Trojan horse Dropper Small.4.AG

Discussion in 'Trojan Defence Suite' started by DavidD, Apr 12, 2004.

Thread Status:
Not open for further replies.
  1. DavidD

    DavidD Guest

    Hello, I have a Trojan horse Dropper Small.4.AG. What is this virus, and how can I remove it without problems? My antivirus is AVG 6.0 and I run Windows XP.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello DavidD, and welcome to the forum.
    I googled a bit around for it, seeing all the people with AVG mentioning it.
    The threads all recommend running another scan with another scanner.
    Install TDS from www.diamondcs.com.au and, after installing, get the latest update file from the same download page to be able to scan. After installing, please make sure you reboot.
    In the scan system console select all options and the highest sensitivity to do a whole full system scan.
    Before you press to do so, make sure other AV/AT scanners and resident scanners are closed so TDS has full access to all files, which might be blocked if other scanners are up.
    Also close as many programs and browsers as possible to give TDS all possible room to speed up the heavy scanning process. It can take a while, so don't hesitate to step away from the computer for a while.
    When it's finished, right-click on one of the finds and choose "save as text" from the menu. This will be saved to Scandump.txt in your TDS directory.
    Please post that text in your next posting here, before deleting anything at all.
    If you see anything named "suspicious", and not only because of double extensions, don't hesitate to right-click on it and click submit, or find the file(s) in your system, zip them if possible and send them attached to an email to submit@diamondcs.com.au to get more instructions if needed.

    Depending on your scan results we walk further with you.
    Also be prepared to get the latest HijackThis version and to post your log results from that too! See this thread for instructions and where to get it:
    https://www.wilderssecurity.com/showthread.php?t=15913 , start with step 2 for the HijackThis instructions; afterwards you might be instructed to use the other steps too, etc.
    So I am looking forward with great interest to your scan results!


    BTW: if you prefer to go for the HijackThis scan first, nothing against that, of course!
     
    Last edited: Apr 12, 2004
  3. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, DavidD

    Welcome to Wilders and TDS.


    How did you find Small.4.AG: was it with TDS or AVG?

    Do you have the latest updates for your AV, or, if you have TDS, their latest updates?

    Have you searched Grisoft [the AVG website], or whatever it's called?

    Please post back at any time, as someone, I am sure, will give you more info.

    Sorry I cannot be of more help at this time.
    TheQuest :cool:
     
  4. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi. Jooske

    Sorry, crossed posts with you. :eek:

    TheQuest :cool:
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Please download TDS3 from here: http://tds.diamondcs.com.au/index.php?page=download
    Once downloaded, get the latest radius file from the same page and follow the instructions for manually updating TDS3.
    When you start TDS3, open the scan control window and select all the scan options. In generic detection enable Anti-Trojan & Anti-worm scripts and move the generic Sensitivity to High.
    Select the drives to be scanned.

    Please ensure that your antivirus and other programmes are disabled and press "start scanning". This is a very deep scan and will take quite a while to complete; after the scan you will see any alarms in the lower console. Right-click them and select what you want to do.
    If possible, can you please zip up any file that is identified and send it to submit@diamondcs.com.au before deleting it.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    We all replied within minutes of each other :)
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Of course we do! High priority!
    We all added some part to the story so that's ok.

    Make sure you do submit the finds to submit@diamondcs.com.au anyway -- better one too many than one too few.
    Looking forward to the scan results, we all do!
     
  8. DarleneBeavertd

    DarleneBeavertd Registered Member

    Joined:
    Mar 27, 2004
    Posts:
    2
    Location:
    Oklahoma
    :eek: I have AVG 6.0 for my virus scan also. Today it notified me that it found: Dropper.Small.4.AG, a Trojan Horse virus. I let it be locked in the vault.

    I also ran the basic TDS scan and this is the scandump for it:

    Scan Control Dumped @ 14:07:55 12-04-04
    Suspicious Filename: Dual extensions
    File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe

    Suspicious Filename: Dual extensions
    File: c:\program files\hewlett-packard\hp instant support di\temp\install.wse.exe

    I ran HijackThis and here is that log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:25:55 PM, on 4/12/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\TOUCHMGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\NETROPA\TOUCH MANAGER\MEDIACTR.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\UNZIPPED\HIJACKTHIS1977[1]\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Touch Manager] C:\Program Files\Netropa\Touch Manager\TouchMgr.exe
    O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
    O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE95\AUTOCHK.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [TWC App] C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Add to AD Black List - C:\PROGRAM FILES\AVANT BROWSER\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\PROGRAM FILES\AVANT BROWSER\AddAllToADBlackList.htm
    O8 - Extra context menu item: Search - C:\PROGRAM FILES\AVANT BROWSER\Search.htm
    O8 - Extra context menu item: Highlight - C:\PROGRAM FILES\AVANT BROWSER\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\PROGRAM FILES\AVANT BROWSER\OpenAllLinks.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pctuneup.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://images.ancestry.com/asfiles/files/install/MFImgVwr.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38073.2855439815
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.zillabar.com/toolbar/bin/dwnldr.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

    Do I have another virus?? Or am I okay??

    Thanks
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So the file is on your system and TDS did not locate it? Did you update TDS recently?
    Was the AVG scanner still up so TDS could not reach it? Did you configure the TDS scan console with all options checked?
    If you can locate the quarantined file (you might have to close AVG for that), can you please submit it to submit@diamondcs.com.au? You might have another version of the nasty, as there are many different varieties of them.
    I would recommend now waiting for the HJT experts and, after possible cleansing, rescanning with TDS, but with the Full System Scan this time on highest sensitivity.

    For the HJT log we call in the experts!
    What I can tell you (a minor thing, so keep it in mind if there is more to fix): the second line in your hosts file,
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com, can be deleted; the first one, 64...., is the actual one to stay up.
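    As an added example (not part of this thread or of TDS/HijackThis), the two checks the replies above rely on, written as a small Python script over constructed sample input: the O1 hosts lines from the posted log are grouped by hostname so a name mapped to more than one address is flagged, and the TDS "Dual extensions" heuristic is reproduced to show why install.wse.exe trips it even though it is a benign installer file.

```python
import re
from collections import defaultdict

# Constructed sample: the two O1 lines and one O4 line copied from the posted
# HijackThis log, plus a second benign O1 line that should not be flagged.
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.cnn.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [TaskMonitor] c:\\windows\\taskmon.exe
"""

# Constructed sample: the two paths the posted TDS scandump flagged, plus two
# ordinary executables and a classic disguised name for comparison.
SAMPLE_PATHS = [
    r"c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe",
    r"c:\program files\hewlett-packard\hp instant support di\temp\install.wse.exe",
    r"C:\WINDOWS\TASKMON.EXE",
    r"C:\WINDOWS\SYSTEM\SYSTRAY.EXE",
    r"C:\Downloads\photo.jpg.exe",
]

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def conflicting_hosts_entries(log_text):
    """Return {hostname: [ip, ...]} for every hostname that the O1 lines
    map to more than one address; a clean log returns an empty dict."""
    mapping = defaultdict(list)
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            ip, host = m.groups()
            mapping[host.lower()].append(ip)
    return {host: ips for host, ips in mapping.items() if len(ips) > 1}


def has_dual_extension(path):
    """Reproduce the 'Dual extensions' filename heuristic: an executable
    suffix preceded by another short extension (e.g. name.wse.exe).
    This is a hint only, as the posted scandump shows: a Wise installer
    file (.wse.exe) is flagged just like photo.jpg.exe would be."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXEC_EXT and 0 < len(parts[-2]) <= 4


def dual_extension_paths(paths):
    """Filter a list of paths down to those the heuristic would flag."""
    return [p for p in paths if has_dual_extension(p)]


if __name__ == "__main__":
    for host, ips in conflicting_hosts_entries(SAMPLE_HJT_LOG).items():
        print(f"{host} is mapped to {len(ips)} addresses: {', '.join(ips)}")
    for p in dual_extension_paths(SAMPLE_PATHS):
        print(f"Suspicious Filename: Dual extensions -> {p}")
```

    The hosts check only reports the conflict; which mapping is the stale one (here the 203.x line, as noted in the reply) still needs a human decision.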
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Nothing to add. That log is clean.
    Can you tell us what the filename and the full path were for the trojan that AVG found?

    Regards,

    Pieter
     
  11. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I read another post about this very Trojan that AVG found and placed in the vault. Several online scans were done and nothing was showing apart from the AVG find for this.
    The user cleaned the vault and then deleted their Restore Points and temporary Internet files, and all seemed to be OK when the next scan was done with AVG.

    It is strange that it is only AVG that has found this o_O

    Make sure all your other security programs, such as your firewall and Spybot etc., are working.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Gavin would appreciate it very much if the file could be located and submitted to him before it is deleted from your system, so he can look at whether there might be a new variant, or Gavin might add new detection with that. So please, submit@diamondcs.com.au is the place to go with the file. Doesn't AVG have a submission utility you can set to that email address? Would be great if possible.

    Robyn, it happens more with names: one can see which software named a nasty by that specific name, till there is a general naming for the same thing. A bit confusing at least. :D
     
  13. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Hi Jooske

    AVG 7 Pro, which I run, has tech support for the AV, but with the free version this is one thing they do not support :'( I agree with the confusion with names o_O
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Then most probably it is not possible to touch the quarantined files till you close down AVG and zip a copy to submit it.
    In fact, if AVG is down, TDS should be able to find those quarantined files and submit them with that.
     
  15. wizardavc

    wizardavc Registered Member

    Joined:
    Jun 22, 2003
    Posts:
    31
    Jooske, the trojan was already detected by AVG. Talk about promoting a product for the sake of promoting it.

     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Wizard
    What is your point? That was not stated in the first post of this thread that Jooske and others replied to.
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    1) Google around and see it is found by AVG users asking for help in several forums.
    2) All need additional help with other products, as AVG seems not able to clean it properly.
    2a) Even if it was cleansed by it, I would always recommend a second opinion, depending on the nasty.
    3) The message is posted for help in the TDS forum, so TDS is used.
    4) The file is in the TDS detection database.
    5) It could be a variant though, or even a false positive.
    5a) Hence the question to submit the file to be really sure and get additional advice if necessary, or the advice to inform AVG about a possible false positive.
    5b) No company loves false positives, so TDS is doing other developers a great favor by analysing their finds and helping with refining their databases too.
    6) Also HijackThis is used as a next step.
    7) If needed we use next steps and additional tools.
    :cool: We have many more in our help toolbox to help users cleanse their systems.
    8a) We're here to support users with that.
    8b) We have experience and many reasons why we do things the way we do them.
    8c) We're also here to educate users to stay out of trouble, and in ways they understand why and how to do it next time.
    9) Quoting in a forum means cutting out and posting only the parts you're reacting to. We all have scrollers and sliders to look back to the posting you're referring to.
    10) Hope this helps to answer all your questions, and have a good day.
     
    Last edited: Apr 13, 2004
  18. TheBeezNeez

    TheBeezNeez Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    2
    Location:
    Waiheke Island, NZ
    Hi All,
    I too have had this TJ, "Dropper.Small.4.AG", appear in my "AVG 6.0 for Windows" scan.
    I've also been googling and found the same stories as indicated above in the thread.
    I have run TrendMicro's "Housecall" program after switching off AVG, but it hasn't found anything.

    The file is located in "c:\windows\iNetPal".
    I have found one other forum that mentions this location also.
    I have been able to isolate the file and have sent it to submit@diamondcs.com.au as requested above; however, I am unable to zip the executable, known as "M3TSP8.EXE", so I have renamed the file (guessing that your system won't like a .exe turning up in the mail!) as a .YUK file. (Seemed like an appropriate name....!)

    I hope that AVG have stuffed up here.....!

    TheBeezNeez
     
  19. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    The file is TrojanDropper.Win32.Small.ff, and drops ADWARE known as TrojanDownloader.Win32.Rameh.b - which is related to F1organiser.com
     
  20. TheBeezNeez

    TheBeezNeez Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    2
    Location:
    Waiheke Island, NZ
    Thanks Gavin - somewhat relieved now that I know what it is!
    Well impressed with this forum too - a great find!

    TheBeezNeez
     
  21. phanta (sk)

    phanta (sk) Guest

    I have had this Trojan horse Dropper Small.4.AG too. It had been in E:\WINNT\iNETPAL\M3TSP8.EXE. Can it be from mail?
     
  22. Hi. I first found a Trojan Horse on April Fool's Day, followed a couple of weeks later by this one. AVG cleans it up just fine so the next scan is okay, but here is my (to me serious) problem: I can't download and install anything that uses the Wise Wizard thing, and most of the themes and screen savers, and many other things, seem to. It looks like it is somehow related to Bonzi Buddy, as I have trouble with all files containing that mess, and haven't, as far as I know, had any trouble with those that didn't have it. But, what can I do about it? None of the spyware-killing programs will install on my computer, and even my pop-up killer is letting pop-ups through all the time. I've been everywhere, online and on my computer, trying to find an answer for this. I miss my downloads! Can anyone help?
     
    Last edited by a moderator: May 2, 2004
  23. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi cmelee115 :)

    seems like u need to follow the instructions here,

    https://www.wilderssecurity.com/showthread.php?t=15913

    then post your HijackThis log in the Hijack cleaning forum where one of the experts will give u recommendations on any Malware found.

    Hope this helps.

    I also removed your email addy for your own protection.


    snowbound
     
  24. marjo52

    marjo52 Guest

    I have a Trojan horse Dropper Small.4.AG and don't know how to get rid of it!!!!
     
  25. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Just follow the instructions in the link I posted above. ;)


    snowbound
     