The Sophos scanner is here:
http://www.sophos.com/tools/sav32sfx.exeThe latest updates are here:
http://www.sophos.com/downloads/ide/403_ides.zipThe Sophos page recommends running the scanner from a CD, but it will run from the hard disk assuming the Trojan is not preventing this.
Run SAV32sfx.exe and move the folder produced to the root directory. (C:/)
[EDIT: just checked and C:/SAV32CLI is the default location when unzipping, so there is no need to move the folder.]
Unzip the updates file and move the contents to the same folder.
Reboot into safe mode with command prompt. Navigate to the folder you created:
[Edit: Navigate to the root directory using cd.. ]
CD SAV32CLI, I think it should be. [Edit: it is]
Type in this command and hit enter:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
Another possibility is TrojanHunter, which will remove process injecting Trojans. (It has a free working trial.)
http://www.misec.net/To attempt manual removal, delete or edit these registry values and reboot:
The following registry entries are created to run emgfx.exe, nwisse.exe, winspols.scr and svch0st.com on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(tt9381D8F2-0288-11D0-9501-00AA00B911A5)
StubPath
<System>\emgfx.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwisse
<Windows>\nwisse.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe winspols.scr
[Delete winspols.scr NOT the whole key]
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe
to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
<System>\SVCH0ST.com
[Edit: regedit will run from the command prompt in safe mode. Explorer.exe is not running in safe mode with command prompt so you should be able to delete the winspols.scr entry from the explorer.exe key without any problem.]
Good luck!
