Trojan Horse Dropper.small.28.au New?

Status
Not open for further replies.
Trojan horse dropper.small.28.au

I have it as well, and it is an embedded file that I can't get rid of. AVG found it, no word of it on their site, so does anyone know how to get rid of it?

susanv
 
Hi.
Try running AVG in Safe Mode (just in case you do not know how to get into Safe Mode). You may find it will clean your infection.

If not, download pocket killbox (google for it)

Copy and paste the full file path as shown in your AVG logs into the 'file path' box in killbox, select 'Delete on reboot' and hit the 'Kill file' button.
Restart your PC and run a registry cleaner. CCleaner is a good freebie (again, just google for it) and is spyware free.

If you still have problems, post back
 
small 28 au reported as a trojan but may not be?

Jona, thanks for input. Looks likely and I'll go into that soon.

Meanwhile, following previous instructions, have run into a little confusion...

I understand the sorting and classifying of malware is time consuming and very costly.

Example: One firm's scan reports: TrojanHorse Dropper.small.28.au

Search the www.3.ca Virus Database for [ small 28 ]. (Enter no periods as in small.28.au; they prevent the search.)

Returns three results.
One return stands out because of the recent date fitting the discovery. May 16/06
Win32/ Bagle.EA 16 Mar 2006 W32/Bagle-DO, Win32.Bagle.EA, WORM_BAGLE.DQ (Trend), Win32/Bagle.EA!Worm, W32/Bagle.FO@mm (F-Secure), W32.Beagle.DX@mm (Symantec), Email-Worm.Win32.Bagle.fs (Kaspersky)


Now this seems to be a Win32-bagle-EA type, and I presume holds [small.28] somewhere in its files. So this now seems like something other than a Trojan Horse (Dropper), or it could still be a Trojan, although the definition here seems to be [Worm].

This raises many questions before learning the steps to disarm and remove this malware. TG
 
Hello susanv and Jona and welcome to Techspot.

susanv.

Go HERE and follow the instructions.

Post a fresh HJT log as an attachment into this thread, only after doing the above.

Regards Howard

P.S. I have split your posts and put them into their own thread.
 
Hi TG.

As you can see you posted at the same time I split the thread.

I suggest you follow the above instructions as well, as I suggested in your other thread.

Regards Howard :)
 
Thanks, Howard. This looks OK now.

Howard,

There is a space or two and an asterisk [to locate], but I think (no name) belongs to Adobe PDF.

This is how it boots. I remove Kodak, Picasa, and choose defender stuff after booting up.

Guess I should mention that nothing behaves badly. It's just that I'm supposed to have [Dropper dot 28 dot small dot au] and maybe more in connection, like [Worm_agobot dot TN]?

D:\preload\data9_03.inp\imekr.lex - [corrupt]
D:\preload\data9_01.inp\mmsys.cpi

c8rss.exe? Isass.exe? And this line is supposed to be bad; AVG -

c:\hp\bin\corelwp\src\intro.exe [RE: dropper dot small .. ..] [App11538.exe]

If nothing clicks.. don't worry, at least you saw it ... maybe later.
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.shaw.ca

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O14 - IERESET.INF: START_PAGE_URL=http://start.shaw.ca

Fix all O16 - DPF entries.

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files (if there).

ALCXMNTR.EXE

Reboot into normal mode and turn system restore back on.


Regards Howard :)
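The HJT log entries quoted above, as an added example that is not part of the original thread: a small Python triage helper that parses such lines and flags the kinds of entries Howard lists. The sample lines are constructed from the thread (plus two made-up entries for contrast), and the flagging rules are my own assumptions, not HJT's or AVG's logic.

```python
# Added example (not the thread's own code): a small triage helper for
# HijackThis (HJT) log lines. It parses the entry kinds Howard quotes and
# flags the sorts of entries he tells the poster to fix. The rules are
# assumptions for illustration, not HJT's or AVG's own logic.
import re
from dataclasses import dataclass

# Constructed sample: Howard's lines plus two made-up entries (a benign
# looking O4 with a full path and an O16 DPF control) for contrast.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://start.shaw.ca/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://start.shaw.ca
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\\..\\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\\..\\Run: [Example] C:\\Program Files\\Example\\example.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.shaw.ca
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://example.invalid/ctl.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

@dataclass
class Entry:
    kind: str      # HJT section, e.g. "O2"
    body: str      # text after the "Rn - " / "On - " prefix
    reasons: list  # why the entry was flagged (empty if it was not)

def parse_hjt(text):
    """Return one Entry per well-formed HJT log line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"], []))
    return entries

def flag(entries):
    """Apply the assumed triage rules and return the flagged entries, in order."""
    for e in entries:
        if e.kind in ("R0", "R1", "O14"):
            e.reasons.append("start-page setting; confirm it is one you chose")
        if e.kind == "O2" and "(no file)" in e.body:
            e.reasons.append("BHO registered but its file is missing")
        if e.kind == "O16":
            e.reasons.append("downloaded ActiveX control (DPF)")
        if e.kind == "O4" and "\\" not in e.body.split("] ", 1)[-1]:
            e.reasons.append("Run entry with a bare executable name, no path")
    return [e for e in entries if e.reasons]
```

Running `flag(parse_hjt(SAMPLE_LOG))` returns the six entries Howard marks for fixing and leaves the made-up full-path O4 entry alone.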
 
Experiment to get rid of Dropper small 28 worked!

Thinking about how trojans get on board by buffer overflow...

They probably write to disk beyond boundaries and thus cannot be found.... one only has to mess up the links in their group chain to cripple them.

First, one runs good old disk clean-up. Gets rid of a lot of temp and abandoned files. Condenses and re-packs files. Gains efficiency.

Second, one runs de-frag and because Trojans may be out of bounds, they are un-protected in a sense and will get wiped or have relationships disrupted.

End result: the pesky Dropper 28 small au is now missing and AVG gives me an all green on the 25th after red reports for a week.

My theory may be part dream, but the missing Trojan is real enough. TG
 