Status
Not open for further replies.
1 - 20 of 29 Posts

Registered · 365 Posts · Discussion Starter · #1
Two nights ago I was online when AVG Resident Shield said it had encountered a virus. I immediately ran AVG and it detected 4 infected files and advised that the virus was dropper.inor. When it came to fixing the problem it was able to place one infected file in the virus vault, but it said it was unable to fix the others. On checking the test result information it appears to be the same file, E3ZLEE~1.HTA, which is in four locations (folders) within Temporary Internet Files. However, when I try to search for the infected files I can't find them. My PC is set to show hidden files and folders.

On re-running AVG it says that no virus files can be found even though two days ago it clearly said that three were still active and it could not fix them. What has happened?

Also there appear to have been some changes to folders within Local Settings, and a desktop.ini icon has appeared on my desktop which was not there prior to AVG finding the virus in the first place. When I first got the virus it also opened two IE windows which I could not close down at all, as though it was trying to contact a specific website. The only way I got rid of these in the end was to reboot my PC, and they have not re-occurred. The folder which appears to have disappeared is the one in which the infected folders and files were contained according to AVG, namely CONTENT.IE5, and beneath that the three folders bearing random digits and letters as their names which are supposed to contain the still active virus files, E3ZLEE~1.HTA.

I have three user profiles set up on my PC and the other two do not appear to have suffered any changes and they both have Local Settings\Temporary Internet Files\CONTENT.IE5 files paths. For my user profile there is nothing beneath Temporary Internet Files.

I have also conducted an online virus scan at Trend and again this shows clear.

Two questions. Am I clear and if not how do I sort this out?

How do I reinstate the CONTENT.IE5 folder within my Temporary Internet Settings?
 

Registered · 9,396 Posts
Do this:
go to http://www.lurkhere.com/~nicefiles/ , and download 'Hijack This!'.......
Unzip it to its own folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

If you have anything disabled by MSConfig or any other startup manager, please re-enable it before scanning to post.

;)
 

Registered · 365 Posts · Discussion Starter · #5
Logfile of HijackThis v1.97.7
Scan saved at 16:04:04, on 31/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Internet download\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hondavfrclub.org/forum/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/216054cb037e6ad5d906/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
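The replies that follow pick out two kinds of entry from this log: O2 BHO lines whose DLL no longer exists ("(no file)") and O16 DPF ActiveX downloads from unusual hosts. The PowerShell below is an added triage helper, not HijackThis code and not something the thread posted; it parses those two line types and flags them for review. The `$allowedHosts` list is an assumption made for illustration, and the sample lines are copied from the log above.

```powershell
# Added example: a small triage pass over HijackThis log lines.
# Flags (for manual review, not as a verdict):
#   - O2 BHO entries whose DLL is missing ("(no file)")
#   - O16 DPF entries served from a bare IP address, or from a host that is not
#     on a short allow-list of vendor domains ($allowedHosts is a hypothetical
#     list chosen for this example).

$allowedHosts = @('download.microsoft.com', 'download.macromedia.com',
                  'objects.compuserve.com', 'www.pandasoftware.com',
                  'a840.g.akamai.net')

function Get-HjtFindings {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        # O2 - BHO: (name) - {CLSID} - <dll path> | (no file)
        if ($line -match '^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - \(no file\)$') {
            [pscustomobject]@{ Type = 'O2'; Reason = 'BHO registered but DLL missing'
                               Id = $Matches[1]; Line = $line }
            continue
        }
        # O16 - DPF: {CLSID} (optional friendly name) - <URL>
        if ($line -match '^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \([^)]*\))? - (https?://[^/\s]+)') {
            $clsid    = $Matches[1]
            $hostName = ([uri]$Matches[2]).Host
            if ($hostName -match '^\d{1,3}(\.\d{1,3}){3}$') {
                [pscustomobject]@{ Type = 'O16'; Reason = 'ActiveX served from bare IP address'
                                   Id = $clsid; Line = $line }
            } elseif ($allowedHosts -notcontains $hostName) {
                [pscustomobject]@{ Type = 'O16'; Reason = "ActiveX host not on allow-list ($hostName)"
                                   Id = $clsid; Line = $line }
            }
        }
    }
}

# Sample input: lines taken from the log posted in this thread.
$sampleLog = @'
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/216054cb037e6ad5d906/netzip/RdxIE601.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
'@ -split "`r?`n"

Get-HjtFindings -Lines $sampleLog | Format-Table Type, Reason, Id -AutoSize
```

On the sample above this reports the two "(no file)" BHOs, the RdxIE control fetched from a raw IP, and the ipbill.com loader as a host not on the allow-list, which is the same set of O2/O16 lines the next reply asks to fix. An allow-list is only a filter for the reviewer's attention; a vendor host on the list can still serve an unwanted control, as the thread's treatment of the QuickTime installer entry shows.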
 

Registered · 9,396 Posts
Run hijackthis again and put a checkmark against these entries....double check
in case you miss anything....
.....then,close all browser and outlook windows and "fix checked"

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
Class) - http://207.188.7.150/216054cb037e6a...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...llInstaller.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

Looks like AVG is doing its job :up:

Empty all temp files.....turn off System Restore, reboot and turn it on again, set a new restore point.
;)
 

Registered · 9,396 Posts
Your Content IE5 folder should have hidden attributes and be in your Temp Internet Files folder.....I would just delete the .ini file, no idea why it should pop up there.
;)
 

Registered · 365 Posts · Discussion Starter · #9
Originally posted by $teve:
Run hijackthis again and put a checkmark against these entries....double check
in case you miss anything....
.....then,close all browser and outlook windows and "fix checked"

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
Class) - http://207.188.7.150/216054cb037e6a...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...llInstaller.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

Looks like AVG is doing its job :up:

Empty all temp files.....turn off System Restore, reboot and turn it on again, set a new restore point.
;)
Thanks for this, one thing though:

http://207.188.7.150/216054cb037e6a...ip/RdxIE601.cab This is half an entry from my HJT scan; should it be included for deletion or ignored?
 

Registered · 365 Posts · Discussion Starter · #10
Originally posted by $teve:
Your Content IE5 folder should have hidden attributes and be in your Temp Internet Files folder.....I would just delete the .ini file, no idea why it should pop up there.
;)
I know it should, but it isn't in the Temp Internet Files folder for my profile, whilst it is for the two other users on this PC :confused: It disappeared when I got this dropper thing spotted by AVG. But what's even more confusing to me is that when I run a virus check, either AVG or an online one like Trend or RAV, they actually check the contents of my 'Content IE5 folder'; indeed yesterday RAV actually found an infected file in it that no other scan ever has. But when I came to look for the folder it's just not there. All hidden files and folders are marked to show, BTW.

I don't know if I am explaining myself very well, but that's how confused I am as to where this folder actually is or why it remains hidden when it should be visible :confused: If it has moved, how do I find it and get it back where it should be? I have a sneaking suspicion that the desktop.ini file which has appeared on my desktop is originally from the Content IE5 folder.

Confused of Cheshire
 

Registered · 9,396 Posts
You can select to view hidden files from the folder options menu, but there are still some that stay hidden.
1) Edit HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
2) Set 'ShowSuperHidden' value to 1 to show the super hidden files or 0 to hide them.

Worth a try.
;)
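The two Explorer settings involved here are registry values under the key named above: Hidden (1 = show hidden files, 2 = do not show) and ShowSuperHidden (1 = show protected operating-system files, 0 = hide them). Content.IE5 carries both the Hidden and System attributes, so only the second value reveals it in Explorer. The PowerShell below is an added example, not part of this thread; it reads both values, sets them to show everything, and then lists Content.IE5 with -Force, which returns hidden and system items regardless of the Explorer setting, so the listing confirms whether the folder actually exists. The cache path is taken from the InternetCache special folder for the current user.

```powershell
# Added example: inspect and set the Explorer "hidden" / "super hidden" values,
# then prove Content.IE5 is present independently of what Explorer shows.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerVisibility {
    $p = Get-ItemProperty -Path $advanced
    [pscustomobject]@{
        Hidden          = $p.Hidden           # 1 = show hidden files, 2 = do not show
        ShowSuperHidden = $p.ShowSuperHidden  # 1 = show protected OS files, 0 = hide
    }
}

function Enable-SuperHidden {
    # Both values are REG_DWORD under the per-user Advanced key.
    Set-ItemProperty -Path $advanced -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord
}

# Content.IE5 is Hidden+System; Get-ChildItem only returns such items with -Force.
$contentIE5 = Join-Path ([Environment]::GetFolderPath('InternetCache')) 'Content.IE5'

"Before:"; Get-ExplorerVisibility
Enable-SuperHidden
"After:";  Get-ExplorerVisibility

if (Test-Path -LiteralPath $contentIE5) {
    "Attributes of ${contentIE5}: " + (Get-Item -LiteralPath $contentIE5 -Force).Attributes
    # The randomly named sub-folders are where cached pages (including any .hta) live.
    Get-ChildItem -LiteralPath $contentIE5 -Force -Directory | Select-Object Name, Attributes
} else {
    "Content.IE5 not found at $contentIE5"
}
```

Explorer reads these values when a window is opened, so an already-open window needs to be closed and reopened (or the Explorer process restarted) before the change is visible there. The -Force listing is the reliable check: if it shows the folder and its sub-folders, the cache is where scanners expect it and the only problem is Explorer's view of it.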
 

Registered · 365 Posts · Discussion Starter · #13
Steve

I have read the article and it is interesting but if you look at the pic below you'll see that there is no little cross (+) indicating a sub folder to my Temp Internet Files.

However, the two other user profiles on this PC do have the little cross (+) indicating a sub folder.



I will try the other suggestion to locate as well
 

Attachments

Registered · 365 Posts · Discussion Starter · #14
Originally posted by $teve:
You can select to view hidden files from the folder options menu, but there are still some that stay hidden.
1) Edit HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
2) Set 'ShowSuperHidden' value to 1 to show the super hidden files or 0 to hide them.

Worth a try.
;)
Sorry, which value exactly do I change to 1? :confused:

 

Attachments

Retired Moderator, Retired Malware Specialist · 56,449 Posts
easiest way to get rid of them is
do this under each account you have on the computer

close all IE & OE windows

open Control Panel / Internet Options / General tab / press Delete Files / Delete Cookies / Clear History

reboot

do the same for every user account

then run an AVG scan and see what it finds
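Derek's steps empty the Temporary Internet Files cache by hand, once per account. The PowerShell below is an added example, not Derek's instructions or anything posted in the thread; run from an administrator session it inventories every profile's cache in one pass and, only when asked, empties it. It assumes the Windows XP profile layout (`C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5`) that this thread's log shows; on later Windows versions the cache lives under each user's AppData folder, so `-ProfileRoot` and the relative cache path would both need adjusting.

```powershell
# Added example: inventory (and optionally empty) the IE cache of every user
# profile, the same job as Internet Options > Delete Files done per account.
# Assumes the Windows XP "Documents and Settings" layout seen in this thread.

function Get-IeCacheInventory {
    param(
        [string]$ProfileRoot = 'C:\Documents and Settings',
        [switch]$Remove    # only delete after reviewing the inventory
    )
    foreach ($profile in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force) {
        $cache = Join-Path $profile.FullName 'Local Settings\Temporary Internet Files\Content.IE5'
        if (-not (Test-Path -LiteralPath $cache)) {
            [pscustomobject]@{ User = $profile.Name; Exists = $false; Files = 0; HtaFiles = @() }
            continue
        }
        # -Force is required: the cache folders are Hidden+System, and Explorer's
        # "show hidden files" setting alone does not reveal them.
        $files = Get-ChildItem -LiteralPath $cache -Recurse -Force -File -ErrorAction SilentlyContinue
        # A cached .hta is the kind of artifact AVG reported in this thread, so list
        # those by full path rather than just counting them.
        $hta = @($files | Where-Object { $_.Extension -ieq '.hta' } | ForEach-Object FullName)
        [pscustomobject]@{ User = $profile.Name; Exists = $true; Files = @($files).Count; HtaFiles = $hta }

        if ($Remove) {
            # index.dat is held open while that user is logged on; leave it to the
            # Internet Options dialog, which handles it on the next reboot.
            $files | Where-Object { $_.Name -ine 'index.dat' } |
                Remove-Item -Force -ErrorAction SilentlyContinue
        }
    }
}

Get-IeCacheInventory | Format-List          # inventory only
# Get-IeCacheInventory -Remove              # empty every profile's cache after review
```

Running the inventory first answers the question the thread keeps returning to: whether each profile's Content.IE5 is really missing or merely invisible in Explorer. A profile that reports `Exists = $true` with a non-empty `HtaFiles` list is the one to clear (and rescan) first.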
 

Registered · 365 Posts · Discussion Starter · #20
Thanks Derek, will do. Can I just ask one further question, which is: where has the CONTENT IE5 folder gone under my user profile?? When I run an AV scan it says it is checking this folder and it contains an infected file, but when I try to find this file using Explorer it is not there, and all hidden files and folders are marked to show :confused:
 