Trojan Dropper.Small.6.L and friends, need gone


Marja
October 4th, 2004, 02:23 PM
Hi!

I got a message from AVG (free) while opening a zip file, that a trojan dropper was on my machine. AVG couldn't heal it.

I updated TDS3 (trial) and closed ZA and AVG down, then ran a scan of all the files. I have 18 alarms, 4 are positive IDs. The rest are repeated in different files (program, documents and settings).

I also have the other zip files that I d/l'd with them not opened, do you want all those? Or just the scan dump for now? Or even that?

Tried to send them by submitting the file, but nothing came back, the firewall, maybe.

Thanks for any help

Marja

Jooske
October 4th, 2004, 02:33 PM
Hi there Marja,
when scanning there is no need to close your firewall, please leave that one up when you are still online.
AVG needs to be closed, including its resident protection.
Can you please paste your scandump.exe in your next posting so we have an idea what you're dealing with? Thanks!

Marja
October 4th, 2004, 02:45 PM
Well, it seems Mozilla won't let me paste anything here, some config file; do you know which setting I need to change?

Thanks, Jooske,


Marja

Marja
October 4th, 2004, 03:14 PM
Is it possible to upload the scandump? I don't know what javascript wants me to do?

Sorry for all this :(

Marja

Marja
October 4th, 2004, 03:39 PM
Finally! Here is the scandump! Marja


Suspicious Filename: Dual extensions
File: c:\documents and settings\xxxxxxxx\my documents\firefoxsetup-0.9.2.exe

Positive identification <Adv>: Possible WebDownloader
File: c:\documents and settings\xxxxxx\my documents\my downloads\copycat.exe

Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\documents and settings\xxxx\my documents\my downloads\leaktest1.2.exe

Positive identification (embedded in file): Adware.NewDotNet (dll)
File: c:\program files\filesubmit\watching\nnezta388.exe

Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
File: c:\program files\filesubmit\watching\tbeza127q.exe

Positive identification (DLL): Adware.Toolbar.Quick.a (dll)
File: c:\program files\quicksearch\quicksearchbar1_27.dll

Marja
October 4th, 2004, 03:44 PM
Part of it got cut off, this is the whole thing, Marja


Scan Control Dumped @ 11:37:22 04-10-04

Suspicious Filename: Dual extensions
File: c:\documents and settings\myname\my documents\firefoxsetup-0.9.2.exe

Positive identification <Adv>: Possible WebDownloader
File: c:\documents and settings\myname\my documents\my downloads\copycat.exe

Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\documents and settings\xxxxxxxx\my documents\my downloads\leaktest1.2.exe

Positive identification (embedded in file): Adware.NewDotNet (dll)
File: c:\program files\filesubmit\watching\nnezta388.exe

Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
File: c:\program files\filesubmit\watching\tbeza127q.exe

Positive identification (DLL): Adware.Toolbar.Quick.a (dll)
File: c:\program files\quicksearch\quicksearchbar1_27.dll

Suspicious Filename: Dual extensions
File: c:\documents and settings\xxxxxxxx\my documents\firefoxsetup-0.9.2.exe

Positive identification <Adv>: Possible WebDownloader
File: c:\documents and settings\xxxxxxxxx\my documents\my downloads\copycat.exe

Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\documents and settings\xxxxxxxxx\my documents\my downloads\leaktest1.2.exe

Positive identification (embedded in file): Adware.NewDotNet (dll)
File: c:\program files\filesubmit\watching\nnezta388.exe

Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
File: c:\program files\filesubmit\watching\tbeza127q.exe

Positive identification (DLL): Adware.Toolbar.Quick.a (dll)
File: c:\program files\quicksearch\quicksearchbar1_27.dll

Suspicious Filename: Dual extensions
File: c:\documents and settings\xxxxxxxxx\my documents\firefoxsetup-0.9.2.exe

Positive identification <Adv>: Possible WebDownloader
File: c:\documents and settings\xxxxxxxx\my documents\my downloads\copycat.exe

Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\documents and settings\xxxxxxxx\my documents\my downloads\leaktest1.2.exe

Positive identification (embedded in file): Adware.NewDotNet (dll)
File: c:\program files\filesubmit\watching\nnezta388.exe

Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
File: c:\program files\filesubmit\watching\tbeza127q.exe

Positive identification (DLL): Adware.Toolbar.Quick.a (dll)
File: c:\program files\quicksearch\quicksearchbar1_27.dll

Jooske
October 4th, 2004, 04:21 PM
Can you zip the copycat.exe and submit to submit@diamondcs.com.au please?
The positive identifications of the adware you can either delete from TDS or with Ad-aware or Spybot S&D.
The dual extensions seem normal files.
Was that the same file AVG mentioned?

Marja
October 4th, 2004, 04:26 PM
No, AVG said it was Dropper.Small.6.L and it is in the vault, because AVG said it couldn't heal it.
But, there are two more unopened zips from the same place, so I am assuming they will be the same, delete them or send them?

I have never opened copycat either, so I should be able to send it.

Thanks Jooske!

Marja

Marja
October 4th, 2004, 05:14 PM
It's sent, I will have to check back later.

Thanks!!

Marja