Trojandownloader.Small.azk [RESOLVED]



#1 tractor (New Member, 5 posts)
Trojandownloader.Small.azk - Trojan found can't remove, please help!

I have a laptop with XP Home 2002, Service Pack 2, ZoneAlarm Firewall (not Pro) which along with McAfee virus-scan and Teatimer are resident as my main protection. I scan with Ad-Aware & SpyBot & Hijackthis almost everyday.

I was online with IE and got a pop-up message that a trojan was found, it could not be deleted or quarantined. I got offline (system restore off and "safe boot") and scanned with Ad-Aware, SpyBot and McAfee; found nothing. Concerned, got online and searched/read and tried using: smitRem, CWShredder, WinPFind, about:buster, ewido, remove.bat, and hsfix. All these programs were dl'd or updated this week so they are the latest or should be.

Ewido found 3 trojans and removed them, upon reboot ewido found trojandownloader.Small.azk again and I've tried numerous things but it won't stay away. Scan after scan (or deletion after deletion) ewido finds "trojandownloader.Small.azk". Can you help a tired fellow out?

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:30:11 PM, 10/6/2005
+ Report-Checksum: 7EC82375

+ Scan result:

C:\WINDOWS\SYSTEM32:ilaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup


::Report End
_________________________________________________________________________
I have never seen the ":" used this way; I assume it is similar to using "\". Where this indicates a file named "ilaa.dll" in the system32 directory?
__________________________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 9:14:47 PM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\tcpview\Tcpview.exe
C:\Program Files\Active Ports\aports.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WLMonWPC54G] C:\Program Files\Linksys\Wireless-G Notebook Adapter\WLMon.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123581359167
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123581349073
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
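The path C:\WINDOWS\SYSTEM32:ilaa.dll in the Ewido report above is NTFS alternate data stream notation: a named stream called ilaa.dll attached to the SYSTEM32 directory itself, not a file inside it, which is why Explorer and a plain directory listing never show it. The PowerShell below is an added example (not from the thread, Ewido or HijackThis) that lists such streams in the same path:stream form; the function name, the Recurse switch and the System32 target are my choices, and it assumes Windows PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: enumerate NTFS alternate data streams (ADS) on a directory
# or file and report them as "path:stream", the way the Ewido report did.
# Assumes Windows PowerShell 3.0+ (or PowerShell 7) and an NTFS volume.
function Get-NamedStream {
    param(
        [Parameter(Mandatory)][string]$LiteralPath,
        [switch]$Recurse   # also check every file and folder beneath the target
    )
    $targets = @(Get-Item -LiteralPath $LiteralPath -Force)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $LiteralPath -Recurse -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $targets) {
        # -Stream * returns every stream on the object. ':$DATA' is the ordinary
        # content of a file; a directory has no $DATA stream, so anything listed
        # on a directory is a named stream that something created on purpose.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Reported = '{0}:{1}' -f $_.FileName, $_.Stream   # e.g. C:\WINDOWS\SYSTEM32:ilaa.dll
                    Bytes    = $_.Length
                }
            }
    }
}

# The directory the Ewido report flagged (hypothetical target for this example).
$target = Join-Path $env:SystemRoot 'System32'
$hits = Get-NamedStream -LiteralPath $target
if ($hits) {
    $hits | Format-Table -AutoSize
    # Once a stream is confirmed unwanted it can be deleted without touching the
    # directory that carries it:  Remove-Item -LiteralPath $target -Stream <name>
} else {
    "No named alternate data streams on $target"
}
```

Run it from an elevated prompt so that access-denied errors on protected paths do not hide a result; a stream that reappears after deletion means whatever writes it is still running, which is the situation the rest of this thread is about.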



#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Run an online scan at Kaspersky to see if it finds anything. Post the log here.

#3 tractor (Topic Starter, New Member, 5 posts)
I hope these are acceptable as Kaspersky needs to dl software to run.
-----------------------------------
Pandasoft Nothing Found

Detected Disinfected
Virus 0 0
Spyware 0 0
Hacking Tools 0 0
Dialers 0 0
Security Risks 0 0
Suspicious files 0 0
---------------------------------
www.trojanscan.com
no malware found
--------------------------------

I tried to dl and run TrojanHunter but it says my trial is up before I even get to run it. I dl'ed a scanner from www.nod32.com and it didn't find anything.

Is there a chance that ewido is incorrect?

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I'm sure there is a chance that Ewido is reporting it incorrectly, but to be honest, I have never seen it report a false positive before...it's pretty good at what it does. So if it's detecting it, I wouldn't ignore it just yet...at least not without running one or more tests just to be sure.

Run Kaspersky and see what it reports back. Download the file required to run it. I don't think you need to be online for it once you have downloaded the file.

#5 tractor (Topic Starter, New Member, 5 posts)
>Run Kaspersky and see what it reports back.

Okay this is what Kaspersky says before dl:

Requirements and limitations:

When using this service for the first time, you have to run with Administrator privileges in order to install the product. Also, you will need to download and install files about 400 KB in size (about 1 minute on a 57.6 kbps connection) followed by 6 MB of virus definitions.
-----------------------

The only place I have seen "Administrator rights" is in SAFE Mode, other than that I don't know how to access it. In SAFE Mode I don't believe I can access the internet. Am I wrong? I need a little help to access administrator rights in normal mode.

Thank you.

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Are you the only user of this computer? If so, you most likely have the administrative rights in your Normal Mode account already. So run the scan.

Just for your info, Safe Mode may be able to go online. Try Safe Mode with Networking...see if it works. You may run it in Normal Mode though. Just telling you that about safe mode for your info :tazz:

#7 tractor (Topic Starter, New Member, 5 posts)
Hello greyknight17

The scan is complete.
No malware has been detected. The sections that have been scanned are CLEAN.

Report is empty.

Total number of scanned files: 49779
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 4186.79 sec


I also re-ran this scan with the second option or selection, the one where it scans for dialers with the same result.

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, let's try this out:

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure that TeaTimer is closed/disabled now.

Run the Ewido scan and see if it still finds that Trojandownloader. If so, just remove it again. Go into your Ewido folder (C:\Program Files\...) and see if there is a Recovery/Quarantine folder. If so, go in there and delete everything.

Restart and run a new Ewido scan. Still found now?

#9 tractor (Topic Starter, New Member, 5 posts)
Hello greyknight17

I am amazed at the volume of traffic on this site, thank you for your time in helping me.

I found two files in the Quarantine folder and deleted them; the trojan was still found after a scan was performed.

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.