Some suspect files..?



forrest44
30-08-2010, 07:52 PM
After formatting the hard drive and re-installing Win XP Pro for my old HP computer using the recovery disk, I noticed a folder C:\ICRTOILD, which contains a few files:
CLEANPOP (shortcut)
CLEANPOP.REG
DOSMOD.EXE
ICRTOILD.EXE
SHCICR.TXT
SHICRLD (shortcut)
SHILD.CMD
WINRUN.EXE

I've scanned the EXE files with some online virus scanners and everything appears OK. Does anyone know what these files are for?

Agent_24
30-08-2010, 08:06 PM
If it came from the HP recovery disk then it's most probably some weird HP utility program.

What do the TXT and REG files contain? That might give some clues as to what it does.

zqwerty
30-08-2010, 08:49 PM
When I get something like this I winrar or winzip the folder and delete the original, leaving the winrar/zipped file in the correct place so it is easy to remember where it is placed.

After a month or two if all seems ok and the computer hasn't complained about missing files then I either delete the winrar/zipped file or store it in My Docs for a while then finally after a while delete for good.

forrest44
30-08-2010, 08:57 PM
When I get something like this I winrar or winzip the folder and delete the original, leaving the winrar/zipped file in the correct place so it is easy to remember where it is placed.

After a month or two if all seems ok and the computer hasn't complained about missing files then I either delete the winrar/zipped file or store it in My Docs for a while then finally after a while delete for good.

Just done that. Good advice I think :)

Agent_24
30-08-2010, 09:27 PM
Upload your ZIP file to Rapidshare or something and I'll have a look if you want

Speedy Gonzales
30-08-2010, 09:32 PM
Install an AV program then scan them

Agent_24
30-08-2010, 09:53 PM
I highly doubt that it's a virus, since it would appear to have come from an HP restore disk.

It's probably a utility for doing some certain tasks related to restoring Windows from the recovery disk.

The TXT file in the folder probably contains information that would shed some light on it.

wainuitech
30-08-2010, 10:04 PM
The winrun can be very suspect. It could be a file named that way by HP, but it is also a very well known name of spyware/trojans, as described here (http://www.threatexpert.com/files/winrun.exe.html) - do a Google search of winrun.exe and just about all the answers say infection.

forrest44
30-08-2010, 10:43 PM
Upload your ZIP file to Rapidshare or something and I'll have a look if you want

http://rapidshare.com/files/416001061/ICRTOILD.zip

wainuitech
30-08-2010, 10:57 PM
Well they don't contain any viruses so that's a good thing :D

The files are not exactly too helpful in saying what they really do, apart from the obvious.


{ADDLINES AT END}
;
; Copy icrtoild.exe in startup directory
;
"c:\i386\regedit /S c:\icrtoild\cleanpop.reg"
"c:\icrtoild\SHILD.cmd"
@echo off

REM ------------------------------------------------------------
REM Copies Microsoft Shortcut in the startup directory (localized)
REM ------------------------------------------------------------
c:\icrtoild\Winrun /COPY C:\icrtoild\cleanpop.lnk idCmnStartup\cleanpop.lnk
c:\icrtoild\Winrun /COPY C:\icrtoild\shicrild.lnk idCmnStartup\shicrild.lnk
c:\i386\regedit /S c:\icrtoild\cleanpop.reg
rem c:\icrtoild\reg UPDATE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\tips\Show=dword:00000000
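
As an added triage example (my own code, not from the thread or from HP), this Python script scans batch-file text like the SHILD.CMD excerpt above and flags the lines that set up autostart: copies into a Startup folder or silent regedit imports. The sample text is a constructed copy of the quoted lines, and the regex patterns are my assumptions about what such a script typically looks like.

```python
import re

# Constructed sample: the SHILD.CMD lines quoted in the thread, embedded here
# so the script runs offline (not read from a real C:\icrtoild folder).
SAMPLE_CMD = r"""@echo off
REM Copies Microsoft Shortcut in the startup directory (localized)
c:\icrtoild\Winrun /COPY C:\icrtoild\cleanpop.lnk idCmnStartup\cleanpop.lnk
c:\icrtoild\Winrun /COPY C:\icrtoild\shicrild.lnk idCmnStartup\shicrild.lnk
c:\i386\regedit /S c:\icrtoild\cleanpop.reg
rem c:\icrtoild\reg UPDATE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\tips\Show=dword:00000000
"""

# Assumed indicators of autostart / persistence actions in a batch file:
# a destination inside a Startup folder (the idCmnStartup token used by
# Winrun on the page, or the literal Windows Startup path), a silent
# registry import, or a Run/RunOnce key reference.
STARTUP_DEST = re.compile(r"(idCmnStartup|\\Start Menu\\Programs\\Startup)\\", re.I)
REG_IMPORT = re.compile(r"\bregedit(\.exe)?\s+/s\s+(\S+)", re.I)
RUN_KEY = re.compile(r"CurrentVersion\\Run(Once)?\b", re.I)


def triage(script_text):
    """Return (line number, reason, line) for every executable line that
    looks like it establishes persistence. Commented lines are skipped."""
    findings = []
    for lineno, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        # REM / :: lines never execute, so they cannot persist anything
        if not line or line.lower().startswith(("rem ", "rem\t", "::")):
            continue
        if STARTUP_DEST.search(line):
            findings.append((lineno, "copies into a Startup folder", line))
        m = REG_IMPORT.search(line)
        if m:
            findings.append((lineno, "silently imports registry file " + m.group(2), line))
        if RUN_KEY.search(line):
            findings.append((lineno, "touches a Run/RunOnce key", line))
    return findings


if __name__ == "__main__":
    for lineno, reason, line in triage(SAMPLE_CMD):
        print(f"line {lineno}: {reason}\n    {line}")
```

Run it over any unknown .cmd file by replacing SAMPLE_CMD with the file's contents; the flagged lines tell you which Startup entries and .reg imports to inspect before deciding whether to keep the folder.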

Speedy Gonzales
30-08-2010, 11:06 PM
I would check and see if any of them are in startup.

forrest44
30-08-2010, 11:12 PM
I would check and see if any of them are in startup.

The cleanpop.reg was present in the startup folder (I've removed it)

Thanks for your help people, have zipped the folder and comp. still appears to be running fine :)

Agent_24
31-08-2010, 08:59 PM
Looking at "ICRTOILD.EXE" in Resource Hacker some of the dialog boxes suggest it's a program which does the actual system restoration. (and maybe other things)

The "WinRun.exe" appears to be a program which you would use to launch programs etc from a command-line script\batch file etc.

If you run it you get a nice window showing all the things it can run and how to do so.