TROJ_SMALL.AAL - removal from /windows/system32/exp.exe and wintask.exe

Posted on 2005-05-01
Last Modified: 2010-08-05
Hi.  I noticed my system running slower and it crashed a couple times today.  The black error screen (looks like a dos screen) closed so fast, I couldn't see what the error was.

So I ran complete system tests using V-Com Fix-it -  It found a virus called trojan_small.aal.   I found reference to it in the TrendMicro virus encyclopedia.  I tried to follow the manual removal instructions located here
but I couldn't find the files in registry or in processes.

The V-Com Fix-it asks me if I want to delete exp.exe and wintask.exe - which are both infected.
     ****Is there any reason why I SHOULD NOT delete these two files?****  

I'm disappointed in Norton's AntiVirsus (version 9.06.02a ) software as it didn't even detect the Trojan and it doesn't have it in it's virus encyclopedia.

I wonder if I should spend $50 to buy TrendMicro's PC-cillin Internet Security

I also run and keep updated Aluria Spyware eliminator.  

I understand the Troj_Small.AAL may not be the cause of my system crash - but I need to remove it as a first step.
Question by:aprillougheed
    LVL 9

    Accepted Solution

    "Is there any reason why I SHOULD NOT delete these two files?"

    Both are known trojans.  I can't image any reason *not* to delete them. But, that may not fix your problems as there may be separate program that is creating/recreating them...

    I helped someone out with a new spyware program called "Aurora".  It also used those files and can be a real pain to remove.  In my post I included a link to a removal tool and instructions.  It seemed to help this person out, maybe it will help you:


    Norton's AV seems to classify this as spyware instead of a virus or trojan.  Kind of a cop-out if you ask me.


    Author Comment

    Ah, just what I needed to hear.  I didn't want to go blindly off making a bunch of changes.

    thank you for the reference to the other post.

    I'll try it too.

    I so appreciate your time and knowledge.

    LVL 9

    Expert Comment

    You're welcome.

    It is common for spyware programs to download/install numerous trojan-like programs in the hopes that you will not find them all.  It is best if you can figure which root spyware package was installed and then research specific removal techniques for that package.  Otherwise, the "master" program will continuously download/re-install its child programs.

    Also, it helps to keep more than one spyware tool available for use.  HijackThis and the MS Anti-Spyware programs are popular spyware tools.

    Best of luck!
    LVL 32

    Assisted Solution

    I agree that you should remove exp.exe and wintask.exe

    Another useful program to have is Autoruns from sysinternals:

    It can quickly list most of the programs that get started when you log-in, and further you can quickly un-check (disable) the suspicious ones so they don't start the next time.

    Good luck.

    Author Comment

    Thank you so much.  The Troj_small is gone as far as I can ell - but my computer is still running slow as heck.

    I'll run some more tests and post some results.

    I have a toshiba satiliate notebook and it's the best computer I've ever had.  This is the first time it's ever had troubles.  (well, of course I've had virus, spyware before but never any system crashing.)

    Well, maybe my Internet Connection (cable) is just slow today - hopefully.

    LVL 32

    Expert Comment

    If you think the computer is slow: (assuming you have Win/XP SP2)

    (1) Task Manager: Check Performance and Network tabs. Check memory usage in Performance tab also.

    (2) If any unusual activity in above, get list of tasks and network connections and post it here if not sure:

      > tasklist /svc > task.txt
      > netstat -ab > net.txt

    (3) If nothing suspicious noticed above, then:

     (a) Clear all files from Temp folder (under c:\Documents and Settings\Username\Local Setting)
    (b) Clear you Internet Explorer Cache
    (c) Make sure disk is not too full.


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Threat Intelligence Starter Resources

    Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

    OVERVIEW This guide provides information on the process performed when the Symantec Endpoint Protection (SEP) client checks in with the Symantec Endpoint Protection Manager (SEPM). AUDIENCE Information Technology personnel responsible for suppo…
    Have you ever tried to find someone you know on Facebook and searched to find more than one result with the same picture? Perhaps someone you know has told you that they have a 'facebook stalker' or someone who is 'posing as them' online and ta…
    Hi everyone! This is Experts Exchange customer support.  This quick video will show you how to change your primary email address.  If you have any questions, then please Write a Comment below!
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now