
hey. need help about drooper.inor virus/trojan

Discussion in 'Virus & Other Malware Removal' started by ifuseeme, Sep 7, 2004.

Thread Status:
Not open for further replies.
  1. ifuseeme

    ifuseeme Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    4
    hey, it's me. Can I get some help with the removal of drooper.inor? AVG can't seem to remove it.

    here are the log files.

    Logfile of HijackThis v1.98.2
    Scan saved at 10:36:23 AM, on 9/8/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
    C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\oblate\Application Data\eaeh.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hotbar\bin\4.5.1.0\HbSrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=143438
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
    O2 - BHO: MSN smart tags - {9DD4258A-7138-49C4-8D34-587879A5C7A4} - C:\PROGRA~1\MSN\SMARTTAG\MSNBHO.DLL
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe /Upgrade
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [dmime] C:\WINDOWS\System32\dmime.exe
    O4 - HKCU\..\Run: [Tubc] C:\Documents and Settings\oblate\Application Data\eaeh.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7b0746400242:49343c741893f279f2708a875f52f374
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSEWC.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C4AF2C6A-3AAA-4D30-BCFE-CB7B5EABC26C}: NameServer = 202.78.97.41,202.78.97.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3024366-BFAC-4D0A-AC15-CC60860BF000}: Domain = skyinet.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3024366-BFAC-4D0A-AC15-CC60860BF000}: NameServer = 202.78.97.2,202.78.97.3

    thx a lot. :confused:
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    First thing I want you to do is disable System Restore: http://dotcomsecurity.org/forums/index.php?showtopic=56

    Rescan once again with HijackThis, insert a check next to each of the following, then close all browser windows and click "Fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=29126

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=29126

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=29126

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=143438

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll

    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll

    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe /Upgrade

    O4 - HKCU\..\Run: [dmime] C:\WINDOWS\System32\dmime.exe

    O4 - HKCU\..\Run: [Tubc] C:\Documents and Settings\oblate\Application Data\eaeh.exe

    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O15 - Trusted Zone: *.05p.com

    O15 - Trusted Zone: *.blazefind.com

    O15 - Trusted Zone: *.clickspring.net


    O15 - Trusted Zone: *.mt-download.com

    O15 - Trusted Zone: *.my-internet.info

    O15 - Trusted Zone: *.scoobidoo.com

    O15 - Trusted Zone: *.searchbarcash.com

    O15 - Trusted Zone: *.searchmiracle.com

    O15 - Trusted Zone: *.slotch.com

    O15 - Trusted Zone: *.xxxtoolbar.com

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7b0746400242:49343c741893f279f2708a875f52f374

    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSEWC.cab


    Now reboot into Safe Mode: http://dotcomsecurity.org/forums/index.php?showtopic=55

    Set the system to show hidden files and folders: http://dotcomsecurity.org/forums/index.php?showtopic=57

    Then open Windows Explorer, find and delete:
    C:\Program Files\SideFind
    C:\Program Files\Hotbar
    C:\Documents and Settings\oblate\Application Data\eaeh.exe

    Reboot back normally now:
    Download Ad-Aware SE: http://www.lavasoftusa.com/support/download/
    The first step is updating your Ad-Aware SE. You can do this by going to the bottom right corner and clicking on the link that says "Check for Updates Now".
    Press "Continue" on the bottom right of your screen.
    Next, another pop-up will appear saying what type of update it is and what to do; press "Okay" and a download screen will come up downloading the update. Press "Finish" after the update is downloaded. Now select "Finish", then on the bottom right of your Ad-Aware screen click "Start".
    A new screen will pop up and will say "Select a scan mode". You want to click "Use Custom Scanning Mode". Before you press "Start" on the bottom right, click "Customize" right next to "Use Custom Scanning Mode".

    Select the following:

    In the General tab select:
    Keep it all the same

    In the Scanning tab select:
    Under Drivers Folders and Files-select Scan within archives
    Under Memory and Registry select all that is underneath it!
    Make sure your harddrive is selected when you press "Select Drives and Folders to scan"

    In the Advanced tab select:
    Make sure you have everything under the "Logfile Detail Level" selected.
    (This makes it easier for people from the Lavasoft forums to see what options you have selected.)

    In the Startup, Defaults, and Interface tab select nothing.


    In the Tweak tab select:
    You may not be able to select certain things in the tweak tab, but do not be alarmed.
    Under scanning engine select:
    "Unload recognized processes during scanning"
    "Scan registry for all users instead of current users only"
    Under Cleaning Engine select:
    "Always try to unload modules before deletion"
    "During removal unload Explorer and IE if necessary"
    "Let Windows remove files in use at next boot"
    "Delete Quarantined objects after restoring"
    Under log files:
    "Include Basic Ad-Aware settings in log file"
    "Include additional Ad-Aware settings in log file"
    "Include reference summary in log file"
    "Include used command line parameters in log file"
    All of the other links are just fine.

    Press "Proceed" to save the settings


    Press "Next" on the bottom right hand corner.
    Ad-Aware SE will scan your computer for possible spyware threats or anything on your computer that may be spyware.
    Then click "Next" to remove any objects found.
    ________________________________________________________________________


    Then re-enable System Restore.

    Open Internet Explorer / Tools / Options / Security / reset to defaults.

    Rescan online here http://housecall.trendmicro.com/ and post back with a fresh HijackThis log following that, please.
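mobo's list of items to fix follows a few recognisable rules: IE start and search pages redirected to a host the user never chose, an autorun entry running out of a user profile, wildcard domains pushed into the IE Trusted Zone, and O16 ActiveX controls sourced from a local file or from one of those same Trusted Zone domains. As an added example (not code from this thread or from HijackThis), the Python script below parses a few lines copied from the posted log and applies those rules; the set of expected IE hosts is an assumption, and entries mobo flagged by name (dmime.exe, the Hotbar and SideFind BHOs) still need a human or a known-bad list, since a path rule alone cannot catch them.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Tubc] C:\Documents and Settings\oblate\Application Data\eaeh.exe
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
"""

# Assumption: the only start/search host the user chose is Yahoo (it is the HKCU Start Page).
EXPECTED_IE_HOSTS = {"www.yahoo.com"}
SECTION_RE = re.compile(r"^(R0|R1|O4|O15|O16) - (.*)$")

def triage(log_text, expected_hosts=EXPECTED_IE_HOSTS):
    """Return [(section, reason, line)] for entries a reviewer would tick for 'Fix checked'."""
    entries = [m.groups() for m in map(SECTION_RE.match, log_text.splitlines()) if m]
    # Pass 1: every wildcard O15 Trusted Zone entry is suspect; keep the domains so that
    # pass 2 can flag O16 ActiveX downloads coming from those same domains.
    zones = [rest.split(":", 1)[1].strip().lstrip("*.") for sec, rest in entries if sec == "O15"]
    findings = []
    for sec, rest in entries:
        line = f"{sec} - {rest}"
        if sec in ("R0", "R1"):
            host = urlparse(rest.split(" = ", 1)[1]).hostname
            if host not in expected_hosts:  # local files parse to hostname None and are flagged too
                findings.append((sec, "IE start/search setting points outside expected hosts", line))
        elif sec == "O4":
            target = rest.split("] ", 1)[1]
            if re.search(r"\\Documents and Settings\\[^\\]+\\", target, re.I):
                findings.append((sec, "autorun executable lives inside a user profile", line))
        elif sec == "O15":
            findings.append((sec, "wildcard domain added to the IE Trusted Zone", line))
        elif sec == "O16":
            src = rest.rsplit(" - ", 1)[1]
            host = urlparse(src).hostname or ""
            if src.lower().startswith("file://"):
                findings.append((sec, "ActiveX control sourced from a local file", line))
            elif any(host == z or host.endswith("." + z) for z in zones):
                findings.append((sec, "ActiveX control downloaded from a Trusted Zone domain", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the lookfor.cc search bar, the blank.htm Local Page, the eaeh.exe autorun, the Trusted Zone entry and both suspect O16 controls, while AVG, Yahoo and the worldwinner control pass.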
     
Short URL to this thread: https://techguy.org/271471