reader_s.exe File

#1 rawsaxy
  • Members
  • 8 posts

Posted 02 July 2009 - 11:35 PM

I followed all your advice, wiped out the hard drive using "Boot & Nuke HD Eraser" with 3 passes of the DoD type, reformatted the hard drive, and re-installed Windows XP, and it's all coming back.

When I run "msconfig" I see that in the "Startup" folder are some of the trojans from before: "reader_s.exe", "services.exe". And in "Windows Task Manager": A6.tmp, wowexec.exe, reader_s, ntvdm.exe, services.exe (3 of them), svchost.exe (12 of them). I have not installed any .exe files, and was just re-installing jpgs from the DVD back-up I did of my pictures. That's all. Does this mean that I will not be able to re-install any of the files I backed up on several DVD discs? Is this hard drive a lost case?
=================================================

DDS (Ver_09-06-26.01) - NTFSx86
Run by Home at 0:33:43.40 on Fri 07/03/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.479.226 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ntvdm.exe
svchost.exe C:\WINDOWS\TEMP\VRTA2.tmp
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\A6.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Home\Desktop\dds.scr

============== Pseudo HJT Report ===============

EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
uRun: [BMUpdate] c:\windows\system32\BMUpdate.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [OneTouch Monitor] c:\program files\visioneer onetouch\OneTouchMon.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [services] c:\windows\services.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [reader_s] c:\documents and settings\home\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

============= SERVICES / DRIVERS ===============

R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-7-3 18944]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2009-7-2 23200]

=============== Created Last 30 ================

2009-07-03 00:08 <DIR> --ds---- c:\documents and settings\home\UserData
2009-07-03 00:07 <DIR> --d----- c:\windows\pss
2009-07-03 00:05 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-07-03 00:05 0 a------- c:\windows\system32\A7.tmp
2009-07-03 00:05 73,216 a------- c:\windows\services.exe
2009-07-03 00:05 67,584 a------- c:\windows\system32\A6.tmp
2009-07-03 00:05 48,128 a------- c:\windows\system32\reader_s.exe
2009-07-03 00:05 20,480 a------- c:\documents and settings\home\reader_s.exe
2009-07-03 00:05 120 a------- c:\windows\system32\A3.tmp
2009-07-02 23:57 <DIR> --d----- c:\windows\system32\Adobe
2009-07-02 23:53 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-07-02 23:53 569,344 a------- c:\windows\system32\imagr5.dll
2009-07-02 23:53 544,768 a------- c:\windows\system32\imagx5.dll
2009-07-02 23:53 38,912 a------- c:\windows\system32\picn20.dll
2009-07-02 23:53 283,920 a------- c:\windows\system32\ImagXpr5.dll
2009-07-02 23:53 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-07-02 23:48 9,662 a------- c:\windows\EPISME00.SWB
2009-07-02 23:47 <DIR> --d----- C:\EPSONREG
2009-07-02 23:47 <DIR> --d----- c:\program files\EPSON Print CD
2009-07-02 23:46 66 a------- c:\windows\ESPR200.ini
2009-07-02 23:46 <DIR> --d----- c:\program files\EPSON
2009-07-02 23:46 91,648 a------- c:\windows\system32\E_SAGSET.DLL
2009-07-02 23:46 76,045 a------- c:\windows\system32\EBPMON24.DLL
2009-07-02 23:46 69,632 a------- c:\windows\system32\EAL.EXE
2009-07-02 23:46 64,000 a------- c:\windows\system32\ECBTEG.DLL
2009-07-02 23:46 44,544 a------- c:\windows\system32\EAL32.DLL
2009-07-02 23:46 34,304 a------- c:\windows\system32\EBPCHP.DLL
2009-07-02 23:46 182 a------- c:\windows\system32\EBPPORT4.DAT
2009-07-02 23:45 24,960 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-07-02 23:45 24,960 a------- c:\windows\system32\drivers\usbprint.sys
2009-07-02 23:34 87,040 ac------ c:\windows\system32\dllcache\wiafbdrv.dll
2009-07-02 23:34 14,208 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-07-02 23:34 87,040 a------- c:\windows\system32\wiafbdrv.dll
2009-07-02 23:34 14,208 a------- c:\windows\system32\drivers\usbscan.sys
2009-07-02 23:26 2,422 a------- c:\windows\system32\wpa.bak
2009-07-02 23:03 176,128 a------- c:\windows\system32\BMUpdate.exe
2009-07-02 23:03 38 a------- c:\windows\BMUpdate.ini
2009-07-02 23:03 32,768 a------- c:\windows\system32\WiaMicro.dll
2009-07-02 23:03 23,200 a------- c:\windows\system32\drivers\ppsio2.sys
2009-07-02 23:03 <DIR> --d----- c:\windows\APPLOG
2009-07-02 23:02 <DIR> --d----- c:\program files\Visioneer OneTouch
2009-07-02 23:02 <DIR> --d----- c:\program files\ScanSoft
2009-07-02 23:02 <DIR> --d----- c:\program files\common files\ScanSoft Shared
2009-07-02 22:49 169 a------- c:\windows\RtlRack.ini
2009-07-02 22:40 <DIR> --d----- c:\windows\system32\FxsTmp
2009-07-02 22:13 <DIR> --ds---- c:\windows\system32\Microsoft
2009-07-02 22:04 552 a------- c:\windows\system32\d3d8caps.dat
2009-07-02 22:03 46,976 a------- c:\windows\system32\drivers\R8139n51.sys
2009-07-02 22:03 <DIR> --d----- c:\windows\OPTIONS
2009-07-02 21:54 <DIR> --d----- c:\program files\SiS VGA Utilities V3.61a
2009-07-02 21:53 102,538 a------- c:\windows\system32\VGAunistlog.ini
2009-07-02 21:53 106,496 a------- c:\windows\SiSUSBrg.exe
2009-07-02 21:53 32,768 a------- c:\windows\SIS_LIB.DLL
2009-07-02 21:53 3,583 a------- c:\windows\SiSport.sys
2009-07-02 21:53 139,264 a----r-- c:\windows\system32\IDEproperty.dll
2009-07-02 21:53 49,024 a----r-- c:\windows\system32\drivers\sisidex.sys
2009-07-02 21:53 9,472 a----r-- c:\windows\system32\drivers\sisperf.sys
2009-07-02 21:53 4,096 a----r-- c:\windows\system32\drivers\siside.sys
2009-07-02 21:53 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-07-02 21:53 306,688 a------- c:\windows\IsUninst.exe
2009-07-02 21:53 <DIR> --d----- c:\documents and settings\home\WINDOWS
2009-07-02 21:52 <DIR> --d----- c:\program files\Realtek Sound Manager
2009-07-02 21:52 <DIR> --d----- c:\program files\AvRack
2009-07-02 21:51 3,262 a------- c:\windows\Ascd_tmp.ini
2009-07-02 21:51 5,824 a------- c:\windows\system32\drivers\ASUSHWIO.SYS
2009-07-02 21:41 <DIR> --d----- C:\WUTemp
2009-07-02 21:41 182,880 ac------ c:\windows\system32\dllcache\iuengine.dll
2009-07-02 21:41 182,880 a------- c:\windows\system32\iuengine.dll
2009-07-02 21:26 <DIR> --dsh--- c:\windows\Installer
2009-07-02 21:26 <DIR> --d----- c:\documents and settings\Home
2009-07-02 19:36 8,192 a------- c:\windows\REGLOCS.OLD
2009-07-02 19:34 205,824 ac------ c:\windows\system32\dllcache\EXCH_seo.dll
2009-07-02 19:33 872,557 ac------ c:\windows\system32\dllcache\fp4awel.dll
2009-07-02 19:33 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-02 19:32 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-07-02 19:31 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-02 19:30 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-02 19:30 <DIR> --d----- c:\program files\Online Services
2009-07-02 19:30 <DIR> --d----- c:\program files\Messenger
2009-07-02 19:30 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-02 19:30 <DIR> --d----- c:\program files\Windows NT
2009-07-02 15:05 <DIR> --d----- c:\program files\common files\ODBC
2009-07-02 15:05 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-02 15:05 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-07-03 00:06 197,120 a------- c:\windows\system32\drivers\ndis.sys
2009-07-02 19:33 70,691 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-02 19:31 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-06-04 07:37 348,160 a------- c:\windows\system32\msvcr71.dll
2009-06-04 07:37 499,712 a------- c:\windows\system32\msvcp71.dll
2001-10-30 07:11 61,440 a------- c:\windows\inf\i386\onetUSD.dll
2001-09-10 09:00 139,264 a------- c:\windows\inf\i386\Rtscan.dll
2001-08-17 18:43 32,768 a------- c:\windows\inf\i386\Wiamicro.dll
2001-06-29 08:10 163,840 a------- c:\windows\inf\i386\viceo.dll

============= FINISH: 0:33:50.50 ===============

#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 July 2009 - 03:04 AM

Hello rawsaxy,

http://www.bleepingcomputer.com/forums/top...ml#entry1323126

It isn't just .exe files that are affected... to be perfectly blunt, those DVDs you have are likely very infected and useless to you. You should not try to use them or you will keep reinfecting your fresh installs. If you had followed the advice given to you, and read the information he so kindly provided, you would know that it's best not to try and save anything on a system with Virut. :thumbup2:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 rawsaxy
  • Topic Starter
  • Members
  • 8 posts

Posted 03 July 2009 - 12:31 PM

The files I backed up on DVD discs were my personal pictures, songs, work documents (Word, Excel, etc.). How was I supposed to save these crucial documents of mine?

#4 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 July 2009 - 05:39 PM

Hello,

That's just the point... you cannot. :thumbup2:

#5 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 July 2009 - 07:03 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.