Possible Reader_S Infection and Virtual Memory Issues,


  • This topic is locked
2 replies to this topic

#1 skhan1986

skhan1986

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 26 April 2009 - 02:27 PM

The situation: Home from college and helping fix the family computer. Mom said she's run Ad-Aware and SpyBot with some minimal success. Something seems to be eating up the virtual memory, as on startup these messages come up:

BM12.tmp - Application Error
Virtual Memory Minimum Too Low


The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not be "read".

Through a previous experience I was told she had deleted the responsible reader_s files from the WINDOWS folder however couldn't get rid of an 'ndis' file of sorts. The computer will typically run for about twenty minutes before it decides to go black. When opening Task Manager CPU usage and Memory are nearly maxed out. Per posting instruction, the DDS file is copied and pasted below. Thanks in advance.

-Shamyal

DDS (Ver_09-03-16.01) - NTFSx86
Run by Fra Diavalo at 13:48:10.83 on Sun 04/26/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.91 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\c++.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Acuson\CypressViewer\Bin\Release\CypressLinkService.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\FRADIA~1\LOCALS~1\Temp\1589716316.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\AOL\1195965466\ee\aolsoftware.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Fra Diavalo\Desktop\dds.com
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\c++.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\yaubfh983ind.dll: {a5af42a3-94f3-42bd-f634-0604832c897d} - c:\windows\system32\yaubfh983ind.dll
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\windows\temp\nx27eizb4.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Diagnostic Manager] c:\docume~1\fradia~1\locals~1\temp\1589716316.exe
mRun: [15327] c:\windows\system32\52C.tmp.exe
mRun: [nVidia64 System Drivers] nvsys64.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Mbewereco] rundll32.exe "c:\windows\otawijehulal.dll",e
mRun: [services] c:\windows\services.exe
mRun: [Radio-TV adverts] c:\windows\temp\rtv_winupd.exe
mRun: [Radio-TV adverts] c:\windows\temp\rtv_winupd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
dRun: [Windows Resurections] c:\windows\temp\ra1n2c5.exe
dRun: [<NO NAME>] c:\windows\temp\ra1n2c5.exe
dRun: [Diagnostic Manager] c:\windows\temp\3514865956.exe
dRun: [svc] c:\program files\thunmail\testabd.exe
dRun: [reader_s] c:\documents and settings\fra diavalo\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\NETGEA~1.LNK -
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
STS: c:\windows\system32\zfgh83jg3.dll: {d5bf49a0-94f3-42bd-f434-3604812c8955} - c:\windows\system32\zfgh83jg3.dll
STS: c:\windows\system32\yaubfh983ind.dll: {a5af42a3-94f3-42bd-f634-0604832c897d} - c:\windows\system32\yaubfh983ind.dll
SecurityProviders: msapsspc.dll schannel.dll digest.dll msnsspc.dll
LSA: Notification Packages = scecli wmdmsl.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fradia~1\applic~1\mozilla\firefox\profiles\kzsy5d8s.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: XUL Cache: {0CDA0A02-B149-4AC6-BD87-ACD3B80571F3} - c:\documents and settings\fra diavalo\local settings\application data\{0CDA0A02-B149-4AC6-BD87-ACD3B80571F3}
FF - HiddenExtension: XUL Cache: {A0DDDDF7-9C37-4990-8502-460614AD7456} - c:\windows\system32\config\systemprofile\local settings\application data\{A0DDDDF7-9C37-4990-8502-460614AD7456}

============= SERVICES / DRIVERS ===============

R0 protect;protect;c:\windows\system32\drivers\protect.sys --> c:\windows\system32\drivers\protect.sys [?]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S1 bei41b8;bei41b8;c:\windows\system32\drivers\bei41b8.sys --> c:\windows\system32\drivers\bei41b8.sys [?]
S1 cgj1ee2;cgj1ee2;c:\windows\system32\drivers\cgj1ee2.sys --> c:\windows\system32\drivers\cgj1ee2.sys [?]
S1 dgja2ea;dgja2ea;c:\windows\system32\drivers\dgja2ea.sys --> c:\windows\system32\drivers\dgja2ea.sys [?]
S1 ethwgrew;ethwgrew;c:\windows\system32\drivers\ethwgrew.sys --> c:\windows\system32\drivers\ethwgrew.sys [?]
S1 mqtd648;mqtd648;c:\windows\system32\drivers\mqtd648.sys --> c:\windows\system32\drivers\mqtd648.sys [?]
S1 nbf0b2d;nbf0b2d;c:\windows\system32\drivers\nbf0b2d.sys --> c:\windows\system32\drivers\nbf0b2d.sys [?]
S1 ora28ed;ora28ed;c:\windows\system32\drivers\ora28ed.sys --> c:\windows\system32\drivers\ora28ed.sys [?]
S3 at1394;at1394;c:\windows\system32\at1394.sys [2004-8-4 2304]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-04-26 13:37 61,440 a------- c:\windows\system32\B.tmp
2009-04-26 13:37 36,352 a------- c:\windows\system32\reader_s.exe
2009-04-26 13:37 152,064 a------- c:\windows\system32\8.tmp
2009-04-26 13:37 124 a------- c:\windows\system32\7.tmp
2009-04-26 13:20 0 a------- c:\windows\system32\9.tmp
2009-04-26 13:20 0 a------- c:\windows\system32\6.tmp
2009-04-26 13:19 124 a------- c:\windows\system32\2.tmp
2009-04-26 12:16 <DIR> --d----- c:\program files\Trend Micro
2009-04-26 12:12 0 a------- c:\windows\system32\160.tmp
2009-04-26 12:12 61,440 a------- c:\windows\system32\15F.tmp
2009-04-26 12:11 153,088 a------- c:\windows\system32\15D.tmp
2009-04-26 12:10 124 a------- c:\windows\system32\15C.tmp
2009-04-20 03:11 61,440 a------- c:\windows\system32\5.tmp
2009-04-20 03:10 128 a------- c:\windows\system32\4.tmp
2009-04-19 19:19 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-19 19:19 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-19 19:19 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-19 19:19 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-19 19:06 <DIR> --d----- c:\windows\system32\appmgmt
2009-04-19 18:50 38 a------- C:\12.tmp
2009-04-19 18:50 0 a------- C:\11.tmp
2009-04-19 18:49 0 a------- C:\F.tmp
2009-04-19 18:49 0 a------- C:\10.tmp
2009-04-19 18:49 0 a------- C:\E.tmp
2009-04-19 18:49 0 a------- C:\D.tmp
2009-04-19 18:49 0 a------- C:\C.tmp
2009-04-19 18:49 0 a------- C:\B.tmp
2009-04-19 18:49 0 a------- C:\A.tmp
2009-04-19 18:49 38 a------- C:\9.tmp
2009-04-19 18:49 52,736 a------- C:\8.tmp
2009-04-19 18:49 23,040 a------- C:\7.tmp
2009-04-19 18:34 80 a------- c:\windows\system32\C.tmp
2009-04-19 18:22 80 a------- c:\windows\system32\3.tmp
2009-04-19 16:21 <DIR> --d----- c:\program files\LanqiEngine
2009-04-19 16:21 735,232 a------- c:\windows\system32\AdvOcr.dll
2009-04-19 16:21 94,208 a------- c:\windows\system32\TRSOCR.dll
2009-04-19 16:21 1,308 a------- c:\windows\system32\TRSOCR.ini
2009-04-19 16:21 1,308 a------- c:\windows\system32\TRSOCR.dat
2009-04-19 16:00 80 a------- c:\windows\system32\14D.tmp
2009-04-18 13:29 0 a------- c:\windows\system32\14C.tmp
2009-04-18 13:29 84 a------- c:\windows\system32\14B.tmp
2009-04-16 22:37 68,096 a------- c:\windows\services.exe
2009-04-16 22:37 66,048 a------- c:\windows\system32\c++.exe
2009-04-16 22:36 71,680 a------- c:\windows\system32\14A.tmp
2009-04-16 22:36 168 a------- c:\windows\system32\149.tmp
2009-04-15 18:31 38 a------- C:\155.tmp
2009-04-15 18:31 0 a------- C:\154.tmp
2009-04-15 18:31 0 a------- C:\153.tmp
2009-04-15 18:31 0 a------- C:\152.tmp
2009-04-15 18:31 0 a------- C:\151.tmp
2009-04-15 18:31 0 a------- C:\150.tmp
2009-04-15 18:31 0 a------- C:\14F.tmp
2009-04-15 18:31 0 a------- C:\14E.tmp
2009-04-15 18:31 0 a------- C:\14D.tmp
2009-04-15 18:31 38 a------- C:\14C.tmp
2009-04-15 18:31 63,488 a------- C:\14B.tmp
2009-04-15 18:31 15,000 a------- c:\windows\system32\yaubfh983ind.dll
2009-04-15 18:11 296 a------- c:\windows\system32\MRT.INI
2009-04-15 07:12 15,000 a------- c:\windows\system32\zfgh83jg3.dll
2009-04-14 07:50 0 a------- c:\windows\Xgesuqu.bin
2009-04-14 07:50 408 a------- c:\windows\Shazi.dat
2009-04-14 07:17 3 a------- c:\windows\system32\bversion.dll
2009-04-14 07:15 565,248 a------- c:\windows\system32\IPHACTION.dll
2009-04-13 23:08 80 a------- c:\windows\system32\138.tmp
2009-04-13 22:59 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-13 22:48 0 a------- c:\windows\system32\IpSvchostF.dll
2009-04-13 22:42 61,440 a------- c:\windows\system32\tcpd.exe
2009-04-13 22:42 20,480 a------- c:\windows\system32\AUTMGR.EXE
2009-04-13 22:42 984,576 a------- c:\windows\system32\kernel32_check.dll
2009-04-13 22:42 172,032 a------- c:\windows\system32\tcpcon.dll
2009-04-13 22:42 10,240 a------- c:\windows\system32\Packer.dll
2009-04-13 22:42 9 a------- c:\windows\system32\riphy.dll
2009-04-13 22:42 9 a------- c:\windows\system32\iphy.dll
2009-04-13 22:42 3 a------- c:\windows\system32\fhpatch.dll
2009-04-13 20:47 <DIR> --d----- c:\docume~1\fradia~1\applic~1\Malwarebytes
2009-04-13 20:47 17,144 a------- c:\windows\system32\drivers\mbam.sys
2009-04-13 20:47 38,472 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 20:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-13 20:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-08 22:11 21,704 a------- c:\windows\system32\rr.exe
2009-04-08 15:21 142,464 a------- c:\windows\system32\drivers\aec.sys
2009-04-06 18:04 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-06 15:59 221,184 a------- c:\windows\system32\wmpns.dll
2009-04-06 15:56 0 a------- c:\windows\system32\52D.tmp
2009-04-06 15:56 19,968 a------- c:\windows\system32\52C.tmp
2009-04-06 15:56 <DIR> --d----- c:\windows\system32\3361
2009-04-06 15:55 <DIR> --d----- c:\windows\dhcp
2009-04-06 15:55 <DIR> --dshr-- c:\program files\ThunMail
2009-04-06 15:55 21,704 a------- c:\windows\system32\vv.exe
2009-04-06 15:55 64,512 a------- c:\windows\system32\529.tmp
2009-04-06 15:55 128 a------- c:\windows\system32\526.tmp
2009-04-03 18:33 90,624 a--shr-- c:\windows\system32\nvsys64.ex_

==================== Find3M ====================

2009-04-26 13:37 2,180,352 ----h--- c:\windows\system32\ntoskrnl.exe
2009-04-06 15:56 66,048 ac------ c:\windows\system32\regwiz.exe
2009-04-06 15:55 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-02-20 03:30 659,456 a------- c:\windows\system32\wininet.dll
2009-02-20 03:30 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-03 15:08 55,808 a------- c:\windows\system32\secur32.dll
2007-04-23 14:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 335,872 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 233,472 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 130,108 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 49,152 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 40,960 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 38,912 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 13:50:21.41 ===============

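The "Pseudo HJT Report" section of the log above lists the persistence points a malware helper reads first: the Winlogon Userinit value, AppInit_DLLs, the Run keys, the Explorer and system policies, and the browser extensions. As an added example that is not part of the original post and not part of DDS, the Python script below applies a few of those triage heuristics to lines in the DDS format. The sample lines are constructed from entries in the posted log plus two benign ones for contrast; the rules themselves (the stock Userinit value, autoruns launched from a temp directory, executables dropped into the Windows root or a profile root, browser extensions whose only "name" is their own path) are the script's assumptions, not anything DDS reports.

```python
import re
from typing import List, Tuple

# Constructed sample (not the full log above): lines in the DDS "Pseudo HJT Report"
# format, mixing entries from the posted log with benign ones for contrast.
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\c++.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\yaubfh983ind.dll: {a5af42a3-94f3-42bd-f634-0604832c897d} - c:\windows\system32\yaubfh983ind.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\windows\temp\nx27eizb4.exe
uRun: [Diagnostic Manager] c:\docume~1\fradia~1\locals~1\temp\1589716316.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [services] c:\windows\services.exe
dRun: [reader_s] c:\documents and settings\fra diavalo\reader_s.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
"""

# Assumption: on a stock Windows XP install Userinit carries only this one program.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[(.*?)\] (.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (DisableRegistryTools|NoFolderOptions) = 1\b")
BHO_RE = re.compile(r"^(?:BHO|STS): (.*?): \{[0-9a-f-]{36}\} - (.*)$", re.IGNORECASE)


def _extract_path(command: str) -> str:
    """Return the program path from a Run-key command, dropping quotes and arguments."""
    low = command.strip().lower()
    if low.startswith('"'):
        return low[1:low.find('"', 1)]
    end = low.find(".exe")  # unquoted paths may contain spaces, so cut after the extension
    return low[:end + 4] if end != -1 else low.split(" ")[0]


def triage(report: str) -> List[Tuple[str, str]]:
    """Apply persistence heuristics to a Pseudo HJT report; return (line, reason) pairs."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("mWinlogon: Userinit="):
            entries = [e.strip().lower() for e in line.split("=", 1)[1].split(",") if e.strip()]
            extras = [e for e in entries if e != STOCK_USERINIT]
            if extras:
                findings.append((line, "extra Userinit program(s): " + ", ".join(extras)))
            continue
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append((line, "AppInit_DLLs is populated (DLL loaded into every GUI process)"))
            continue
        if POLICY_RE.match(line):
            findings.append((line, "policy hides Folder Options or disables registry tools"))
            continue
        m = BHO_RE.match(line)
        if m and m.group(1).lower() == m.group(2).lower():
            findings.append((line, "browser extension with no display name, only its own path"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, path = m.group(2), _extract_path(m.group(3))
            if name == "<NO NAME>":
                findings.append((line, "autorun entry without a name"))
            elif "\\temp\\" in path:
                findings.append((line, "autorun launches from a temp directory"))
            elif re.fullmatch(r"c:\\windows\\[^\\]+\.exe", path):
                # Heuristic: the real services.exe lives in system32, not the Windows root.
                findings.append((line, "executable placed directly in the Windows root"))
            elif re.fullmatch(r"c:\\documents and settings\\[^\\]+\\[^\\]+\.exe", path):
                findings.append((line, "executable placed directly in a user profile root"))
    return findings


if __name__ == "__main__":
    for hit, reason in triage(SAMPLE_REPORT):
        print(f"{reason}\n    {hit}")
```

Run against the sample it flags eight of the ten lines and leaves the ctfmon and QuickTime entries alone. The point of a script like this is to prioritise what a human reads, not to decide anything: every hit still needs the file's signature, timestamp and location checked before it is called malicious.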


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:05 PM

Posted 27 April 2009 - 04:15 PM

Hello.

Unfortunately, you have the file infector Virut infection. The only way to proceed is to format the whole computer and start over.

Virut File Infector Warning

Your system is infected with a polymorphic file infector called Virut and also has IRC bot functionality. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.

For these reasons, you really can't truly fix Virut. You will need to format and reinstall the operating system on this machine. As of now, security experts suggest that a clean reformat is the only way to clean the infection, and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, pictures, etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe, .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

More information on Virut can be found over here and here

With Regards,
SifuMike
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
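The advice in the reply above amounts to a selective backup: copy data files only, never .exe, .scr, .html or .htm, and leave behind archives that hold such files. As an added example, not part of the original reply and not a BleepingComputer tool, the Python script below implements that filter with only the standard library. It inspects the members of .zip files, skips .cab and .rar outright because they cannot be read without extra tools (a conservative choice, in line with the advice to avoid compressed files), and builds a constructed sample tree so the decisions can be seen. All directory names, file names and file contents are made up.

```python
import os
import shutil
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Extensions the reply above describes Virut as infecting; these are never copied.
INFECTABLE = {".exe", ".scr", ".html", ".htm"}
# Archive types the reply warns about. Only .zip can be inspected with the standard
# library; .cab and .rar are skipped outright rather than copied blind (assumption).
ARCHIVES = {".zip", ".cab", ".rar"}


def zip_contains_infectable(path: str) -> bool:
    """True if any zip member (at any nesting depth) has an infectable extension."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(os.path.splitext(name)[1].lower() in INFECTABLE for name in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: treat as unsafe rather than guess


def classify(path: str) -> str:
    """Return 'copy', or a short reason the file should be left behind."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE:
        return f"skipped: {ext} is a Virut-infectable type"
    if ext == ".zip":
        return "skipped: zip holds infectable files" if zip_contains_infectable(path) else "copy"
    if ext in ARCHIVES:
        return f"skipped: cannot inspect {ext} archive for infectable members"
    return "copy"


def backup_documents(src_root: str, dst_root: str) -> Dict[str, List[str]]:
    """Copy data files from src_root into dst_root; report what was copied and what was skipped."""
    result: Dict[str, List[str]] = {"copied": [], "skipped": []}
    for dirpath, _, filenames in os.walk(src_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src_root)
            verdict = classify(full)
            if verdict == "copy":
                dest = os.path.join(dst_root, rel)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                shutil.copy2(full, dest)
                result["copied"].append(rel)
            else:
                result["skipped"].append(f"{rel} ({verdict})")
    return result


def build_demo_tree() -> Tuple[str, str]:
    """Create a constructed sample source tree and an empty destination; return both paths."""
    src = tempfile.mkdtemp(prefix="virut_src_")
    dst = tempfile.mkdtemp(prefix="virut_dst_")
    docs = os.path.join(src, "My Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "thesis.txt"), "w") as f:
        f.write("important text\n")
    with open(os.path.join(docs, "setup.exe"), "wb") as f:
        f.write(b"MZ placeholder")  # constructed stand-in, not a real binary
    with open(os.path.join(docs, "bookmarks.htm"), "w") as f:
        f.write("<html></html>\n")
    with zipfile.ZipFile(os.path.join(docs, "photos.zip"), "w") as zf:
        zf.writestr("holiday/beach.jpg", b"jpeg placeholder")
    with zipfile.ZipFile(os.path.join(docs, "tools.zip"), "w") as zf:
        zf.writestr("tools/cleaner.exe", b"MZ placeholder")
    with open(os.path.join(docs, "drivers.rar"), "wb") as f:
        f.write(b"Rar! placeholder")
    return src, dst


if __name__ == "__main__":
    src, dst = build_demo_tree()
    outcome = backup_documents(src, dst)
    for rel in outcome["copied"]:
        print("copied ", rel)
    for rel in outcome["skipped"]:
        print("skipped", rel)
```

On the sample tree the script copies thesis.txt and photos.zip and leaves setup.exe, bookmarks.htm, tools.zip and drivers.rar behind. The filter is by extension only, which is what the reply asks for; it does not detect Virut in a file, so the copied data should still be scanned from the rebuilt machine before it is trusted.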

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:05 PM

Posted 04 May 2009 - 07:12 PM

Since your problem appears to be resolved, this thread will now be closed.
