Need help finding trojan

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

FrankB

Thread Starter
Joined
Mar 19, 2001
Messages
221
I believe I have a very quiet virus or trojan. It started a few weeks ago. I'm on XP SP2 and noticed that the first time I now go to any new web site there is a 7 to 25 second delay. It says "opening page" at the bottom of my screen (the correct page). I have DSL, so it paints very fast once the page opens. Once I go to a site once, the next time is immediate. If I close IE and reopen it, it again takes 7 to 25 seconds. I ran NAV, SystemWorks clean sweep, windoctor, Adaware, Spybot, and HijackThis. The HijackThis log looks the same as before the problem started. I installed a new router with a firewall and installed Norton Firewall. I've run netstat -a and don't see anything really abnormal. I've turned off sys.ini and win.ini and it didn't help. I then turned off almost all services and it works fine. I turned them on one at a time until I could narrow down the service that was causing the problem. It is Remote Access Auto connection manager or Rasauto. With Rasauto disabled I'm fine. I read about a trojan, Backdoor-AZF, that replaces your rasauto.dll with a trojan. My rasauto.dll is 87KB. Can anyone help figure out if this is a new virus or trojan? I went to Microsoft chat support twice but they were not interested at all. Thank you!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
I very much suspect that it is a trojan

I would strongly recommend downloading and running a specialised anti trojan
the antitrojan that I use for dealing with them is

TDS3 from http://tds.diamondcs.com.au/

download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

sit back with a cup of coffee and watch what it finds

NOTE:

Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

right click any file it finds and it gives you options on dealing with it, the normal selection would be delete, but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

post back with the tds log after running please, just copy & paste the entries from the scandump.txt
 

FrankB

Thread Starter
Joined
Mar 19, 2001
Messages
221
Derek,
Thanks for the info and the great program. It didn't find anything. I've run every option and learned a lot. The interesting thing is the problem is also gone. I set rasauto to (manual) and went to a web site without a problem.

TDS found four files with MZ.EXE in my Windows fax program. After researching they are not a problem. I deleted one incoming and four sent faxes and reran the scan and it found nothing.

I checked the ports for listening and ports 25, 80, 81, 82, 83, 110, and 119 "closed connection immediately".

Local port scan showed loc-scan.exe listening for a connection.

One thing I did notice changed. On boot up lately I would hear a pop in the speaker like in the old days on dialup if you had the speaker off on your modem. I no longer hear this. It may be related. If it was someone monitoring maybe they saw that I was trying to track them down?
Thanks again
Frank
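
An added example, not part of the original thread and not code from any poster: the first post judges rasauto.dll by its size (87KB), which says little about whether the file was replaced. This PowerShell check instead resolves which DLL the RasAuto service actually loads and reports its location, hash and signature status. It assumes Windows PowerShell 5.1 or later (so a newer system than the XP SP2 machine in the thread) and the usual svchost service layout, where the DLL path is stored in the `Parameters\ServiceDll` registry value.

```powershell
# Added example. Assumes Windows PowerShell 5.1+ and a svchost-hosted RasAuto service.
$ErrorActionPreference = 'Stop'
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasAuto'

# 1. What hosts the service, and which DLL is it configured to load?
$imagePath  = (Get-ItemProperty -Path $svcKey).ImagePath
$serviceDll = (Get-ItemProperty -Path "$svcKey\Parameters").ServiceDll
$dllPath    = [Environment]::ExpandEnvironmentVariables($serviceDll)

# 2. File facts. Size is recorded for reference only; the hash is what
#    can be compared against a known-good copy from the same OS build.
$file = Get-Item -LiteralPath $dllPath
$hash = Get-FileHash -LiteralPath $dllPath -Algorithm SHA256

# 3. Signature check (embedded or catalog signature).
$sig    = Get-AuthenticodeSignature -LiteralPath $dllPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

# 4. Collect anything that deviates from the expected configuration.
$findings    = @()
$expectedDir = Join-Path $env:SystemRoot 'System32'
if ($imagePath -notmatch 'svchost\.exe') {
    $findings += "ImagePath is not svchost.exe: $imagePath"
}
if ($file.DirectoryName -ine $expectedDir) {
    $findings += "ServiceDll is outside System32: $dllPath"
}
if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is $($sig.Status), not Valid"
}

[PSCustomObject]@{
    ServiceDll  = $dllPath
    SizeKB      = [math]::Round($file.Length / 1KB, 1)
    LastWritten = $file.LastWriteTime
    SHA256      = $hash.Hash
    SigStatus   = $sig.Status
    Signer      = $signer
    Findings    = if ($findings) { $findings -join '; ' } else { 'none' }
} | Format-List
```

An empty findings list only means the service configuration and file signature look normal; it does not rule out other causes of the delay described in the thread.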
 