bad trojan in my ram (help!)

12 replies to this topic

#1 kwainewman


Posted 21 February 2009 - 01:01 AM

Hi there. I have a really bad problem: I can't run any .exe files or any of my apps. Normally when I get a problem I just format and reinstall Windows and everything is fine. I have 2 internal hard drives: one 80 gig which is my master, which Windows is installed on (Win XP Pro and Service Pack 2), and my slave, which is a 320 gig and has all my apps and files on it. Every time I try to run an .exe after an installation I get the error that it has encountered a problem and needs to close. Now, after reading heaps of topics in your forum I discovered an app called SUPERAntiSpyware, which installed OK, and it found that I have a trojan in my RAM called reader_s.exe. Now correct me if I'm wrong, but being in my RAM will explain why formatting and reinstalling Windows won't remove it. OK, now when I try using SUPERAntiSpyware or any other programme to remove it, as soon as the app detects it my PC just shuts down, thus preventing me from using the app to remove it from my RAM. I'm lost as to what to do and can't really think of any way to solve this. Any help will be awesome, as you can imagine, and I will always be in debt to you guys. I hope this was good enough info for you; if not, just ask me.

Regards,

kwai newman

#2 DaChew


Posted 21 February 2009 - 03:38 AM

Any process runs in RAM; however, that RAM is volatile: when you remove power, the information there is lost.

There's a type of malware called a file infector: any executable you saved as data before a format can reinfect you after.

Some people reinfect their computers by saving and reinstalling the malware in a keygen or crack.

And now we have the problem of router infections, where DNS servers are set to redirect you to malicious web pages after a format.

Post your SAS log, please.
Chewy

No. Try not. Do... or do not. There is no try.

#3 DaChew


Posted 21 February 2009 - 05:11 AM

C:\WINDOWS\System32\reader_s.exe

Google gave me very little on this file, but looking at some logs here, it would seem to be associated with newer Virut.

http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

Saving and reinstalling infected files?

#4 kwainewman


Posted 21 February 2009 - 11:41 AM

> C:\WINDOWS\System32\reader_s.exe
>
> Google gave me very little on this file but looking at some logs here, it would seem to be associated with newer virut
>
> http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html
>
> Saving and reinstalling infected files?

Hi, thank you very much for your quick reply. I'm sorry for sounding like a noob; how do I post my SAS... I hope this is the info you need.

DDS (Ver_09-02-01.01) - NTFSx86
Run by kwai at 17:36:20.42 on Sat 02/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1666 [GMT 11:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\magnify.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe C:\WINDOWS\TEMP\VRT12.tmp
C:\Documents and Settings\kwai\reader_s.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe C:\WINDOWS\TEMP\VRT19.tmp
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\kwai\My Documents\dds.com

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\temp\init.exe
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [services] c:\windows\services.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [reader_s] c:\documents and settings\kwai\reader_s.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
SUnknown CcEvtSvc;CcEvtSvc; [x]

=============== Created Last 30 ================

2009-02-21 17:30 2,560 a------- c:\windows\system32\1E.tmp
2009-02-21 17:30 88,065 a------- c:\windows\system32\1C.tmp
2009-02-21 17:29 208 a------- c:\windows\system32\1A.tmp
2009-02-21 17:02 2,560 a------- c:\windows\system32\17.tmp
2009-02-21 17:02 55,809 a------- c:\windows\services.exe
2009-02-21 17:02 88,065 a------- c:\windows\system32\15.tmp
2009-02-21 17:02 208 a------- c:\windows\system32\13.tmp
2009-02-21 16:33 2,560 a------- c:\windows\system32\D.tmp
2009-02-21 16:33 55,809 a------- c:\windows\services.ex_
2009-02-21 16:33 88,065 a------- c:\windows\system32\A.tmp
2009-02-21 16:33 208 a------- c:\windows\system32\4.tmp
2009-02-21 15:19 2,560 a------- c:\windows\system32\C.tmp
2009-02-21 15:19 88,065 a------- c:\windows\system32\9.tmp
2009-02-21 14:51 2,560 a------- c:\windows\system32\7.tmp
2009-02-21 14:51 88,065 a------- c:\windows\system32\5.tmp
2009-02-21 14:51 208 a------- c:\windows\system32\3.tmp
2009-02-21 14:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-21 14:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-21 14:16 <DIR> --d----- c:\docume~1\kwai\applic~1\SUPERAntiSpyware.com
2009-02-21 14:15 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-21 13:23 616 a------- c:\windows\system32\8.tmp
2009-02-21 13:23 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-02-21 13:22 47,104 a------- c:\windows\system32\reader_s.exe
2009-02-21 13:22 47,104 a------- c:\documents and settings\kwai\reader_s.exe
2009-02-21 13:22 88,065 a------- c:\windows\system32\CcEvtSvc.exe
2009-02-21 13:21 208 a------- c:\windows\system32\2.tmp
2009-02-21 13:16 3,219 a------- c:\windows\Ascd_tmp.ini
2009-02-21 13:16 5,824 a------- c:\windows\system32\drivers\ASUSHWIO.SYS
2009-02-21 13:14 139,264 a----r-- c:\windows\system32\Prounstl.exe
2009-02-21 13:14 126,976 a----r-- c:\windows\system32\e1000msg.dll
2009-02-21 13:14 121,856 a----r-- c:\windows\system32\drivers\e1000325.sys
2009-02-21 13:14 24,064 a----r-- c:\windows\system32\IntelNic.dll
2009-02-21 13:14 2,725 a----r-- c:\windows\system32\e1000325.din
2009-02-21 13:07 206,862 a------- c:\windows\system32\nvapps.xml
2009-02-21 13:07 453,152 a------- c:\windows\system32\nvudisp.exe
2009-02-21 13:07 18,725 a------- c:\windows\system32\nvdisp.nvu
2009-02-21 13:07 <DIR> --d----- c:\windows\nview
2009-02-21 13:04 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-21 13:04 <DIR> --d----- C:\NVIDIA
2009-02-21 12:43 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-21 12:40 <DIR> --ds---- c:\windows\system32\Microsoft
2009-02-21 12:35 <DIR> --d----- c:\windows\ServicePackFiles
2009-02-21 12:34 2,897,920 -------- c:\windows\system32\xpsp2res.dll
2009-02-21 12:33 19,528 a------- c:\windows\002237_.tmp
2009-02-21 12:33 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-02-21 12:33 32,768 a------- c:\windows\system32\spupdsvc.exe
2009-02-21 12:31 <DIR> --d----- c:\windows\EHome
2009-02-21 12:17 <DIR> --dsh--- c:\windows\Installer
2009-02-21 12:17 <DIR> --d----- c:\documents and settings\kwai
2009-02-21 12:16 8,192 a------- c:\windows\REGLOCS.OLD
2009-02-21 12:14 6,144 ac------ c:\windows\system32\dllcache\kbdax2.dll
2009-02-21 12:13 2,577 a------- c:\windows\system32\CONFIG.NT
2009-02-21 12:13 0 a------- c:\windows\control.ini
2009-02-21 12:13 25,065 a------- c:\windows\system32\wmpscheme.xml
2009-02-21 12:13 23,392 a------- c:\windows\system32\nscompat.tlb
2009-02-21 12:13 16,832 a------- c:\windows\system32\amcompat.tlb
2009-02-21 12:13 299,552 a------- c:\windows\WMSysPrx.prx
2009-02-21 12:13 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-02-21 12:11 <DIR> --d----- c:\program files\common files\MSSoap
2009-02-21 12:11 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-02-21 12:11 <DIR> --d----- c:\program files\Online Services
2009-02-21 12:10 <DIR> --d----- c:\program files\Messenger
2009-02-21 12:10 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-02-21 12:10 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-02-21 13:23 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-02-21 12:39 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-21 12:11 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 17:36:30.79 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/21/2009 12:15:35 PM
System Uptime: 2/21/2009 4:32:00 PM (1 hours ago)

Motherboard: ASUSTeK Computer Inc. | | P4C800-E
Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU 1 | 3006/200mhz
Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU 1 | 3006/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 34 GiB total, 29.864 GiB free.
D: is FIXED (NTFS) - 146 GiB total, 15.017 GiB free.
E: is CDROM (CDFS)
F: is CDROM (CDFS)
G: is FIXED (NTFS) - 152 GiB total, 3.452 GiB free.
J: is FIXED (NTFS) - 40 GiB total, 39.984 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24DD&SUBSYS_80A61043&REV_02\3&267A616A&0&EF
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24DD&SUBSYS_80A61043&REV_02\3&267A616A&0&EF
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_80F31043&REV_02\3&267A616A&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_80F31043&REV_02\3&267A616A&0&FD
Service:

==== System Restore Points ===================

RP1: 2/21/2009 12:17:57 PM - System Checkpoint
RP2: 2/21/2009 12:33:31 PM - Installed Windows XP Service Pack 2.
RP3: 2/21/2009 2:16:00 PM - Installed SUPERAntiSpyware Free Edition

==== Installed Programs ======================

HijackThis 1.99.1
Intel® PRO Network Adapters and Drivers
NVIDIA Drivers
SUPERAntiSpyware Free Edition
WebFldrs XP
Windows XP Service Pack 2

==== Event Viewer Messages From Past Week ========

2/21/2009 1:32:08 PM, error: Service Control Manager [7034] - The CcEvtSvc service terminated unexpectedly. It has done this 1 time(s).
2/21/2009 2:55:14 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.

==== End Of File ===========================
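The helpers in this thread read the DDS log by eye for the signs that give Virut-style infections away: an extra entry appended to the Winlogon Userinit value, svchost.exe hosting a .tmp payload out of TEMP, a core Windows binary name living outside system32, and an autorun entry pointing at an executable dropped in the profile root. The script below is an added example, not part of the thread or of DDS, SUPERAntiSpyware or any BleepingComputer tool; it applies those same heuristics to a constructed sample built from a few lines of the log above, and the names `triage_dds`, `CORE_BINARIES`, `PROFILE_ROOT_EXE` and `RUN_KEY` are its own.

```python
import re

# Constructed sample: lines modelled on the DDS log posted above (raw string, single backslashes).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\temp\init.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [services] c:\windows\services.exe
dRun: [reader_s] c:\documents and settings\kwai\reader_s.exe
"""

# Names that belong in system32; the same name living elsewhere is a classic impostor sign.
CORE_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
# An .exe sitting directly in a user's profile root (not a subfolder) is unusual for real software.
PROFILE_ROOT_EXE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$")
RUN_KEY = re.compile(r'^[umd]run: \[[^\]]*\]\s+"?([^"]+?\.exe)"?')

def triage_dds(text):
    """Return (section, original line, reason) for every line that trips a heuristic."""
    findings, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("=") and line.endswith("="):
            section = line.strip("= ")  # e.g. "Running Processes"
            continue
        if not line:
            continue
        low = line.lower()
        if section == "Running Processes":
            # a real svchost takes "-k <group>"; a .tmp image under TEMP is loader behaviour
            if low.startswith("svchost.exe") and "\\temp\\" in low and low.endswith(".tmp"):
                findings.append((section, line, "svchost hosting a .tmp payload from TEMP"))
        elif section == "Pseudo HJT Report":
            m = re.match(r"^mwinlogon: userinit=(.*)$", low)
            if m:  # only system32\userinit.exe belongs here; anything appended runs at every logon
                extra = [p for p in m.group(1).split(",") if p and not p.endswith("\\system32\\userinit.exe")]
                if extra:
                    findings.append((section, line, "extra Userinit entry: " + ", ".join(extra)))
                continue
            m = RUN_KEY.match(low)
            if m:
                path = m.group(1)
                folder, _, name = path.rpartition("\\")
                if name in CORE_BINARIES and folder != "c:\\windows\\system32":
                    findings.append((section, line, f"{name} outside system32"))
                elif PROFILE_ROOT_EXE.match(path):
                    findings.append((section, line, "autorun executable in profile root"))
    return findings
```

Run against the sample it reports four findings: the VRT2.tmp svchost, the init.exe Userinit entry, services.exe in c:\windows, and the reader_s.exe autorun in the kwai profile root; the NvCplDaemon entry and the DcomLaunch svchost pass.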

#5 DaChew


Posted 21 February 2009 - 11:47 AM

Please disconnect that computer from any other computers and the internet.

Use a clean computer and read the link I posted.

#6 kwainewman


Posted 21 February 2009 - 12:30 PM

> Please disconnect that computer from any other computers and the internet
>
> Use a clean computer and read the link I posted

OK, will do. 1 last question: I use a wireless broadband connection; can my wireless modem be the problem? Also, should I not use any of my apps that I have on my other hard drive after I reinstall Windows? This is the only PC I have.

#7 DaChew


Posted 21 February 2009 - 12:36 PM

http://www.bleepingcomputer.com/forums/ind...t&p=1128770

should answer those questions.

#8 kwainewman


Posted 21 February 2009 - 12:49 PM

> http://www.bleepingcomputer.com/forums/ind...t&p=1128770
>
> should answer those questions

Look, I just want to say that you have saved my life and my PC. You're awesome. I know now what to do to fix this problem (I'm hoping). I'll get back to you after I clean my PC. You went out of your way to help me for no reason. Why do you do this? You must be an angel or something... lol

#9 kwainewman


Posted 21 February 2009 - 02:26 PM

Thanks again. I'm back from a format :thumbsup: and formatted my other hard drive too, even though I lost huge amounts of stuff, but I don't care; at least my PC is clean now and I can rebuild. Thanks again for all your help.

#10 DaChew


Posted 21 February 2009 - 05:21 PM

It seems this infection is coming from P2P a lot.

:thumbsup:

> why do you do this you must be an angel or sumfin...lol

It relieves the boredom, and threads like this are gratifying.

Safe Hex

I am glad to pass on the knowledge that I get from this great community.

Edited by DaChew, 21 February 2009 - 05:23 PM.


#11 kwainewman


Posted 23 February 2009 - 12:17 PM

> It seems this infection is coming from P2P a lot
>
> :thumbsup:
>
> why do you do this you must be an angel or sumfin...lol
>
> It relieves the boredom and threads like this are gratifying
>
> Safe Hex
>
> I am glad to pass on the knowledge that I get from this great community

I see, and I hope that my thread helps other people that might get this infection, cause it was a bad one. I don't use P2P like torrents any more; I pay money for access to Usenext now. It's much safer. I got most of my apps back from in there. I don't use file sharing apps like Kazaa etc. any more either. My PC is mainly for games; I don't use the net all that much. Do you recommend that I buy an anti-virus app, and if so, which do you think is the best one? I have never bothered with them, but it looks like I should now after what's just happened. Do you think I should? (Cause I think they're a waste of time IMO.)

#12 DaChew


Posted 23 February 2009 - 05:15 PM

The KIS with HIPS is one of the only protections blocking the newest variants.

At $80 a year I would hope so.

http://usa.kaspersky.com/store/

Edited by DaChew, 23 February 2009 - 05:18 PM.


#13 kwainewman


Posted 23 February 2009 - 09:38 PM

> The KIS with HIPS is one of the only protections blocking the newest variants
>
> @80$ a year I would hope so
>
> http://usa.kaspersky.com/store/

I appreciate your help here, Chew. Yeah, quite expensive. I'm trying out the trial version now. I'm not keeping stuff on my hard drive that I want to lose any more; just gonna keep 'em on DVD-Rs. But it looks like it does what it says. My 320 gig hard drive is gonna seem quite lonely now. I have 1 question for you: my version of Windows doesn't recognize my 320 gig hard drive until I install Windows on my 80 gig and install SP2. Will updating my BIOS fix this, or will I just have to get a newer version of XP? Many thanks on this if you can answer it.
