Hi,
My problem is that I've got a worm named "W32.HLLW.Raleka" located in "svchost.exe" and I would like to know if you know a simple method to kill that thing....
I'm under WinXP.

thanks for all your answers


You may find some help on these pages, but don't expect this to be simple:

Backdoor.Rtkit (http://www.symantec.com/avcenter/venc/data/backdoor.rtkit.html)

I'd turn off System Restore, boot up in Safe Mode (http://windows.about.com/library/tips/bltip601.htm), kill the Rtkit/NPF processes/services, delete any files related to the Trojan, and remove any Registry keys mentioned in the Symantec link. Then run the Trend Micro Sysclean Package (http://www.trendmicro.com/download/dcs.asp), also in Safe Mode, with the latest pattern file (http://www.trendmicro.com/download/pattern.asp).

Expect this to take quite a while ... this is *not* a fast program. And you may have to run it more than once.

You'll also want to run MSCONFIG and check for anything loading from the Registry that looks odd, such as Load= and Run= entries under the Startup tab, and uncheck them. This will cause the system to run as a Selective Startup, so you may need this .vbs file (right column, number 148: http://www.kellys-korner-xp.com/xp_tweaks.htm) to remove disabled entries so the system can again run as a Normal Startup.

Afterwards, if you have an antivirus program installed, you may want to manually delete the virus definition files and replace them with the newest versions, just in case they have gotten infected, and then run your normal antivirus on the system (also in Safe Mode.)

Toey

My System Rigs (http://forums.btvillarin.com/index.php?act=ST&f=41&t=328&s=91c282f2e5207e99b7a652ee13b3512a)
___________________________________________

BTVILLARIN.com (http://forums.btvillarin.com/) - Your Computer Questions Answered

Reply to Toejam31
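The manual checks in the post above (odd Run= entries in the autostart keys, and which svchost.exe is the impostor) can be scripted. The following is an added example, not code from the thread or from any of the posters: it lists the autostart entries MSCONFIG shows, flags the ones that look wrong, and then lists every running svchost.exe with its path and parent. It assumes Windows PowerShell 5.1 or later with CIM available; the set of Registry keys, the list of "system" binary names and the heuristics are the editor's choice, not something the thread states.

```powershell
# Added example (not code from the thread): automates the checks the post above
# tells you to do by hand, namely the Load=/Run= style autostart entries and the
# running svchost.exe processes, so you can see what to kill and delete before
# editing the Registry.  Assumptions: Windows PowerShell 5.1+ with CIM; the
# autostart keys and the "system" binary names below are the editor's choice.

$system32 = Join-Path $env:SystemRoot 'System32'
$knownSystemNames = 'svchost.exe', 'services.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe'

# Locations that feed the MSCONFIG Startup tab.  A $null value means "all
# values in this key"; the last key holds the legacy win.ini Load= and Run=
# values on XP, so only those two names are read from it.
$autostartKeys = [ordered]@{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'           = $null
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'       = $null
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'           = $null
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'       = $null
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'    = @('Load', 'Run')
}
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   %SystemRoot%\system32\foo.exe -x
    # Bare names (rundll32.exe ...) are assumed to resolve to System32.
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $image = ($cl -split '\s+')[0]
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { $image = $cl.Substring(1, $end - 1) }
    }
    if (-not [System.IO.Path]::IsPathRooted($image)) { $image = Join-Path $system32 $image }
    return $image
}

function Test-Suspicious {
    # Heuristics, not verdicts: a system-looking name outside System32, a binary
    # that no longer exists, or one without a valid Authenticode signature.
    param([string]$Image)
    $flags = @()
    $leaf = (Split-Path -Leaf $Image).ToLower()
    if ($knownSystemNames -contains $leaf -and
        -not $Image.StartsWith($system32, 'OrdinalIgnoreCase')) {
        $flags += 'system name outside System32'
    }
    if (-not (Test-Path -LiteralPath $Image -PathType Leaf)) {
        $flags += 'binary missing'
    } elseif ((Get-AuthenticodeSignature -LiteralPath $Image).Status -ne 'Valid') {
        $flags += 'not validly signed'
    }
    return ($flags -join '; ')
}

$autostart = foreach ($key in $autostartKeys.Keys) {
    if (-not (Test-Path $key)) { continue }
    $onlyNames = $autostartKeys[$key]
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        if ($onlyNames -and $onlyNames -notcontains $p.Name) { continue }
        if ([string]::IsNullOrWhiteSpace("$($p.Value)")) { continue }
        $image = Get-ImagePath "$($p.Value)"
        [pscustomobject]@{ Key = $key; Name = $p.Name; Image = $image; Flags = (Test-Suspicious $image) }
    }
}
'== Autostart entries (uncheck or delete the flagged ones in MSCONFIG/regedit) =='
$autostart | Format-Table -AutoSize

# A genuine svchost.exe lives in System32 and is started by services.exe;
# anything else carrying that name is what the worm is hiding behind.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($pr in $procs) { $byPid[[int]$pr.ProcessId] = $pr }
$svchosts = foreach ($svc in ($procs | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $parent = $byPid[[int]$svc.ParentProcessId]
    $flags = @()
    if ($svc.ExecutablePath -and -not $svc.ExecutablePath.StartsWith($system32, 'OrdinalIgnoreCase')) {
        $flags += 'not in System32'
    }
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $flags += 'parent is not services.exe'
    }
    [pscustomobject]@{
        PID    = $svc.ProcessId
        Path   = $svc.ExecutablePath
        Parent = $(if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "gone ($($svc.ParentProcessId))" })
        Flags  = ($flags -join '; ')
    }
}
'== svchost.exe processes (kill the flagged ones from Safe Mode, then delete the file) =='
$svchosts | Format-Table -AutoSize
```

Run it from an elevated prompt, in Safe Mode if the worm fights back. The flags are only pointers for the manual steps in the post: a flagged svchost.exe is the one to kill and whose file you delete, and a flagged autostart entry is the one to uncheck in MSCONFIG or remove in regedit. Services and Winlogon notify entries are not covered here; those still need the Symantec write-up linked above.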

If you have a virus scanner, do a DOS scan, or boot from the virus scanner CD and run a scan not from Windows.

If you can't do that, then you have to follow the steps in the post above.

Whoever has the most RAM when they die wins!

Reply to DanielR

I didn't suggest that because he might have NTFS partitions that could be inaccessible from DOS, and/or the antivirus CD virus definition files could be out-of-date and not be able to recognize or remove a newer, modified Trojan.

DOS-based rescue disks on floppies are also an option, but not if the virus definition files on the hard drive are corrupted, because these files are often accessed by the rescue disks. I've seen a few of these W32 worms attack an antivirus program, corrupt the files, and even download other worms from the 'Net when the antivirus program is "supposedly" updated.

His best bet is to remove the Registry keys, so that the worm doesn't automatically start with Windows; delete any files that have been installed with the worm, and remove the worm with a virus scanner that can run in Safe Mode, due to all of the above.

I successfully removed three worms off a system a couple of weeks ago using the method I've described. And it took a few hours of research to find the best way to remove the worms without being forced to format.

He should also download and install the latest patch from Microsoft (http://www.microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en) so that the security holes that have been breached are closed. Running an updated firewall so that any unprotected ports that have been previously accessed can be closed is also a good idea.

Toey


Reply to Toejam31
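The two follow-ups in the post above, installing the Microsoft patch and closing the ports the worm used, are easy to verify afterwards. The following is an added example, not code from the thread: it checks whether a given hotfix is present and lists every listening TCP/UDP socket together with the process that owns it, flagging listeners that run from outside System32. It assumes Windows PowerShell 5.1 or later and an English-locale `netstat`; the `$RequiredKb` variable is left blank on purpose, since the thread links the patch but never names its KB number, and the "outside System32" heuristic is the editor's, not the poster's.

```powershell
# Added example (not code from the thread): confirms the Microsoft patch is in
# and shows what is listening on the network and which process owns it.
# $RequiredKb is deliberately blank: fill in the KB number from the download
# page linked above, which the thread itself does not state.  Assumes Windows
# PowerShell 5.1+ and an English netstat (state column reads LISTENING).

$RequiredKb = ''    # e.g. the KB number shown on the Microsoft download page above

if ($RequiredKb) {
    $fix = Get-HotFix | Where-Object { $_.HotFixID -eq $RequiredKb }
    if ($fix) { "$RequiredKb is installed (on $($fix.InstalledOn))" }
    else      { "$RequiredKb is NOT installed: apply it before going back online" }
}

function ConvertFrom-NetstatLine {
    # Parse one `netstat -ano` line.  TCP lines carry a State column (only
    # LISTENING is kept); UDP lines have none and are always "listening".
    # Returns $null for header lines and non-listening TCP sockets.
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[3] -eq 'LISTENING') {
        $owner = [int]$f[4]
    } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
        $owner = [int]$f[3]
    } else {
        return $null
    }
    [pscustomobject]@{
        Proto     = $f[0]
        Local     = $f[1]
        LocalPort = [int]($f[1].Substring($f[1].LastIndexOf(':') + 1))
        OwnerPid  = $owner
    }
}

$system32 = Join-Path $env:SystemRoot 'System32'
$byPid = @{}
foreach ($p in Get-CimInstance Win32_Process) { $byPid[[int]$p.ProcessId] = $p }

$listeners = foreach ($line in (netstat -ano)) {
    $sock = ConvertFrom-NetstatLine $line
    if (-not $sock) { continue }
    $proc = $byPid[$sock.OwnerPid]
    $path = if ($proc) { $proc.ExecutablePath } else { $null }
    $flag = ''
    if ($path -and -not $path.StartsWith($system32, 'OrdinalIgnoreCase')) {
        $flag = 'listener outside System32: check it'
    } elseif ($sock.OwnerPid -ne 0 -and -not $proc) {
        $flag = 'owning process gone'
    }
    [pscustomobject]@{
        Proto   = $sock.Proto
        Local   = $sock.Local
        Port    = $sock.LocalPort
        PID     = $sock.OwnerPid
        Process = $(if ($proc) { $proc.Name } else { '?' })
        Path    = $path
        Flag    = $flag
    }
}
'== Listening sockets (block unexpected ports at the firewall and deal with the process) =='
$listeners | Sort-Object Proto, Port | Format-Table -AutoSize
```

The state word in `netstat` output is localized on non-English Windows, so adjust the `'LISTENING'` literal there; on Windows 8 / Server 2012 and later, `Get-NetTCPConnection -State Listen` and `Get-NetUDPEndpoint` give the same data without parsing text. A listener outside System32 is not necessarily bad (most third-party services live under Program Files), but after a worm infection every such entry deserves a look before the firewall is relied on.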