
Solved: Dropper.Inor Virus - Have I removed it yet?

Discussion in 'Windows XP' started by NewTechGuy, Jan 6, 2006.

Thread Status:
Not open for further replies.
  1. NewTechGuy

    NewTechGuy Thread Starter

    Joined:
    Feb 11, 2004
    Messages:
    406
    AVG found the Dropper.Inor virus but would not remove it so I downloaded Ewido, installed it, rebooted in safe mode, then ran a scan and it found a bunch of infected files. I had the program fix them and then saved a report of the scan (which I will include here).

    Then I ran HijackThis (hopefully I have the updated one) and the log from HJT is next...

    ---------------------------------------------------------------------------------
    Here's the HJT Logfile:

    Logfile of HijackThis v1.99.0
    Scan saved at 12:39:32 PM, on 1/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\Kirby Alarm\kirbyalarm.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.secularbull.com/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.trafficswarm.com/cgi-bin/swarm.cgi?435068&d05794a8f529c012f9d08f99eab7076e"); (C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [\\COMPUTER1\EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P31 "\\COMPUTER1\EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    O4 - Startup: Winter Fun Wallpaper Changer.lnk = ?
    O4 - Global Startup: Kirby Alarm.lnk = C:\Program Files\Kirby Alarm\kirbyalarm.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Picture Converter\Advanced JPEG Compressor\ajcieex.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133206514164
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido anti-malware\ewidoctrl.exe


    -------------------------------------------------------------------

    Here is the Ewido report that I saved AFTER I scanned and fixed infected files using it:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 10:17:24 AM, 1/6/2006
    + Report-Checksum: B754DE13

    + Scan result:

    [212] C:\WINDOWS\system32\docent0.dll -> Logger.Goldun.gj : Cleaned with backup
    :mozilla.12:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.13:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.14:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.17:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.20:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.84:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.85:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.100:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.101:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.102:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.138:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    :mozilla.139:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    :mozilla.140:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    :mozilla.141:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    :mozilla.142:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    :mozilla.143:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    :mozilla.144:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
    :mozilla.145:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
    :mozilla.146:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
    :mozilla.149:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    :mozilla.157:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    :mozilla.186:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    :mozilla.187:C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt -> Spyware.Cookie.Onestat : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt -> Spyware.Cookie.Weborama : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\ntdetect.hta -> Dropper.Inor.cj : Cleaned with backup
    :mozilla.14:C:\Program Files\mozilla.org\Mozilla\defaults\profile\Netscape 2\drbirv09.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    :mozilla.15:C:\Program Files\mozilla.org\Mozilla\defaults\profile\Netscape 2\drbirv09.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\WINDOWS\system32\docent0.dll -> Logger.Goldun.gj : Cleaned with backup


    ::Report End

    Have I been successful in ridding my computer of any viruses? Should I go to Panda and run a scan as well?

    Thanks in advance for any suggestions...
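Added example, not code from the thread or from HijackThis itself: a small Python parser for the `Oxx - ...` line format of the log posted above. It pulls apart the O4 Run and O23 Service entries and flags the items a helper would look at first ("(file missing)" references, unresolved startup shortcuts, a custom start page). The sample lines are constructed from the thread's own log, and the triage rules are my own assumptions, not HijackThis's.

```python
import re

# Constructed sample in the shape of the HijackThis v1.99 log posted above
# (six representative lines, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.secularbull.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Winter Fun Wallpaper Changer.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido anti-malware\ewidoctrl.exe
"""

# Every finding line is "<code> - <body>"; header and process-list lines do not match.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 registry autostart: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 service: "Service: display name - vendor - image path"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Parse HijackThis finding lines into dicts; unknown codes keep only the raw body."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "body": body}
        if code == "O4":
            r = RUN_RE.match(body)
            if r:
                entry.update(kind="run", key=r["key"], name=r["name"], cmd=r["cmd"])
            else:
                entry["kind"] = "startup"  # Startup/Global Startup folder shortcut
        elif code == "O23":
            s = SERVICE_RE.match(body)
            if s:
                entry.update(kind="service", name=s["name"], vendor=s["vendor"], path=s["path"])
        entries.append(entry)
    return entries


def triage(entries):
    """Return (code, reason, body) for the lines worth a second look (assumed rules)."""
    findings = []
    for e in entries:
        body = e["body"]
        if "(file missing)" in body:
            findings.append((e["code"], "dangling reference to a missing file", body))
        elif e["code"] == "O4" and body.endswith("= ?"):
            findings.append((e["code"], "startup shortcut whose target could not be resolved", body))
        elif e["code"] == "R0":
            findings.append((e["code"], "custom browser start page; confirm it is the user's choice", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {body}")
```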
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    I'd run a scan with Panda just to be sure. Post its results here. :)
     
  3. NewTechGuy

    NewTechGuy Thread Starter

    Joined:
    Feb 11, 2004
    Messages:
    406
    Well I scanned using Panda and I guess I should have deleted ALL Cookies prior to scanning. So you'll see a lot of issues involving cookies. But I've since deleted them and emptied out my Temporary Internet Files as well. Other than that, I'll check back to see if you have any other suggestions. Thanks for your assistance.

    Here's the report:
    -----------------------------------------------------------------------------------------


    Incident Status Location

    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt

    Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/Inet-Traffic Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt[.realmedia.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Kelvin Kolman\Application Data\Mozilla\Profiles\default\rfaavem5.slt\cookies.txt[]
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/Inet-Traffic Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][2].txt
    Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
    Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Kelvin Kolman\Cookies\kelvin [email protected][1].txt
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Everything seems to look fine then.
     
  5. NewTechGuy

    NewTechGuy Thread Starter

    Joined:
    Feb 11, 2004
    Messages:
    406
    Thanks for your assistance...

    KnewTechGuy
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You're welcome :)

    You can mark your thread "Solved" from the Thread Tools drop down menu.
     
Short URL to this thread: https://techguy.org/431729

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice