Dropper.inor HELP

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

rob2910 (Thread Starter; joined Aug 13, 2003; 365 messages):
Two nights ago I was online when AVG Resident Shield said it had encountered a virus. I immediately ran AVG and it detected 4 infected files and advised that the virus was dropper.inor. When it came to fixing the problem it was able to place one infected file in the virus vault, but it said it was unable to fix the others. On checking the test result information it appears to be the same file, E3ZLEE~1.HTA, which is in four locations (folders) within Temporary Internet Files. However, when I try to search for the infected files I can't find them. My PC is set to show hidden files and folders.

On re-running AVG it says that no virus files can be found even though two days ago it clearly said that three were still active and it could not fix them. What has happened?

Also there appear to have been some changes to folders within Local Settings, and a desktop.ini icon has appeared on my desktop which was not there prior to AVG finding the virus in the first place. When I first got the virus it also opened two IE windows which I could not close down at all, as though it was trying to contact a specific website. The only way I got rid of these in the end was to reboot my PC, and they have not re-occurred. The folder which appears to have disappeared is the one in which, according to AVG, the infected folders and files were contained, namely CONTENT.IE5, and beneath that the three folders bearing random digits and letters as their names which are supposed to contain the still active virus files, E3ZLEE~1.HTA.

I have three user profiles set up on my PC and the other two do not appear to have suffered any changes; they both have Local Settings\Temporary Internet Files\CONTENT.IE5 file paths. For my user profile there is nothing beneath Temporary Internet Files.

I have also conducted an online virus scan at Trend and again this shows clear.

Two questions. Am I clear and if not how do I sort this out?

How do I reinstate the CONTENT.IE5 folder within my Temporary Internet Settings?
 
$teve (joined Oct 9, 2001; 9,396 messages):
Do this:
Go to http://www.lurkhere.com/~nicefiles/ and download 'Hijack This!'.
Unzip it to its own folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

If you have anything disabled by MSConfig or any other startup manager, please re-enable it before scanning to post.

;)
 

rob2910 (Thread Starter):
Logfile of HijackThis v1.97.7
Scan saved at 16:04:04, on 31/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Internet download\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hondavfrclub.org/forum/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/216054cb037e6ad5d906/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
$teve:
Run HijackThis again and put a checkmark against these entries (double check in case you miss anything), then close all browser and Outlook windows and "Fix checked":

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
Class) - http://207.188.7.150/216054cb037e6a...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...llInstaller.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

Looks like AVG is doing its job (y)

Empty all temp files, turn off System Restore, reboot and turn it on again, then set a new restore point.
;)
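The entry-by-entry reasoning in the reply above (an O2 BHO whose DLL is "(no file)" is an orphaned registration; an O16 ActiveX download pulled from a raw IP address or an unfamiliar host deserves suspicion; a Run-key entry with no path, or one sitting directly in C:\WINDOWS, is worth checking before trusting) can be written down as a small triage script. This is an added example for this thread, not code from HijackThis, AVG or the forum. The log excerpt is a constructed, trimmed copy of the log posted above, and the vendor-host allowlist and the heuristics are assumptions chosen for illustration, not an authoritative blocklist.

```python
"""Triage a HijackThis 1.97-style log the way the reply above does.

Added example for this thread; not code from HijackThis, AVG or the forum.
The heuristics (orphaned O2 BHOs, O16 downloads from raw IPs or unrecognised
hosts, O4 entries with no path or sitting directly in the Windows directory)
and the vendor-host allowlist are assumptions chosen for illustration.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a trimmed excerpt of the kind of log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hondavfrclub.org/forum/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/216054cb037e6ad5d906/netzip/RdxIE601.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed allowlist: hosts a practitioner would recognise as the vendor's own.
KNOWN_DPF_HOSTS = {"download.microsoft.com", "download.macromedia.com",
                   "objects.compuserve.com", "www.pandasoftware.com"}
KNOWN_DPF_SUFFIXES = (".akamai.net",)

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
WINDIR_ROOT_RE = re.compile(r"(?i)^[a-z]:\\windows\\[^\\]+$")


def parse_log(text):
    """Return [(section, body)] for entry lines; the process list and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def is_ip(host):
    """True when the download host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def known_host(host):
    return host in KNOWN_DPF_HOSTS or host.endswith(KNOWN_DPF_SUFFIXES)


def executable(cmd):
    """First token of a Run-key command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Return [(section, body, verdict, reason)] for entries worth a second look.

    verdict is 'fix' (let HijackThis fix it) or 'verify' (inspect the file first).
    """
    findings = []
    for sec, body in parse_log(text):
        if sec == "O2" and body.endswith("(no file)"):
            findings.append((sec, body, "fix",
                             "BHO CLSID still registered but its DLL is gone (orphaned)"))
        elif sec == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if is_ip(host):
                findings.append((sec, body, "fix",
                                 f"ActiveX control fetched from a raw IP ({host}), not a vendor host"))
            elif not known_host(host):
                findings.append((sec, body, "verify",
                                 f"ActiveX control from unrecognised host {host}"))
        elif sec == "O4":
            m = O4_RE.search(body)
            if not m:
                continue
            exe = executable(m.group("cmd"))
            if "\\" not in exe:
                findings.append((sec, body, "verify",
                                 f"{exe} has no path; whatever the search path resolves first runs"))
            elif WINDIR_ROOT_RE.match(exe):
                findings.append((sec, body, "verify",
                                 f"{exe} sits directly in the Windows directory; confirm its publisher"))
    return findings


if __name__ == "__main__":
    for sec, body, verdict, reason in triage(SAMPLE_LOG):
        print(f"[{verdict:6}] {sec} - {body}\n         {reason}")
```

Run as a script it prints five findings for the sample: the orphaned BHO and the RdxIE cab served from 207.188.7.150 come out as "fix", while carpserv.exe (no path), UpdReg.EXE (directly under C:\WINDOWS) and the loader.cab from ipbill.com come out as "verify". The Adobe BHO, NeroCheck.exe and the Macromedia Flash cab produce nothing, which matches what the reply left alone. The allowlist is the weak point of any such script: a host you have not seen before is not evidence of anything on its own, so "verify" means look the file up, not delete it.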
 
$teve:
Your Content.IE5 folder should have hidden attributes and be in your Temp Internet Files folder. I would just delete the .ini file; no idea why it should pop up there.
;)
 

rob2910 (Thread Starter):
Originally posted by $teve:
Run HijackThis again and put a checkmark against these entries (double check in case you miss anything), then close all browser and Outlook windows and "Fix checked":

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
Class) - http://207.188.7.150/216054cb037e6a...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...llInstaller.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

Looks like AVG is doing its job (y)

Empty all temp files, turn off System Restore, reboot and turn it on again, then set a new restore point.
;)
Thanks for this. One thing though:

http://207.188.7.150/216054cb037e6a...ip/RdxIE601.cab This is half an entry from my HJT scan; should it be included for deletion or ignored?
 

rob2910 (Thread Starter):
Originally posted by $teve:
Your Content.IE5 folder should have hidden attributes and be in your Temp Internet Files folder. I would just delete the .ini file; no idea why it should pop up there.
;)
I know it should, but it isn't in the Temp Internet Files folder for my profile, whilst it is for the two other users on this PC :confused: It disappeared when I got this dropper thing spotted by AVG. But what's even more confusing to me is that when I run a virus check, either AVG or an online one like Trend or RAV, they actually check the contents of my 'Content IE5 folder'; indeed yesterday RAV actually found an infected file in it that no other scan ever has. But when I come to look for the folder it's just not there. All hidden files and folders are marked to show, BTW.

I don't know if I am explaining myself very well, but that's how confused I am as to where this folder actually is or why it remains hidden when it should be visible :confused: If it has moved, how do I find it and get it back where it should be? I have a sneaking suspicion that the desktop.ini file which has appeared on my desktop is originally from the Content IE5 folder.

Confused of Cheshire
 
$teve:
You can select to view hidden files from the Folder Options menu, but there are still some that stay hidden.
1) Edit HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
2) Set the 'ShowSuperHidden' value to 1 to show the super hidden files or 0 to hide them.

Worth a try.
;)
 

rob2910 (Thread Starter):
Steve

I have read the article and it is interesting, but if you look at the pic below you'll see that there is no little cross (+) indicating a sub folder to my Temp Internet Files.

However, the two other user profiles on this PC do have the little cross (+) indicating a sub folder.

I will try the other suggestion to locate it as well.
 

Attachments

rob2910 (Thread Starter):
Originally posted by $teve:
You can select to view hidden files from the Folder Options menu, but there are still some that stay hidden.
1) Edit HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
2) Set the 'ShowSuperHidden' value to 1 to show the super hidden files or 0 to hide them.

Worth a try.
;)
Sorry, which value exactly do I change to 1? :confused:

 

Attachments

$teve:
Double-click "ShowSuperHidden" and see what the value is set to; it should be hex zero. Change it to one.
;)
 