Hello, I have a Trojan horse Dropper Small.4.AG, what's this virus? and how can remove it without problem? my antivirus is the AVG 6.0 and windowsXP

Hello DavidD and welcome to the forum
I googled a bit around for it, seeing all people with AVG mentioning it.
The threads all recommend to run another scan with another scanner.
Install TDS from www.diamondcs.com.au and after installing get on the same download page the latest update file to be able to scan. After installing please make sure you reboot.
In the scan system console select all options and highest sensitivity to do a whole full system scan.
Before you press to do so, make sure other av/at scanners and resident scanners are closed so TDS has full access to all files which might be blocked if other scanners are up.
Also close as many programs and browsers as possible to give TDS all possible room to speed up the heavy scanning process. Can take a while so don't hesitate to step from the computer for a while.
When it's finished, rightclick on one of the finds and choose from the menu "save as text". This will be saved to Scandump.txt in your TDS directory.
Please post that text in your next posting here, before deleting anything at all.
If you see anything named "suspicious" and not because of double extensions only don't hesitate to rightclick on it and click submit or find the file(s) in your system, zip them if possible and send them attached to an email to submit@diamondcs.com.au to get more instructions if needed.

Depending on your scanresults we walk further with you.
Also be prepared to get the Hijackthis latest version and to post your log results from that too! See this thread for instructions and where to get that:
http://www.wilderssecurity.com/showthread.php?t=15913 , start with step 2 for the HijackThis instruction, after you might be instructed to use the other steps too etc.
So looking with great interest to your scan results!


BTW: if you prefer first to go for the hijackthis scan nothing against that, of course!

Hi, DavidD

Welcomed To Wilder's and TDS.

-{ Quote: "Hello, I have a Trojan horse Dropper Small.4.AG, what's this virus? and how can remove it without problem? my antivirus is the AVG 6.0 and windowsXP" }-


How did you find, Small.4.AG, was it with TDS or AVG?

Do you have the latest update's for your AV, or if you have TDS their latest update's?

Have you searched Grisoft[AVG website] or what ever it's called?

Please post back at anytime as some one I am sure will give you more info?

Sorry I can not be of more help a this time.
TheQuest 8)

Hi. Jooske

Sorry crossed Post's with you. :o

TheQuest 8)

Please download TDS3 from here: http://tds.diamondcs.com.au/index.php?page=download
Once dowloaded get the latest radius file from the same page and follow the instructions for manually updating TDS3.
When you start TDS3 open the scan control window and select all the scan options. In generic detection enable Anti-Trojan & Anti-worm scripts move the generic Sensitivity too high.
Select the drives to be scanned

Please ensure that your Anti virus and other programmes are disablled and press "start scanning", this is a very deep scan and will tale quite a while to complete, after the scan you will see any alarms in the lower console, right click them and select what you want to do.
If possible can you please zip up any file that is identified and send to submit@diamondcs.com.au before deleting

We all replied within minutes of each other :)

Of course we do! High priority!
We all added some part to the story so that's ok.

Make sure you do submit the finds to submit@diamondcs.com.au anyway -- better one too many then one too few.
Looking forward to the scanresults, we all do!

:o I have AVG 6.0 for my virus scan also. Today it notified me that it found: Dropper.Small.4.AG a Trojan Horse virus. I let it be locked in the fault.

I also ran the basic TDS scan and this is the scandump for it:

Scan Control Dumped @ 14:07:55 12-04-04
Suspicious Filename: Dual extensions
File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe

Suspicious Filename: Dual extensions
File: c:\program files\hewlett-packard\hp instant support di\temp\install.wse.exe

I ran HijackThis and here is that log:

Logfile of HijackThis v1.97.7
Scan saved at 2:25:55 PM, on 4/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS1977[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Touch Manager] C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE95\AUTOCHK.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [TWC App] C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Add to AD Black List - C:\PROGRAM FILES\AVANT BROWSER\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\PROGRAM FILES\AVANT BROWSER\AddAllToADBlackList.htm
O8 - Extra context menu item: Search - C:\PROGRAM FILES\AVANT BROWSER\Search.htm
O8 - Extra context menu item: Highlight - C:\PROGRAM FILES\AVANT BROWSER\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\PROGRAM FILES\AVANT BROWSER\OpenAllLinks.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - [url]http://www.pctuneup.com/pcpitstop/PCPitStop.CAB[/url]
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - [url]http://www.worldwinner.com/games/shared/uninstall.cab[/url]
O16 - DPF: Yahoo! Dominoes - [url]http://download.games.yahoo.com/games/clients/y/dot2_x.cab[/url]
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - [url]http://images.myfamily.net/isfiles/downloads/MrSIDI.cab[/url]
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - [url]http://fdl.msn.com/zone/Z4/heartbeat.cab[/url]
O16 - DPF: Yahoo! Chat - [url]http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab[/url]
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - [url]http://images.ancestry.com/asfiles/files/install/MFImgVwr.cab[/url]
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - [url]http://www.lizardtech.com/plugins/en_US/DjVuControl.cab[/url]
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - [url]http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38073.2855439815[/url]
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - [url]http://www.zillabar.com/toolbar/bin/dwnldr.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab[/url]

Do I have another virus?? Are am I okay??

Thanks

So the file is on your system and TDS did not locate it? Did you update TDS recently?
Was the AVG scanner still up so TDS could not reach it? did you configure the TDS scan console with all options checked?
If you can locate the quarantined file (you might have to close AVG for that) can you please submit that to submit@diamondcs.com.au ? You might have another version of the nasty, as there are many different varieties of them.
Would recommend now to wait for the HJT experts and after possible cleansing to rescan with TDS but the Full System Scan this time on highest sensitivity.

For the HJT log we call in experts!
What i can tell you (a minor thing so keep it in mind if there is more to fix) in the second line in your hosts file
O1 - Hosts: 203.161.127.141 www.dcsresearch.com that can be deleted; the first 64.... is the actual one to stay up.

Nothing to add. That log is clean.
Can you tell us what the filename and the full path were for the trojan that AVG found?

Regards,

Pieter

I read another post about this very Trojan that AVG found and placed in the vault. Several online scans were done and nothing was showing apart from the AVG find for this.
The user cleaned the vault and then deleted their Restore points and temp. Internet files and all seemed to be OK when the next scan was done with AVG.

It is strange that it is only AVG that has found this ???

Make sure all you other security programs such as your firewall and Spybot etc are working.

Gavin would appreciate very much if the file could be located and submitted to him before it is deleted from your system, so he can look if there might be a new variant or Gavin might add new detection with that. So please submit@diamondcs.com.au is the place to go with the file. Doesn't AVG have a submission utility you can set to that emailaddress? Would be great if possible.

Robyn it happens more with names one can see which software named a nasty by that specific name till there gets a general naming for the same thing. Bit confusing at least. ;D

Hi Jooske

AVG 7 Pro which I run has tech. support for the AV but with the free version this is one thing they do not support :'( I agree with the confusion with names ???

Then most probably it is not possible to touch the quarantined files, till you close down AVG and zip a copy to submit it.
In fact if AVG is down TDS should be able to find those quarantined files and submit it with that.

Jooske, the trojan was already detected by AVG. Talk about promoting a product for the sake of promoting it.

-{ Quote: "Hello DavidD and welcome to the forum
I googled a bit around for it, seeing all people with AVG mentioning it.
The threads all recommend to run another scan with another scanner.
Install TDS from www.diamondcs.com.au and after installing get on the same download page the latest update file to be able to scan. After installing please make sure you reboot.
In the scan system console select all options and highest sensitivity to do a whole full system scan.
Before you press to do so, make sure other av/at scanners and resident scanners are closed so TDS has full access to all files which might be blocked if other scanners are up.
Also close as many programs and browsers as possible to give TDS all possible room to speed up the heavy scanning process. Can take a while so don't hesitate to step from the computer for a while.
When it's finished, rightclick on one of the finds and choose from the menu "save as text". This will be saved to Scandump.txt in your TDS directory.
Please post that text in your next posting here, before deleting anything at all.
If you see anything named "suspicious" and not because of double extensions only don't hesitate to rightclick on it and click submit or find the file(s) in your system, zip them if possible and send them attached to an email to submit@diamondcs.com.au to get more instructions if needed.

Depending on your scanresults we walk further with you.
Also be prepared to get the Hijackthis latest version and to post your log results from that too! See this thread for instructions and where to get that:
http://www.wilderssecurity.com/showthread.php?t=15913 , start with step 2 for the HijackThis instruction, after you might be instructed to use the other steps too etc.
So looking with great interest to your scan results!


BTW: if you prefer first to go for the hijackthis scan nothing against that, of course!" }-

H i Wizard
-{ Quote: "Jooske, the trojan was already detected by AVG. " }-

What is your point? That was not stated in the first post of this thread that Jooske and others replied to.

1) google around and see it is found by AVG users asking for help in several forums
2) all need additional help with other products as AVG seems not able to clean it properly.
2a) even if it was cleansed by it i would always recommend another second opinion, depending on the nasty
3) the message is posted for help in TDS forum so TDS is used
4) the file is in the TDS detection database.
5) it could be a variant though or even a false positive
5a) hence the question to submit the file to be really sure and get additional advice if necessary or the advice to inform AVG about a possible false positive
5b) no company loves false positives so TDS is doing other developers a great favor with analysing their finds and help with refining their databases too
6) also hijackthis as a next step is used
7) if needed we use next steps and additional tools
8) we have many more in our help toolbox to help users cleansing their systems
8a) we're here to support users with that
8b) we have experience and many reasons why we do things the ways we do them
8c) we're also here to educate users to stay out of trouble and in ways they understand why and how to do it next time
9) quoting in a forum means cut out and post only the parts you're reacting on. We have all scrollers and sliders to look back to the posting you're referring to.
10) hope this helps to answer all your questions and to have a good day

Hi All,
I too have had this TJ, “Dropper.Small.4.AG” appear in my “AVG 6.0 for Windows” Scan.
I 've also been googling and found the same stories as indicated above in thread.
I have run TrendMicro’s “Housecall” program after switching off AVG, but it hasn’t found anything.

The file is located in; “c:\windows\iNetPal”.
I have found one other forum that mentions this location also.
I have been able to isolate the file and have sent it to submit@diamondcs.com.au as requested above, however I am unable to zip the executable, known as “M3TSP8.EXE” so have renamed the file (and guessing that your system won’t like a .exe turning up in the mail!) as a .YUK file. (seemed like an appropriate name….!)

I hope that AVG have stuffed up here…..!

TheBeezNeez

Hi,

The file is TrojanDropper.Win32.Small.ff, and drops ADWARE known as TrojanDownloader.Win32.Rameh.b - which is related to F1organiser.com

Thanks Gavin - somewhat relieved now that I know what it is!
Well impressed with this forum too - a great find!

TheBeezNeez

I have had this horse Dropper Small.4.AG too. It had been in E:\WINNT\iNETPAL\M3TSP8.EXE. Can it be from mail?

Hi. I first found a Trojan Horse on April Fool's Day, followed a couple of weeks later by this one. AVG cleans it up just fine so the next scan is okay, but here is my (to me serious) problem: I can't download and install anything that uses the Wise Wizard thing, and most of the themes and screen savers, and many other things, seem to. It looks like it is somehow related to Bonzi Buddy, as I have trouble with all files containing that mess, and haven't, as far as I know, had any trouble with those that didn't have it. But, what can I do about it? None of the spyware-killing programs will install on my computer, and even my pop-up killer is letting pop-ups through all the time. I've been everywhere, online and on my computer, trying to find an answer for this. I miss my downloads! Can anyone help?

Hi cmelee115 :)

seems like u need to follow the instructions here,

http://www.wilderssecurity.com/showthread.php?t=15913

then post your HijackThis log in the Hijack cleaning forum where one of the experts will give u recommendations on any Malware found.

Hope this helps.

I also removed your email addy for your own protection.


snowbound

-{ Quote: "Hello, I have a Trojan horse Dropper Small.4.AG, what's this virus? and how can remove it without problem? my antivirus is the AVG 6.0 and windowsXP" }-

J'ai un trojan horse Dropper Small.4.AG et ne sais pas comment m'en débarrasser!!!!

-{ Quote: "J'ai un trojan horse Dropper Small.4.AG et ne sais pas comment m'en débarrasser!!!!" }-

Juste suivre les instructions dans le lien que j'ai postée au-dessus. ;)


snowbound

-{ Quote: "Hi. I first found a Trojan Horse on April Fool's Day, followed a couple of weeks later by this one. AVG cleans it up just fine so the next scan is okay, " }-


***hi!r u using the avg free edition? also,did avg clean both trojan horses found on ur pc?thanks! :)

hi!what is/are the effects of this trojan horse?im using the avg free edition and my OS is win xp.also,what is a TDS?i had this trojan horse yesterday and the avg cannot heal it..help please?

Puzzling. I don't find a definition for that as given even on AVG's site. No Google results for that name, either. Is the name given ( Dropper.Small.4.AG ) spelled and punctuated correctly? Exactly as presented by AVG? Pete

I'm really losing my trail here:
you guys post in the TDS forum, Trojan Defence Suite, the infection you write about is in the TDS primaries and thus can detect it just fine and you can delete it.
But to be sure find your infection, zip it and send it to submit@diamondcs.com.au so Gavin can look for you if you might have a new version.
BUT: when you are going to scan with TDS: first open your AVG GUI and uncheck all scan options, the resident protection everything, you'll see the AVG systray icon grey out and then with your fully updated TDS and all unnecessary programs closed you do your TDS scan.
For those who write in the TDS forum without knowing nor having TDS installed yet get your free evaluation copy at the DiamondCS site
http://tds.diamondcs.com.au/index.php?page=download
install, go back to that page to get your last update manually, reboot the system and make sure the AVG is closed (and other scanners you might have) and start TDS, and it's Full system Scan with all scanoptions selected and worm slider on the second page to highest sensitivity.
If you know about any files AVG did detect and TDS not, please be so kind as to locate those files and (preferable zipped) send them in to submit@diamondcs.com.au , if TDS sees something "suspicious" other then double filename extensions send them to the same address or in the TDS bottom console rightclick the file and press submit (for this you need to have your proper email address in the Configuration upper left)
When scanning is finished rightclick on one of the finds and save the finds as text, a scandump.txt will popup which you can select and post here for us to look at it.

See also up in this thread the urgent question to PLEASE go to the HijackThis forum to post your log there, as is exactly explained in that place how to do it.
Hope this helps; looking forward to your postings.

My Trojan horse Dropper.Small.4.AG is nested in my C:\System Volume Information

AVG and Norton cannot pick it up during full system scans, neither can TDS.
I posted a HiJack This thread.

Nothing appears to be working.

If you scan:
open the AVG console uncheck all scan options so it is really closed completely.
now open norton and close that all completely, so none of the two has a resident protection running either.
Now you can scan with TDS.
If TDS is not actively scanning you can leave that up if you start your scan with ONE of the other scanners and that one you close if you scan with the other. Only one of those two can be set for resident protection.
If TDS detects that individual file in your system restore, guess a file like _a123456.exe, send it to the lab with a rightclick on it before you delete it.

Now you say it's in your system-restore -- only there? for something in the system restore must have been or is also somewhere else on your system --
just disable system restore, reboot enable system restore and make manually a new restore point and all the older points have gone. Complete with your infection.
Make it a ruleif you cleaned out infections in future to do this again or that system restore puts the infections back each time.
Wished the windows creators had thought of possibilities to have system restores cleansed out as well, but that was not yet in their concept, for the current situation keeps bringing users into the same trouble over and over again completely unnecessary.
Anyway, after this clean restore operation post your hijackthis log please!

I have split several non relevant posts off from this 6 month old thread

and moved them to http://www.wilderssecurity.com/showthread.php?t=49966

& am locking this thread now to prevent any further confusion