BackDoor-CVT Trojan

[koala]

Hi folks.

I have a Trojan on my machine - BackDoor-CVT

This is what McAfee says about it;

When this dropper file is run, it creates the following file:

%SysDir%\winicd32.dll (18,944 bytes)This file is injected into Internet Explorer's memory space, to avoid triggering firewall software.

The following registry keys are created:

hkey_local_machine\software\microsoft\windows,
nt\currentversion\winlogon\notify\winxtx32,
hkey_local_machine\software\microsoft\mssmgr\

The dropped file will also try to connect to a remote website, like here4search.biz, where it can get an additional configuration file, named text.dat.

I have the latest update but the scan results say that the infected file
(C:\WINDOWS\SYSTEM32\WINBFI32.DLL) can not be removed.

If I delete these registry entries will the Trojan be removed or should I remove the WINBFI32.DLL file manually - or would I be screwing up my machine?

[Kernel_Killer]

Um..This is a Windows security problem.

It's probably been there for quite some time now, and McAfee just now found it. Run HijackThis, and remove the offending startup/winlogon entry (if you have issues with this, or questions. Post the output from the scan), and try running AVG, and AVG Anti-Rootkit in safe mode to get the rest removed.