Trojan horse Dropper Small.4.AG

Hello, I have a Trojan horse Dropper Small.4.AG, what's this virus? and how can remove it without problem? my antivirus is the AVG 6.0 and windowsXP

 

Hello DavidD and welcome to the forum
I googled a bit around for it, seeing all people with AVG mentioning it.
The threads all recommend to run another scan with another scanner.
Install TDS from www.diamondcs.com.au and after installing get on the same download page the latest update file to be able to scan. After installing please make sure you reboot.
In the scan system console select all options and highest sensitivity to do a whole full system scan.
Before you press to do so, make sure other av/at scanners and resident scanners are closed so TDS has full access to all files which might be blocked if other scanners are up.
Also close as many programs and browsers as possible to give TDS all possible room to speed up the heavy scanning process. Can take a while so don't hesitate to step from the computer for a while.
When it's finished, rightclick on one of the finds and choose from the menu "save as text". This will be saved to Scandump.txt in your TDS directory.
Please post that text in your next posting here, before deleting anything at all.
If you see anything named "suspicious" and not because of double extensions only don't hesitate to rightclick on it and click submit or find the file(s) in your system, zip them if possible and send them attached to an email to submit@diamondcs.com.au to get more instructions if needed.

Depending on your scanresults we walk further with you.
Also be prepared to get the Hijackthis latest version and to post your log results from that too! See this thread for instructions and where to get that:
https://www.wilderssecurity.com/showthread.php?t=15913 , start with step 2 for the HijackThis instruction, after you might be instructed to use the other steps too etc.
So looking with great interest to your scan results!


BTW: if you prefer first to go for the hijackthis scan nothing against that, of course!

 

Hi, DavidD

Welcomed To Wilder's and TDS.

How did you find, Small.4.AG, was it with TDS or AVG?

Do you have the latest update's for your AV, or if you have TDS their latest update's?

Have you searched Grisoft[AVG website] or what ever it's called?

Please post back at anytime as some one I am sure will give you more info?

Sorry I can not be of more help a this time.
TheQuest

 

Hi. Jooske

Sorry crossed Post's with you.

TheQuest

 

Please download TDS3 from here: http://tds.diamondcs.com.au/index.php?page=download
Once dowloaded get the latest radius file from the same page and follow the instructions for manually updating TDS3.
When you start TDS3 open the scan control window and select all the scan options. In generic detection enable Anti-Trojan & Anti-worm scripts move the generic Sensitivity too high.
Select the drives to be scanned

Please ensure that your Anti virus and other programmes are disablled and press "start scanning", this is a very deep scan and will tale quite a while to complete, after the scan you will see any alarms in the lower console, right click them and select what you want to do.
If possible can you please zip up any file that is identified and send to submit@diamondcs.com.au before deleting

 

We all replied within minutes of each other

 

Of course we do! High priority!
We all added some part to the story so that's ok.

Make sure you do submit the finds to submit@diamondcs.com.au anyway -- better one too many then one too few.
Looking forward to the scanresults, we all do!

 

I have AVG 6.0 for my virus scan also. Today it notified me that it found: Dropper.Small.4.AG a Trojan Horse virus. I let it be locked in the fault.

I also ran the basic TDS scan and this is the scandump for it:

Scan Control Dumped @ 14:07:55 12-04-04
Suspicious Filename: Dual extensions
File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe

Suspicious Filename: Dual extensions
File: c:\program files\hewlett-packard\hp instant support di\temp\install.wse.exe

I ran HijackThis and here is that log:

Logfile of HijackThis v1.97.7
Scan saved at 2:25:55 PM, on 4/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS1977[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Touch Manager] C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE95\AUTOCHK.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [TWC App] C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Add to AD Black List - C:\PROGRAM FILES\AVANT BROWSER\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\PROGRAM FILES\AVANT BROWSER\AddAllToADBlackList.htm
O8 - Extra context menu item: Search - C:\PROGRAM FILES\AVANT BROWSER\Search.htm
O8 - Extra context menu item: Highlight - C:\PROGRAM FILES\AVANT BROWSER\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\PROGRAM FILES\AVANT BROWSER\OpenAllLinks.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pctuneup.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://images.ancestry.com/asfiles/files/install/MFImgVwr.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38073.2855439815
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.zillabar.com/toolbar/bin/dwnldr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

Do I have another virus?? Are am I okay??

Thanks

 

So the file is on your system and TDS did not locate it? Did you update TDS recently?
Was the AVG scanner still up so TDS could not reach it? did you configure the TDS scan console with all options checked?
If you can locate the quarantined file (you might have to close AVG for that) can you please submit that to submit@diamondcs.com.au ? You might have another version of the nasty, as there are many different varieties of them.
Would recommend now to wait for the HJT experts and after possible cleansing to rescan with TDS but the Full System Scan this time on highest sensitivity.

For the HJT log we call in experts!
What i can tell you (a minor thing so keep it in mind if there is more to fix) in the second line in your hosts file
O1 - Hosts: 203.161.127.141 www.dcsresearch.com that can be deleted; the first 64.... is the actual one to stay up.

 

Nothing to add. That log is clean.
Can you tell us what the filename and the full path were for the trojan that AVG found?

Regards,

Pieter

 

I read another post about this very Trojan that AVG found and placed in the vault. Several online scans were done and nothing was showing apart from the AVG find for this.
The user cleaned the vault and then deleted their Restore points and temp. Internet files and all seemed to be OK when the next scan was done with AVG.

It is strange that it is only AVG that has found this

Make sure all you other security programs such as your firewall and Spybot etc are working.

 

Gavin would appreciate very much if the file could be located and submitted to him before it is deleted from your system, so he can look if there might be a new variant or Gavin might add new detection with that. So please submit@diamondcs.com.au is the place to go with the file. Doesn't AVG have a submission utility you can set to that emailaddress? Would be great if possible.

Robyn it happens more with names one can see which software named a nasty by that specific name till there gets a general naming for the same thing. Bit confusing at least.

 

Hi Jooske

AVG 7 Pro which I run has tech. support for the AV but with the free version this is one thing they do not support I agree with the confusion with names

 

Then most probably it is not possible to touch the quarantined files, till you close down AVG and zip a copy to submit it.
In fact if AVG is down TDS should be able to find those quarantined files and submit it with that.

 

Jooske, the trojan was already detected by AVG. Talk about promoting a product for the sake of promoting it.

 

H i Wizard

What is your point? That was not stated in the first post of this thread that Jooske and others replied to.

 

1) google around and see it is found by AVG users asking for help in several forums
2) all need additional help with other products as AVG seems not able to clean it properly.
2a) even if it was cleansed by it i would always recommend another second opinion, depending on the nasty
3) the message is posted for help in TDS forum so TDS is used
4) the file is in the TDS detection database.
5) it could be a variant though or even a false positive
5a) hence the question to submit the file to be really sure and get additional advice if necessary or the advice to inform AVG about a possible false positive
5b) no company loves false positives so TDS is doing other developers a great favor with analysing their finds and help with refining their databases too
6) also hijackthis as a next step is used
7) if needed we use next steps and additional tools
we have many more in our help toolbox to help users cleansing their systems
8a) we're here to support users with that
8b) we have experience and many reasons why we do things the ways we do them
8c) we're also here to educate users to stay out of trouble and in ways they understand why and how to do it next time
9) quoting in a forum means cut out and post only the parts you're reacting on. We have all scrollers and sliders to look back to the posting you're referring to.
10) hope this helps to answer all your questions and to have a good day

 

Hi All,
I too have had this TJ, “Dropper.Small.4.AG” appear in my “AVG 6.0 for Windows” Scan.
I 've also been googling and found the same stories as indicated above in thread.
I have run TrendMicro’s “Housecall” program after switching off AVG, but it hasn’t found anything.

The file is located in; “c:\windows\iNetPal”.
I have found one other forum that mentions this location also.
I have been able to isolate the file and have sent it to submit@diamondcs.com.au as requested above, however I am unable to zip the executable, known as “M3TSP8.EXE” so have renamed the file (and guessing that your system won’t like a .exe turning up in the mail!) as a .YUK file. (seemed like an appropriate name….!)

I hope that AVG have stuffed up here…..!

TheBeezNeez

 

Hi,

The file is TrojanDropper.Win32.Small.ff, and drops ADWARE known as TrojanDownloader.Win32.Rameh.b - which is related to F1organiser.com

 

Thanks Gavin - somewhat relieved now that I know what it is!
Well impressed with this forum too - a great find!

TheBeezNeez

 

I have had this horse Dropper Small.4.AG too. It had been in E:\WINNT\iNETPAL\M3TSP8.EXE. Can it be from mail?

 

Hi. I first found a Trojan Horse on April Fool's Day, followed a couple of weeks later by this one. AVG cleans it up just fine so the next scan is okay, but here is my (to me serious) problem: I can't download and install anything that uses the Wise Wizard thing, and most of the themes and screen savers, and many other things, seem to. It looks like it is somehow related to Bonzi Buddy, as I have trouble with all files containing that mess, and haven't, as far as I know, had any trouble with those that didn't have it. But, what can I do about it? None of the spyware-killing programs will install on my computer, and even my pop-up killer is letting pop-ups through all the time. I've been everywhere, online and on my computer, trying to find an answer for this. I miss my downloads! Can anyone help?

 

Hi cmelee115

seems like u need to follow the instructions here,

https://www.wilderssecurity.com/showthread.php?t=15913

then post your HijackThis log in the Hijack cleaning forum where one of the experts will give u recommendations on any Malware found.

Hope this helps.

I also removed your email addy for your own protection.


snowbound

 

J'ai un trojan horse Dropper Small.4.AG et ne sais pas comment m'en débarrasser!!!!

 

Juste suivre les instructions dans le lien que j'ai postée au-dessus.


snowbound