deloader worm
Bob Clark
reclark@amaonline.com
Wed Sep 17 10:20:01 2003
> Have you tried running through those instructions yet?
>
> Regards,
> Beau
Yeah, did all that, and the splash screen still came up on boot.
> check your tasklist for explorer.exe, see if it's there twice...
> to remove it, download ANY vnc-server, run it like this;
> winvnc -kill
> winvnc -remove
Ah, worked like a charm, Vince.
There were NOT 2 instances of explorer running (although there were when I
first began the witch-hunt). Even with only 1 instance of explorer, I was
getting the WinVNC startup screen, and this even after I did the regedits
Norton recommended. I tried running winvnc -kill and got a message that
there wasn't such a program. Reboot and the startup screen's still there.
Went and downloaded WinVNC and then ran the kill and remove commands and
Voilà, no more startup screen on boot. All I can figure is maybe this
thing changed the name to something else and I didn't know what to look for.
Unfortunately, I *think* I have the system completely clean. Would have
been a good idea to find the copy of this virus and send it to an expert and
see if this is a variant that somehow morphs the prog's name. I've been
pretty lucky and avoided all but one viral infection in the past (one of
those D*** things buried in an e-mail jpeg attachment), so I'm pretty naive
when it comes to this stuff.
Appreciate the help, guys!
Without you, I'd still be scratching my butt and getting nowhere.
Bob