'
    | nor ProcessExplore can detect?
    |

    Several Downloader Trojans and Backdoor Trojans were found.

    Your PC needs more attention.

    Run the other scanners as well and run them in Safe Mode.
  • No.7 | | 799 bytes | |


    I ran the McAfee program again today and although it did not delete the
    3 trojan .dll's it must've disturbed the programs using them because
    moments after the scan was finished my Norton antivirus picked up the
    dll's and destroyed them. I think this virus (brave.sentry) created
    multiple copies of iexplore.exe to be run by the system and I could not
    delete them. The program (winlogon.exe) that was starting the whole
    thing was also loading the 3 harmful .dll's but as soon as I would try
    to do something with winlogon it would crash my system - a tricky sucker
    indeed. I ended up installing Zone Alarm Firewall - I don't know if it's
    any good since it considers iexplore to be a safe program and it was
    the one infected to begin with.
