Trojan Horse Dropper.Small.4.AG - Nested in my System Volume Information - *HELP*

Discussion in 'Trojan Defence Suite' started by Luke18, May 24, 2004.

Thread Status:
Not open for further replies.
  1. Luke18

    Luke18 Registered Member

    Joined:
    May 24, 2004
    Posts:
    15
    I run AVG and Norton 2004. When I let the computer sit, I get multiple pop-ups notifying me that this virus is in my System Volume Information; neither virus scanner can pick it up during full system scans. What can I do to get rid of this? I've tried TDS-3; it found some Adware and TrojanDownloer.Win32.Coment. They have been removed, but I'm still afraid this dropper is still in my PC. Please help.
     

    Last edited: May 26, 2004
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  3. Luke18

    Luke18 Registered Member

    Joined:
    May 24, 2004
    Posts:
    15
    Both of those spyware/adware web-sites must be down. I can't follow through with those directions. Are there any other links to d/l that software?

    I really would like to get to the bottom of this problem. So far this Virus is giving me the impression that it isn't going anywhere.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Check if you have a HOSTS file with no extension, and open it in Notepad. It might have been modified to stop you getting to adware sites. If it has, edit it or just delete the HOSTS file altogether. Then you should be able to download AdAware and Spybot to clean up somewhat.

    You should continue to the bottom of that thread and post a HijackThis log however, as we can help you manually clean most problems :)
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Or your HOSTS file has been taken over. Please find your HOSTS file on your system (not Hosts.sam but HOSTS without extension) and have a look, or rename it temporarily to something else and have another try at the downloads.
    After that, before running HiJackThis, please rename the HOSTS file back to what it has to be.

    There is a download link for HiJackThis in the forum itself (in that message so that should not be blocked for downloading)
     
    Last edited: May 25, 2004
  6. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    WTG... Running 2 AV products known to have almost no protection from Trojans, or unpacking support!

    After you clean it up, consider something other than Norton and AVG; that's about akin to locking your front door and leaving the back door unlocked at night.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    We do believe in layered protection, but indeed a special Anti-Trojan like TDS would certainly be very advisable.
    The 2 AV products should never run both at the same time and TDS should not be actively scanning with one of the AV products active nor the opposite. You never need to close TDS if you're using one of the AV scanners though.

    If a scanner detects the nasty, it should be at least able to quarantine it. If you find such things, please be so kind as to submit the file(s) as it can always be a new version. submit@diamondcs.com.au
     
  8. Luke18

    Luke18 Registered Member

    Joined:
    May 24, 2004
    Posts:
    15
    I am unfamiliar with these HOST files you all speak of. Could you please enlighten me? Perhaps.. tell me where I can locate them to modify them? Thanks
     
  9. Luke18

    Luke18 Registered Member

    Joined:
    May 24, 2004
    Posts:
    15
    What would you consider using if not Norton or AVG? I have TDS-3. Do you recommend something else?
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Luke, in your search/find in Windows, search for HOSTS, which can be in different locations; mine is in windows\HOSTS.
    What surprises me is that you can get to the page with the description and not to the HijackThis download (in step 2) on that same page, which file is stored on this same server here.
    So now we're certainly interested in your HOSTS file. So if you can locate it, please only rename it to something else, get your download and rename the HOSTS file back before you make your HJT scan, as I hope that if the HOSTS file is infected it will show up in the HJT log so it can help the spyware/malware fighters.
    If the HOSTS file is infected with extra entries you did not ask for, it may be that it disabled your access to certain security sites, so of course I'm highly interested to know if even a local file on this forum server is blocked by any infection and which one is causing this; this is why it would be a pity to lose your HOSTS file before we've seen that option.

    There is also a Hosts.sam on your system, a sample file with a few instructions on how it works.
    The HOSTS file is either empty or has lines you did not put in yourself, since you're not familiar with it, but it is the file your browser uses:
    Your localhost is 127.0.0.1 or 0.0.0.0
    Say this forum here had IP 123.123.123.123 (it does not in reality) and you put an entry in the HOSTS like
    127.0.0.1 123.123.123.123
    (in reality you would have to make a line
    127.0.0.1 www.forum.com )
    then trying to go to that 123.123.123.123 IP address is not possible, as it points back to your localhost address and thus you can never reach that forum page.
    It is used to protect yourself from getting to dangerous pages with known infections or other unwanted content, or by infections trying to block your access to places where you can get real help, access to cleansing or detecting downloads, etc.
    In the forum here it is written frequently about the HOSTS file and how to protect it from infections etc., but let's go deeper into this at another moment and first concentrate on your actual infection.


    For your scanners, it is no problem that you have two AV products, as long as you don't run them at the same time; many people have various scanners. The intention of the remark was to put a good AT product beside them, like TDS-3, to take the best immediately, which also works fine together with the other products.
    There will always be discussion about which scanners are best; many use NOD32 or KAV, which both cover the virus detection and both are known to be very strong in heuristics, and KAV especially in most unpackers. But scanners are your personal taste: do you like them, can you work with them, do they work OK on your system, etc.
    But also this sidestep, let's keep that for later; I really would like first to concentrate on your original problem, the cleansing out of your system with that infection and possibly infected HOSTS file.
     
    Last edited: May 26, 2004
  11. Luke18

    Luke18 Registered Member

    Joined:
    May 24, 2004
    Posts:
    15
    Here is a picture of the notification I get. Maybe it will help? Maybe not.
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Luke, one more on the HOSTS file.
    I overlooked that very handy function in TDS (shame, shame, I know):
    System Analysis > View File > Network Hosts
    This opens the HOSTS file we are talking about all the time, where you can look at and edit it and even save your changes, and find out where it is located on your system if you click "Save as".
    Hope this helps!
     
  14. Luke18

    Luke18 Registered Member

    Joined:
    May 24, 2004
    Posts:
    15
  15. FanJ

    FanJ Guest

    Hi Luke,

    Please stay first now at that other thread about your HijackThis log.
    If you have questions about your log and advices given there, please post them there at the HijackThis forum.
     
  16. FanJ

    FanJ Guest

    Hi Jooske ! :D

    Please allow me to give a little comment on this:

    I have the feeling that this is not the way the HOSTS file works.

    As far as I know the grammar ("grammatica" you and I would say in Dutch) is:
    A line in HOSTS begins with an IP address and ends with a hostname.
    (I am not talking here about the comment lines in it beginning with a # and a space.)

    So a good example is:
    64.91.255.87 www.dcsresearch.com

    A bad example is (something that would completely block your ability to get to this Wilders forum):
    127.0.0.1 www.wilderssecurity.com

    A good site with more info about HOSTS is :
    http://accs-net.com/hosts/what_is_hosts.html
     
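Worked example, added here by the editor and not part of any post in this thread: a small Python script that parses a HOSTS file using the grammar FanJ describes (an IP address, then one or more hostnames, with `#` starting a comment) and flags the three things the posts above are concerned with: a security-help site mapped to 127.0.0.1 or 0.0.0.0 (blocked, as in FanJ's "bad example"), a security-help site mapped to some other address (redirected), and the "IP address in the hostname field" form from Jooske's earlier post, which has no effect at all. The sample HOSTS content and the watchlist of site names are constructed for the example. On NT-based Windows the real file lives at %SystemRoot%\system32\drivers\etc\hosts; on Windows 9x/ME it is C:\Windows\HOSTS.

```python
"""Audit a HOSTS file for entries that block or hijack security sites.

Editor's example, not code from the thread. The sample file and the
watchlist below are constructed; adjust WATCHLIST and the path for use.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Addresses that make a name unreachable (loopback / null route).
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}

# Hypothetical watchlist: sites a victim needs to reach for help/downloads.
WATCHLIST = {
    "www.wilderssecurity.com",
    "www.dcsresearch.com",
    "www.lavasoftusa.com",
    "www.safer-networking.org",
}

# Constructed sample HOSTS content (NOT a real infected file).
SAMPLE_HOSTS = """# Constructed sample for the audit example
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # legitimate ad block, not flagged
127.0.0.1       www.wilderssecurity.com
0.0.0.0         www.lavasoftusa.com
198.51.100.7    www.dcsresearch.com     # redirected elsewhere
127.0.0.1       123.123.123.123
"""


@dataclass
class Finding:
    line_no: int
    ip: str
    name: str
    reason: str


def is_ip(text: str) -> bool:
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, first_field, [remaining_fields]) per non-comment line.

    Grammar: IP, whitespace, one or more hostnames; '#' to end of line is a
    comment (inline comments included); blank lines are ignored.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((n, fields[0], fields[1:]))
    return entries


def audit_hosts(text: str) -> List[Finding]:
    """Flag malformed entries and watchlist names that are blocked/redirected."""
    findings: List[Finding] = []
    for n, ip, names in parse_hosts(text):
        if not is_ip(ip):
            findings.append(Finding(n, ip, " ".join(names), "first field is not an IP address"))
            continue
        if not names:
            findings.append(Finding(n, ip, "", "IP address with no hostname"))
            continue
        for name in names:
            if is_ip(name):
                # e.g. "127.0.0.1 123.123.123.123": HOSTS maps names, not IPs
                findings.append(Finding(n, ip, name, "hostname field is an IP address; entry has no effect"))
            elif name.lower() in WATCHLIST:
                if ip in LOOPBACK_OR_NULL:
                    reason = "security site blocked (points to loopback/null)"
                else:
                    reason = "security site redirected to another address"
                findings.append(Finding(n, ip, name, reason))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.ip} {f.name} -> {f.reason}")
```

Run it against the sample and it reports lines 4 to 7; the ad-blocking line 3 is left alone because it is a deliberate use of HOSTS, not a block on a help site. To audit a real machine, read the file at the path above into `audit_hosts` instead of `SAMPLE_HOSTS`.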
  17. defacedlawngnome

    defacedlawngnome Registered Member

    Joined:
    May 30, 2004
    Posts:
    1
    My computer was just diagnosed with this a few seconds ago.
    (screenshot: http://buzzd.jumpingbaboon.com/_files/images/trojan.jpg)
    However, I was able to perform a system scan and locate the virus and put it away with AVG.
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello defacedlawngnome and welcome!
    Thanks for adding to the discussion and your screenshot.

    Is it, after cleaning from the last time, STILL in your system restore or there AGAIN?
    If it is there STILL, please disable system restore, reboot, enable system restore and manually make a new restore point.
    If you did this and the file is there AGAIN, then you really need to look much deeper and scan for where it comes from; if it is only in the system restore again, the system restore wiping as described above should help.
    After that, have your TDS deep scan another time.

    But it is also very imperative to know how you got yourself infected again and where, so you know how to avoid it!

    It could be a good idea to post your complete HiJackThis log in the HijackThis forum for experts to look deeper for you, as described earlier in this thread.
    https://www.wilderssecurity.com/showthread.php?t=15913
     
    Last edited: Jun 1, 2004