I visited my friend's place yesterday to copy some movies onto my portable HDD. I found that he had McAfee Antivirus installed & so went ahead & plugged in my portable HDD. Suddenly I realised that I had not checked whether his antivirus definitions were up to date & found out that they were outdated.
I thus installed Avast's Free Antivirus for Home Users. Within minutes it detected a suspicious file ph.exe in the operating system's memory & suggested doing a Boot Scan of the OS. Surprisingly the Boot Scan did not trace any sort of infection. It still felt like there was something suspicious, as the PC would not allow me to update my Avast virus definitions.
I then returned home & plugged the portable HDD into my laptop. It immediately showed me options like "Run program", "Open Files", etc. Though I skipped this screen, I accidentally double clicked the HDD drive letter, which triggered the Trojan (as I realized later). I did not know what Trojan or virus I had been infected with, but I definitely knew that there was a suspicious file PH.EXE behind this entire problem. I searched the net & ran FixAprop.exe from Symantec's site, which was supposed to fix the PH.EXE infection. I also found out that I could not enable the option "Show hidden Files and Folders" in Windows Explorer. I thus started accessing the C drive of my laptop through the administrative share C$ from my home PC. From my home PC I could see that every time I deleted ph.exe from my laptop, the file would get recreated within seconds. After lots of research & tweaking I found out the following -
- The entire Trojan kit consisted of 3 files - autorun.inf, ph.exe & herss.exe.
- The infection spreads through USB drives. As soon as somebody inserts a USB drive into an infected PC, the Trojan copies ph.exe & autorun.inf (pointing to ph.exe) onto the root directory of the USB drive.
- The infection spreads from the USB drive to another PC when the user plugs in the USB drive & selects "Run program from disk" or double clicks the USB drive letter thus triggering the ph.exe through autorun.inf.
- If you feel your USB drive is infected with this Trojan don't panic. Plug it peacefully onto another PC, go to Windows Explorer, right click (not double click) on the USB drive letter & click "Explore". Now enable "Show Hidden Files and Folders" & delete the files ph.exe & autorun.inf from the root directory of the USB drive.
- If you feel that your PC has been infected, execute msconfig from Start -> Run, go to the Startup tab & look for a startup entry pointing to "C:\Documents and Settings\[username]\Local Settings\Temp\herss.exe". Once the entry is found, uncheck it, save changes & reboot the PC. The Trojan is now unloaded from your OS memory.
- Now remove the final traces of the Trojan by manually deleting ph.exe, autorun.inf & herss.exe from the mentioned directories.
- If you are unable to enable "Show Hidden Files and Folders", enable it by following one of the methods listed at Technize website. I used Method 3 & it worked fine for me.
- Check that your Antivirus software is up to date.
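The spreading mechanism described above (an autorun.inf in the drive root whose launch keys point at ph.exe) can be checked for without ever double-clicking the drive. The following Python script is an added example, not code from the original post: it parses an autorun.inf for the keys the Windows shell would execute, reports which executables it points at and whether they sit beside it, and runs that check over a throw-away folder; the sample autorun.inf contents and file names are constructed.

```python
import os
import tempfile

# [autorun] keys whose value is executed on auto-play, on double-clicking the
# drive letter, or from the drive's shell menu; the post's autorun.inf used such
# a key to start ph.exe.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")

# Constructed sample modelled on the post's description (not a real capture).
SAMPLE_AUTORUN = "[AutoRun]\nopen=ph.exe\nshell\\open\\Command=ph.exe\nicon=ph.exe,0\n"


def launch_targets(inf_text):
    """Return the lower-cased file names an autorun.inf would launch.

    Parsing is deliberately tolerant: section and key names are case-insensitive,
    and lines that are not key=value pairs (worms often pad the file with junk)
    are skipped rather than treated as errors.
    """
    targets = set()
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in LAUNCH_KEYS:
            parts = value.strip().strip('"').split()  # first token is the program
            if parts:
                targets.add(parts[0].lower())
    return targets


def scan_drive_root(root):
    """Report the worm's calling card under a drive root: an autorun.inf plus
    whether each executable it points at is present beside it."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, encoding="latin-1") as fh:
        targets = launch_targets(fh.read())
    report = ["autorun.inf launches: " + (", ".join(sorted(targets)) or "(nothing)")]
    for exe in sorted(targets):
        present = os.path.isfile(os.path.join(root, exe))
        report.append(f"{exe}: {'present' if present else 'missing'}")
    return report


def demo_infected_drive():
    """Build a temporary folder that mimics an infected USB root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "ph.exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
        return scan_drive_root(root)


if __name__ == "__main__":
    print("\n".join(demo_infected_drive()))
```

Point scan_drive_root at a real drive letter (for example "E:\\") after opening the drive with right-click > Explore rather than double-clicking it, as the post advises.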
I hope this post would be of some help to infected users. Do write to me on any Data Security or Data Protection questions that might arise in your mind.
Remember - Prevention is better than cure
Happy Computing!!!
29 comments:
Really nice post: nice detailed information. Keep it up. - Prashant Nalawade
Thanks Prashant :)
I tried the way you mentioned. But after reboot, I still couldn't find the file in 'Temp' fold to manually delete. The tool to see hidden files is not working either. Any suggestion? Thank you.
@San - If you find "Show Hidden Files and Folders" disabled, use one of the methods listed at http://www.technize.com/2007/05/13/show-hidden-files-and-folders-not-working/ . I personally used Method 3 & it worked fine for me.
If you still don't find a solution to your problem, you have possibly been infected by a variant of this Trojan.
Do let me know if you need any further assistance.
Thank you. But, even after I managed to enable the hidden files, I couldn't find herss.exe in 'temp' folder. I downloaded 'Magania.bzmw' from http://www.virusexperts.org/removal-tips-tools-and-videos/removal-tool-for-magania-bzmw-wormwin32taterf-btrojan-win32-inhoo-trojan/ and ran it. Now, I can't find herss.exe in startup anymore. Does it mean 'OK'?
My computer was infected in the same way as in your post through an infected USB drive. I have an updated Avast running but it cannot protect the attack. Later, I got the message from Avast that the computer is infected with ph.exe and I couldn't double click 'C' drive as usual.
@San - "Magania" seems to be a good utility. I had also found it, but much later before I had already found a cure.
To be sure that your problem has been fixed, check whether "ph.exe" & "autorun.inf" exist in your C drive. If its not there, your PC is then clean :-)
This Trojan is so district,it also disables your antivirus update ability!
well, am i so bad in computer? i cannot find 'Temp' folder to locate that 3 files and delete them manually. by the time i spend to look for it, herss.exe becomes active again :(
i have also tried magania like San said, but as i was afraid, that thing was either infected or a virus by itself
what should i do?
@talha - To locate your TEMP folder, login to your Windows account go to Start -> Run & type "%temp%" & then press enter. Also please read my post in detail. I have explained everything step by step.
Please let me know if you have any other query.
baudhayan
first of thanx a lot. here is what i do:
1) uncheck herss.exe from startup
2) reboot
3) correct 'show hidden files' by method 2
4) run %Temp%
5) non of the 3 files exist in Temp folder. i search them as well, they are not there. but herss.exe becomes active again after some time :(
Avast and the free version of pevx find the ph.exe file, but I can't find herss at System Configuration -> Startup as you mentioned (I can't toggle the show hidden folders either). What can I do?
The Trojan/Virus essentially disables the systems ability to show the hidden files, even though you may be able to toggle "Show Hidden Files and Folders". Please use method 4 mentioned in Technize & check for the presence of the files I have mentioned. If you are unable to delete the files in normal mode, boot up the system in Safe Mode & do the needful.
Hi again, thanks for your response and quick answer! I used method 4 and then method 3. I disabled herss.exe from System Configuration -> Startup and then deleted ph.exe and autorun.inf with the "smart virus remover" from method 4. Then I selected to show the hidden folders and it went OK, but I can't seem to find the herss.exe file. Any suggestions? Has the threat passed now? Sorry for all the trouble, but I don't know that much about computers! Thanks for the help in advance!
Hi Dimitris,
I guess your system is almost clean. Just cross check to see if you find herss.exe in your temp folder or ph.exe & autorun.inf from all your hard drives. In future always ensure that none of your drives other than the CD or DVD's should have an autorun.inf file.
Happy Computing!!!
hi baud,
i havent tried your method to get rid of this herss.exe or cdoosoft related viruses commonly known as onlinegames trojan. but i have tried the following to successfully delete them from the pc.
OS: Windows xp
1. Install Spy Doctor (free version)
2. Scan ur pc using spy doctor
3. I thought this step was the hardest part but it was easy! yea the key for the spydoctor software. spy doctor picked up all the traces of viruses and u need the key to fix them. look around for the key..trust me ..u ll find it;-) or buy the spyware doctor.
4. After you delete all the viruses using the software, go to the registry and search for herss.exe. Delete all keys where you find this.
5. Also search for cdoosoft. Delete the key.
Hopefully this helps.
you are great ,
i want to know one thing,
in my pc it detected herss.exe ,
and i download stopzilla (a virus removal tool) , can it remove that virus,
also suggest me a good antivirus
i have , avg, kaspeersky,bit defender ,....
and where i can download free antivirus program ,
pls reply me
@vysakh - Haven't yet tried stopzilla, but you can give it a try & check out whether it works or not. Be sure that it is a genuine software before you install it. It shouldn't happen that to remove a Trojan you end up installing another Trojan. Do checkout some reviews on the Net before installing.
With regards to Anti-Virus software, I am using the FREE registered version of Avast from about 1 year or so & haven't had any problems on my PC yet. Try out Avast - its light, its good & efficient.
Thanks a lot! Clear, easy to follow, and helpful!
i couldn't find the files in my temp folder but when i searched it, it was in windows folder name HERSS.EXE-2D76CCAD.pf. should i delete it?
i couldn't find herss.exe, pf.exe and autorun.inf. but herss.exe is still in my start up. how to remove it? also i found HERSS.EXE-2D76CCAD.pf in my windows folder. should i delete it?
@Zero - Please delete any entry you find for HERSS.EXE. Also uncheck the entry for HERSS.EXE from Start -> Run -> msconfig.
Hello guys... I am also having the same problem... I am sick of it... I even formatted my hard drive completely... installed a fresh version of Windows... and this virus came back... along with the three files mentioned. There is one more file, 8xcrbho6.exe, associated with this... Does anybody have any idea about this? Help will be highly appreciated.
@nik - Please read the post carefully. It's self explanatory.
Hey baud, i ran the smart virus remover and removed autorun.inf and another file and i now believe my system is ok.
Is there a way so that when i Run msconfig, herss, which i've unticked, will no longer appear there?
thanks
I believe that i've managed to remove this virus thanks to your help.
However, is there any way so that when I run msconfig again, the herss will no longer be there (I have unchecked it but the box remains)?
thanks
Hello, hmm my computer got infected with herss.exe a few days ago and avg resident shield detected it and i sent it to the virus vault. However, the problem is still there and cvasds1.dll and cvasds0.dll are detected today. I followed your instructions, however, even when I can't find herss.exe, ph.exe and autorun.inf in my C drive, herss.exe is still found in my startup. Is that normal? Sorry bud, I'm a noob in computers =/
i have been facing the same problem .. i had done this trick.
Start -> Run -> cmd ->
after entering the command prompt:
C:\> dir /a
it displays the hidden files autorun.inf and ph.exe as read only.
now
C:\> attrib -s -h -r autorun.inf
C:\> del autorun.inf
same thing for ph.exe
do the same thing for all the drives
it has worked for me.
regards
satya.nrn3@gmail.com
there are many "random alphanumeric".exe files in the C drive, which you need to remove.
if you open autorun.inf you can see it points to one of these files.
to clean up thoroughly, remove all those suspicious exe/bat/dll files in your C drive and temp folder.