From: edgewalker on 15 Apr 2006 17:07

"Joe" <joedinmore(a)yahoo.com.au> wrote in message news:MPG.1eaaee4fa5e5db299896a1(a)news.aardvark.net.au...
> In article <1240ei75rke7f26(a)corp.supernews.com>, null(a)null.invalid
> says...
> >
> > "Joe" <joedinmore(a)yahoo.com.au> wrote in message news:MPG.1eaadb39da47fc6a9896a0(a)news.aardvark.net.au...
> > > AntiVir has started reporting
> > > (TR/Dldr.small.cml.7) on each bootup of Win XP
> snip
> >
> > Where was it found, and what filename did it have?
> >
> Found it in windows/system32/winowk32.dll, which I suspect is a random
> name.

A name like that, and in that location, I suspect you're right.

> > It might be a false positive declaration of that malware - or not.
> >
> I'm a bit worried that it might be a Bagle variant, but I have no reason
> for this.

Bagle schmagle - it's bad enough you have a downloader and you don't know what it might have done if executed. Now that you have a filename, you can send that file to online single-file scanners like Jotti or VirusTotal to see what other detectors have to say about it. You can get more info to determine for yourself if it is a FP or not, and get some names that other vendors use for this piece of malware. Armed with new names, even more info becomes available.
From: Joe on 15 Apr 2006 22:19
In article <HM_%f.5956$L.280256(a)news20.bellglobal.com>, kurtw(a)sympatico.ca says...
> Joe wrote:
> > In article <1240ei75rke7f26(a)corp.supernews.com>, null(a)null.invalid
> > says...
> >> "Joe" <joedinmore(a)yahoo.com.au> wrote in message news:MPG.1eaadb39da47fc6a9896a0(a)news.aardvark.net.au...
> >>> AntiVir has started reporting
> >>> (TR/Dldr.small.cml.7) on each bootup of Win XP
> > snip
> >> Where was it found, and what filename did it have?
> >>
> > Found it in windows/system32/winowk32.dll, which I suspect is a random
> > name.
> >
> ... hopefully that's all
> you've got - a downloader trojan's purpose is to download other malware
> onto your computer and run it...
>
> I suspect this page describing trojandownloader.win32.small
> (http://www.f-secure.com/v-descs/trdlsmal.shtml) applies to what you've
> got...
>

Aha! Yes - that appears to be it. I went looking in the file system, and found Adservice.bat and adservice.dll along with the winowk32.dll, all with the same date and time. The DLLs were both 17408 bytes long and identical in content. I haven't checked the registry yet, but I'm feeling better about things now. Renaming the three files just mentioned makes the problem disappear. (Whether that is the same as "problem goes away" is yet to be determined.) Thanks VERY much indeed.
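Two practical points come out of this thread: edgewalker's advice to identify the file by hashing it and checking what other scanners call it, and Joe's observation that the dropped components shared one timestamp and that two of them were byte-identical. The script below, which is an added example and not code from any poster, automates that triage: given a detected file, it walks a directory tree, collects every file whose modification time falls within a short window of the suspect's, and hashes each one so identical copies stand out. The sample tree it builds (three files written together, one older bystander) is constructed for the demo, the 17408-byte "MZ" blob is a stand-in rather than real malware, and the 120-second window and SHA-256 are my assumptions; the hashes it prints are what you would paste into Jotti or VirusTotal's hash lookup, or search for under the other vendors' names.

```python
import hashlib
import os
import tempfile
from datetime import datetime


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_siblings(root, suspect, window_seconds=120):
    """Return files under `root` whose mtime lies within `window_seconds`
    of the suspect's mtime, with size, SHA-256 and a flag for files whose
    content is byte-identical to the suspect.

    Droppers usually write all their components in one go, so a tight
    timestamp cluster around the detected file is a good lead; the hash
    then tells you which of those files are copies of the same binary
    and gives you something to look up by name or hash elsewhere.
    """
    suspect_abs = os.path.abspath(suspect)
    suspect_mtime = os.stat(suspect_abs).st_mtime
    suspect_hash = sha256_of(suspect_abs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished mid-walk; skip, do not abort
            if abs(st.st_mtime - suspect_mtime) > window_seconds:
                continue
            digest = sha256_of(path)
            hits.append({
                "name": name,
                "path": path,
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                "sha256": digest,
                "identical_to_suspect": (digest == suspect_hash
                                         and os.path.abspath(path) != suspect_abs),
            })
    return sorted(hits, key=lambda h: h["path"])


def build_demo_tree():
    """Constructed sample tree (assumption, not a real infected system):
    two identical 17408-byte DLLs and a .bat written together, plus one
    unrelated file whose mtime is pushed 30 days back."""
    root = tempfile.mkdtemp(prefix="triage_")
    payload = b"MZ" + bytes(17406)  # placeholder blob sized like the thread's DLLs
    for name in ("winowk32.dll", "adservice.dll"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "Adservice.bat"), "w") as f:
        f.write("@echo off\r\nrem constructed placeholder\r\n")
    bystander = os.path.join(root, "legit_old.dll")
    with open(bystander, "wb") as f:
        f.write(b"MZ" + bytes(100))
    now = os.stat(os.path.join(root, "winowk32.dll")).st_mtime
    os.utime(bystander, (now - 86400 * 30, now - 86400 * 30))
    return root


def triage_demo():
    """Run the sweep against the constructed tree, using winowk32.dll as the suspect."""
    root = build_demo_tree()
    return find_siblings(root, os.path.join(root, "winowk32.dll"))


if __name__ == "__main__":
    for h in triage_demo():
        tag = "  <- identical to suspect" if h["identical_to_suspect"] else ""
        print(f'{h["mtime"]}  {h["size"]:>7}  {h["sha256"][:16]}...  {h["name"]}{tag}')
```

On a live machine you would point `find_siblings` at the real system directory with the path AntiVir reported; the one caveat is that the sweep hashes every file inside the window, so run it as-is, without executing or "fixing" anything it finds, and keep the hashes and names for whatever the scanners and vendor write-ups turn up.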