Infected with Virtumonde, reader_s, anti-virus popups


This topic is locked
2 replies to this topic

#1 jrandall


Posted 02 July 2009 - 09:32 PM

Compaq sr1811nx
Windows XP SP2

I used Spybot and it said Virtumonde and tons of other stuff. I HAD about 15 instances of services.exe running in my task manager. Same with cmd.exe but I got rid of them somehow. Also this thing called reader_s.exe. My background was switched with an anti-virus message "Your system is infected" etc. I also keep seeing ieexplorer.exe but I do not use IE, at all. I know it's a common way for bugs to disguise themselves.

Everything started happening when I downloaded the archive located at [hxxp://www.slingfile.com/file/87119-Yt07xPLWOO.html] I'm sure the guy packed a few worms inside of the archive. Totally my mistake in trusting the internet, I sure have learned the lesson to just never download anything outside of a trusted website.

I have no idea why this won't go away. I tried Spybot and got rid of everything but it just came back 10x worse it seems. I was going to just reformat since I need it anyways, but I can't get my system to recognize any of my cd drives. I think that has something to do with my bios that I had to switch because the old bios I had left my computer running at 100% cpu usage for no apparent reason. Can you reformat without a cd drive?

I have a recovery partition that I could use to probably fix my cd drive problem, but I can't access it. How can I access it (it's drive I:) and tell it to recover Windows? If you know this, I don't need help at all with the worms ;) There used to be an option right next to system restore, but I suspect this worm is playing tricks.

I use Hijackthis to get rid of the services.exe which is obviously bad, but it just comes back. I'm really stuck. If I'm connected to the internet for more than 5 minutes, it will just cease to work until I disable/enable my network connection again.




DDS (Ver_09-06-26.01) - NTFSx86
Run by John at 19:12:55.90 on Thu 07/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.536 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
C:\Program Files\Innovative Solutions\Advanced Task Manager\atm.exe
svchost.exe C:\WINDOWS\TEMP\VRT18.tmp
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [reader_s] c:\documents and settings\john\reader_s.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Notification Packages = scecli inapet.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\laa4a0br.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npCID.dll
FF - HiddenExtension: XUL Cache: {D78FC16C-E477-4B21-97CF-783E01080047} - c:\documents and settings\john\local settings\application data\{D78FC16C-E477-4B21-97CF-783E01080047}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-27 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\john\locals~1\temp\{1735a~1\atiicdxx.sys --> c:\docume~1\john\locals~1\temp\{1735a~1\atiicdxx.sys [?]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-10-31 367744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2009-4-11 367616]
S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2009-4-11 18944]
S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [2009-4-11 33792]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-07-02 19:10 67,584 a------- c:\windows\system32\1C.tmp
2009-07-02 19:10 49,664 a------- c:\windows\system32\1B.tmp
2009-07-02 19:10 48,128 a------- c:\windows\system32\reader_s.exe
2009-07-02 19:10 120 a------- c:\windows\system32\19.tmp
2009-07-02 19:04 67,584 a------- c:\windows\system32\13.tmp
2009-07-02 19:04 49,664 a------- c:\windows\system32\12.tmp
2009-07-02 19:04 48,128 a------- c:\windows\system32\reader_s.exe.quarantined_by_task_manager
2009-07-02 19:04 20,480 a------- c:\documents and settings\john\reader_s.exe
2009-07-02 19:04 120 a------- c:\windows\system32\10.tmp
2009-07-02 18:08 0 a------- c:\windows\system32\AVR09.exe
2009-07-02 17:33 67,584 a------- c:\windows\system32\F.tmp
2009-07-02 17:33 0 a------- c:\windows\system32\E.tmp
2009-07-02 17:33 0 a------- c:\windows\system32\D.tmp
2009-07-02 17:33 120 a------- c:\windows\system32\B.tmp
2009-07-02 17:33 910 a------- c:\windows\system32\critical_warning.html
2009-07-02 17:33 64,512 a------- c:\windows\system32\winupdate.exe.quarantined_by_task_manager
2009-07-02 13:52 67,584 a------- c:\windows\system32\5B.tmp
2009-07-02 13:52 120 a------- c:\windows\system32\58.tmp
2009-07-02 13:42 <DIR> --d-h--- c:\windows\PIF
2009-07-02 13:35 67,584 a------- c:\windows\system32\55.tmp
2009-07-02 13:35 120 a------- c:\windows\system32\52.tmp
2009-07-02 13:33 67,584 a------- c:\windows\system32\4F.tmp
2009-07-02 13:33 120 a------- c:\windows\system32\4C.tmp
2009-07-02 13:16 <DIR> --d----- c:\program files\Innovative Solutions
2009-07-02 08:38 120 a------- c:\windows\system32\9.tmp
2009-07-02 04:23 244 a---h--- C:\sqmnoopt19.sqm
2009-07-02 04:23 232 a---h--- C:\sqmdata19.sqm
2009-07-02 04:21 244 a---h--- C:\sqmnoopt18.sqm
2009-07-02 04:21 232 a---h--- C:\sqmdata18.sqm
2009-07-02 04:20 244 a---h--- C:\sqmnoopt17.sqm
2009-07-02 04:20 232 a---h--- C:\sqmdata17.sqm
2009-07-02 04:20 244 a---h--- C:\sqmnoopt16.sqm
2009-07-02 04:20 232 a---h--- C:\sqmdata16.sqm
2009-07-02 04:14 244 a---h--- C:\sqmnoopt15.sqm
2009-07-02 04:14 232 a---h--- C:\sqmdata15.sqm
2009-07-02 04:13 244 a---h--- C:\sqmnoopt14.sqm
2009-07-02 04:13 232 a---h--- C:\sqmdata14.sqm
2009-07-02 04:13 244 a---h--- C:\sqmnoopt13.sqm
2009-07-02 04:13 232 a---h--- C:\sqmdata13.sqm
2009-07-02 04:07 244 a---h--- C:\sqmnoopt12.sqm
2009-07-02 04:07 232 a---h--- C:\sqmdata12.sqm
2009-07-02 04:06 244 a---h--- C:\sqmnoopt11.sqm
2009-07-02 04:06 232 a---h--- C:\sqmdata11.sqm
2009-07-02 04:06 244 a---h--- C:\sqmnoopt10.sqm
2009-07-02 04:06 232 a---h--- C:\sqmdata10.sqm
2009-07-02 04:00 244 a---h--- C:\sqmnoopt09.sqm
2009-07-02 04:00 232 a---h--- C:\sqmdata09.sqm
2009-07-02 03:59 244 a---h--- C:\sqmnoopt08.sqm
2009-07-02 03:59 232 a---h--- C:\sqmdata08.sqm
2009-07-02 03:59 244 a---h--- C:\sqmnoopt07.sqm
2009-07-02 03:59 232 a---h--- C:\sqmdata07.sqm
2009-07-02 03:54 244 a---h--- C:\sqmnoopt06.sqm
2009-07-02 03:54 232 a---h--- C:\sqmdata06.sqm
2009-07-02 02:40 244 a---h--- C:\sqmnoopt05.sqm
2009-07-02 02:40 232 a---h--- C:\sqmdata05.sqm
2009-07-02 02:23 67,584 a------- c:\windows\system32\C.tmp
2009-07-02 02:23 120 a------- c:\windows\system32\6.tmp
2009-07-02 02:19 67,584 a------- c:\windows\system32\A.tmp
2009-07-02 02:19 120 a------- c:\windows\system32\5.tmp
2009-07-02 02:17 67,584 a------- c:\windows\system32\8.tmp
2009-07-02 02:17 120 a------- c:\windows\system32\4.tmp
2009-07-01 21:56 <DIR> --d----- c:\windows\pss
2009-07-01 21:43 120 a------- c:\windows\system32\3.tmp
2009-07-01 20:46 244 a---h--- C:\sqmnoopt04.sqm
2009-07-01 20:46 232 a---h--- C:\sqmdata04.sqm
2009-07-01 20:45 244 a---h--- C:\sqmnoopt03.sqm
2009-07-01 20:45 232 a---h--- C:\sqmdata03.sqm
2009-07-01 20:42 0 a------- c:\windows\system32\7.tmp
2009-07-01 20:42 120 a------- c:\windows\system32\2.tmp
2009-07-01 19:34 360,832 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-06-28 20:02 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-27 06:14 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-27 06:13 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-27 06:04 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-20 14:53 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-20 14:53 1,409 a------- c:\windows\QTFont.for
2009-06-04 15:53 664 a------- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2009-07-02 17:33 360,832 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-07-01 20:44 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-05-10 18:24 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-05-01 00:31 1,657,376 a------- c:\windows\system32\nwiz.exe
2009-05-01 00:31 449,056 a------- c:\windows\system32\nvappbar.exe
2009-05-01 00:31 436,768 a------- c:\windows\system32\keystone.exe
2009-05-01 00:31 1,724,416 a------- c:\windows\system32\nvwdmcpl.dll
2009-05-01 00:31 1,507,328 a------- c:\windows\system32\nview.dll
2009-05-01 00:31 1,101,824 a------- c:\windows\system32\nvwimg.dll
2009-05-01 00:31 466,944 a------- c:\windows\system32\nvshell.dll
2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 457,248 a------- c:\windows\system32\nvudisp.exe
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-27 00:42 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-04-23 20:18 55,654 a------- c:\windows\Sysvxd.exe
2009-04-17 00:19 156,672 a------- c:\windows\Eruwezuyocadisa.dat
2009-03-17 04:24 87,608 a------- c:\docume~1\john\applic~1\inst.exe
2009-03-17 04:24 47,360 a------- c:\docume~1\john\applic~1\pcouffin.sys
2008-10-22 16:44 12 a------- c:\documents and settings\john\USERDATA.DAT

============= FINISH: 19:14:00.06 ===============

Edited by Orange Blossom, 11 February 2013 - 05:30 AM.
Deactivate link. ~ OB
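The DDS log above already contains the signals a malware responder looks for: svchost.exe launched with a file in C:\WINDOWS\TEMP as its argument, a Run entry pointing at an executable sitting in the root of a user profile, Task Manager and Active Desktop lockout policies, an extra DLL in the LSA Notification Packages value, and bursts of .tmp files dropped into system32 in the same minute. The script below is an added example (not part of the thread and not a BleepingComputer tool) that encodes those heuristics as rules over a DDS log; the sample input is an excerpt of the log posted above, and the rule names are this example's own.

```python
"""Triage rules for a DDS log (added example, not from the thread).

Sections of a DDS log are delimited by lines of '=' characters; each rule
below works on one section and returns (rule_name, evidence) tuples.
"""
import re
from collections import defaultdict

# Excerpt of the DDS log posted in the thread, used as sample input.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
svchost.exe C:\WINDOWS\TEMP\VRT18.tmp
C:\WINDOWS\System32\reader_s.exe

============== Pseudo HJT Report ===============

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [reader_s] c:\documents and settings\john\reader_s.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
LSA: Notification Packages = scecli inapet.dll

=============== Created Last 30 ================

2009-07-02 19:10 67,584 a------- c:\windows\system32\1C.tmp
2009-07-02 19:10 49,664 a------- c:\windows\system32\1B.tmp
2009-07-02 19:10 48,128 a------- c:\windows\system32\reader_s.exe
2009-07-02 19:10 120 a------- c:\windows\system32\19.tmp
2009-06-04 15:53 664 a------- c:\windows\system32\d3d9caps.dat
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# An executable directly under <profile>\<user>\ rather than in a program folder.
PROFILE_ROOT_RE = re.compile(r"\\documents and settings\\[^\\]+\\[^\\]+$", re.IGNORECASE)
EXE_NAME_RE = re.compile(r"([^\\\s]+\.exe)", re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\S+\s+\S+\s+(.+)$")
LOCKOUT_POLICIES = ("DisableTaskMgr", "NoActiveDesktopChanges", "NoSetActiveDesktop")
DEFAULT_LSA_PACKAGES = {"scecli"}  # the only package a stock XP install registers


def parse_sections(text):
    """Map each '=== Name ===' header to the non-empty lines that follow it."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
        elif current:
            sections[current].append(line)
    return sections


def triage(text):
    """Run the heuristics over a DDS log and return a list of findings."""
    sections = parse_sections(text)
    findings = []

    # Newly created executables, keyed by file name, for correlation with running processes.
    created = [CREATED_RE.match(l) for l in sections.get("Created Last 30", [])]
    created = [(m.group(1), m.group(2).lower()) for m in created if m]
    recent_exes = {path.rsplit("\\", 1)[-1] for _, path in created if path.endswith(".exe")}

    for line in sections.get("Running Processes", []):
        if TEMP_DIR_RE.search(line):
            findings.append(("process_from_temp", line))
        exe = EXE_NAME_RE.search(line)
        if exe and exe.group(1).lower() in recent_exes:
            findings.append(("recently_created_binary_running", line))

    for line in sections.get("Pseudo HJT Report", []):
        if re.match(r"^[umd]Run:", line) and PROFILE_ROOT_RE.search(line):
            findings.append(("autorun_in_profile_root", line))
        if "Policies" in line and any(p in line for p in LOCKOUT_POLICIES) and line.endswith("(0x1)"):
            findings.append(("lockout_policy", line))
        if line.startswith("LSA: Notification Packages"):
            extra = set(line.split("=", 1)[1].split()) - DEFAULT_LSA_PACKAGES
            if extra:
                findings.append(("extra_lsa_package", " ".join(sorted(extra))))

    # Several .tmp files landing in system32 within the same minute is a dropper pattern.
    tmp_by_minute = defaultdict(list)
    for minute, path in created:
        if path.endswith(".tmp") and "\\system32\\" in path:
            tmp_by_minute[minute].append(path)
    for minute, files in sorted(tmp_by_minute.items()):
        if len(files) >= 2:
            findings.append(("tmp_burst_in_system32", f"{minute}: {len(files)} files"))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:32} {evidence}")
```

The rules are deliberately conservative: none of them needs a blocklist of file names, so they still fire on a sample that renames its dropper, and the process-to-created-file correlation is what ties the bare reader_s.exe process to the file the log shows being written minutes earlier.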



#2 m0le



  • Malware Response Team

Posted 03 July 2009 - 05:17 AM

Hi jrandall,

This file is very bad news :thumbup2:

c:\windows\system32\reader_s.exe

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.
m0le is a proud member of UNITE
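The McAfee description quoted above explains why an appending file infector is hard to clean: the encrypted body is glued onto the last PE section and the polymorphic decryptor can sit in one of three places. The first placement (decryptor right before the appended code, at the end of the last section) leaves a structural trace that a responder can check without any signature: the entry point now points into the last section, which is normally a data or resource section and often ends up marked writable and executable. The following is an added example, not code from the thread or from any vendor; it parses the PE headers by hand, reports those two traces, and builds two constructed in-memory fixtures (a clean layout and a suspicious one) so it runs without a real binary. The other two placements the quote lists keep the entry point inside the original code section, so this check does not see them; that gap is one reason scanners fall back on emulation and why m0le's advice is a reinstall rather than a repair.

```python
"""Entry-point placement check for appending file infectors (added example).

Parses the DOS header, COFF header, optional header and section table of a
32-bit PE image with struct, locates the section holding AddressOfEntryPoint
and reports layouts typical of code appended to the last section.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, [section dicts]) from a PE image held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                       # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40     # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def entry_point_findings(data):
    """Describe entry-point placements consistent with an appended infector."""
    entry_rva, sections = parse_pe(data)
    holder = None
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + span:
            holder = s
            break
    if holder is None:
        return ["entry point outside all sections"]
    findings = []
    if len(sections) > 1 and holder is sections[-1]:
        findings.append(f"entry point in last section {holder['name']}")
    if holder["chars"] & IMAGE_SCN_MEM_WRITE and holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {holder['name']} is writable and executable")
    if not holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {holder['name']} is not executable")
    return findings


def build_pe(sections, entry_rva, file_align=0x200):
    """Assemble a minimal 32-bit PE image; a constructed fixture, not a runnable program."""
    hdr_size = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    headers_len = (hdr_size + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    table, body, raw_ptr = b"", b"", headers_len
    for name, vaddr, payload, chars in sections:
        padded = payload + b"\0" * (-len(payload) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), vaddr,
                             len(padded), raw_ptr, 0, 0, 0, 0, chars)
        body += padded
        raw_ptr += len(padded)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers + b"\0" * (headers_len - len(headers)) + body


# Constructed fixtures: a normal layout and one whose entry point was moved
# into a writable, executable last section, the first placement in the quote.
CLEAN = build_pe([(b".text", 0x1000, b"\xC3" * 16, 0x60000020),
                  (b".data", 0x2000, b"\0" * 16, 0xC0000040)], entry_rva=0x1000)
SUSPICIOUS = build_pe([(b".text", 0x1000, b"\xC3" * 16, 0x60000020),
                       (b".data", 0x2000, b"\0" * 16, 0xE0000040)], entry_rva=0x2008)

if __name__ == "__main__":
    print("clean:", entry_point_findings(CLEAN))
    print("suspicious:", entry_point_findings(SUSPICIOUS))
```

On a real system the same function can be pointed at any file by passing `open(path, "rb").read()`; a legitimate packer also moves the entry point into a late section, so a hit is a reason to look closer, not a verdict on its own.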

#3 m0le


Posted 08 July 2009 - 05:10 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



