hey. need help about drooper.inor virus/trojan

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ifuseeme

Thread Starter
Joined
Sep 7, 2004
Messages
4
hey, its me can i get some help about the removal of drooper.inor. the AVG cant seem to remove it.

here are the log files.

Logfile of HijackThis v1.98.2
Scan saved at 10:36:23 AM, on 9/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\oblate\Application Data\eaeh.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hotbar\bin\4.5.1.0\HbSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=143438
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: MSN smart tags - {9DD4258A-7138-49C4-8D34-587879A5C7A4} - C:\PROGRA~1\MSN\SMARTTAG\MSNBHO.DLL
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe /Upgrade
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [dmime] C:\WINDOWS\System32\dmime.exe
O4 - HKCU\..\Run: [Tubc] C:\Documents and Settings\oblate\Application Data\eaeh.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7b0746400242:49343c741893f279f2708a875f52f374
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSEWC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4AF2C6A-3AAA-4D30-BCFE-CB7B5EABC26C}: NameServer = 202.78.97.41,202.78.97.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3024366-BFAC-4D0A-AC15-CC60860BF000}: Domain = skyinet.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3024366-BFAC-4D0A-AC15-CC60860BF000}: NameServer = 202.78.97.2,202.78.97.3

thx alot. :confused:
 
Joined
Feb 23, 2003
Messages
16,274
First thing i want you to do is disable system restore http://dotcomsecurity.org/forums/index.php?showtopic=56

Rescan once again with hijack, insert a check next to each of the following then close all browser windows and click "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=143438

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll

O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll

O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe /Upgrade

O4 - HKCU\..\Run: [dmime] C:\WINDOWS\System32\dmime.exe

O4 - HKCU\..\Run: [Tubc] C:\Documents and Settings\oblate\Application Data\eaeh.exe

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.05p.com

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.clickspring.net


O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.scoobidoo.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.xxxtoolbar.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7b0746400242:49343c741893f279f2708a875f52f374

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSEWC.cab


Now reboot into safe mode http://dotcomsecurity.org/forums/index.php?showtopic=55


Set the system top show hidden files and folders http://dotcomsecurity.org/forums/index.php?showtopic=57


Then open windows explorer, find then delete:
C:\Program Files\SideFind
C:\Program Files\Hotbar
C:\Documents and Settings\oblate\Application Data\eaeh.exe

Reboot back normally now:
Download Adaware SE http://www.lavasoftusa.com/support/download/
The first step is updating your Ad-Aware SE. You can do this by going to the bottom right corner and clicking on the link that says "Check for Updates Now".
Press "Continue" on the bottom right on your screen
Next another pop-up will pop-up saying what type of update it is and what to do, press "Okay" and a download screen will come up downloading the update. Press "Finish" after the update is downloaded. Now select "Finish" then on the bvottom right of your Adaware screen click "Start".
A new screen will pop-up and will say "Select a scan mode". You want to click "Use Custom Scanning Mode". Before you press "Start" on the bottom right click "Customize" right next to "Use Custom Scanning Mode".

Select the following:

In the General tab select:
Keep it all the same

In the Scanning tab select:
Under Drivers Folders and Files-select Scan within archives
Under Memory and Registry select all that is underneath it!
Make sure your harddrive is selected when you press "Select Drives and Folders to scan"

In the Advanced tab select:
Make sure you have everything under the "Logfile Detail Level" selected.
(This makes it easier for people from Lavasoft forums see what options you have selected)

In the Startup, Defaults, and Interface tab select nothing.


In the Tweak tab select:
You may not be able to select certain things in the tweak tab, but do not be alarmed.
Under scanning engine select:
"Unload recognized processes during scanning"
"Scan registry for all users instead of current users only"
Under Cleaning Engine select:
"Always try to unload modules before deletion"
"During removal unload Explorer and IE if necessary"
"Let Windows remove files in use at next boot"
"Delete Quarantined objects after restoring"
Under log files:
"Include Basic Ad-Aware settings in log file"
"Include additional Ad-Aware settings in log file"
"Include reference summary in log file"
"Include used command line parameters in log file"
All of the other links are just fine.

Press "Proceed" to save the settings


Press "Next" on the bottom right hand corner.
Ad-Aware SE will scan your computer for possible spyware threats or anything that you have on your computer that maybe spyware.
Then click ”Next “ to remove any objects found
________________________________________________________________________


Then re-enable restore.

Open internet explorer/ tools/ options/ security/ reset to defaults..

Rescan online here http://housecall.trendmicro.com/ and post back with a fresh hijack following that please.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top