
I have the herss.exe virus

Discussion in 'Virus & Other Malware Removal' started by Toyman, Jan 10, 2011.

Thread Status:
Not open for further replies.
  1. Toyman

    Toyman Thread Starter

    Joined:
    Mar 24, 2001
    Messages:
    225
    I have just spent the last day and a half getting to the bottom of this herss virus. Here is what I have determined.

    1. It ONLY activates when I click on a drive other than my C Drive. It did it on my E Drive which is an extension of my C Drive, it also activated on my D Drive which is a drive in my computer case AND it activated on an EXTERNAL drive..... what do I mean activated? I observed in my startup folder in msconfig that ONLY ..... and this is from about 10 different installs of Windows..... AFTER I clicked on my E Drive or my D Drive or my G Drive that herss.exe shows up in the startup folder...... never when I click on my C Drive though.

    Here's something interesting though..... when I right click on my D or E or G drives and click EXPLORE..... not sure why.... but when I click on explore drive it doesn't activate the herss.exe virus.

    If I forget and click on a drive INSTEAD of exploring it and getting to my folders I have the virus AGAIN.

    Here's something else I noticed.... notice in the screen shot it says "Run The Program using the program provided on the device"...... never used to see that.... SOMEHOW there MUST be a hidden .dll or program on my E or D or G drive that is hiding this VIRUS and not sure why but it only activates upon clicking on the drive.....

    How can I discover WHERE this program is..... the folders don't SAY there is anything hidden..... is it

    I have FORMATTED my C drive, my E Drive and my D Drive..... and STILL this thing is on there.....

    Is there a place in the registry that stores programs like this to activate at a certain time or a certain activity that causes it to activate and I can delete it from there?

    I have tried anti virus software.... NO LUCK.....

    SOMEHOW there is a program SOMEWHERE that I need to delete .... how and where is the question...

    For now I can work around this problem but one wrong click and I have herss.exe eating up all my resources.... it runs the CPU at 100% and causes most tasks to run slower and my keyboard to run slow....

    If I am right in guessing..... if I can discover where they hid this program and delete it from there I will be good to go...

    I have Win XP, SP2, have had the same copy of XP for like 7 years and never had this problem before.

    Please help..... and thanks in advance....

    [IMG]

    Is that "Run The Program" the culprit? And if so where is it so I can remove it..... I also wonder how it got in there and STAYS there even after I format..... hmmmmm
     
  2. Toyman

    Toyman Thread Starter

    Joined:
    Mar 24, 2001
    Messages:
    225
    Not sure if it will show up here or not. It may be lying dormant waiting for me to click on a drive to activate or install it.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:16:55 PM, on 1/10/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/My%20Home%20page.mht
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

    --
    End of file - 3345 bytes
     

Short URL to this thread: https://techguy.org/973821
