Dropper.Inor Virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

stephen101

Thread Starter
Joined
Dec 5, 2003
Messages
8
Hi

My computer has recently had a clean reboot but I have picked up the Dropper Inor virus. Any help to remove it will be much appreciated.

AVG found it but could not remove it, now AVG no longer detects it, but we know its in there. Ad-aware cant find it either.
My Internet explorer start page has been hijacked to http://other.thenewsearch.com/search.html

I am running Windows 98se and have downloaded and run HijackThis.

Logfile of HijackThis v1.98.2
Scan saved at 23:17:43, on 04/09/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\COLORIF\PROGRAM\HGCCTL95.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AOL 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS19802.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Colorific Control Panel] C:\PROGRA~1\CREATIVE\COLORIF\PROGRAM\HGCCTL95.EXE
O4 - HKLM\..\Run: [3Deep Control Panel] C:\PROGRA~1\CREATIVE\3DEEP\PROGRAM\3DeepCTL.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [BCDetect] C:\WINDOWS\SYSTEM\bcdetect.exe defer
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250/othersearch.chm::/othersearch.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab

Thanks for your great site. :confused:
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi,

Get this downloaded,

http://www.lurkhere.com/~nicefiles/CWShredLast.exe


put it in a folder such as CWS right on the desktop, run it, use the "FIX" button, not scan only, let it remove all it finds. Reboot.

Run Hijackthis> when it finishes scanning>

fix these: Don't miss any.


R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html


O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe

O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250/othersearch.chm::/othersearch.exe


Press CTRL+DEL+DEL and see if winupd.exe is running in tasks...if so, End Task it by highlighting winupd.exe and press End Task---just once, wait a minute, you may see another box come up, press End Task for that too....wait a minute, and check that winupd.exe has indeed shut down.

Open Windows Explorer> at the top of the page, View>Folder Options> View again, make sure that you have "Show all Files" checked, and that "hide file extensions for known file types, is Not checked> and click OK.

Look in C:\Windows\System folder for winupd.exe, and try to delete it. It might not want to go> but perhaps you can change the attributes for it by right clicking and selecting Properties> then remove checkmark for
"Read-only" >>>and try to delete it again.


You may have to run CWShredder again. Post a new HJT log when done.

If you run into problems and it comes back, run the fixes from Safe Mode.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, As well as above, please try this removal tool:


http://vil.nai.com/vil/stinger/

make sure the Preferences for "What action to take" has mark in "Repair" and try to clean...

Let me know what it says. This removal tool will scan all files> takes a while. Removes many current infections.
 

stephen101

Thread Starter
Joined
Dec 5, 2003
Messages
8
Hi Byteman

Many thanks, I have done the tasks in your first post and all seems well.
I will follow up the rest and post a report. Thanks again.


Scan saved at 07:55:56, on 06/09/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\COLORIF\PROGRAM\HGCCTL95.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AOL 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\CWS\CWSHREDLAST.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\AOL 7.0\WAOL.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS19802.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Colorific Control Panel] C:\PROGRA~1\CREATIVE\COLORIF\PROGRAM\HGCCTL95.EXE
O4 - HKLM\..\Run: [3Deep Control Panel] C:\PROGRA~1\CREATIVE\3DEEP\PROGRAM\3DeepCTL.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [BCDetect] C:\WINDOWS\SYSTEM\bcdetect.exe defer
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab

Stephen101
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Clean as far as I can see! Did you run CWShredder again to check if it detects anything?

Now, to stay this way, as well as Windows Updates you may need some other protection.

Do you have Spywareblaster?

Available here> it runs well with SpyBot and AdAware, it updates and helps protect against unwanted ActiveX bad guys, but does not affect surfing.

http://www.javacoolsoftware.com/spywareblaster.html

There is the Frequently Asked Questions section in case you want to read about it. Many people here advise all posters to get it> I use it, too. There are two downloads in case you see a message about missing MSCOMCTL.dll or MSVBVM60.DLL if you install that will give you the missing files needed to run Spywareblaster.
 

stephen101

Thread Starter
Joined
Dec 5, 2003
Messages
8
Many thank for your invaluable advise, I do beleave my system is clean :D

I am reading the information in your links (read and learn) and now feel much more confident about dealing with our unwelcome 'e-visitors'.

Regards Stephen101
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top