Trojan Horse Dropper.Small.10.AN

AVG has found a virus on my PC named Trojan Horse Dropper.Small.10.AN. I then started back up in Safemode, ran a system check and put the virus in the Virus Vault. I then Deleted the file thinking it would get rid of this virus, but the virus keeps reappering everytime I start my PC up again. What is this virus and how can I get rid of it permently? thanks for the help

disable system restore, reboot ,scan and clean the trojan, then when clean , enable system restore. Disabling or enabling Windows Me System Restore trojan hunter has a 30 day trial, as does trojan remover. both list removal of that. and a scan at: http://housecall.antivirus.com wouldn't hurt. since it uses activex.

www, thanks for the reply. How do I clean the trojan so it is gone Permanently? I thought that was what i was doing by puting the virus in the AVG Virus Vault and then deleting the file. Why can't AVG clena out the trojan if thats the program that found it? thanks again

some antivirus programs don't find all of the files, including those that are in the restore folder. that are part of the trojan. I had to use tds-3 to find all of the files in a dialer trojan, and then I had to use regedit to delete the entry from the registry. to completely remove it. I've also used trojan hunter and remover successfully in the removal of trojans.

I saw your log post that was deleted 3/20/05 Lets try to get you cleaned up. Put a check mark next to these, press "fix checked" R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EbatesMoeMoneyMaker0.exe" O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.exe O8 - Extra context menu item: Ebates - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing) O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing) O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing) O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing) O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing) O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing) O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing) O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing) O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (HKCU) Reboot to safe mode. search for files and folders and right click and delete these files. zpfujj.exe FARMMEXT.exe wupdt.exe C:\Program Files\Ebates_MoeMoneyMaker<---This entire folder Post another log after you reboot back to normal mode. Good luck

Don't know where you went, but their are special log reading forums. ASAP stands for the Alliance of Security Analysis Professionals.

Ok, Abnormal. I finally got a chance to go through the steps you mentioned above in HijackThis and deleteing the other programs/files. Here is the latest log after doing everything you said to: Logfile of HijackThis v1.99.1 Scan saved at 9:53:00 PM, on 3/26/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.exe C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.exe C:\WINDOWS\SYSTEM\MSTASK.exe C:\WINDOWS\SYSTEM\STIMON.exe C:\WINDOWS\EXPLORER.exe C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe C:\WINDOWS\TASKMON.exe C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.exe C:\WINDOWS\PCTVOICE.exe C:\WINDOWS\SYSTEM\SYSTRAY.exe C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.exe C:\WINDOWS\SYSTEM\HIDSERV.exe C:\WINDOWS\SYSTEM\WMIEXE.exe C:\WINDOWS\SYSTEM\PELMICED.exe C:\WINDOWS\SYSTEM\LEXBCES.exe C:\PROGRAM FILES\MOTIVE\MOTMON.exe C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.exe C:\WINDOWS\SYSTEM\SPOOL32.exe C:\WINDOWS\SYSTEM\RPCSS.exe C:\COMPAQ\CPQINET\CPQINET.exe C:\PROGRAM FILES\VERIZON ONLINE\VERIZON ONLINE SUPPORT CENTER\SMARTBRIDGE\MOTIVESB.exe C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.exe C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.exe C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.exe C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe C:\PROGRAM FILES\HIJACKTHIS.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe O4 - HKLM\..\Run: [CountrySelection] pctptt.exe O4 - HKLM\..\Run: [LexStart] Lexstart.exe O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.exe O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\VERIZO~2\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EbatesMoeMoneyMaker0.exe" O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab Also a few other questiones for you. The same results keep coming up in both Spybot and Adaware even after i fix them in safe mode. How do I get rid of these problems in both programs permenantly. Also in AVG I have the virus mention in this post in the Virus Vault. What am I suppose to do with this? The first time AVG found it I deleted it out of the Vault and the next time I ran AVG it was back. How do I get rid of this one permenatly also. Thanks for all the help, I really appreciate you taking the time to help me learn and get my computer cleaned out finally.