Author Topic: TrojanDownloader.Win32.Small.qe (Read 7758 times)

deltaplan · « **on:** August 13, 2004, 03:21:56 PM »

I have discovered file services.exe in C:\Windows folder and file mssyncr.exe in C:\Windows\System32 folder, both infected with TrojanDownloader.Win32.Small.qe as Kaspersky reports. They both have size arround 6K , packed with FSG packer. Unfortunately, Avast4 Home didn't detected it, the same as NOD32. Norton AV detected it as Trojan.Download .

Shuold I post these files to Avast team, or it's just false alarm ?

Eddy · « **Reply #1 on:** August 13, 2004, 03:51:30 PM »

If you have XP, services.exe in \windows\system32 is normal. If it is in \windows\ it is not. They other definatly is not system (windows) file. What happens if you right click them and choose scan? If Avast doesn't detect them, please put them in a password protected zip file and send them (along with the password ofcourse) to virus@avast.com

deltaplan · « **Reply #2 on:** August 13, 2004, 05:03:50 PM »

I have sent mail with infected files. Hope Avast guys will find fix soon. Right click and scan says nothing, I'm using virus definitions downloaded yesterday (12-Aug-2004), currently I'm not home, so I can't check if update from today will detect it.

deltaplan · « **Reply #3 on:** August 20, 2004, 03:06:24 PM »

I'm using VPS 0434-1 + Avast Home 4 ver. 4.1.418 , still no success

Eddy · « **Reply #4 on:** August 20, 2004, 05:04:34 PM »

Check the files with a online scanner. See if that tells something.

bob3160 · « **Reply #5 on:** August 21, 2004, 04:15:20 PM »

deltaplan

Quote

I'm using VPS 0434-1

Welcome to the Forum
Latest version is VPS 0434-2
Make sure your defenitions are uptodate.

bartmann22 · « **Reply #6 on:** August 28, 2004, 07:37:09 PM »

I was infected with this months ago and NOTHING detected it or cleaned it at the time.

I figured out how to remove it myself.

here is how I did it

http://computing.net/windowsxp/wwwboard/forum/108695.html

Bart

bob3160 · « **Reply #7 on:** August 28, 2004, 09:42:48 PM »

bartmann22
welcome to the forum.
You mention a program called Security Task Manager and say you used it to trace and destroy the trojan but, you never mention where you got the program or how it's used.
Referring someone to use other tools is fine. we do that all the time but, please be more specific. You also need to let people know that this is not a free program.

bartmann22 · « **Reply #8 on:** August 28, 2004, 11:22:35 PM »

Dear bob3160,

Let's see if I have this right.

- I am doing a Google search to see if anyone else has had a problem with services.exe and mssyncr.exe.

- I see someone from this forum had problems and needed help.

- I provide a link, that i previously posted on Computing.net months ago, with information that can possibly help someone with their problem.

- Now some clown is going to proceed to tell me that my post is incomplete, improper or not to their liking because i didn't write a book or tutorial telling them the exact, 6 hour, step by step procedure I used to remove it.

Let me guess, you are an 16 year old expert who considers themselves the authority on all things internet.

So much for trying to help.

P.S.

1. Try typing Security Task Manager into Google, It will be listed in the first link.

2. It is shareware, and works fine to look inside running processes.
You don't have to pay a dime if you don't want to keep it on your PC, though it is a fine program.

3. if you READ my posted link, I never said i used it to DESTROY it, only to look inside the executable.

I hope this posting is detailed enough for you. It was my second on this forum and it will be my last.

Bart

bob3160 · « **Reply #9 on:** August 29, 2004, 12:54:05 AM »

Dear Bart,
I don't know why you took an explanation and some friendly advice as a slap in the face. That was never my intention.
As you can see from my picture (Avatar), I'm not some 16 yr. old wizz kid even though we prob. have some on these Forums.
Unfortunately, a lot of people on here are new to computing and look forward to a thorough explanation.
I would much rather that you stayed and helped some of these people who have questions than go away angry.
If I've offended you, please accept my appology.

inthewildteam · « **Reply #10 on:** August 29, 2004, 02:22:13 AM »

Doesn't this trojan require some user intervention to install itself?

http://www.sophos.com/virusinfo/analyses/trojdloaderbm.html

deltaplan · « **Reply #11 on:** September 15, 2004, 10:23:13 AM »

Tried latest update 0438-1 and still nothing

deltaplan · « **Reply #12 on:** October 18, 2004, 08:31:32 PM »

Good work Avast team!
It is now detected as Win32:Trojano-545 [Trj] , VPS version 0442-3.

leof · « **Reply #13 on:** May 23, 2005, 07:04:34 PM »

I had this virus and my up-to-date Avast Home edition did NOT discover it. $:-\$
Leo

polonus · « **Reply #14 on:** May 25, 2005, 09:18:33 AM »

Halio Deltaplan,

My question to you. Did you get rid of the virus now? I like your nick. Deltaplan was the name of the dutch plan for the waterworks in the low lands to keep out the estuaries to the Northsea. Did you know that?

kind regards,

polonus