Icrss.exe And Other Unknown Processes


  • This topic is locked
16 replies to this topic

#1 marbles333

  • Members
  • 16 posts

Posted 08 January 2007 - 01:36 PM

Hello. My (temporary) computer has been generally slow recently, which sometimes results in it telling me that I don't have permission to shut it down, and I've got some funny processes running. I did both Spybot and Ad-Aware which removed various other things except these processes. The most notable were icrss.exe, winmgt.exe, efes.exe (which now creates an illegal operation at startup, so ceases instantly) and pcdost.exe - I've certainly never seen them before.

I'm in the process of the other downloads and programs stated on the topic - but this computer is only 128MB RAM so I had to post before it crashed again.

I'm new to Hijackthis so apologies if I've done something wrong.

Logfile of HijackThis v1.99.1
Scan saved at 18:31:01, on 09/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system\icrss.exe
D:\WINNT\system32\dllcache\ppcdost.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MS System Call Function] h.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe
O4 - HKLM\..\RunServices: [MS System Call Function] h.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MS System Call Function] z.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC72DB5-92E0-41EB-A986-E2A037E6340F}: NameServer = 80.225.250.178 80.225.250.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - D:\WINNT\system\icrss.exe
O23 - Service: Microsoft Agent - Unknown owner - D:\WINNT\system32\dllcache\ppcdost.exe

Edited by marbles333, 08 January 2007 - 01:47 PM.



#2 Shaba

    Koutsi

  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 08 January 2007 - 01:46 PM

Hi marbles333

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Microsoft MVP Consumer Security

#3 marbles333
  • Topic Starter
  • Members
  • 16 posts

Posted 08 January 2007 - 01:50 PM

It's only a temporary computer - my other computer is in for repairs. I don't use any form of internet banking or anything - just webmail, IM and forums which I'm not too bothered about. I've only used this computer since Thursday, so not much has gone far.

Yes do what you need - it doesn't bother me what I have to do on this machine. Once I've got mine back this computer is then used for offline activities - this is the first time it's been connected to the internet.

Edited by marbles333, 08 January 2007 - 01:53 PM.


#4 Shaba

    Koutsi

  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 08 January 2007 - 01:52 PM

Hi

Ok, we'll start:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Microsoft MVP Consumer Security

#5 marbles333
  • Topic Starter
  • Members
  • 16 posts

Posted 08 January 2007 - 01:55 PM

Thank you very much. I'll let you know how I get on shortly - if not I will tomorrow (GMT) from my computer in college.

#6 marbles333
  • Topic Starter
  • Members
  • 16 posts

Posted 08 January 2007 - 02:54 PM

icrss.exe has gone from my processes.

Here is the SD report:

SDFix: Version 1.57
****************

Tue 09/01/2007 - 19:09:49.32

Microsoft Windows 2000 [Version 5.00.2195]

Running From: D:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

icrss
Microsoft Agent

File Path:

"D:\WINNT\system\icrss.exe"
"D:\WINNT\system32\dllcache\ppcdost.exe"

icrss Deleted...
Microsoft Agent Deleted...


Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

D:\WINNT\system\icrss.exe
D:\WINNT\system32\i

Backing Up and Removing any Files Found...

Alternate Stream Check:

D:\WINNT\system32
No streams found.
Final Check:

Remaining Services:
------------------


Remaining Files:
---------------

Backups Folder: - D:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

D:\DFSAV32.DLL
D:\Program Files\dsetup.dll
D:\WINNT\discover.exe
D:\WINNT\system32\dllcache\ppcdost.exe
D:\pagefile.sys
D:\RECYCLER\S-1-5-21-2000478354-839522115-1343024091-500\Dd27\Music-Directory\thebox\~WRL0687.tmp

FINISHED!



And here is the HIJACKTHIS report:

Logfile of HijackThis v1.99.1
Scan saved at 19:50:12, on 09/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\notepad.exe
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINNT\system32\internat.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MS System Call Function] h.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe
O4 - HKLM\..\RunServices: [MS System Call Function] h.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MS System Call Function] z.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe


Any better? Can you please recommend me a (free) firewall, as this computer runs Windows 2000 which doesn't have Windows Firewall (don't blame me for not having adequate protection - I've only used this computer since Thursday - it's the first time it's been on the net in its entire 7-year life!) I'd be very grateful. I currently have AVG Free, Ad-Aware and Spybot on this computer whereas I have a full security suite on my proper computer.

#7 marbles333
  • Topic Starter
  • Members
  • 16 posts

Posted 08 January 2007 - 02:59 PM

Bugger, AVG keeps detecting other EXE files (which it flags as backdoor progs) - I click "Heal" but I don't know what it does with them. It's not my preferred AV program.

#8 marbles333
  • Topic Starter
  • Members
  • 16 posts

Posted 08 January 2007 - 04:41 PM

I think everything's gone now - there are no unverified processes anymore. AVG did detect a few things, so I healed them and deleted any other suspicious files (they were all either H.exe, <space>.exe or Z.exe; one on my Win98 drive as well!).

I don't intend using this computer much longer anyhow, so many thanks! If anything else crops up I'll let you know, and will change all my passwords on a secure computer tomorrow. Keep up the good work! :thumbsup:

#9 Shaba

    Koutsi

  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 09 January 2007 - 02:21 AM

Hi

Anyway, please send a fresh HijackThis log :thumbsup: There are at least bad registry entries left and maybe also one bad exe (sdfix didn't seem to remove it).
Microsoft MVP Consumer Security

#10 marbles333
  • Topic Starter
  • Members
  • 16 posts

Posted 09 January 2007 - 01:34 PM

Can you please specify how many of these are not legitimate?

I manually deleted efes.exe.
h.EXE and z.EXE kept popping up by the AVG Anti Virus alert - I clicked heal but I don't know what it does with them. BTW is MSCONFIG included in Microsoft Windows 2000?

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:32:47, on 10/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINNT\system32\internat.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MS System Call Function] h.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [MS System Call Function] h.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MS System Call Function] z.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC72DB5-92E0-41EB-A986-E2A037E6340F}: NameServer = 80.225.250.178 80.225.250.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe

#11 Shaba

    Koutsi

  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 09 January 2007 - 01:40 PM

Hi

The ones you marked with bold are not :thumbsup:

So do this:

Open HijackThis, click do a system scan only and checkmark these:

O4 - HKLM\..\Run: [MS System Call Function] h.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe
O4 - HKLM\..\RunServices: [MS System Call Function] h.exe
O4 - HKCU\..\Run: [MS System Call Function] z.exe


Close all windows including browser and press fix checked.

Please do a search:
Run "Start" > "Search" > "All Files and Folders" > enter h.exe in "All or part of file name". Select "More advanced options". Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders". Click "Search". Right click the file and select delete.

Empty Recycle Bin.

NOTE: That file may not exist at all! If it doesn't, just skip the step above.

Repeat step for z.exe and ppcdost.exe

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Send:

- a fresh HijackThis log
- kaspersky report
Microsoft MVP Consumer Security
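The signals Shaba is reading off the log above (a Run entry that is a bare file name such as h.exe or z.exe, a program sitting in a drive root or in dllcache, an O23 service with "Unknown owner", a Microsoft-sounding name on a binary Microsoft did not ship) can be applied mechanically. The script below is an added example, not part of this thread or of HijackThis, that runs those checks over O4 and O23 lines copied from the logs posted here; the short allowlist of Windows components that legitimately start by bare name is an assumption for the example.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) log lines.

Added example, not part of the thread or of HijackThis itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: O4 and O23 lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MS System Call Function] h.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\efes.exe
O4 - HKLM\..\RunServices: [MS System Call Function] h.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MS System Call Function] z.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - D:\WINNT\system\icrss.exe
O23 - Service: Microsoft Agent - Unknown owner - D:\WINNT\system32\dllcache\ppcdost.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption for this example: Windows components that legitimately start by bare
# name from a Run key on Windows 2000. Not an authoritative list.
KNOWN_BARE_NAMES = {"mobsync.exe", "internat.exe"}

# Directories a program that starts at boot normally does not live in.
ODD_DIRS = ("\\dllcache\\", "\\winnt\\system\\", "\\windows\\system\\")


@dataclass
class Finding:
    line: str
    reasons: list[str]


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def assess_run_entry(key: str, name: str, cmd: str) -> list[str]:
    """Signals for an O4 autostart line; an empty list means nothing stood out."""
    reasons = []
    exe = executable_of(cmd)
    low = exe.lower()
    bare = "\\" not in exe
    if bare and low not in KNOWN_BARE_NAMES:
        reasons.append("bare file name found via PATH search rather than a full path")
    if re.fullmatch(r"[a-z]\.exe", low):
        reasons.append("one-letter executable name")
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        reasons.append("executable placed in the root of a drive")
    if any(d in low for d in ODD_DIRS):
        reasons.append("executable in a directory programs do not normally run from")
    if key.lower() == "runservices":
        reasons.append("RunServices key (Windows 9x-style autostart, unusual on NT)")
    if reasons and (name.lower().startswith("ms ") or "microsoft" in name.lower()):
        reasons.append("Microsoft-sounding entry name on a non-Microsoft binary")
    return reasons


def assess_service_entry(name: str, owner: str, path: str) -> list[str]:
    """Signals for an O23 service line."""
    reasons = []
    low = path.lower()
    if owner.strip().lower() == "unknown owner":
        reasons.append("no company name in the binary's version info (Unknown owner)")
    if any(d in low for d in ODD_DIRS):
        reasons.append("service binary in a directory services do not normally run from")
    if reasons and "microsoft" in name.lower():
        reasons.append("Microsoft-sounding service name on an unowned binary")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return every O4/O23 line that raised at least one signal, with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = assess_run_entry(m["key"], m["name"], m["cmd"])
        else:
            m = O23_RE.match(line)
            reasons = assess_service_entry(m["name"], m["owner"], m["path"]) if m else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

On the sample it flags exactly the four O4 entries Shaba asked to have fixed plus the two services SDFix removed, and leaves the AVG, QuickTime and Windows entries alone; a hit is a reason to look at the file, not proof on its own.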

#12 marbles333
  • Topic Starter
  • Members
  • 16 posts

Posted 09 January 2007 - 04:09 PM

The Kaspersky scan has been going for 1h 30mins now and only 57%. If it hasn't finished by 11pm I'm going to have to stop it (out of my control). If it hasn't completed, will it remove any infected files it's found before then?

#13 marbles333
  • Topic Starter
  • Members
  • 16 posts

Posted 09 January 2007 - 06:06 PM

Does Kaspersky actually remove the threats? Report from Kaspersky:

Total number of scanned objects 89718
Number of viruses found 3
Number of infected objects 7 / 0
Number of suspicious objects 0
Duration of the scan process 03:31:35

Infected Object Name Virus Name Last Action
D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\Cookies\index.dat Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\Local Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\Administrator.NEW-5CE8FA08CCB\ntuser.dat.LOG Object is locked skipped

D:\Documents and Settings\All Users.WINNT\Application Data\avg7\Log\emc.log Object is locked skipped

D:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

D:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

D:\Documents and Settings\Default User.WINNT\Cookies\index.dat Object is locked skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\01ERGHUV\84785_redworld[1].exe Infected: Trojan-PSW.Win32.Nilage.bcd skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\2T2FE34V\84785_nttpm[1].exe Object is locked skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\4N2VWL2L\84785_redworld[1].exe Infected: Trojan-PSW.Win32.Nilage.bcd skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\C5ANYH8J\84785_redworld[1].exe Infected: Trojan-PSW.Win32.Nilage.bcd skipped

D:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

D:\SDFix\backups\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

D:\SDFix\backups\backups.zip/backups/icrss.exe Infected: Backdoor.Win32.SdBot.xd skipped

D:\SDFix\backups\backups.zip ZIP: infected - 2 skipped

D:\WINNT\CSC\00000001 Object is locked skipped

D:\WINNT\Debug\ipsecpa.log Object is locked skipped

D:\WINNT\Debug\oakley.log Object is locked skipped

D:\WINNT\Debug\PASSWD.LOG Object is locked skipped

D:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped

D:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped

D:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped

D:\WINNT\Internet Logs\NEW-5CE8FA08CCB.ldb Object is locked skipped

D:\WINNT\Internet Logs\tvDebug.log Object is locked skipped

D:\WINNT\SchedLgU.Txt Object is locked skipped

D:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

D:\WINNT\system32\config\default Object is locked skipped

D:\WINNT\system32\config\default.LOG Object is locked skipped

D:\WINNT\system32\config\SAM Object is locked skipped

D:\WINNT\system32\config\SAM.LOG Object is locked skipped

D:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

D:\WINNT\system32\config\SECURITY Object is locked skipped

D:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

D:\WINNT\system32\config\software Object is locked skipped

D:\WINNT\system32\config\software.LOG Object is locked skipped

D:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

D:\WINNT\system32\config\system Object is locked skipped

D:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

D:\WINNT\system32\dllcache\ppcdost.exe Infected: Trojan-PSW.Win32.Nilage.bcd skipped

D:\WINNT\Temp\ZLT01d3f.TMP Object is locked skipped

D:\WINNT\Temp\ZLT01d4c.TMP Object is locked skipped

Scan process completed.


Here's HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 23:06:05, on 10/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINNT\system32\internat.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC72DB5-92E0-41EB-A986-E2A037E6340F}: NameServer = 80.225.250.178 80.225.250.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe

#14 Shaba

    Koutsi

  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 10 January 2007 - 02:21 AM

Hi

Kaspersky doesn't remove anything but is an excellent scanner. That's why I use it :thumbsup:

Empty IE temporary internet files

Empty this folder:

D:\SDFix\backups

Delete this:

D:\WINNT\system32\dllcache\ppcdost.exe

If you can't find it, make your hidden & system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Empty Recycle Bin.

Re-scan with kaspersky

Send:

- a fresh HijackThis log
- kaspersky report
Microsoft MVP Consumer Security

#15 marbles333
  • Topic Starter
  • Members
  • 16 posts

Posted 10 January 2007 - 11:41 AM

> Hi
>
> Kaspersky doesn't remove anything but is an excellent scanner. That's why I use it :thumbsup:
>
> Empty IE temporary internet files
>
> Empty this folder:
>
> D:\SDFix\backups
>
> Delete this:
>
> D:\WINNT\system32\dllcache\ppcdost.exe
>
> If you can't find it, make your hidden & system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html


Yes, Kaspersky is an excellent scanner if you have three hours on your hands - I'm afraid I'm unable to leave it again for that amount of time today, simply because energy prices aren't cheap! I don't know whether it takes less time normally, but this computer is only running with 128MB RAM.

Deleted the SD Fix backups - however PPCDost.exe doens't exist (even when hidden files are visible). Its not appearing on HijackThis any longer however.

CA Firewall no longer exists - I've got ZoneAlarm but CA still appears on HijackThis, even though it's been deleted.

Logfile of HijackThis v1.99.1
Scan saved at 16:40:12, on 11/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINNT\system32\internat.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC72DB5-92E0-41EB-A986-E2A037E6340F}: NameServer = 80.225.250.178 80.225.250.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
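The two posts above turn on a reading of the HijackThis log: Shaba asks for a file to be deleted from dllcache, and marbles333 notes that the CA cctray O4 Run entry still appears after CA was uninstalled. A helper that parses O4 (Run keys), O17 (NameServer) and O23 (services) lines and flags entries whose image is missing from disk, entries that name an executable without a full path (so the copy that actually runs depends on the search path), and resolvers that are not the ones the ISP is expected to hand out is the kind of first pass a triager would write before deciding what to delete. The code below is an added example, not HijackThis code and not anything posted in this thread. SAMPLE_LOG and SAMPLE_DISK are constructed stand-ins: the log lines copy the format of the log above, and the disk set pretends the CA binary is gone while the AVG, ZoneAlarm and vsmon binaries are present. The "expected resolver" list is an assumption you supply (the two 80.225.250.x addresses in the log are whatever the user's connection was assigned; the helper treats them as fine only because the caller says so). An orphaned entry is stale configuration, not proof of infection, and a match on disk says nothing about whether that file is legitimate.

```python
"""Triage helper for HijackThis 1.99.1 log lines (constructed example)."""
import os
import re

# Constructed sample lines, modelled on the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC72DB5-92E0-41EB-A986-E2A037E6340F}: NameServer = 80.225.250.178 80.225.250.186
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Constructed stand-in for the filesystem: the CA cctray binary is absent
# (the user uninstalled CA), the others are present.
SAMPLE_DISK = {
    r"D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe",
    r"D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe",
    r"D:\WINNT\system32\ZoneLabs\vsmon.exe",
}

O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) \((\w+)\) - (.*?) - (.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def image_path(command):
    """Pull the executable out of a Run-key command line.

    Quoted paths are taken up to the closing quote; otherwise the first
    token is used, which is also how Windows resolves an unquoted path
    that contains spaces (a known source of ambiguity).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def paths_on_disk(candidates):
    """Build the on_disk set for triage() from the real filesystem."""
    return {p for p in candidates if os.path.exists(p)}


def triage(log_text, on_disk, expected_dns=()):
    """Return a list of (entry, reason) findings for O4/O17/O23 lines.

    on_disk:      full paths known to exist (compared case-insensitively,
                  as Windows does).
    expected_dns: resolvers the ISP is known to assign; when given, any
                  other NameServer value is flagged for review.
    """
    disk = {p.lower() for p in on_disk}
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            name, image = m.group(2), image_path(m.group(3))
            if not DRIVE_RE.match(image):
                findings.append((f"O4 [{name}]",
                                 f"unqualified image '{image}': resolved via the search path, "
                                 "verify which copy actually runs"))
            elif image.lower() not in disk:
                findings.append((f"O4 [{name}]",
                                 f"orphaned: {image} not on disk (stale entry or file already removed)"))
            continue
        m = O17_RE.match(line)
        if m and expected_dns:
            for server in m.group(1).split():
                if server not in expected_dns:
                    findings.append(("O17 NameServer",
                                     f"{server} is not an expected resolver: check for DNS hijack"))
            continue
        m = O23_RE.match(line)
        if m:
            short, image = m.group(2), m.group(4).strip()  # service paths are unquoted and may contain spaces
            if image.lower() not in disk:
                findings.append((f"O23 ({short})", f"orphaned: {image} not on disk"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG, SAMPLE_DISK,
                                expected_dns={"80.225.250.178", "80.225.250.186"}):
        print(f"{entry}: {reason}")
```

Run against the sample, the helper reports the cctray entry as orphaned (the situation marbles333 describes) and the HKCU internat.exe entry as unqualified; internat.exe is the Windows 2000 input-locale indicator, so that finding is a prompt to confirm which file runs, not a verdict. For a real log, replace SAMPLE_DISK with paths_on_disk() over the paths pulled from the log and supply the resolvers your ISP documents. The script deliberately deletes nothing; removal of files such as the one Shaba named under dllcache is a separate, manual step.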