Need help with Dropper.Small.5.J Trojan Horse

Discussion in 'malware problems & news' started by Adrian, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. Adrian

    Adrian Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    5
    I have the trojan horse - dropper.small.5.j on my computer, detected with AVG, but it can't get rid of it. please help.

    Adrian
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Adrian,

    What file did AVG find it in? That is a very important detail.

    Also, are you using TDS-3? That's the forum you've posted in. If not, we'll move this thread.
     
  3. Adrian

    Adrian Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    5
    Sorry im new here, im not sure what TDS-# is, so no probably not. I ran the scan twice, first time it found it in C:\Program Files\PWTAY.EXE and it just found it in C:\System Volume Information\_restore{B37680B2-BAQA-4E5D-BF30-83E44C588624}\RP302\A0021205.EXE

    Thank you

    Adrian
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Okay, were you able to delete or clean (or move to the virus vault) that first file (PWTAY.EXE), or is it still in the same place and being found in additional scans? It should have been taken care of by AVG, and in fact that action may very well have resulted in the existence of the second file....

    The A0021205.EXE file is actually in the System Restore folder (which is either "_RESTORE" on Windows ME or "System Volume Information..." on Windows XP). System Restore saves copies of any EXE file that gets deleted in case it is needed in a future restore operation. And no anti-virus cleans files from the system restore directly because that is a protected area. The only proper ways to remove files from there is to either cycle System Restore (disable then reenable it), or use the Cleanup option that allows you to remove old "restore points".

    However, when you do either of these operations, you will lose either all restore points, or all but the last one, depending upon which approach you take. Still it is recommended to clean out system restore to get rid of the old virus just so you don't ever restore it to the system again.

    Here's some instructions on how to clean System Restore:

    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
     
  5. Adrian

    Adrian Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    5
    When I tried to move the first file (PWTAY.EXE) to the virus vault, my virus scan froze, so im not sure if it got there. I'm assuming it did however as now it is only detecting the one in the System Restore folder. So do you suggest I carry on with cycling System Restore?
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Yes, I say proceed with cycling. The way I'd do it is: disable system restore. Reboot PC. Enable system restore and make a new restore point. Then run a new full scan with AVG and see if everything is clean.

    I'll move this thread elsewhere in a while. There will be a link here point to where it has been moved to.
     
  7. Adrian

    Adrian Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    5
    Thank You, I'll try that and see if it works, and I'll get back to you soon.
     
  8. Adrian

    Adrian Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    5
    It seemed to work AVG isn't picking it up anymore, thank you!!!

    Adrian.
     
  9. timmyc

    timmyc Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    2
    solution for Dropper.Small.5.J Trojan Horse

    I cleaned up an XP system today that was infected with this problem. Cycling the System Restore did no good. AVG identifies the file 96WU19RD.EXE and puts it into the vault, but every time the owner tried to open Windows Media Player, the file reappeared in the \windows folder. The WMP shortcut had been highjacked to call the virus named wmplayer2.exe

    I turned off System Restore and then I uninstalled the WMP through Control Panel ... Add/Remove Programs... Windows Components, but to no avail. I eventually went to the registry and removed all references to WMP, deleted the WU... file from \windows (make sure there are no odd folders in the Program Files folder with random character names as there were two in this system which I deleted. I then went to the Windows Update site and downloaded and installed WMP 9.0. The system seems to be perfectly fine now.

    There seems to be no other info regarding this particular behaviour in literature that I researched.
     
  10. Manny

    Manny Registered Member

    Joined:
    Aug 22, 2004
    Posts:
    1
    I also have this trojan. Ran the AVG and still there. It is lodge at C:\Documents and Settings\Preferred\Local Settings\TEMP\NETPAL.EXE:\AESS3.exe

    I need help on how to remove this. Thanks
     
  11. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    what is your operation system?

    if you have win xp use the task manager to kill the process C:\Documents and Settings\Preferred\Local Settings\TEMP\NETPAL.EXE:\AESS3.exe
    press CTRL+ALT+DEL to launch task manager, select the processes tab , right click the process and select end process

    then locate the file C:\Documents and Settings\Preferred\Local Settings\TEMP\NETPAL.EXE:\AESS3.exe and delete it, or rescan with AVG
     
  12. pampeerey

    pampeerey Registered Member

    Joined:
    Aug 24, 2004
    Posts:
    4
    I also have this trojan horse, but I have windows 2000 and can't find the system restore option (and even if I did, would not know how to disble it). Can someone help please!!!! AVG says it's at atgames.exe, but I can't seem to find that file.
     
  13. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
  14. stella starr

    stella starr Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    1
    Location:
    new york city
    greetings! i have the same problem. now another trojan is attackig.. the same source, paltalk.com. dropper.small.5.1 and tvm_b5.exe were found in the paltalk folder in my system. how do i prevent this? i tried delete and new download of paltalk. the new trojan appeared with the dropper.
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Stella Starr, welcome to Wilders, see the following thread for more info:

    https://www.wilderssecurity.com/showthread.php?t=45508

    Post number 7

    Hope this helps...

    Let us know how you go...

    Cheers :D
     
  16. alexis_1025

    alexis_1025 Guest

    Please help!!

    I just got the Dropper.Small.5.J Trojan Horse virus on my computer. AVG says that the infected file is in my Temporary Internet Files folder. I tried "Move to Virus Vault" but AVG said it could not be removed. I'm running Windows 2000 and am not even sure whether it's better to keep the computer off or if restarting it later will cause the virus to spread??

    Thank you so much for your help!!
     
  17. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  18. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Make sure u Delete all offline content also.

    It's in the instructions in that link.



    snowbound
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re: Please help!!

    Hi Alexis, welcome to Wilders, see the following thread for more info:

    https://www.wilderssecurity.com/showthread.php?t=45508

    Post number 7

    Hope this helps...

    Let us know how you go...

    Cheers :D
     
  20. alexis_1025

    alexis_1025 Guest

    I deleted the temp internet files and the virus scan is coming up clean now. Will continue to scan once in a while just in case. You guys are awesome, thanks again!
     
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see...

    Cheers :D
     
  22. Atarihero

    Atarihero Guest

    I get this virus pop-up 3 times a day during AVG active scans. But when I run Complete test It finds no Virus threato_O?
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Atarihero, welcome to Wilders, see post number 7 in the following thread https://www.wilderssecurity.com/showthread.php?t=45508

    Hope this helps...

    Let us know how you go...

    Cheers :D
     
  24. And

    And Guest

    Hi,

    I am wondering if someone could help me out.

    I am infected with Trojan Horse Dropper Small.5.J today. I have been very careful but I am still infected. It not only changed my homepage but also my google toolbar into some wierd toolbar.

    Does anyone know what it will do except those mentioned above?

    I am using Windows xp. I have AVG (free version) and it detects the virus for me but unable to clean it.

    Location of the virus: C:\\WINDOWS\System32\SG.exe:\03kd97fg.exe

    Thanks. Any help is appreciated.

    An
     
  25. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
Loading...
Thread Status:
Not open for further replies.