Marc Encounters a Trojan
I've been asked to document my encounter with a trojan on my (work) computer. I've successfully managed to reconstruct the gories in excruciating detail, just in case any of it might help someone sometime.

I have an FTP server called Serv-U that, along with FTP Voyager, I use to keep my work and home computer directories synchronized. One day I found that my Serv-U license had changed to some bogus 'enterprise' version, and that I could not log in to my computer via FTP as usual. (Error messages were returned written in German!) I could shut down the FTP server, but that in itself was odd since I had to shut it down, then shut it down again, before it'd finally stop. Weird. I think the trojan must've been somehow running as a layer on top of the valid server process. Anyway, upon restarting the server it seemed normal. For a time. If I closed the admin program, or if I rebooted, then the trojan would again take over. I never found any bogus files on my disk or mysterious internet traffic, so I don't know what if anything this trojan was supposed to do aside from being an annoyance.

I thought at the time I must've somehow picked up a virus, perhaps an infected version of the server since I'd recently upgraded. So I removed the server and re-installed. No dice. Rolled back to the previous version. No joy. Re-downloaded and re-installed the latest version. Still no joy. I then ran four different virus checking programs (McAfee, Norton, Earthlink (which I think is the same as Norton), and an open-source one called clamwin), also adware programs Spybot S&D and Ad-Aware SE. None of them found anything of interest on my hard drive or in my registry or amongst any of the running processes. Sigh.

I emailed the FTP server company and described the problem (including a screen shot of the bogus license). They said I most likely had a trojan. They pointed me to this page and this page and wished me luck (for real -- they weren't being callous or flip). The latter is about how one might set about removing a rootkit trojan. Rootkits are nasty. If you've got one of those, you might be in serious trouble. The former has several useful security-related links. One of the links is to SysInternals, where I downloaded a rootkit detector. Whew, probably not a rootkit.

Another link is to an online trojan scanner. The scanner is actually an ActiveX bastardization of a standalone scanner called a-squared, written by a guy in Germany. (Funny how much, or even most, of the best software these days is not written by Americans.) Since the online scanner uses ActiveX, you have to use IE to run it. Oh, the irony. I downloaded and installed the free version of a-squared and ran that instead. It correctly found my RealVNC server and identified it as "riskware", meaning it can (legitimately) be used to gain access to my machine. It also found AdmDll.dll, lsas.exe, and pskill.exe, also flagged as riskware. I didn't know what any of these last three were.

Google AdmDll.dll: valid Windoze remote admin program (which I'd by default disabled in system services anyway, long long ago), also used by certain trojans. Mine seemed to be in the right place, so probably not a problem. Google pskill.exe: another valid executable, but a name also used by certain trojans. My pskill was in the correct directory; probably not a problem. Lsas.exe? WTF? It's a misspelling of the Windoze security process lsass.exe (oh, the irony!). Hah! Trojan!

The page I was reading recommended using WinTasks to remove it. Huh, sounds simple. I even own the program. Fired up WinTasks. Yup, lsas.exe was running. Killed the process, then deleted the file. That was easy; didn't even have to boot up in safe mode to do it. Wondered what else WinTasks, which has a large library of process descriptions, might unearth. Regsvc32.exe!? Misspelling of regsvr32.exe, and a(n apparently harmless) html homepage hijacker. I don't use IE so didn't even think to check if my homepage setting had been hijacked. Killed and deleted it (the hijacker, not IE). Whatever. Nothing else suspicious was revealed in the running process list, which -- it is very much worth noting (cf. next paragraph) -- is spit out by the Windoze API.

How about the registry autostart list (a convenient button on WinTasks)? Hmm.... Updater.exe? Specifically, C:\updater.exe!? WTF? It was running, but it didn't show up on the running process list. Clever. Killed and deleted it. Now I was really surprised I didn't have to do that in safe mode! Nothing else suspicious on the autostart.
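The two checks that paid off in the last few paragraphs (a near-miss spelling of a core Windows binary such as lsas.exe or regsvc32.exe, and an autostart entry sitting in an odd place or missing from the visible process list) can be scripted. The following is an added example written for this page, not code from the post or from WinTasks; the list of core binaries, the expected directory prefixes and the sample inputs are all assumptions constructed to mirror the story.

```python
"""Triage helper for Windows autostart entries (added example, not from the post).
Flags image names one edit away from a core system binary (lsas.exe, regsvc32.exe),
images outside the usual install directories, and images with no visible process."""
import ntpath
# Core binaries that malware imitates with near-miss spellings (assumed list).
CORE_BINARIES = {"lsass.exe", "regsvr32.exe", "svchost.exe", "csrss.exe",
                 "winlogon.exe", "services.exe", "explorer.exe"}
# Directory prefixes where legitimate autostart programs normally live (assumption).
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(image_name):
    """Return the core binary that image_name imitates (exactly one edit away), else None."""
    name = image_name.lower()
    if name in CORE_BINARIES:
        return None
    return next((real for real in CORE_BINARIES if edit_distance(name, real) == 1), None)

def audit(autostart, visible_processes):
    """Return findings for (value name, image path) pairs given visible process image names."""
    visible = {p.lower() for p in visible_processes}
    findings = []
    for value_name, path in autostart:
        name = ntpath.basename(path).lower()
        real = lookalike(name)
        if real:
            findings.append(f"{value_name}: {name} looks like a misspelling of {real}")
        if not path.lower().startswith(EXPECTED_PREFIXES):
            findings.append(f"{value_name}: unusual location {path}")
        if name not in visible:
            findings.append(f"{value_name}: {name} absent from visible process list; confirm with a second view")
    return findings

# Constructed sample inputs modelled on the post, not real captures.
SAMPLE_AUTOSTART = [("Updater", r"C:\updater.exe"),
                    ("lsas", r"C:\WINDOWS\system32\lsas.exe"),
                    ("ServUDaemon", r"C:\Program Files\Serv-U\ServUDaemon.exe")]
SAMPLE_VISIBLE = ["lsas.exe", "lsass.exe", "ServUDaemon.exe", "explorer.exe"]
if __name__ == "__main__":
    for line in audit(SAMPLE_AUTOSTART, SAMPLE_VISIBLE):
        print(line)
```

On a real host, feed `audit` the Run-key values and the process list from whatever tools you trust; an entry that the process-list API does not show is exactly the case where a second view (a rootkit detector, or the autostart view of a tool like WinTasks) is worth consulting.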

After a reboot, it appeared that whatever was causing my FTP server problem had been zapped. I don't know if the culprit was updater.exe or lsas.exe or both. No problems since.