Trojan Horse  New?

By susanv
May 22, 2006
  1. Trojan horse

    I have it as well, and it is an imbedded file that I can't get rid of. AVG found it, no word of it on their site, so does anyone know how to get rid of it?

  2. Jona

    Jona TS Rookie

    Try running AVG. in Safe Mode, (just in case you do not know how Safe Mode ) You may find it will clean your infection.

    If not, download pocket killbox (google for it)

    Copy and paste the full file path as shown in your AVG logs into the 'file path' box in killbox, select 'Delete on reboot' and hit the 'Kill file' button.
    Restart your PC and run a registry cleaner is a good freebie.
    CCleaner - (again just google for it)- Spyware FREE

    If you still have problems, post back
  3. TonyGuitar

    TonyGuitar TS Rookie Posts: 90

    small 28 au reported as a trojan but may not be?

    Jona, thanks for input. Looks likely and I*ll go into that soon.

    Meanwhile, following previous instructions, have run into a little confusion...

    I Understand the sorting and classifying of Malware is time consuming and very costly.

    Example: One firm*s scan reports: TrojanHorse

    Search Virus Database elements, [ small 28 ] [Enter no periods in,= prevents search]

    Returns three results.
    One return stands out because of the recent date fitting the discovery. May 16/06
    Win32/ Bagle.EA 16 Mar 2006 W32/Bagle-DO, Win32.Bagle.EA, WORM_BAGLE.DQ (Trend), Win32/Bagle.EA!Worm, W32/Bagle.FO@mm (F-Secure), W32.Beagle.DX@mm (Symantec), Email-Worm.Win32.Bagle.fs (Kaspersky)

    Now this seems to be a Win32-bagle-EA type, and I presume holds [small.28] somewhere in it*s files. So this now seems like something other than a Trojan Horse(Dropper) or it could still be a Trojan. Although the definition here seems to be [Worm].

    This raises many questions before learning the steps to disarm and remove this malware. TG
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello susanv and Jona and welcome to Techspot.


    Go HERE and follow the instructions.

    Post a fresh HJT log as an attachment into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    P.s I have split your posts and put them into there own thread.
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hi TG.

    As you can see you posted at the same time I split the thread.

    I suggest you follow the above instructions as well, as I suggested in your other thread.

    Regards Howard :)
  6. TonyGuitar

    TonyGuitar TS Rookie Posts: 90

    Thanks, Howard.. This looks OK now


    There is a space or two and an asterisk [to locate], but I think (no name) belongs to Adobe PDF.

    This is how it boots. I remove Kodak, Pcassa, and choose defender stuff after booting up.

    Guess I should mention that nothing behaves badly, It*s just that I*m supposed to have [Dropper dot 28 dot small dot au ] and maybe more in connection like: [Worm_agobot dot TN] ?

    D:\preload\data9_03.inp\imekr.lex - [corrupt]

    c8rss.exe ? Isass.exe ? and this line is supposed to be bad;AVG-

    c:\hp\bin\corelwp\src\intro.exe [RE: dropper dot small .. ..] [App11538.exe]

    If nothing clicks.. don*t worry, at least you saw it ... maybe later.
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE.

    Turn off system restore.(XP/ME only) See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


    Fix all 016-DPF entries.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files(if there).


    Reboot into normal mode and turn system restore back on.

    Regards Howard :)
  8. TonyGuitar

    TonyGuitar TS Rookie Posts: 90

    Experiment to get rid of Dropper small 28 worked!

    Thinking about how trojans get on board by buffer overflow...

    They probably write to disk beyond bounderies and thus can not be found.... one only has to mess up the links in their group chain to cripple them.

    First, one runs good old disk clean-up. Gets rid of a lot of temp and abandoned files. Condenses and re-packs files. Gains efficiency.

    Second, one runs de-frag and because Trojans may be out of bounds, they are un-protected in a sense and will get wiped or have relationships disrupted.

    End result. = the pesky Dropper 28 small au is now missing and AVG gives me an all green on the 25th afetr red reports for a week.

    My theory may be part dream, but the missing Trojan is real enough. TG
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...