From: edgewalker on

"Joe" <joedinmore(a)yahoo.com.au> wrote in message news:MPG.1eaaee4fa5e5db299896a1(a)news.aardvark.net.au...
> In article <1240ei75rke7f26(a)corp.supernews.com>, null(a)null.invalid
> says...
> >
> > "Joe" <joedinmore(a)yahoo.com.au> wrote in message news:MPG.1eaadb39da47fc6a9896a0(a)news.aardvark.net.au...
> > > AntiVir has started reporting
> > > (TR/Dldr.small.cml.7) on each bootup of Win XP
> snip
> >
> > Where was it found, and what filename did it have?
> >
> Found it in windows/system32/winowk32.dll, which I suspect is a random
> name.

A name like that, and in that location, I suspect you're right.

> > It might be a false positive declaration of that malware - or not.
> >
> I'm a bit worried that it might be a bagle variant, but I have no reason
> for this.

Bagle schmagle - it's bad enough you have a downloader and you don't
know what it might have done if executed.

Now that you have a filename, you can send that file to online single file
scanners like jotti or virustotal to see what other detectors have to say
about it. You can get more info to determine for yourself if it is a FP or
not, and get some names that other vendors use for this piece of malware.
Armed with new names, even more info becomes available.


From: Joe on
In article <HM_%f.5956$L.280256(a)news20.bellglobal.com>,
kurtw(a)sympatico.ca says...
> Joe wrote:
> > In article <1240ei75rke7f26(a)corp.supernews.com>, null(a)null.invalid
> > says...
> >> "Joe" <joedinmore(a)yahoo.com.au> wrote in message news:MPG.1eaadb39da47fc6a9896a0(a)news.aardvark.net.au...
> >>> AntiVir has started reporting
> >>> (TR/Dldr.small.cml.7) on each bootup of Win XP
> > snip
> >> Where was it found, and what filename did it have?
> >>
> > Found it in windows/system32/winowk32.dll, which I suspect is a random
> > name.
> >

> ... hopefully that's all
> you've got - a downloader trojan's purpose is to download other malware
> onto your computer and run it...
>
> i suspect this page describing trojandownloader.win32.small
> (http://www.f-secure.com/v-descs/trdlsmal.shtml) applies to what you've
> got...
>
>
Aha! Yes - that appears to be it. I went looking in the file system, and
found Adservice.bat, adservice.dll along with the winowk32.dll, all with
the same date and time. The DLLs were both 17408 bytes long and identical
in content.
I haven't checked the registry yet, but I'm feeling better about things
now. Renaming the three files just mentioned makes the problem disappear.
(Whether that is the same as "problem goes away" is yet to be determined.)
Thanks VERY much indeed.
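Two pieces of triage come up in this thread: edgewalker's suggestion to submit the detected file (or its hash) to a multi-engine scanner such as VirusTotal or Jotti, and Joe's method of finding the rest of the drop by looking for files with the same date and time and then comparing them byte for byte. The script below is an added example, not code from anyone in the thread, that automates that second step and produces the hash for the first. It walks a directory, collects every file whose modification time is within a couple of seconds of the suspect's, and groups those files by (size, SHA-256) so that byte-identical copies dropped under different names stand out. The file tree it runs against is constructed in a temp directory for the demo (the DLL and .bat contents are placeholders, not real malware); point `triage()` at a real `system32` and the real suspect path to use it.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole.
    This is the value to look up on VirusTotal/Jotti before uploading anything."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def siblings_by_mtime(root, suspect, tolerance=2):
    """Files under root whose modification time is within `tolerance` seconds
    of the suspect's (the suspect itself is excluded). A dropper usually
    writes all of its components in one go, so they share a timestamp."""
    ref = os.stat(suspect).st_mtime
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.samefile(path, suspect):
                    continue
                st = os.stat(path)
            except OSError:          # unreadable or vanished file: skip it
                continue
            if abs(st.st_mtime - ref) <= tolerance:
                hits.append(path)
    return sorted(hits)


def triage(root, suspect, tolerance=2):
    """Group the suspect and its timestamp siblings by (size, sha256) so that
    byte-identical copies (one payload dropped under two names) stand out."""
    groups = defaultdict(list)
    for path in [suspect] + siblings_by_mtime(root, suspect, tolerance):
        groups[(os.path.getsize(path), sha256_of(path))].append(path)
    return {key: sorted(paths) for key, paths in groups.items()}


def build_demo():
    """Constructed sample tree (NOT a real infection): two identical 17408-byte
    DLLs and a .bat sharing one mtime, plus an unrelated file a day older."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    sys32 = os.path.join(root, "system32")
    os.makedirs(sys32)
    dll_body = b"MZ" + b"\x00" * (17408 - 2)            # placeholder bytes, not code
    drop_time = 1_140_000_000                            # arbitrary epoch seconds
    files = {
        "winowk32.dll": (dll_body, drop_time),
        "adservice.dll": (dll_body, drop_time),
        "Adservice.bat": (b"@echo off\r\nrem placeholder\r\n", drop_time),
        "unrelated.dll": (b"MZ" + b"\x01" * 4094, drop_time - 86400),
    }
    for name, (body, mtime) in files.items():
        path = os.path.join(sys32, name)
        with open(path, "wb") as f:
            f.write(body)
        os.utime(path, (mtime, mtime))
    return root, os.path.join(sys32, "winowk32.dll")


def demo_report():
    """Run the triage on the constructed tree; returns basenames for easy checking."""
    root, suspect = build_demo()
    siblings = [os.path.basename(p) for p in siblings_by_mtime(root, suspect)]
    identical = sorted(
        sorted(os.path.basename(p) for p in paths)
        for paths in triage(root, suspect).values()
        if len(paths) > 1
    )
    return {"suspect_sha256": sha256_of(suspect),
            "siblings": siblings,
            "identical": identical}


if __name__ == "__main__":
    report = demo_report()
    print("hash to look up / file to submit:", report["suspect_sha256"])
    print("written at the same time as the suspect:", report["siblings"])
    print("byte-identical groups:", report["identical"])
```

The timestamp tolerance is deliberately small: a dropper writes its files within the same second or two, while legitimate installers and Windows Update touch far more files over a longer window, so widening it mostly adds noise. Hashing rather than comparing sizes alone matters because two files of the same length can differ; here the two DLLs land in one group only because their SHA-256 matches, while the .bat of the same timestamp is reported as a sibling but not as a copy.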