STEvil
11-27-2007, 09:14 PM
Anyone had experience removing this bugger?
I've got most of it killed off I think but i've found it hiding a few items around and there's no info on the net about any of it.
Every ~30 minutes winlogon.scr would run, showing an ad for Viagra, and using enditall2 I figured out what files it is linking itself to in order to run.
comctl32.dll ver 6.0.0.0 or 6.0.2900.2180 (or .2982), which looks like a spoofed version of 5.82.2900.2982 available with XP-32 SP3.
Spoofed comctl32.dll files (there's 3 of them) are found in the directories:
c:\windows\winsxs\x86_microsoft.windows.common-controls>6595b641444ccf1df_6.0.0.0_x-ww_1382d70a
c:\windows\winsxs\x86_microsoft.windows.common-controls>6595b641444ccf1df_6.0.2600.2180_x-ww_a84f1ff9
c:\windows\winsxs\x86_microsoft.windows.common-controls>6595b641444ccf1df_6.0.2600.2982_x-ww_ac3f9c03
It also appears to link itself to runtime.exe and winlogon.exe... :down:
Also, if anyone knows of a program that will list file/registry dependencies for a specific file, that'd be great..
edit - what happened to active-x.com?? Used to be a nice registry explorer there that worked great for getting to run/startup/services/runonce registry areas.. :(
edit - got it figured out, new variant of mydoom that bypasses windows malicious software thingy :rofl: