Q: Trojan bkdr_small.ai ( Answered,   2 Comments )
Question  
Subject: Trojan bkdr_small.ai
Category: Computers
Asked by: dgp-ga
List Price: $10.00
Posted: 23 Apr 2005 09:53 PDT
Expires: 23 May 2005 09:53 PDT
Question ID: 513108
I am running XP SP2 with all of the latest security updates. I use AVG
anti virus (always updated) and Zone alarm. I also use SpyBot and Ad
Aware regularly. Just for fun, once a week I also run Housecall. This
week when running Housecall 6.0 beta it detected bkdr_small.ai but
could or would not take any action. If I run the regular Housecall it
stops when scanning the system files and reports "Found malaware
bkdr_small.ai and deleted it". However if I immediately run Housecall
again I get the same message.

I have tried doing this with restore turned off and in safe mode but
the end result is that Housecall always finds bkdr_small.ai.  (But
AVG, Spybot and Ad Aware do not). I have also searched the web but not
found any information on how to shift this Trojan.

I would surely appreciate any help with this.

DGP
Answer  
Subject: Re: Trojan bkdr_small.ai
Answered By: missy-ga on 23 Apr 2005 13:07 PDT
 
Hi there,

Don't you just want to take these Trojan writers and throttle the life
right out of them?  Slowly, and maybe dig their hearts out with a
blunted spoon, so it really hurts?

The Trojan bkdr_small.ai is actually a dropped DLL file from another Trojan:

TROJ_DROPPER.AX
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DROPPER.AX


It looks like this one is a really stubborn one, and it's going to
require some hideous tinkering to get your system scrubbed out. 
According to TrendMicro, you're going to have to take this bad boy out
manually, and you're going to need a clean (non-infected) hard disk
with your operating system installed on it to get the job done
thoroughly.

[ If you don't have a spare hard drive lying about and aren't in a
position to drop $80 on another one at the moment, try your local
Freecycle list:  http://www.freecycle.org  Computer bits come up on
offer all the time, and many people who post WANTED notices for such
end up with several offers of help. ]

First, make sure System Restore is turned off, then go back and run
Housecall again.  WRITE DOWN the path for EVERY occurrence of
bkdr_small.ai.

Next, shut down your computer and remove the infected hard disk.  Set
it to function as a slave, install a clean Master disk (and make sure
to keep System Restore OFF), then connect the infected drive.  Start
up your computer, browse to the slave drive, then browse to all
occurrences of bkdr_small.ai (consult your list from the first step to
make sure you get them all) and delete them.

Disconnect both drives, return the slave to Master function, and
reconnect it.  Boot your computer and open up Regedit.  You'll need to
delete a number of Autostart entries from the registry to make sure
this thing is good and gone:

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon>Notify>
3. In the right panel, locate and delete the entry or entries whose
   data value is the malware path and file name of the file(s) detected
   earlier.
4. In the left panel, locate and delete the following entries:

    * HKEY_LOCAL_MACHINE>Software>Classes>CLSID>
      {1C044AAD-7955-4cbd-8175-501A165C4E5D}
    * HKEY_CLASSES_ROOT>CLSID>
      {1C044AAD-7955-4cbd-8175-501A165C4E5D}

5. Close Registry Editor.

Now reboot your computer.

Info here:

BKDR_SMALL.AI
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FSMALL%2EAI&VSect=Sn

Surprisingly, neither Grisoft nor Symantec has information about this
Trojan in their virus lists, even though the Trojan appears to be
about a month old.  I'm not surprised you had a hard time finding
information about this!

Good luck with the system scrubbing.  If I can be of further
assistance, please do let me know.

--Missy

Search terms:  [ bkdr_small.ai ] at Grisoft, Symantec and TrendMicro
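
A read-only check for the autostart entries named in the answer above, as an added example that is not part of the original answer or of TrendMicro's instructions: it lists Winlogon Notify values whose data matches a path from the scan report and reports whether the two CLSID keys still exist. `$DetectedPaths` holds a constructed placeholder to be replaced with the paths written down from Housecall, and the helper function name is hypothetical.

```powershell
# Read-only audit: reports matches and deletes nothing.
# Constructed placeholder; replace with the paths noted from the scan report.
$DetectedPaths = @(
    'C:\WINDOWS\system32\EXAMPLE-PLACEHOLDER.dll'
)

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$Clsid     = '{1C044AAD-7955-4cbd-8175-501A165C4E5D}'   # CLSID given in the answer
$ClsidKeys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
)

# Hypothetical helper: expand %SystemRoot%-style variables, strip quotes,
# and lower-case so comparisons are case-insensitive.
function Normalize-PathText([string]$Text) {
    return [Environment]::ExpandEnvironmentVariables($Text).Trim('"').ToLowerInvariant()
}

$wanted   = $DetectedPaths | ForEach-Object { Normalize-PathText $_ }
$findings = @()

# Each Notify subkey is one registered package; inspect every value's data.
if (Test-Path $NotifyKey) {
    foreach ($sub in Get-ChildItem $NotifyKey) {
        foreach ($name in $sub.GetValueNames()) {
            $data = Normalize-PathText ([string]$sub.GetValue($name))
            foreach ($w in $wanted) {
                # Match the full path or the bare file name, since a DLL
                # entry may omit the directory.
                if ($data -eq $w -or $data -eq (Split-Path $w -Leaf)) {
                    $findings += "Notify entry: $($sub.Name) [$name] = $data"
                }
            }
        }
    }
}

foreach ($k in $ClsidKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "CLSID key present: $k" }
}

if ($findings.Count -eq 0) { 'No listed autostart entries found.' }
else { $findings }
```

Running it again after the cleanup and reboot shows whether any of the entries came back.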
Comments  
Subject: Re: Trojan bkdr_small.ai
From: pmmbala1976-ga on 23 Apr 2005 12:31 PDT
 
You can give these a try...

http://castlecops.com/check101817next.html
http://forums.techguy.org/t352359.html

Thanks
Bala
Subject: Re: Trojan bkdr_small.ai
From: dgp-ga on 23 Apr 2005 13:36 PDT
 
Thank you Missy, this sounds like a lot of fun. I am sure I can find
another hard drive and I will give this a go early next week. I will
get back to you as soon as possible.
As an aside (and this is not part of the question), does anyone know what
this trojan does? I am curious as my PC seems to be working fine.
