Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

wmiprvse, 7z and reader_s, no safe mode


  • Please log in to reply
1 reply to this topic

#1 rootkicik

rootkicik

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 22 March 2009 - 03:53 PM

Hi!

I have problems with my PC.

- Services.exe performs illegal operaions
- reader_s didn't use to appear on the processes list before the problem began. The same with actcontroller.
- PC is much slower now.
- There is some strange Internet transfer. Even if I don't use any internet programs, I read that my computer transfered many megabytes.
- Safe mode doesn't work.
- Sometimes there also are some applications with random names, like 7z.exe. But they're not all the time there. I think wmiprvse can be one of them.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:34:15, on 2009-03-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\ivo\Expressivo\expressivo.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Documents and Settings\Ahmed\reader_s.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Huawei technologies\Mobile Connect\Mobile Connect.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\UnHackMe\UnHackMe.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\windres.exe,C:\WINDOWS\system32\regwiz.exe,C:\WINDOWS\system32\c++.exe,C:\WINDOWS\system32\undname.exe,C:\WINDOWS\system32\deviceemulator.exe,C:\WINDOWS\system32\undname.exe,C:\WINDOWS\system32\ndetect.exe,C:\WINDOWS\system32\windres.exe,C:\WINDOWS\system32\pdbcopy.exe,C:\WINDOWS\system32\undname.exe,C:\WINDOWS\system32\gcc.exe,C:\WINDOWS\system32\windres.exe,C:\WINDOWS\system32\twex.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\ndetect.exe,C:\WINDOWS\system32\c++.exe,C:\WINDOWS\system32\codeblocks.exe,
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe.del.exe" /tray
O4 - HKCU\..\Run: [Expressivo] "C:\Program Files\ivo\Expressivo\expressivo.exe" -t
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Ahmed\reader_s.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4BACF9E-7CA2-4663-973C-5696FA71C066}: NameServer = 213.158.199.1 213.158.199.5

--
End of file - 5000 bytes



Don't crack your heads at "tlen". I know what it is and it's OK.


Thanks In Advance
Rootkicik

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:46 PM

Posted 24 March 2009 - 05:49 PM

Hello Rootkicik,

I'm afraid I have bad news for you :thumbup2:

I see you're dealing with Virut on your system. In that case, it's probablyly a lost cause - Game over situation and a format and reinstall is the fastest and especially the safest solution.

You may want to read this why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you to start backup all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.
I guess that's what's happening to you. Either reinfecting by use of infected data you backed up, or an infected external medium.
Make sure during reinstall you delete all partitions present on the hard drive, and use the (slower) deep format prior to creating new partitions !!

Read here for instructions how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html

If reinstalling is absolutely no option for you,
then we may attempt another solution, although the outcome will be dubious at best.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users