BleepingComputer.com forums

> Icrss.exe And Other Unknown Processes, Malware?
marbles333
post Jan 8 2007, 01:36 PM
Post #1


Group: Members

Hello. My (temporary) computer has been generally slow recently, which sometimes results in it telling me that I don't have permission to shut it down, and I've got some funny processes running. I did both Spybot and Ad-Aware which removed various other things except these processes. The most notable were icrss.exe, winmgt.exe, efes.exe (which now creates an illegal operation at startup, so ceases instantly) and pcdost.exe - I've certainly never seen them before.

I'm in the process of the other downloads and programs stated on the topic - but this computer is only 128MB RAM so I had to post before it crashed again.

I'm new to Hijackthis so apologies if I've done something wrong.

Logfile of HijackThis v1.99.1
Scan saved at 18:31:01, on 09/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system\icrss.exe
D:\WINNT\system32\dllcache\ppcdost.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MS System Call Function] h.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe
O4 - HKLM\..\RunServices: [MS System Call Function] h.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MS System Call Function] z.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC72DB5-92E0-41EB-A986-E2A037E6340F}: NameServer = 80.225.250.178 80.225.250.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - D:\WINNT\system\icrss.exe
O23 - Service: Microsoft Agent - Unknown owner - D:\WINNT\system32\dllcache\ppcdost.exe

Shaba
post Jan 8 2007, 01:46 PM
Post #2


Group: Malware Response Instructor

Hi marbles333

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.


--------------------
Microsoft MVP Consumer Security


marbles333
post Jan 8 2007, 01:50 PM
Post #3


Group: Members

It's only a temporary computer - my other computer is in for repairs. I don't use any form of internet banking or anything - just webmail, IM and forums which I'm not too bothered about. I've only used this computer since Thursday, so not much has gone far.

Yes do what you need - it doesn't bother me what I have to do on this machine. Once I've got mine back this computer is then used for offline activities - this is the first time it's been connected to the internet.

Shaba
post Jan 8 2007, 01:52 PM
Post #4


Group: Malware Response Instructor

Hi

Ok, we'll start:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


marbles333
post Jan 8 2007, 01:55 PM
Post #5


Group: Members

Thank you very much. I'll let you know how I get on shortly - if not I will tomorrow (GMT) from my computer in college.
marbles333
post Jan 8 2007, 02:54 PM
Post #6


Group: Members

icrss.exe has gone from my processes.

Here is the SD report:

SDFix: Version 1.57
****************

Tue 09/01/2007 - 19:09:49.32

Microsoft Windows 2000 [Version 5.00.2195]

Running From: D:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

icrss
Microsoft Agent

File Path:

"D:\WINNT\system\icrss.exe"
"D:\WINNT\system32\dllcache\ppcdost.exe"

icrss Deleted...
Microsoft Agent Deleted...


Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

D:\WINNT\system\icrss.exe
D:\WINNT\system32\i

Backing Up and Removing any Files Found...

Alternate Stream Check:

D:\WINNT\system32
No streams found.
Final Check:

Remaining Services:
------------------


Remaining Files:
---------------

Backups Folder: - D:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

D:\DFSAV32.DLL
D:\Program Files\dsetup.dll
D:\WINNT\discover.exe
D:\WINNT\system32\dllcache\ppcdost.exe
D:\pagefile.sys
D:\RECYCLER\S-1-5-21-2000478354-839522115-1343024091-500\Dd27\Music-Directory\thebox\~WRL0687.tmp

FINISHED!



And here is the HIJACKTHIS report:

Logfile of HijackThis v1.99.1
Scan saved at 19:50:12, on 09/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\notepad.exe
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINNT\system32\internat.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MS System Call Function] h.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe
O4 - HKLM\..\RunServices: [MS System Call Function] h.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MS System Call Function] z.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe


Any better? Can you please recommend me a (free) firewall, as this computer runs Windows 2000 which doesn't have Windows Firewall (don't blame me for not having adequate protection - I've only used this computer since Thursday - it's the first time it's been on the net in its entire 7-year life!) I'd be very grateful. I currently have AVG Free, Ad-Aware and Spybot on this computer whereas I have a full security suite on my proper computer.
marbles333
post Jan 8 2007, 02:59 PM
Post #7


Group: Members

Bugger, AVG keeps detecting other EXE files (which it flags as backdoor progs) - I click "Heal" but I don't know what it does with them. It's not my preferred AV program.
marbles333
post Jan 8 2007, 04:41 PM
Post #8


Group: Members

I think everything's gone now - there are no unverified processes anymore. AVG did detect a few things, so I healed them and deleted any other suspicious files (they were all either H.exe, <space>.exe or Z.exe; one on my Win98 drive as well!).

I don't intend using this computer much longer anyhow, so many thanks! If anything else crops up I'll let you know, and will change all my passwords on a secure computer tomorrow. Keep up the good work!
Shaba
post Jan 9 2007, 02:21 AM
Post #9


Group: Malware Response Instructor

Hi

Anyway, please send a fresh HijackThis log. There are at least bad registry entries left and maybe also one bad exe (SDFix didn't seem to remove it).


marbles333
post Jan 9 2007, 01:34 PM
Post #10


Group: Members

Can you please specify how many of these are not legitimate?

I manually deleted efes.exe.
h.EXE and z.EXE kept popping up by the AVG Anti Virus alert - I clicked heal but I don't know what it does with them. BTW is MSCONFIG included in Microsoft Windows 2000?

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:32:47, on 10/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINNT\system32\internat.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MS System Call Function] h.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [MS System Call Function] h.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MS System Call Function] z.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC72DB5-92E0-41EB-A986-E2A037E6340F}: NameServer = 80.225.250.178 80.225.250.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
Shaba
post Jan 9 2007, 01:40 PM
Post #11


Group: Malware Response Instructor

Hi

The ones you marked with bold are not.

So do this:

Open HijackThis, click do a system scan only and checkmark these:

O4 - HKLM\..\Run: [MS System Call Function] h.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe
O4 - HKLM\..\RunServices: [MS System Call Function] h.exe
O4 - HKCU\..\Run: [MS System Call Function] z.exe


Close all windows including browser and press fix checked.

Please do a search:
Run "Start" > "Search" > "All Files and Folders" and enter h.exe in "All or part of file name". Select "More advanced options". Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders". Click "Search". Right click the file and select delete.

Empty Recycle Bin.

NOTE: That file may not exist at all! If it doesn't, just skip the step above.

Repeat the step for z.exe and ppcdost.exe.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Send:

- a fresh HijackThis log
- Kaspersky report


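A way to do the kind of triage Shaba describes above automatically, as an added example that is not part of the thread and not HijackThis code: the script below reads HijackThis O4 (Run-key) and O23 (service) lines and flags the same entries Shaba lists, using observable properties rather than a signature: a bare filename that is not on a small allowlist of Windows 2000 system programs (the allowlist is an assumption for this example), an executable sitting in a drive root, an entry under the Windows 9x RunServices key, a service with no publisher, and a service running from the dllcache folder. The sample lines are copied from the first log in the thread.

```python
"""Triage HijackThis v1.99 log lines for autostart entries that deserve a closer look.

Added example (not part of the thread, not HijackThis code). Flags O4 Run-key
entries and O23 services on observable properties rather than signatures.
"""
import re
from dataclasses import dataclass, field

# Sample lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MS System Call Function] h.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe
O4 - HKLM\..\RunServices: [MS System Call Function] h.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MS System Call Function] z.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - D:\WINNT\system\icrss.exe
O23 - Service: Microsoft Agent - Unknown owner - D:\WINNT\system32\dllcache\ppcdost.exe
"""

# Windows 2000 components that legitimately appear as bare names in Run keys.
# This allowlist is an assumption for the example; build yours from a clean baseline.
KNOWN_BARE_COMMANDS = {"mobsync.exe", "internat.exe"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str                 # "O4" (Run key) or "O23" (service)
    name: str                 # value name or service display name
    path: str                 # executable as written in the log
    reasons: list = field(default_factory=list)


def executable_from_command(cmd):
    """Return the program part of a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage_o4(match):
    key, name = match.group("key"), match.group("name")
    exe = executable_from_command(match.group("cmd"))
    reasons = []
    if key == "RunServices":
        reasons.append("RunServices is a Windows 9x autostart key; NT-era software rarely writes it")
    if "\\" not in exe:
        if exe.lower() not in KNOWN_BARE_COMMANDS:
            reasons.append("bare filename resolved via the search path and not on the allowlist")
    elif re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
        reasons.append("executable sits in a drive root")
    return Finding("O4", name, exe, reasons) if reasons else None


def triage_o23(match):
    name, owner, path = match.group("name"), match.group("owner"), match.group("path")
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("service binary carries no publisher information")
    if "\\dllcache\\" in path.lower():
        reasons.append("runs from the Windows File Protection cache, not a normal service location")
    return Finding("O23", name, path, reasons) if reasons else None


def triage(log_text):
    """Return a Finding for every O4/O23 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            finding = triage_o4(m)
        else:
            m = O23_RE.match(line)
            finding = triage_o23(m) if m else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run as a script it prints each flagged entry with the reasons it tripped, so a reviewer sees why something was flagged and not only that it was. The allowlist is deliberately small: a bare name is only trusted when it is a known system component, since anything else resolved through the search path is exactly what a dropper relies on, and a genuine program with a full path is never penalised for it.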
marbles333
post Jan 9 2007, 04:09 PM
Post #12


Group: Members

The Kaspersky scan has been going for 1h 30mins now and only 57%. If it hasn't finished by 11pm I'm going to have to stop it (out of my control). If it hasn't completed, will it remove any infected files it's found before then?
marbles333
post Jan 9 2007, 06:06 PM
Post #13


Group: Members

Does Kaspersky actually remove the threats? Report from Kaspersky:

Total number of scanned objects 89718
Number of viruses found 3
Number of infected objects 7 / 0
Number of suspicious objects 0
Duration of the scan process 03:31:35

Infected Object Name Virus Name Last Action
D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\Cookies\index.dat Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\Local Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\ntuser.dat.LOG Object is locked skipped

D:\Documents and Settings\All Users.WINNT\Application Data\avg7\Log\emc.log Object is locked skipped

D:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

D:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

D:\Documents and Settings\Default User.WINNT\Cookies\index.dat Object is locked skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\01ERGHUV\84785_redworld[1].exe Infected: Trojan-PSW.Win32.Nilage.bcd skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\2T2FE34V\84785_nttpm[1].exe Object is locked skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\4N2VWL2L\84785_redworld[1].exe Infected: Trojan-PSW.Win32.Nilage.bcd skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\C5ANYH8J\84785_redworld[1].exe Infected: Trojan-PSW.Win32.Nilage.bcd skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

D:\SDFix\backups\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

D:\SDFix\backups\backups.zip/backups/icrss.exe Infected: Backdoor.Win32.SdBot.xd skipped

D:\SDFix\backups\backups.zip ZIP: infected - 2 skipped

D:\WINNT\CSC\00000001 Object is locked skipped

D:\WINNT\Debug\ipsecpa.log Object is locked skipped

D:\WINNT\Debug\oakley.log Object is locked skipped

D:\WINNT\Debug\PASSWD.LOG Object is locked skipped

D:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped

D:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped

D:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped

D:\WINNT\Internet Logs\NEW-5CE8FA08CCB.ldb Object is locked skipped

D:\WINNT\Internet Logs\tvDebug.log Object is locked skipped

D:\WINNT\SchedLgU.Txt Object is locked skipped

D:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

D:\WINNT\system32\config\default Object is locked skipped

D:\WINNT\system32\config\default.LOG Object is locked skipped

D:\WINNT\system32\config\SAM Object is locked skipped

D:\WINNT\system32\config\SAM.LOG Object is locked skipped

D:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

D:\WINNT\system32\config\SECURITY Object is locked skipped

D:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

D:\WINNT\system32\config\software Object is locked skipped

D:\WINNT\system32\config\software.LOG Object is locked skipped

D:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

D:\WINNT\system32\config\system Object is locked skipped

D:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

D:\WINNT\system32\dllcache\ppcdost.exe Infected: Trojan-PSW.Win32.Nilage.bcd skipped

D:\WINNT\Temp\ZLT01d3f.TMP Object is locked skipped

D:\WINNT\Temp\ZLT01d4c.TMP Object is locked skipped

Scan process completed.


Here's HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 23:06:05, on 10/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINNT\system32\internat.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC72DB5-92E0-41EB-A986-E2A037E6340F}: NameServer = 80.225.250.178 80.225.250.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
Shaba
post Jan 10 2007, 02:21 AM
Post #14
Group: Malware Response Instructor
Posts: 6,255
Joined: 8-July 06
From: Finland
Member No.: 75,186
Hi

Kaspersky doesn't remove anything but is an excellent scanner. That's why I use it smile.gif

Empty IE temporary internet files

Empty this folder:

D:\SDFix\backups

Delete this:

D:\WINNT\system32\dllcache\ppcdost.exe

If you can't find it, make your hidden & system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Empty Recycle Bin.

Re-scan with Kaspersky

Send:

- a fresh HijackThis log
- Kaspersky report


--------------------
Microsoft MVP Consumer Security
marbles333
post Jan 10 2007, 11:41 AM
Post #15
Group: Members
Posts: 16
Joined: 8-January 07
Member No.: 105,250
QUOTE(Shaba @ Jan 10 2007, 02:21 AM)
Hi

Kaspersky doesn't remove anything but is an excellent scanner. That's why I use it smile.gif

Empty IE temporary internet files

Empty this folder:

D:\SDFix\backups

Delete this:

D:\WINNT\system32\dllcache\ppcdost.exe

If you can't find it, make your hidden & system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html


Yes, Kaspersky is an excellent scanner if you have three hours on your hands - I'm afraid I'm unable to leave it again for that amount of time today, simply because energy prices aren't cheap! I don't know whether it takes less time normally, but this computer is only running with 128MB RAM.

Deleted the SDFix backups - however PPCDost.exe doesn't exist (even when hidden files are visible). It's not appearing on HijackThis any longer, however.

CA Firewall no longer exists - I've got ZoneAlarm, but CA still appears on HijackThis, even though it's been deleted.

Logfile of HijackThis v1.99.1
Scan saved at 16:40:12, on 11/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINNT\system32\internat.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC72DB5-92E0-41EB-A986-E2A037E6340F}: NameServer = 80.225.250.178 80.225.250.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
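The stale [cctray] line marbles333 points out (the CA program has been uninstalled, but its O4 Run entry is still reported) is exactly what a small triage script can flag. This is an added example, not code from the thread or from HijackThis: it parses O4 and O23 lines in the format shown above and reports entries whose image path no longer exists, using a constructed sample log and a constructed stand-in for the disk (PRESENT) in place of a real file-system check.

```python
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample in the shape HijackThis v1.99.1 writes O4 and O23 lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
"""
# Constructed stand-in for the disk (lower-cased): what remains after CA was uninstalled.
PRESENT = {
    r"d:\progra~1\grisoft\avgfre~1\avgcc.exe",
    r"d:\program files\zone labs\zonealarm\zlclient.exe",
    r"d:\winnt\system32\zonelabs\vsmon.exe",
}
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]*)\) - (?P<vendor>.+?) - (?P<cmd>.+)$")

@dataclass
class Entry:
    section: str  # "O4" or "O23"
    name: str     # Run value name, or the service short name for O23
    image: str    # executable as written in the log (absolute path or bare name)

def image_from_command(cmd: str) -> str:
    """Executable part of a command line: the quoted path if quoted, else the first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def parse_entries(log: str) -> List[Entry]:
    entries = []
    for line in log.splitlines():
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], image_from_command(m["cmd"])))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["short"], image_from_command(m["cmd"])))
    return entries

def find_orphans(log: str, exists: Callable[[str], bool]) -> List[Entry]:
    """Entries whose absolute image path is gone; bare names (PATH lookup) are skipped."""
    return [e for e in parse_entries(log)
            if re.match(r"^[A-Za-z]:\\", e.image) and not exists(e.image)]

def sample_exists(path: str) -> bool:
    return path.lower() in PRESENT
```

On a real machine you would pass `os.path.exists` instead of `sample_exists`; an orphaned entry is harmless by itself, but a Run value whose target is missing is worth a second look in case something is expected to recreate the file.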