1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Need help finding trojan

Discussion in 'Virus & Other Malware Removal' started by FrankB, Sep 9, 2004.

Thread Status:
Not open for further replies.
  1. FrankB

    FrankB Thread Starter

    Mar 19, 2001
    I believe I have a very quiet virus or trojan. It started a few weeks ago. I'm on XP SP2 and noticed that the first time I now go to any new web site there is a 7 to 25 second delay. It says opening page at the bottom of my screen (the correct page) I have dsl so it paints very fast once the page opens. Once I go to a site once the next time is immediate. If I close IE and reopen it, it again takes 7 to 25 seconds. I ran NAV, SystemWorks clean sweep, windoctor, Adaware, Spybot, and Hijack this. The hijack this looks the same as before the problem started. I installed a new router with a firewall and installed Norton Firewall. I've run netstat -a and don't see anything really abnormal. I've turned off sys.ini and win.ini and it didn't help. I then turned off almost all services and it works fine. I turned them on one at a time until I could narrow down the service that was causing the problem. It is Remote Access Auto connection manager or Rasauto. With Rasauto disabled I'm fine. I read about a trojan, Backdoor-AZF that replaces your rasauto.dll with a trojan. My rasauto.dll is 87KB. Can anyone help figure out if this is a new virus or trojan? I went to Microsoft chat support twice but they were not interested at all. Thank you!
  2. dvk01

    dvk01 Moderator Malware Specialist

    Dec 14, 2002
    First Name:
    I very much suspect taht it is a trojan

    I would strongly recommend downloading and running a specialised anti trojan
    the antitrojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

    sit back with a cup of coffee and watch what it finds


    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt
  3. FrankB

    FrankB Thread Starter

    Mar 19, 2001
    Thanks for the info and the great program. It didn't find anything. I've run every option and learned a lot. The interesting thing is the problem is also gone. I set rasauto to (manual) and went to a web site without a problem.

    TDS found four files with MZ.EXE in my Windows fax program. After researching they are not a problem. I deleted one incoming and four sent faxes and reran the scan and it found nothing.

    I checked the ports for listening and ports 25, 80,81,82,83,110, and 119 "closed connection immediately"

    Local port scan showed loc-scan.exe listening for a connection.

    One thing I did notice changed. On boot up lately I would hear a pop in the speaker like in the old days on dialup if you had the speaker off on your modem. I no longer hear this. It may be related. If it was someone monitoring maybe they saw that I was trying to track them down?
    Thanks again
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/271972

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice