Trojan Horse Dropper.small.4.Ag

Discussion in 'Trojan Defence Suite' started by Highland Angel, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    Hi...can anyone here tell me how to get rid of the Trojan Horse Dropper.small.4.ag? My AVG sends me this lil note saying it is there, but when I do the scan (with the newest updated version) it does not find it...I also run Ad-aware and Spybot Search & Destroy. Can anyone please help me with this...I really would like to get rid of it. Thanks in advance.
     
  2. FanJ

    FanJ Guest

    Hi,

    You are posting in the dedicated TDS-3 forum.
    So I might assume that you are using TDS-3.
    Am I right?
     
  3. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    Oh sorry I am not...where should I post this then?
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Don't worry!
    You can solve this by starting to use TDS (Trojan Defence Suite) from DiamondCS (see my sig),
    or I can move this thread to the viruses and trojans area, although it might belong in the spyware section, not sure yet. I'll look for it, so no need to post in another place at the moment; I'll move you complete with thread! :)

    Remember, if you scan with any of the other scanners, even Spybot S&D and Ad-aware, make sure during that time that your AVG is completely closed: open its GUI and uncheck every scan option, resident protection, everything, so all other scanners have full access to every file on your system.

    What surprises me is that your AVG sends you a warning about an infection on your system and afterwards doesn't locate it? Or did you get an email warning from somebody about a bounced message, which most probably was not sent by you at all?

    The dropper you mention was cleaned successfully countless times, as you can also see in the HijackThis logs forum around [thread]15913[/thread].
    You might consider posting your own HJT log there too; in the thread I just mentioned you can see how to do that.
     
  5. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    OK, I have done the HijackThis log (did it yesterday and posted it). I don't have TDS, but if you can tell me how to remove this Trojan that would be great.

    AVG sends me a warning...but never finds it when it scans the PC...but any time the PC is idle very long it sends those warnings. I just want this thing gone...*SIGH*
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Download TDS3 from http://tds.diamondcs.com.au, then update the database and scan your system. Disinfection should be a matter of simply right-clicking on the infected files and choosing the Delete File option. :)

    Best regards,
    Wayne
     
  7. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    Is this a free program? I don't have a lot of money right now...so if it's not...*SIGH*
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Before installing TDS, make sure AVG and any other scanner is closed completely, including their resident protection.

    After installing TDS and rebooting, get the latest Radius update before starting TDS and let it do its startup.
    When you scan with TDS, please again make sure AVG is completely closed, including the resident protection, so TDS has full access to every file on your system.
     
  9. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    Well, OK. I have downloaded the trial version, but you can't update that unless you buy it. Also, what about if the trojan it finds is in a file that you can't just delete? I will prolly just buy the program tonight when my hubby gets home. He wants to look at it. With this program, does it scan your PC all the time for Trojans or do you need to run it like once or twice a week? Thanks for the help so far.
     
  10. Mr. Hrmm

    Mr. Hrmm Guest

    Hi Highland Angel.

    You can update the TDS-3 trial version manually.
    Take a look at the page where you downloaded TDS and see where it says "Click HERE to download the latest TDS radius database update."
    Just right-click on that, choose 'Save as' and put that radius update file in your TDS folder.
     
  11. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    ok I have done that and now it is doing a full scan. (Had to figure out how to use it. lol)
     
  12. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    I've had it scan and it does not seem to find anything...*SIGH*
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hope that in TDS Scan Control you clicked all the available scan options to see everything.
    When TDS is ready with its scanning, you'll have some alerts in the bottom console.
    Right-click on one of them and choose "Save to text".
    That scan result I would like you to include in your next posting. (It's the scandump.txt in the TDS directory.)

    So far it's going great, isn't it?
     
    Last edited: Jul 8, 2004
  14. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    After I did the scan control thing what should I do...should I scan C with that where you can click C and then Scan...or should I open System Testing and then do Full System Scan? (Sorry this program is a lil confusing for me...*I normally don't have problems with most software but this one confuses me*)
     
  15. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    OK, I have scanned with the update and it found several things...The one it would let me save as text I have copied and pasted so you can see, as requested. :) But it put a few other things into the alert section as well...so let me know what to do from here.

    Scan Control Dumped @ 10:55:05 08-07-04
    Positive identification (DLL): Adware.MiniBug (dll)
    File: c:\program files\aws\weatherbug\minibugtransporter.dll

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
    File: c:\windows\_default.pif:summaryinformation

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 2972 bytes
    File: c:\windows\system32\oemlogo.bmp:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4884 bytes
    File: c:\windows\system32\emachines\images\scrcap_help.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 5644 bytes
    File: c:\windows\system32\emachines\images\scrcap_xptour.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 7172 bytes
    File: c:\windows\system32\emachines\images\scrcap_xptrain.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4092 bytes
    File: c:\windows\web\wallpaper\emachines.bmp:q30lsldxjoudresxaaaqpcawxc
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Your AVG is still completely closed the way I said, eh, also the resident part etc., and no other scanners running either?
    OK. In TDS, open Scan Control, check ALL the scan options there are, every square on both tabs, and put the slider on highest. Save configuration.
    Now press Full System Scan, close all programs and browsers you don't need at the moment, and step away to do something nice while TDS scans your whole system. But do make sure in the AVG console you really unmarked every check mark there is, its systray icon all grayed out.
    Hope you get more convincing scan results now, and of course hope you're really clean! That doesn't mean the program isn't working or that you would be doing something wrong; it just does its job!
     
  17. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    ok I did that...and must have been posting the results you asked for when you posted your last post...
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You see that minibug thing on top: it is a positive identification and it's a known thing, so you can right-click and delete it;

    the NTFS data streams smaller than 188-256 bytes you can generally safely ignore, but those are larger.

    Did you fill in your outbox and email address in the TDS configuration (top left: TDS > Configuration > tab Servers)?
    If that works fine, you can right-click on those lines with the NTFS ADS streams and choose Submit, by which they are sent automatically to submit@diamondcs.com.au.
    If that fails, or if you closed that bottom GUI already, you can also zip them and attach them to an email to that same address. If you can't zip them, do it just like that and hopefully they don't get damaged in the mailbox. Write this link in the email; that maybe makes it easier for Gavin to react and see the background.

    I'm surprised this was the only stuff found by TDS, but that's OK.

    After deleting and submitting those files
    (at the moment I'm not sure about the images yet; might be there's nothing wrong with them -- looks like they belong to original programs, is that right? So don't delete them yet! -- just some copyright message maybe)
    you might like to do another scan with your AVG and look carefully if it alarms again, and then I would like to know exactly the filename and exactly where it is located on your system, with full pathname.

    If you have to reboot, please disable System Restore, do the reboot, afterwards enable System Restore again and manually create a new restore point.
    This because if not, your nasties would come back via System Restore.

    Looking forward to your next AVG scan results!


    BTW: since that minibug is adware, maybe TDS does not delete it. That's no problem if you have Ad-aware and/or Spybot S&D (if you don't have them, look in thread [thread]15913[/thread], where there are download links for both those programs, and they both are able to do it for you -- after install you need to update their databases, but in those you can do it with a click on the update buttons; both programs are free).
    So after getting rid of that minibug I wonder what your AVG scan will look like!
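    The advice above (delete the positive identification, ignore the small ADS entries, submit the large ones rather than deleting them) applied to the scan dump posted earlier, as a small triage script. This is an added example, not TDS-3's or the thread's own code; it assumes the scandump.txt format is exactly as quoted in the thread, uses a constructed three-entry sample, and takes the upper end of the quoted 188-256 byte range as the ignore threshold.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Upper bound of the "small stream" range quoted in the thread (188-256 bytes); below it is usually benign.
ADS_IGNORE_BYTES = 256

# Constructed sample in the thread's dump format, cut down to three entries.
SAMPLE_DUMP = r"""Scan Control Dumped @ 10:55:05 08-07-04
Positive identification (DLL): Adware.MiniBug (dll)
File: c:\program files\aws\weatherbug\minibugtransporter.dll

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
File: c:\windows\_default.pif:summaryinformation

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 2972 bytes
File: c:\windows\system32\oemlogo.bmp:q30lsldxjoudresxaaaqpcawxc
"""

@dataclass
class Finding:
    kind: str                 # e.g. "Positive identification (DLL)" or "NTFS Alternate Data Stream"
    detail: str               # detection name, or the stream description
    path: str                 # file path; ADS entries carry a ":streamname" suffix
    ads_bytes: Optional[int]  # stream size for ADS entries, None otherwise

    @property
    def action(self) -> str:
        """Map the thread's advice onto one dump entry."""
        if self.kind.startswith("Positive identification"):
            return "delete"   # known detection: right-click, Delete File
        if self.ads_bytes is not None and self.ads_bytes < ADS_IGNORE_BYTES:
            return "ignore"   # small stream, generally safe to leave alone
        return "submit"       # large unknown stream: submit a sample, do not delete yet

def parse_dump(text: str) -> List[Finding]:
    """Pair each 'File:' line with the 'Kind: detail' line directly above it."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings = []
    for prev, cur in zip(lines, lines[1:]):
        if not cur.startswith("File: ") or ": " not in prev:
            continue  # header, blank line, or a line that is not a finding pair
        kind, _, detail = prev.partition(": ")
        size = re.search(r"(\d+) bytes", detail) if kind.startswith("NTFS") else None
        findings.append(Finding(kind, detail, cur[len("File: "):],
                                int(size.group(1)) if size else None))
    return findings
```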
     
  19. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    OK, I deleted the one you said to delete...and left the others alone for now. Yes, I went to see what one of the ones was...and it was the eMachines "E" logo. So yeah, I would say they belong to original programs.

    ok...I am going to reboot before I get so that I can do the turning off restore and creating a new restore point...this won't hurt anything right...(Sorry just a bit nervous about doing things I don't normally do to my pc.)
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    We learn by the day here, we all do, really.
    Deleting the system restore points means you no longer have the nasty stuff in them, if there is any. But it's always handy to have a point to be able to return to, just in case you need it or are going to do new things like using unknown scanners etc., so that's why I'd really like you to make that restore point before using the other scanners.

    Hope your AVG scan will show up clean with that, fingers crossed.
     
  21. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    OK, I have done this, thanks...:) I am scanning with AVG right now. But it never picks it up on the regular scan. When it picks it up is when the PC goes idle; then it pops up this pop-up saying it is there. Here on this page there is a screenshot of what I get. It's the very same thing. https://www.wilderssecurity.com/showthread.php?t=33568 maybe that will help some too.

    Thanks for all your help so far. I will now let my pc go idle and see if I get that pop up.
     
  22. Mr. Hrmm

    Mr. Hrmm Guest

    I have a feeling it's gone now.
    From looking at the screenshot, looks like it was in a restore point.

    I hope it is gone :)
     
  23. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    Well, I did the AVG scan and it did not come up with anything. I am gonna let the PC go idle and see what happens. I will let you all know when and if anything happens...thank you so so much, all of you, for your patience and help. :)
     
  24. Highland Angel

    Highland Angel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    21
    Thanks again...so far so good...it seems to have fixed the problem. I will let you know for sure in a couple days...thanks again...*HUGS*
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome! If it was in a system restore point, just like in the screenshot of the other user, then it should be gone with that deleting of older restore points. Hope you didn't forget to enable System Restore again and create a new restore point manually.

    Hope you'll hear soon about those huge data streams if you submitted them.
    And do an extra scan with Spybot S&D and Ad-aware (update those also each time before the scan) to look for more possible nasty spyware and adware stuff.

    You said when the system goes idle, so when the screensaver normally would start. If you right-click in an empty space on your desktop to look at its properties, where you can change desktop settings, screensavers, etc., you can look in the screensavers to see if there is anything new / unknown, a file you don't recognise, etc., although I don't really expect anything there anymore.
     