Suspicious .exe files in Task Manager

Do you have a Lexmark printer? Did you enable printer sharing?

lexpps.exe - For Lexmark printers. From Lexmark: "This enables bi-directional printing over a peer to peer network. If the printer is connected directly to your PC, the file is not used, (or should not be used) at all". It is known that firewalls can however alert you to "lexpps.exe" requesting server privileges

 

Was there ever a Lexmark printer install on this PC or in the network if the PC has been used on a network.

 

If you are concerned that you may have malware problems, run the steps below.


- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

No problem! Just make sure your follow the steps properly for HJT to avoid any further delays.

 

Did you install NTUser? Here is a short blurb about it:

The NTUser application is designed to be run on a daily basis and collect Windows NT user account information. The application stores this information in a Microsoft® Access® database in daily tables.

What I am questioning is the below three services (and processes)

O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe


The NTsrv.exe process is also known to be added by a variant of the SERVU-O TROJAN!

I'm also worried about the below.
C:\WINDOWS\system\driver\csrss.exe
csrss.exe is normally only found running from c:\windows\system32

I would like answers to the NTuser question before suggesting any fixes. There is a good chance that the ntuser stuff and csrss.exe are related.


Also have you looked in Add/Remove programs for anything related to Lexmark. And since you say you do not have a Lexmark printer, uninstall it if found.

 

You cannot use Task Manager to do this since it cannot distinguish where the process is running from. You needed to end the one that I was questioning and not the one that would be running from the system32 folder. This can be don with HijackThis's built in Process Manager becaue it shows the full path to the process.

Check for uninstall for this NTUser stuff too. If there are none we will have to use manual procedures.

According to your HJT log the Lexmark process are not in a Lexmark folder. That is why search showed nothing. The files are:

C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE

You may be able to delete them after booting in safe mode. One of them is an NT Service and may not be so easily deleted without first stopping and disabling the service.

 

Yes delete the LEXBCES.EXE and LEXPPS.EXE files after booting to safe mode.

DO NOT touch those DAT files! They are for your registry.
The files we are questioning are given in the O23 lines in your HJT log. The files are:
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe

While in safe mode see if you can rename these two files:
ntuser.exe rename to ntuser.xxx
ntsrv.exe rename to ntsrv.xxx

I'm guessing you will not be able to do this rename as we may have to stop and the disable the NT services that are running.

 

Your HijackThis log showed the following earlier:
C:\WINDOWS\System32\smss.exe <--- valid Windows process
C:\WINDOWS\system32\winlogon.exe <--- valid Windows process
C:\WINDOWS\system32\services.exe <--- valid Windows process
C:\WINDOWS\system32\lsass.exe <--- valid Windows process
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe <-- what we were questioning
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe <-- what we were questioning
C:\WINDOWS\system\driver\csrss.exe <--- not where it normally runs from so this is questionable. It should be in the system32 folder. Check to see if you have one in system32.
C:\WINDOWS\system\driver\services.exe <--- not where it normally runs from -- should be in system32 and you did have one in system32.

Is your PC running OK now with those NT files renamed? Post a HJT log.

 

Perhaps you had something related to LexMark afterall and did not know it?

Try renaming:
C:\WINDOWS\system\driver\csrss.exe to csrss.xxx
C:\WINDOWS\system\driver\services.exe to services.xxx

 

Yes that is easy! We do need to fix the 023 lines in your HJT log too:

O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)

But I want to wait to be sure you do not need these for something you do not know about.

Is everything working OK! What about your print spooler problem?

 

Let's just give it a couple days! Running thru most of your normal daily processes with your PC for a reasonable amount of time should be a good indication of whether you need them or not. Right now they are harmless since we disabled them.

Also go to the C:\WINDOWS\SYSTEM\DRIVER folder (using Windows Explorer) and right click on the files we renamed and select Properties then select the Version tab (if it has one) and then work you way thru the list of Item names and see if we can find out the company that made the programs. The files as we renamed them are:
ntuser.xxx
ntsrv.xxx
csrss.xxx
services.xxx

 

Were the ZoneAlarm alerts incoming or outgoing? Incoming is probably not too unusal especially considering the fact that you had some problems here before and some bad sites may be looking for you. Some of these could also be form your ISP. Check out exactly where ZoneAlarm said they were from.

Well the services.xxx file was definitely not from Microsoft!
And that csrss.xxx file (even though it says Microsoft) is not from them either. The real csrss.exe file is in system32 and is only about 4k in size.

Are things still running OK?

 

So are things still running OK?

 

Great!

Can you put the ntuser.xxx file into a ZIP file and upload it here. I would like to look at it to see if I can find anymore out about it.

 

Well I took a quick look at that file. I could not get any additional info on it. I even ran it thru more than a dozen virus scanners and they found not problems in it. I still have to wonder what this was doing on your PC and where it came from. But since you are not having any problems using your PC, it would still appear that it was not needed.

 

No but it is probably related to the rest of the items we renamed.

This one is really strange! It really seems like it was part of some application that you would have installed and would be using. But why they would put a services.exe and a csrss.exe file there is strange. Are you sure the csrss.exe (now csrss.xxx) file was 682 kb in size?

 

The csrss.exx file would be too larger to post here (even if zipped). It does not really matter too much right now. Have you tried running all of the applications on your PC to make sure they all work?

 

Have you re-run any of the cleaning steps. It may be a good idea to do that. And then post a new HJT log here so we can see what you have picked up.

 

Did you configure the below three items?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woot.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woot.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

c:\windows\system32\oivutrd.exe

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ttrngt] c:\windows\system32\oivutrd.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\Bolger.dll
c:\windows\system32\oivutrd.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Have you run the VX2 Cleaner plugin for Ad-Aware? If not, please do so (it is in the READ ME FIRST).

Please reboot your PC and post a new HJT log immediately after reboot. Do not kill any bad processes you notice and do not reboot after posting your log. Wait for a reply.

 

By the way, you had the order wrong. That is not how I requested you to fix it.

You first kill the process!
Then you fix the line in HJT!
Then you boot to safe mode to delete the file!

This file may be renaming on each reboot so be sure to follow steps exactly as written.

 

The only item showing in your log is:

O4 - HKLM\..\Run: [imxoch] c:\windows\system32\eulzvbd.exe

Did you already terminate any strange or similarly names processes? Is this HJT log from immediately after a reboot?

First just have HJT fix the above O4 line.
Then reboot to safe mode and delete: c:\windows\system32\eulzvbd.exe
Tell me if you have any problems finding that file. Also sort the Windows Explorer view by selecting a detailed view and then click on the Date column. Look for an other randomly named files that appear to be new. Tell me if you find any and what they are named.

Reboot normal mode. Get a new HJT log. If the problem line is back (proabably with a different name), then run the steps below:

Download the following: Generic Detection Tool - NT/2000/XP


Extract all the files from the Generic Detection Tool into its own folder. And look for and run the find.bat file in that folder. Post the log it creates back here as an attachment. Make sure you wait long enough for it to complete. It will popup a notepad window with the log when finished.