Problems with herss.exe for months

Question

bendher 0 Newbie Poster

14 Years Ago

Hello guys,

I have problems with herss.exe for months. This spyware has extended not only to my computer but also to all of my usb keys and external disk. So whenever I scan and delete all of the files, it appears again after restart. Avast finds same stuff every day.

Even if everything looks ok on my computer, whenever I go with my usb key to some other computer, it gives virus alert (autorun.inf).

It is really frustrating, because I formatted the disk and installed fresh windows, but the spyware remains .

I also cannot view hidden files, I think it is connected with herss.exe.

Whenever I try to open my local disk or any other disk in my computer, it asks me to choose the program for opening. I can only reach my disks with right click and explore option. I have attached image of this example.

I also have windows errors every few hours. Picture of one example is also attached.

I have scanned my computer with stopzilla and I'm also attaching the picture of what was found.

Thank you for your help!

I hope we will find a solution!

Here are reports:

Malwarebytes' Anti-Malware 1.43
Database version: 3509
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

7.1.2010 22:43:36
mbam-log-2010-01-07 (22-43-36).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|H:\|I:\|)
Objects scanned: 204970
Time elapsed: 1 hour(s), 13 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\downloads\ostali programi\Cyberlink PowerCinema 5.0.3902\crack\cyberlink.powercinema.5.0.3902-NoPE.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\downloads\ostali programi\TechSmith SnagIt 9.1.0.206\keygen.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\Program Files\Cyberlink\PowerCinema\cyberlink.powercinema.5.0.3902-NoPE.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{FB1C721E-1AD7-4422-BD15-D45EC036A5C0}\RP103\A0015502.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{FB1C721E-1AD7-4422-BD15-D45EC036A5C0}\RP103\A0015534.exe (Malware.Packer) -> Quarantined and deleted successfully.

Avast

01/03/2010 20:53
Scan of all local drives

File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP156\A0048560.exe is infected by Win32:Malware-gen, Deleted
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP156\A0048576.exe is infected by Win32:Malware-gen, Deleted
File C:\xmor.exe is infected by Win32:Malware-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP156\A0048562.exe is infected by Win32:Malware-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP156\A0048578.exe is infected by Win32:Malware-gen, Deleted
File D:\xmor.exe is infected by Win32:Malware-gen, Deleted
Number of searched folders: 6841
Number of tested files: 77962
Number of infected files: 6

----------------------------------------
01/07/2010 18:25
Scan of all local drives

File C:\anoataly.exe is infected by Win32:Trojan-gen, Deleted
File C:\Documents and Settings\Jure\Local Settings\Temp\cvasds1.dll is infected by Win32:Trojan-gen, Deleted
File C:\hiberfil.sys is infected by Win32:Rimecud-B [Wrm], Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Repair: Error 42060 {The file was not repaired.}
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP163\A0050847.exe is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP163\A0050861.exe is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP163\A0050877.exe is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP163\A0050888.exe is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP164\A0050959.exe is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP164\A0050986.exe is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP166\A0051114.exe is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP166\A0051134.exe is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP167\A0051147.exe is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP167\A0051160.exe is infected by Win32:Trojan-gen, Deleted
File D:\anoataly.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP163\A0050849.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP163\A0050863.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP163\A0050879.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP163\A0050890.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP163\A0050912.exe is infected by Win32:Rootkit-gen [Rtk], Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP164\A0050946.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP164\A0050961.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP164\A0050988.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP165\A0051026.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP166\A0051080.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP166\A0051116.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP166\A0051136.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP167\A0051149.exe is infected by Win32:Trojan-gen, Deleted
File D:\System Volume Information\_restore{7090D59B-C936-428B-A99B-AE248D072751}\RP167\A0051161.exe is infected by Win32:Trojan-gen, Deleted
Number of searched folders: 6898
Number of tested files: 78929
Number of infected files: 28

DDS (Ver_09-12-01.01) - NTFSx86
Run by Jure at 0:05:29,28 on pet 08.01.2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1280.607 [GMT 1:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Jure\Desktop\virus\orodja\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
mURLSearchHooks: SrchHook Class: {d3f669eb-57ce-4f45-8fbd-e245cbb46366} - c:\program files\stopzilla!\toolbar\SZIESearchHook.dll
mURLSearchHooks: H - No File
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\toolbar\SZSG.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\toolbar\SZSG.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {A476A0E0-0F31-44A4-997F-9ED6A2D2D142} = 164.8.100.100,164.8.10.10
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jure\applic~1\mozilla\firefox\profiles\hgpf8lvz.default\
FF - component: c:\program files\stopzilla!\toolbar\extension\components\SiteGuardFF.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2009-8-31 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2009-8-31 5248]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2009-12-14 163600]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2003-8-7 6528]
R3 HomeQOS;HomeQOS Miniport;c:\windows\system32\drivers\homeqos.sys [2004-1-20 36096]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 Cdnsspcpc;Cdnsspcpc; [x]

=============== Created Last 30 ================

2010-01-07 22:26:24 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-07 20:20:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 20:20:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 20:20:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 12:55:31 439572484 ----a-w- C:\elektrokemija.mpg
2010-01-06 11:46:06 2939617280 ----a-w- C:\Video Composite_20100106_1246.mpg
2009-12-29 22:41:13 0 d-----w- c:\docume~1\jure\applic~1\STOPzilla!
2009-12-29 21:55:31 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2009-12-29 21:53:48 0 d-----w- c:\program files\STOPzilla!
2009-12-29 21:53:47 0 d-----w- c:\program files\common files\iS3
2009-12-29 21:53:46 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-12-29 21:48:55 0 d-----w- c:\program files\Trend Micro
2009-12-23 13:13:34 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-12-23 13:13:32 438928 ----a-r- c:\windows\system32\SZBase5.dll
2009-12-23 13:04:54 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-12-22 19:18:38 0 d-----w- c:\program files\MSXML 4.0
2009-12-22 19:17:55 0 d-----w- c:\program files\common files\Macrovision Shared
2009-12-21 18:57:23 51 --sh--r- C:\autorun.inf
2009-12-14 09:24:24 163600 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2009-12-10 15:11:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-12-10 15:11:32 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-12-10 15:09:24 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-12-10 15:09:08 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-12-10 15:08:48 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-12-10 15:06:52 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-12-10 15:06:30 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-12-10 15:05:54 94208 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-12-10 15:02:42 729088 ----a-r- c:\windows\system32\IS3Base5.dll

==================== Find3M ====================

2009-12-07 15:59:32 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2009-12-07 15:59:32 61328 ----a-r- c:\windows\system32\drivers\is3srv.sys
2009-10-15 08:02:35 23296 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-01 13:28:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060120090602\index.dat

============= FINISH: 0:05:54,65 ===============

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.20696 (vista_ldr.071008-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=803cac2e9f616948987662a3e10205ab
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-07 11:01:36
# local_time=2010-01-08 12:01:36 (+0100, Central Europe Standard Time)
# country="Slovenia"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=258 16777214 0 2 777623 777623 0 0
# compatibility_mode=512 16777215 100 0 783701 783701 0 0
# compatibility_mode=768 16777215 100 0 358749 358749 0 0
# compatibility_mode=8192 67108863 100 0 3729 3729 0 0
# scanned=77299
# found=4
# cleaned=0
# scan_time=1860
C:\autorun.inf Win32/PSW.OnLineGames.NNU trojan 00000000000000000000000000000000 I
C:\downloads\ostali programi\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
C:\Program Files\rmDC++0.403D[1]\rmDC.exe a variant of Win32/Packed.Morphine trojan 00000000000000000000000000000000 I
D:\autorun.inf Win32/PSW.OnLineGames.NNU trojan 00000000000000000000000000000000 I

windows-virus

Attach.txt (5.45 KB)

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1.6.2009 15:27:09
System Uptime: 1.7.2010 23:23:43 (-4199 hours ago)

Motherboard: ASUSTeK Computer INC. |  | A7V8X-X
Processor: AMD Athlon(TM) XP 2600+ | SOCKET A | 1905/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 39 GiB total, 7,301 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 5,914 GiB free.
E: is CDROM ()
F: is CDROM ()
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP156: 28.12.2009 21:15:50 - System Checkpoint
RP157: 29.12.2009 22:53:27 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP158: 29.12.2009 23:36:59 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP159: 29.12.2009 23:40:59 - Installed STOPzilla!
RP160: 29.12.2009 23:45:23 - Removed STOPzilla!
RP161: 29.12.2009 23:45:40 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP162: 31.12.2009 0:08:37 - System Checkpoint
RP163: 1.1.2010 11:12:01 - System Checkpoint
RP164: 3.1.2010 22:05:23 - Configured Microsoft Office Professional Plus 2007
RP165: 4.1.2010 22:27:45 - System Checkpoint
RP166: 6.1.2010 11:43:28 - System Checkpoint
RP167: 7.1.2010 17:09:12 - System Checkpoint

==== Installed Programs ======================

Torrent
Acrobat.com
Adobe AIR
Adobe Anchor Service CS4
Adobe Audition 3.0
Adobe Bridge 1.0
Adobe Captivate 4
Adobe Captivate Reviewer 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Help Viewer 2
Adobe Photoshop CS2
Adobe Premiere Pro 1.5
Adobe Reader 9.1
Adobe Setup
Adobe Stock Photos 1.0
Adobe Update Manager CS4
Apple Software Update
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI MCE Encoder
AutoUpdate
CCleaner (remove only)
ChrisTV PVR Professional 5.10
DAEMON Tools
Diskeeper Professional Premier Edition
DivX Codec
DivX Version Checker
DU Super Controler (remove only)
eMule
ESET Online Scanner v3
EVEREST Ultimate Edition v3.50
FileZilla Client 3.2.4.1
GOM Player
GTK+ Runtime 2.14.7 rev a (remove only)
HijackThis 2.0.2
iS3 STOPzilla Toolbar
Java(TM) 6 Update 13
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Office Access MUI (English) 2007
Microsoft Office Access MUI (Slovenian) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (Slovenian) 2007
Microsoft Office Groove MUI (Slovenian) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office InfoPath MUI (Slovenian) 2007
Microsoft Office Language Pack 2007 - Slovenian/slovencina
Microsoft Office O MUI (Slovenian) 2007
Microsoft Office OneNote MUI (Slovenian) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Outlook MUI (Slovenian) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (Slovenian) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Professional Plus 2007
Microsoft Office Proof (Croatian) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proof (Slovenian) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (Slovenian) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (Slovenian) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (Slovenian) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (Slovenian) 2007
Microsoft Office X MUI (Slovenian) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders  (English) 12
Microsoft Software Update for Web Folders  (Slovenian) 12
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.7)
MPEG2 Codec(libmpeg2/mad)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Ultra Edition
neroxml
Pidgin
PowerCinema
PowerDVD
QuickTime
Skype 4.1
Software Update for Web Folders
SoundMAX
Spybot - Search & Destroy
STOPzilla
Suite Shared Configuration CS4
TMPGEnc 4.0 XPress
VC80CRTRedist - 8.0.50727.762
VLC media player 0.9.9
Wimba Create v2.4.1 SE
Winamp
Windows Media Encoder 9 Series
WinRAR archiver
Xvid 1.2.1 final uninstall

==== Event Viewer Messages From Past Week ========

7.1.2010 22:54:38, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'.  It has stopped monitoring the volume.
5.1.2010 9:52:52, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  SBRE
4.1.2010 11:25:38, error: Service Control Manager [7022]  - The CyberLink Background Capture Service (CBCS) service hung on starting.
4.1.2010 11:25:38, error: Service Control Manager [7001]  - The CyberLink Task Scheduler (CTS) service depends on the CyberLink Background Capture Service (CBCS) service which failed to start because of the following error:  After starting, the service hung in a start-pending state.

==== End Of File ===========================

3 Contributors
4 Replies
400 Views
1 Month Discussion Span
Latest Post 14 Years Ago Latest Post by n_alhaddad

n_alhaddad 0 Newbie Poster

14 Years Ago

What you posted indicates that the registry infections and System Restore infections are deleted. But what reinfects your computer on startup is not removed. These are 8 steps that will help you remove the trojan from your pc or any usb drive (Steps are pasted from Recovering from HERSS.EXE / PH.EXE Trojan attack:

1. The entire Trojan kit consisted of 3 files - autorun.inf, ph.exe & herss.exe.
2. The infection spreads through USB drives. As soon as somebody inserts a USB drive to an infected PC the Trojan copies ph.exe & autorun.inf (pointing to ph.exe) onto the root directory USB drive.
3. The infection spreads from the USB drive to another PC when the user plugs in the USB drive & selects "Run program from disk" or double clicks the USB drive letter thus triggering the ph.exe through autorun.inf.
4. If you feel your USB drive is infected with this Trojan don't panic. Plug it peacefully onto another PC, go to Windows Explorer, right click (not double click) on the USB drive letter & click "Explore". Now enable "Show Hidden Files and Folders" & delete the files ph.exe & autorun.inf from the root directory of the USB drive.
5. If you feel that your PC has been infected, execute msconfig from Start -> Run, go to Startup tab & look for a startup entry pointing to "C:\Documents and Settings\\Local Settings\Temp\herss.exe". Once the entry is found, uncheck it, save changes & reboot the PC. The Trojan is now unloaded from your OS memory.
6. Now remove the final traces of the Trojan by manually deleting ph.exe, autorun.inf & herss.exe from the mentioned directories.
7. If you are unable to enable "Show Hidden Files and Folders", enable it by following one of the methods listed at Technize website. I used Method 3 & it worked fine for me.
8. Check that your Antivirus software is up to date.

Edited 14 Years Ago by n_alhaddad because: n/a

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

bendher 0 Newbie Poster · Answer 1 · 2010-01-09T19:18:51+00:00

Thanks guys! It worked. Everything looks fine now

Tina_K 0 Newbie Poster · Answer 2 · 2010-02-27T07:33:02+00:00

Hello there!
I have the same problem as bendher, but I think with a small difference...
I have the herss.exe file, found it and deleted it in safemode. But I couldn't find the other 2 mentioned files (autorun.inf and ph.exe). Instead, I found a file named s1.exe that my Kaspersky has detected and I saw it in c:/windows/ using the safemode and deleted that too. So now I'm wondering if everything's fine or I need to find those 2 files...

n_alhaddad 0 Newbie Poster · Answer 3 · 2010-02-27T13:24:01+00:00

I think that removing the three files 'herss.exe', 's1.exe', and 'ph.exe' solves the problem as long as they do not appear again after restart.
According to Virus Removal Guru, 'S1.exe' was first identified on February 26 2010.
Virus Removal Guru also states that 's1.exe' is bundled with other files: 'cvasds0.dll', 'cvasds1.dll', and 'cvasds2.dll'. I think that deleting these files is OK, but to be safe, there's a removal tool for 's1.exe' trojan, at the link above, which will know what files to delete. If you choose to delete them manually, do it on your own risk.