Attacked again help asap
Original Message
Name: glorybirds
Date: December 14, 2004 at 08:05:44 Pacific
Subject: Attacked again help asap
OS: Win Me
CPU/Ram: 256
Comment: I had a trojan about 10 days ago and after much research and problems redid my hard drive Sunday night. Today my AVG picked up c:\windows\bundles\sale1101.exe and c:\windows\bundles\shopinst.exe and deleted them. I am showing in my restore\temp folder Trojan horse Dropper.Small.7.Ar and Trojan horse Downloader.Small.12.BJ. How do I get rid of it in Restore? I do use it from time to time. And how in the heck did I get this when everything was fresh and I didn't open or download anything? Lisa
Response Number 1
Name: johnr
Date: December 14, 2004 at 08:21:47 Pacific
Reply: To get rid of it in 'restore' you need to disable System Restore (you'll lose your restore points), run your AVG scanner again & then re-enable system restore. Have you got a firewall installed? Unprotected PCs can be attacked in a matter of minutes of going on-line. "I know that I'm mad - I've always been mad..."
Response Number 3
Name: jabuck
Date: December 14, 2004 at 08:33:09 Pacific
Reply: Go to start> settings> control panel> system> performance> file system> troubleshooting> check the box beside disable system restore> apply> ok. Let it restart. Wait 5 minutes> go back and re-enable. Let it restart. Then go to start> run> type "msconfig" without the quotes> ok> launch system restore> create restore point> name it anything> next> home. That should purge system restore and create a new restore point.
Response Number 5
Name: glorybirds
Date: December 14, 2004 at 09:27:39 Pacific
Reply: First I would like to Thank all of you for helping so quickly, means a lot. I disabled restore, ran AVG in safe mode, clean, put restore back on, ran AVG, clean. Now another question. I am using AVG 7.0 and McAfee firewall. Before I redid my hard drive I was using this plus spybot, spyblaster. Being new to this anything that was checked as a threat I cleaned up, the problem is I cleaned up things that my computer needed. I found out my Kodak camera quit working because of this. How do you know what to keep and get rid of before I put this back on? I also get a lot of backweb, coolweb and alexis. Thanks Lisa
Response Number 6
Name: jabuck
Date: December 14, 2004 at 11:38:32 Pacific
Reply: Quote: "Being new to this anything that was checked as a threat I cleaned up" I guess you mean checked in AVG or spybot, which would be ok to remove. If you unchecked them in msconfig then re-check them. There is a big update for AVG; if you don't have it you should get it. You should also have spywareblaster updated and running. I run adaware se because it picks up a few things some others miss. Also update spybot. Alexis should be fixed by spybot and definitely fixed with Adaware SE but will need SpywareBlaster to prevent it from getting right back on the pc if online. Coolweb may call for an expert who may ask for a Hijack This log. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed. Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor. Do not fix anything yet. Let someone review your log, I will be glad to review it. Another option is to analyze your own HT log Here. Backweb should not be a big threat and is needed by Kodak as you can see: Answers That Work
Response Number 7
Name: glorybirds
Date: December 14, 2004 at 12:08:41 Pacific
Reply: I have updates for everything even my AVG. My spybot I got rid of everything but wild tangent, not sure if I need it. Spyblaster has everything enabled and adaware has everything quarantined. Cwshredder shows no coolweb. Now when I put my Kodak camera back on the computer, I will leave backweb. That was a good site you gave me also. See the biggest problem is knowing what to block in all these programs? Not knowing what you need to run your own programs. Any tips? Thank You Lisa
Response Number 8
Name: glorybirds
Date: December 14, 2004 at 23:35:14 Pacific
Reply: Now I have more problems. My resources are always running low. I'm freezing up. I have a shortcut on my desktop microsoft xml 4.0 parser sdk that I don't know where it came from. Spy bot is showing DSO Exploit which says microsoft IE security hole. Should I leave it alone? My McAfee firewall has some exe that I don't think should be there: Bundles exe, loader stcloader.exe, run a DLL as an app Rundll32.exe. And a few others. Where am I going wrong? Lisa
Response Number 10
Name: glorybirds
Date: December 15, 2004 at 09:39:27 Pacific
Reply: jabuck, here is the log, hope I did it right.

Logfile of HijackThis v1.99.0
Scan saved at 11:24:04 AM, on 12/15/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media98.fastclick.net/w/safepop.cgi?mid=51855&sid=8418&id=103863&len=0&c=31&nfcp=1&fp=2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahjong/mahjong-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.3.35/squelchies/squelchies-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.0.4.31/aces/aces-ob-assets.cab
O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.3.35/cctank/cctank-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.31/wordjong/wordjong-ob-assets.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Lisa
Response Number 11
Name: jabuck
Date: December 15, 2004 at 10:32:01 Pacific
Reply: Lisa, Run a HT scan and check to fix these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media98.fastclick.net/w/safepop.cgi?mid=51855&sid=8418&id=103863&len=0&c=31&nfcp=1&fp=2
You should close SSDPSRV by going to control panel> add/remove programs> windows setup and let it load> scroll down to communications and double click it> scroll down to universal plug and play and uncheck it> ok. Did you find the stc.exe file? I don't see any reference to it.
Response Number 12
Name: glorybirds
Date: December 15, 2004 at 11:07:46 Pacific
Reply: Okay I did all that. Last night I blocked bundles in the firewall and some of the things aren't showing anymore; there is motive support tuner mad exe, run a dll as an app rundll32.exe and stcupdt exe with full access. Not sure if I should block these. On the spybot should I check DSO and wild tangent to get rid of them? I did a search for STC exe and found nothing. I am very grateful to you for helping me like this. Lisa
Response Number 13
Name: jabuck
Date: December 15, 2004 at 12:29:17 Pacific
Reply: Yes you can remove those items in Spybot. The stcupdt.exe (stloader) is second search, a spyware, that is not showing up in your HT log that I can see. Then go offline> go to control panel> internet options: clear history> yes delete cookies> ok delete files> ok. Reboot into safe mode and run spy bot and adaware se (three times each) and delete what they find. Then while still in safe mode go to control panel> folder options> view> tick the circle beside show hidden files and folders> apply> ok. Then navigate to this folder and delete if found:
C:\Program Files\STC
Delete these files if found:
C:\stcupdt.exe (may be a folder)
C:\WINDOWS\SYSTEM\winupdt.exe
C:\WINDOWS\SYSTEM\idleui.dll
C:\WINDOWS\SYSTEM\2ndsrch.dll
C:\WINDOWS\SYSTEM\stcloader.exe
Reboot and purge system restore again and make a new set point.
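As an added example (not code from this thread, from HijackThis or from any of the posters), the Python below parses the R0/R1 and O4 lines of a HijackThis log like the one Lisa posted and flags the two kinds of entries jabuck acted on: start/search URLs pointing at a host the owner did not choose (Response 11) and autostart entries that run one of the file names he listed for deletion (Response 13). The trusted-host set and the stcloader.exe autostart line in the sample are constructed assumptions; the other sample lines are copied from the posted log.

```python
import re
from urllib.parse import urlparse

# HijackThis R0/R1 lines: "R1 - HKCU\...\Main,Search Bar = http://host/..."
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
# O4 autostart lines: "O4 - HKLM\..\Run: [Name] C:\path\file.exe /args"
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")
# First executable or library name in an O4 command (Rundll32.exe, AVGCC.EXE, ...)
EXE_NAME = re.compile(r"([^\\\s]+\.(?:exe|dll|tsk))", re.IGNORECASE)

# Constructed sample: lines from the log above plus one hypothetical O4 line for
# stcloader.exe, which the thread names but the posted log does not contain.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media98.fastclick.net/w/safepop.cgi?mid=51855&sid=8418&id=103863&len=0&c=31&nfcp=1&fp=2
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
"""
# Assumption: the only start/search page host the owner set herself.
TRUSTED_HOSTS = {"hp.my.yahoo.com"}
# File names jabuck told Lisa to delete if found (Response 13).
KNOWN_BAD_FILES = {"stcloader.exe", "stcupdt.exe", "winupdt.exe", "idleui.dll", "2ndsrch.dll"}

def parse_hjt(text):
    """Return R0/R1 and O4 entries as dicts; all other HJT sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append({"type": m.group(1), "key": m.group(2), "value": m.group(3), "url": m.group(4)})
            continue
        m = O4_LINE.match(line.strip())
        if m:
            entries.append({"type": "O4", "key": m.group(1), "name": m.group(2), "cmd": m.group(3)})
    return entries

def flag_entries(entries, trusted_hosts, known_bad_files):
    """Flag R0/R1 URLs outside trusted_hosts and O4 commands that run a known-bad file."""
    flagged = []
    for e in entries:
        if e["type"] in ("R0", "R1"):
            host = (urlparse(e["url"]).hostname or "").lower()  # local paths have no host
            if host and host not in trusted_hosts:
                flagged.append((e["type"], e["value"], host))
        else:
            m = EXE_NAME.search(e["cmd"])
            if m and m.group(1).lower() in known_bad_files:
                flagged.append(("O4", e["name"], m.group(1).lower()))
    return flagged
```

Running `flag_entries(parse_hjt(SAMPLE_LOG), TRUSTED_HOSTS, KNOWN_BAD_FILES)` returns the two R1 hosts jabuck told Lisa to fix and the constructed stcloader autostart; the R0 start page and the AVG and power-profile entries pass.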
Response Number 14
Name: glorybirds
Date: December 16, 2004 at 07:26:25 Pacific
Reply: Well, I did all you said, I have a couple questions left. I ran spyblaster 3 times and wild tangent and DSO came up. I still didn't know if I was supposed to fix them? So I did. Hope I don't mess up any music players by doing that. DSO came back all times. Adaware I did 3 times but I didn't know if I was supposed to fix the 16 negligible items? Didn't know how to exactly navigate for those folders so I went to files and folders and searched and then double checked by going to c drive windows etc. Found stcupdt exe, deleted it, but didn't find any of the other files or folders. Didn't know what "purge system then new restore point" meant, so I rebooted, went to system restore and created a restore point. McAfee firewall had a weird error last night and sometimes freezes up, should I get a different firewall? Hope I did everything right. If you could let me know about some of these questions, hopefully I can quit bothering you. Thanks again. Lisa