1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Dropper.Inor Virus

Discussion in 'Virus & Other Malware Removal' started by stephen101, Sep 5, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. stephen101

    stephen101 Thread Starter

    Joined:
    Dec 5, 2003
    Messages:
    8
    Hi

    My computer has recently had a clean reboot but I have picked up the Dropper Inor virus. Any help to remove it will be much appreciated.

    AVG found it but could not remove it, now AVG no longer detects it, but we know its in there. Ad-aware cant find it either.
    My Internet explorer start page has been hijacked to http://other.thenewsearch.com/search.html

    I am running Windows 98se and have downloaded and run HijackThis.

    Logfile of HijackThis v1.98.2
    Scan saved at 23:17:43, on 04/09/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\COLORIF\PROGRAM\HGCCTL95.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AOL 7.0\AOLTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS19802.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
    O4 - HKLM\..\Run: [Colorific Control Panel] C:\PROGRA~1\CREATIVE\COLORIF\PROGRAM\HGCCTL95.EXE
    O4 - HKLM\..\Run: [3Deep Control Panel] C:\PROGRA~1\CREATIVE\3DEEP\PROGRAM\3DeepCTL.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
    O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [BCDetect] C:\WINDOWS\SYSTEM\bcdetect.exe defer
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250/othersearch.chm::/othersearch.exe
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab

    Thanks for your great site. :confused:
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,

    Get this downloaded,

    http://www.lurkhere.com/~nicefiles/CWShredLast.exe


    put it in a folder such as CWS right on the desktop, run it, use the "FIX" button, not scan only, let it remove all it finds. Reboot.

    Run Hijackthis> when it finishes scanning>

    fix these: Don't miss any.


    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html


    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe

    O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R

    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250/othersearch.chm::/othersearch.exe


    Press CTRL+DEL+DEL and see if winupd.exe is running in tasks...if so, End Task it by highlighting winupd.exe and press End Task---just once, wait a minute, you may see another box come up, press End Task for that too....wait a minute, and check that winupd.exe has indeed shut down.

    Open Windows Explorer> at the top of the page, View>Folder Options> View again, make sure that you have "Show all Files" checked, and that "hide file extensions for known file types, is Not checked> and click OK.

    Look in C:\Windows\System folder for winupd.exe, and try to delete it. It might not want to go> but perhaps you can change the attributes for it by right clicking and selecting Properties> then remove checkmark for
    "Read-only" >>>and try to delete it again.


    You may have to run CWShredder again. Post a new HJT log when done.

    If you run into problems and it comes back, run the fixes from Safe Mode.
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, As well as above, please try this removal tool:


    http://vil.nai.com/vil/stinger/

    make sure the Preferences for "What action to take" has mark in "Repair" and try to clean...

    Let me know what it says. This removal tool will scan all files> takes a while. Removes many current infections.
     
  4. stephen101

    stephen101 Thread Starter

    Joined:
    Dec 5, 2003
    Messages:
    8
    Hi Byteman

    Many thanks, I have done the tasks in your first post and all seems well.
    I will follow up the rest and post a report. Thanks again.


    Scan saved at 07:55:56, on 06/09/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\COLORIF\PROGRAM\HGCCTL95.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AOL 7.0\AOLTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\CWS\CWSHREDLAST.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\AOL 7.0\WAOL.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS19802.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
    O4 - HKLM\..\Run: [Colorific Control Panel] C:\PROGRA~1\CREATIVE\COLORIF\PROGRAM\HGCCTL95.EXE
    O4 - HKLM\..\Run: [3Deep Control Panel] C:\PROGRA~1\CREATIVE\3DEEP\PROGRAM\3DeepCTL.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [BCDetect] C:\WINDOWS\SYSTEM\bcdetect.exe defer
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab

    Stephen101
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Clean as far as I can see! Did you run CWShredder again to check if it detects anything?

    Now, to stay this way, as well as Windows Updates you may need some other protection.

    Do you have Spywareblaster?

    Available here> it runs well with SpyBot and AdAware, it updates and helps protect against unwanted ActiveX bad guys, but does not affect surfing.

    http://www.javacoolsoftware.com/spywareblaster.html

    There is the Frequently Asked Questions section in case you want to read about it. Many people here advise all posters to get it> I use it, too. There are two downloads in case you see a message about missing MSCOMCTL.dll or MSVBVM60.DLL if you install that will give you the missing files needed to run Spywareblaster.
     
  6. stephen101

    stephen101 Thread Starter

    Joined:
    Dec 5, 2003
    Messages:
    8
    Many thank for your invaluable advise, I do beleave my system is clean :D

    I am reading the information in your links (read and learn) and now feel much more confident about dealing with our unwelcome 'e-visitors'.

    Regards Stephen101
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    You're very welcome!
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/270560

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice