
Virut infection! plus ??? Internet Explorer, cmd.exe, svchost.exe, services.exe, reader_s.exe keep on multiplying!


  • This topic is locked
5 replies to this topic

#1 hans100

hans100

  • Members
  • 3 posts

Posted 06 July 2009 - 03:59 PM

I am sure you are familiar with the problems I am having, which are progressively getting worse! Firstly, Windows Firewall has been disabled and I cannot get it up; all the other free firewalls I have tried, to no avail. If I clean up my PC offline in Safe Mode, everything (bar a few programs that for some reason or other have had the .exe file removed) works fine, BUT as soon as I go online the chaos starts and there is a constant data flow. Originally the file svchost.exe used to duplicate itself, up to 30 or 40 times; then I noticed the Task Manager only operated on the one tab, programs running. In the past two days I have attempted just about most of the popular free spyware removers and all have returned spectacular results, thereby allowing me to believe the problem was sorted; 30 min online again and I see reader_s.exe, services.exe, cmd.exe, Internet Explorer and svchost again multiplying! Firefox also seems to progressively run slower. There are many temporary files preceded by a numeral that are created as well.
After unsuccessfully attempting to have ComboFix and SDFix run and clean out all the crap, I took guidance from the advice given here and downloaded the dds.scr program to my desktop.
Only problem is that when double-clicked, or right-clicking and choosing TEST or CONFIGURE, the DOS screen comes back with the following: '"C:\WINDOWS\system32\Find.exe"' is not recognized as an internal command, operable program or batch file.
That's it, nothing more. Tried downloading again, same result. When I tried SDFix I could not get any action either, and when prompted to check the correct path the PC could not understand .inf files.
This is very, very depressing, especially when I am powerless to stop the continuous data flow up and down; what it is I don't know.
Here is the HijackThis logfile. I really hope this info can assist you in giving me the correct procedure to eliminate this problem.
I wait with anxious anticipation.
Thank you
hans

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:41 PM, on 7/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\services.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [RegistryBot] "C:\Program Files\RegistryBot\RegistryBot.exe" -boot
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\HANS100\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\HANS100\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\HANS100\reader_s.exe (User 'Default user')
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{6687B2E7-CEB0-494D-8BFD-7C8F0107878F}: NameServer = 196.41.124.11 196.41.124.10
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
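As an added illustration (not part of this thread, and not a tool any of the helpers used), the following Python script applies three heuristics a malware-removal helper applies by eye to a HijackThis log like the one above: a core Windows binary name running from the wrong directory (C:\WINDOWS\services.exe beside the real C:\WINDOWS\system32\services.exe), one Run value name replicated into the HKLM, HKCU, SYSTEM and .DEFAULT hives (reader_s), and the same executable name running from two directories at once. The sample log embedded in the script is a constructed excerpt of the entries posted above; the table of expected system directories is an assumption for a default Windows XP install.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the HijackThis log posted in this thread,
# trimmed to the process and O4 (Run key) lines the heuristics below act on.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\HANS100\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\HANS100\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\HANS100\reader_s.exe (User 'Default user')
"""

# Assumption: on a default Windows XP install each core binary only legitimately
# runs from the directory listed here (lower-cased for comparison).
CORE_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# O4 line layout: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable path in the command, quoted or not, ignoring trailing arguments.
PATH_RE = re.compile(r'^"?(?P<path>[a-z]:\\[^"]*?\.exe)', re.I)
# Hives that start a program for every user or for SYSTEM, not just the current user.
PRIVILEGED_HIVES = ("HKLM", r"HKUS\S-1-5-18", r"HKUS\.DEFAULT")


def split_path(path):
    """Return (directory, basename) of a Windows path, both lower-cased."""
    directory, _, base = path.lower().rpartition("\\")
    return directory, base


def parse_hjt(text):
    """Split a HijackThis log into (running process paths, O4 Run entries).

    Each Run entry is a (hive, value name, executable path or None) tuple.
    """
    processes, runs = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False  # blank line ends the process list
            continue
        if in_processes:
            processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            p = PATH_RE.match(m.group("cmd"))
            runs.append((m.group("hive"), m.group("name"), p.group("path") if p else None))
    return processes, runs


def analyse(text):
    """Return a sorted list of (finding type, subject) tuples for the log."""
    processes, runs = parse_hjt(text)
    findings = set()

    # 1. A core system binary name running from, or started from, the wrong directory.
    for path in processes + [r[2] for r in runs if r[2]]:
        directory, base = split_path(path)
        expected = CORE_BINARIES.get(base)
        if expected and directory != expected:
            findings.add(("masquerade", path))

    # 2. One Run value name registered under several hives, at least one of them
    #    machine-wide or SYSTEM/.DEFAULT: a start-up entry replicated everywhere.
    hives_by_name = defaultdict(set)
    for hive, name, _ in runs:
        hives_by_name[name].add(hive)
    for name, hives in hives_by_name.items():
        if len(hives) >= 3 and any(h in PRIVILEGED_HIVES for h in hives):
            findings.add(("replicated_run", name))

    # 3. The same executable name running from two different directories at once.
    dirs_by_base = defaultdict(set)
    for path in processes:
        directory, base = split_path(path)
        dirs_by_base[base].add(directory)
    for base, dirs in dirs_by_base.items():
        if len(dirs) > 1:
            findings.add(("duplicate_basename", base))

    return sorted(findings)


if __name__ == "__main__":
    for kind, subject in analyse(SAMPLE_LOG):
        print(f"{kind:20s} {subject}")
```

Run against the excerpt, the script reports C:\WINDOWS\services.exe as a masquerading copy of a core binary, services.exe as running from two directories, and reader_s as a Run value replicated into four hives; none of the legitimate entries (CnxDslTb.exe, ctfmon.exe, the system32 svchost.exe) trip any heuristic. The heuristics are deliberately path-based so they do not depend on recognising a particular family's file names.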


#2 hans100

hans100
  • Topic Starter

  • Members
  • 3 posts

Posted 13 July 2009 - 12:43 AM

Hello
Is it possible my request was innocently overlooked, or is there another reason? I will probably get an automated message telling me not to bump my post, BUT today is the 13th and I posted this request on the 6th! I reckon that after a week I should raise my hand and ask again for assistance.
Presently the PC is running OK, this since I installed the trial version of the Jetico ver 2 firewall.
In addition to this, instead of deleting the reader_s file in system32 and my temporary file, I decided to change the file type of this file to a .jpg. I did this to the .tmp file that would reload every time I entered the net.
One issue that I know is due to the virus is my Task Manager, which only opens on the programs running page without any tabs available!

So I need direction here please, as I don't want to shake up the system now that the virus seems to have become dormant!
Point is I want to clear all the problems, as my PC still runs slow after about 1 hour and there are still 6 or 7 svchosts running.

So I will return tonight and if no contact then I guess I'm not welcome and will decide on my action at that time.
So thanks, and hopefully I will have had a contact by tonight!
Hans

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts

Posted 13 July 2009 - 05:48 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

I admit this is kind of an automated reply, but we would not be able to keep up with the amount of people posting their problem here otherwise. We do our best to keep up, but we currently have a waiting line of about a week. We take the oldest logs first and try to help as many people as possible as quickly as possible.
It is easily understandable, if after a week of waiting you have decided to resolve your problems otherwise. In order to assist the people still in need of help efficiently, we are asking for you to confirm that you are still with us. :thumbup2:
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 hans100

hans100
  • Topic Starter

  • Members
  • 3 posts

Posted 16 July 2009 - 07:28 PM

Yeah guys, I'm still with ya!
The above post of mine entails what I expected to be asked, i.e. what I've done and the status. Briefly: still get to about 2 hrs and everything has slowed down due to about 8 svchosts running. The DDS program was downloaded but it won't start, same problem as at the outset. Reason given is: '"C:\WINDOWS\system32\Find.exe"' is not recognized as an internal or external command, operable program or batch file.

So that's that.
My Task Manager only opens on the 2nd page of all running instances.
I will post my HijackThis log as I believe that still works.
Look fwd to your reply
thx Hans

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:10 AM, on 7/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Jetico\Jetico Personal Firewall\jpfsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Jetico\Jetico Personal Firewall\jpf.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PhotoFiltre\PhotoFiltre.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\HANS100\Desktop\dds(2).scr
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [RegistryBot] "C:\Program Files\RegistryBot\RegistryBot.exe" -boot
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\jpf.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{6687B2E7-CEB0-494D-8BFD-7C8F0107878F}: NameServer = 196.41.124.11 196.41.124.10
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jetico Personal Firewall server - Jetico, Inc. - C:\Program Files\Jetico\Jetico Personal Firewall\jpfsrv.exe

--
End of file - 3095 bytes

#5 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts

Posted 17 July 2009 - 11:42 AM

Hi,

Let's take a look at the situation in your system files.

Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read the requirements and privacy statement then click on the Accept button.
  • The program will launch and start to download the latest definition files.
  • You will be prompted to install an application from Kaspersky. Click Run
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • Click on Save Report As....
  • Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Save this report to a convenient place.
  • Copy and paste that information into your topic.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts

Posted 27 July 2009 - 02:56 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
