Trojan Dropper.Small.6.L and friends, need gone

Discussion in 'Trojan Defence Suite' started by Marja, Oct 4, 2004.

Thread Status:
Not open for further replies.
  1. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    HI!

    I got a message from AVG (free), while opening a zip file, that a trojan dropper was on my machine. AVG couldn't heal it.

    I updated TDS3 (trial) and closed ZA and AVG down, then ran a scan of all the files. I have 18 alarms, 4 of which are positive IDs. The rest are repeated in different files (program files, documents and settings).

    I also have the other zip files that I d/l'd with them not opened, do you want all those? Or just the scan dump for now? Or even that?

    Tried to send them by submitting the file, but nothing came back; the firewall, maybe.

    Thanks for any help

    Marja
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Marja,
    When scanning there is no need to close your firewall; please leave that one up when you are still online.
    AVG needs to be closed, including its resident protection.
    Can you please paste your scandump in your next posting so we have an idea what you're dealing with? Thanks!
     
  3. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Well, it seems Mozilla won't let me paste anything here; some config file, I guess. Do you know which setting I need to change?

    Thanks, Jooske,


    Marja
     
  4. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Is it possible to upload the scandump? I don't know what JavaScript wants me to do.

    Sorry for all this :(

    Marja
     
  5. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Finally! Here is the scandump! Marja


    Suspicious Filename: Dual extensions
    File: c:\documents and settings\xxxxxxxx\my documents\firefoxsetup-0.9.2.exe

    Positive identification <Adv>: Possible WebDownloader
    File: c:\documents and settings\xxxxxx\my documents\my downloads\copycat.exe

    Positive identification: Demo.Leaktest 1.1 (Not a trojan)
    File: c:\documents and settings\xxxx\my documents\my downloads\leaktest1.2.exe

    Positive identification (embedded in file): Adware.NewDotNet (dll)
    File: c:\program files\filesubmit\watching\nnezta388.exe

    Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
    File: c:\program files\filesubmit\watching\tbeza127q.exe

    Positive identification (DLL): Adware.Toolbar.Quick.a (dll)
    File: c:\program files\quicksearch\quicksearchbar1_27.dll
     
    Last edited: Oct 4, 2004
  6. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Part of it got cut off; this is the whole thing. Marja


    Scan Control Dumped @ 11:37:22 04-10-04

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\myname\my documents\firefoxsetup-0.9.2.exe

    Positive identification <Adv>: Possible WebDownloader
    File: c:\documents and settings\myname\my documents\my downloads\copycat.exe

    Positive identification: Demo.Leaktest 1.1 (Not a trojan)
    File: c:\documents and settings\xxxxxxxx\my documents\my downloads\leaktest1.2.exe

    Positive identification (embedded in file): Adware.NewDotNet (dll)
    File: c:\program files\filesubmit\watching\nnezta388.exe

    Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
    File: c:\program files\filesubmit\watching\tbeza127q.exe

    Positive identification (DLL): Adware.Toolbar.Quick.a (dll)
    File: c:\program files\quicksearch\quicksearchbar1_27.dll

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\xxxxxxxx\my documents\firefoxsetup-0.9.2.exe

    Positive identification <Adv>: Possible WebDownloader
    File: c:\documents and settings\xxxxxxxxx\my documents\my downloads\copycat.exe

    Positive identification: Demo.Leaktest 1.1 (Not a trojan)
    File: c:\documents and settings\xxxxxxxxx\my documents\my downloads\leaktest1.2.exe

    Positive identification (embedded in file): Adware.NewDotNet (dll)
    File: c:\program files\filesubmit\watching\nnezta388.exe

    Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
    File: c:\program files\filesubmit\watching\tbeza127q.exe

    Positive identification (DLL): Adware.Toolbar.Quick.a (dll)
    File: c:\program files\quicksearch\quicksearchbar1_27.dll

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\xxxxxxxxx\my documents\firefoxsetup-0.9.2.exe

    Positive identification <Adv>: Possible WebDownloader
    File: c:\documents and settings\xxxxxxxx\my documents\my downloads\copycat.exe

    Positive identification: Demo.Leaktest 1.1 (Not a trojan)
    File: c:\documents and settings\xxxxxxxx\my documents\my downloads\leaktest1.2.exe

    Positive identification (embedded in file): Adware.NewDotNet (dll)
    File: c:\program files\filesubmit\watching\nnezta388.exe

    Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
    File: c:\program files\filesubmit\watching\tbeza127q.exe

    Positive identification (DLL): Adware.Toolbar.Quick.a (dll)
    File: c:\program files\quicksearch\quicksearchbar1_27.dll
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Can you zip the copycat.exe and submit to submit@diamondcs.com.au please?
    The positive identifications of the adware you can delete either from TDS or with Ad-Aware or Spybot S&D.
    The dual extensions seem normal files.
    Was that the same file AVG mentioned?
     
  8. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    No, AVG said it was Dropper.Small.6.L, and it is in the vault because AVG said it couldn't heal it.
    But there are two more unopened zips from the same place, so I am assuming they will be the same; delete them or send them?

    I have never opened copycat either, so I should be able to send it.

    Thanks Jooske!

    Marja
     
  9. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    It's sent; I will have to check back later.

    Thanks!!

    Marja
     