PWsteal.kuang.b & MSTASK32

Discussion in 'Malware Help (A Specialist Will Reply)' started by scmckinney2002, May 22, 2005.

  1. scmckinney2002

    scmckinney2002 Private E-2

    I am being driven out of my mind trying to get rid of the PWsteal.kuang.b Trojan horse that has apparently infected a file called MSTASK32. How it got past Norton AntiVirus 2002 which has Auto Protect turned on I am not sure, but it is definitely stuck in wherever it is. The Compuserve AntiVirus forum has been helpful, and Duane White suggested that I try sending an attachment of MSTASK32.dll to Hijack This. When I tried looking up Hijack This, I stumbled into Major Geek, which may or may not be connected to Hijack This in some way. Anyway, beyond using Norton, it was suggested that I try using something from Germany called AntiVir, which also was able to find MSTASK32, but it was also not able to get rid of it completely.

    What happens is when I delete MSTASK32 (which is supposed to be the trojan for pwsteal, I think) the blasted thing comes back when I reboot. In a recounting of my latest attempt to remove it:

    1. In safe mode, I went to Regedit, went to Local_Machine\Software\Microsoft\Windows\Current Version\Run and deleted MSTASK32.exe and anything else that said MSTASK32.

    2. I then used the File Manager to navigate to Windows\System and deleted and removed from the recycling bin anything that said MSTASK32.

    3. I then ran full system scan with Norton Antivirus, and after about an hour and 40 minutes got a clean bill of health.

    4. I rechecked Local_Machine and Windows\System and found nothing with MSTASK32, and then used the find files feature off the START menu to search for MSTASK32, and came up with an MSTASK32.LGC at something called APPLOG, which I deleted and cleared from Recycle.

    5. I rechecked for MSTASK32, and this time came up with nothing. I then hit restart.

    6. At restart in Normal Mode, the system came up normally, with the scheduler, sound, real player, compuserve, norton antivirus, epson, fineline (an internal messaging program) popping into the tray, with no interruptions. The Norton Antivirus did not have the Auto Protect start up, so I went to Norton Configure and checked the boxes that make it start up each time. (I had turned this off when I had been using the AntiVir program, which has since been uninstalled). I entered the UNIX system we have on the computer with no problems.

    7. I attempted to log on to Compuserve, but before it could get to step 2 of the dialup, the hard drive goes "BRRRT" (a curious sound that only happens when Norton finds something) and I am back to having MSTASK32 infected with PWSteal.kuang.b.

    8. I tried going back to safe mode, cleaning out Local_Machine and Windows\System, and I ran a quick Norton scan of Windows\System and searched using the File feature, which came up with a new version of the problem MSTASK32.zip at Compuserve2000a (?), which I deleted.

    9. I tried rebooting in Normal mode, and Norton hit MSTASK.exe twice before the tray had fully filled.

    Duane White had suggested that I try sending a message with an attachment of the MSTASK32.dll, but when I tried doing this earlier, any attempt to open this file to attach it would bring Norton into action.

    This raw recruit needs help from the officer corps. Any advice would be appreciated. Has MSTASK32 written itself into my startup files? When I use safe mode, which I think bypasses the startup files, there is no hit by Norton. However, when I scan for anything with MSTASK32 while in safe mode, and delete the offending malware, it comes back. Is there a possibility that MSTASK32 or PWsteal is calling itself something else that simply rewrites itself in MSTASK32 form whenever a boot-up is initiated and it doesn't find itself in the registry? Norton/Symantec lists this as "easy" to remove. If this is easy, I'd hate to see hard.

    Stuart McKinney
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
