Infected with Reader_s.exe


  • This topic is locked
2 replies to this topic

#1 HolyCow89

  • Members
  • 2 posts
Posted 25 September 2009 - 10:18 AM

Hi there! First of all, I'd like to thank you in advance for your time.

I got infected by the Reader_s virus two days ago via a friend's thumb drive. I've tried various methods to kill it (running Symantec's FixVirut tool and AVG's RMVirut tool) but nothing seems to be working. I tried to use ComboFix but it wouldn't run on my PC because Virut constantly hijacks it.

Reader_s.exe constantly shows up under %User and %system32, while the *.tmp files show up under C:\Program Files\Stardock\Object Desktop\WindowsBlinds. After being infected by Reader_s, I seem to have been infected with servises.exe too.

Running Microsoft's AntiMalware tool also gives me results on NDIS.sys. In addition, I cannot shut down my PC normally as I get a BSoD the moment I shut down. I have also noticed that if I leave the PC idle long enough at the login screen, an error will pop up regarding 8.tmp being unable to reference certain memory locations.



Here is the DDS log:
(Reader_S.exe does not turn up under Running processes because I ended the process before I ran DDS)


DDS (Ver_09-09-24.01) - FAT32x86
Run by User at 23:00:03.65 on Fri 09/25/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.386 [GMT 8:00]

AV: AVG 7.5.524 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\servises.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Mozilla\firefox.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder\comdlls\TDAtOnce_Now.dll
BHO: Thunder Browser Helper: {02478d37-c3f9-4efb-9b51-7695eca05670} - c:\program files\thunder\comdlls\xunleiBHO_Now.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [reader_s] c:\documents and settings\user\reader_s.exe
uRun: [servises] c:\windows\system32\servises.exe
mRun: [11991] c:\windows\system32\8.tmp.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [servises] c:\windows\system32\servises.exe
dRun: [reader_s] c:\windows\system32\config\systemprofile\reader_s.exe
uExplorerRun: [servises] c:\windows\system32\servises.exe
mExplorerRun: [servises] c:\windows\system32\servises.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Download Using &BitSpirit - c:\program files\bitspirit\bsurl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: 用比特精灵下载(&:(
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} - hxxps://www.e-games.com.my/com/EGamesPlugin.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: igfxcui - igfxdev.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: wbsys.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\65vffle9.default\
FF - prefs.js: browser.startup.homepage - www.google.com/ig
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-1 28544]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-3-29 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-3-29 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-3-29 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-3-29 10760]
R1 zbptqnieg3;zbptqnieg3.sys;c:\windows\system32\drivers\zbptqnieg3.sys [2009-9-25 40192]
R1 zfdntmramhb1;zfdntmramhb1;c:\windows\system32\drivers\zfdntmramhb1.sys [2009-9-25 40192]
R1 ziuuhufe3;ziuuhufe3.sys;c:\windows\system32\drivers\ziuuhufe3.sys [2009-9-25 40192]
R1 zmctyijykudcx7;zmctyijykudcx7.sys;c:\windows\system32\drivers\zmctyijykudcx7.sys [2009-9-25 40192]
R1 zvsdheabx7;zvsdheabx7;c:\windows\system32\drivers\zvsdheabx7.sys [2009-9-25 40192]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2007-3-29 439296]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2007-3-29 70144]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2007-3-29 427008]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-3-29 4960]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2007-3-29 1097728]
RUnknown zmuaytdbpgs9;zmuaytdbpgs9; [x]
S1 zijdcmwe7;zijdcmwe7;c:\windows\system32\drivers\zijdcmwe7.sys --> c:\windows\system32\drivers\zijdcmwe7.sys [?]
S1 zsljqqskyquh5;zsljqqskyquh5.sys;c:\windows\system32\drivers\zsljqqskyquh5.sys --> c:\windows\system32\drivers\zsljqqskyquh5.sys [?]
S2 FCI;FCI;c:\windows\system32\fci.exe.exe:ext.exe --> c:\windows\system32\fci.exe.exe:ext.exe [?]
S2 mjfogjxby;Config Shell;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 34816]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-7 34064]
S3 npkycryp;npkycryp;\??\d:\tsukiyo sousuke\ro\npkycryp.sys --> d:\tsukiyo sousuke\ro\npkycryp.sys [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]

=============== Created Last 30 ================

2009-09-25 20:50 19,456 a------- c:\windows\system32\8.tmp
2009-09-25 20:49 176 a------- c:\windows\system32\4.tmp
2009-09-25 20:01 19,456 a------- c:\windows\system32\5.tmp
2009-09-25 20:01 40,192 a------- c:\windows\system32\drivers\zvsdheabx7.sys
2009-09-25 20:01 34,304 a------- c:\windows\system32\3.tmp
2009-09-25 20:01 176 a------- c:\windows\system32\2.tmp
2009-09-25 19:38 65,536 a------- c:\windows\system32\servises.exe
2009-09-25 19:38 59,392 a------- c:\windows\system32\reader_s.exe
2009-09-25 19:38 59,392 a------- c:\documents and settings\user\reader_s.exe
2009-09-25 19:38 40,192 a------- c:\windows\system32\drivers\zfdntmramhb1.sys
2009-09-25 11:30 40,192 a------- c:\windows\system32\drivers\zmctyijykudcx7.sys
2009-09-25 09:22 98,304 a------- c:\windows\DUMP6a62.tmp
2009-09-25 09:09 2,986,872 a------- C:\FixVirut.com
2009-09-25 09:08 40,192 a------- c:\windows\system32\drivers\ziuuhufe3.sys
2009-09-25 08:22 <DIR> --d----- C:\cfix
2009-09-25 08:07 40,192 a------- c:\windows\system32\drivers\zbptqnieg3.sys
2009-09-25 08:01 <DIR> --dsh--- C:\FOUND.002
2009-09-25 07:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-09-25 07:18 <DIR> --d----- c:\program files\STOPzilla!
2009-09-25 07:18 <DIR> --d----- c:\program files\common files\iS3
2009-09-25 07:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-09-25 06:48 <DIR> --dsh--- C:\FOUND.001
2009-09-25 05:59 <DIR> --d----- c:\docume~1\user\applic~1\Uniblue
2009-09-25 05:59 <DIR> --d----- c:\program files\Uniblue
2009-09-25 05:49 6 a------- c:\windows\system32\_id.dat
2009-09-24 22:22 <DIR> --d----- c:\program files\ElcomSoft
2009-09-24 22:13 <DIR> --d----- c:\program files\Intelore
2009-09-15 06:20 157 a------- c:\windows\matlab.ini
2009-09-15 06:20 <DIR> --d----- c:\docume~1\user\applic~1\MathWorks
2009-09-15 06:03 647,872 a------- c:\windows\system32\mscomct2.ocx
2009-09-15 06:03 2,362 a------- c:\windows\system32\mscomct2.dep
2009-09-15 06:01 645,120 a------- c:\windows\system32\config.gms
2009-09-01 19:45 <DIR> --d----- C:\Qsmith
2009-09-01 16:10 <DIR> --d----- c:\program files\Mozilla

==================== Find3M ====================

2009-09-25 08:35 3,888 a------- c:\windows\system32\drivers\NTHANDLE.SYS
2009-09-25 06:51 98,304 a------- c:\windows\DUMP4882.tmp
2009-09-25 01:54 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-09-25 01:54 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-09-23 01:07 98,304 a------- c:\windows\DUMP881b.tmp
2009-07-26 18:27 2,132,480 a------- c:\windows\system32\logonuiX.exe
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-07-09 15:52 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-07-09 15:50 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-09 15:47 724,992 a----r-- c:\windows\system32\IS3Base5.dll

============= FINISH: 23:00:43.23 ===============


Attach.txt and Ark.txt are already attached.

Help would be very much appreciated. Thank you very much.


#2 HolyCow89

  • Topic Starter
  • Members
  • 2 posts

Posted 27 September 2009 - 02:57 AM

Never mind, I managed to get it fixed. Thanks anyway!

#3 Guest_The weatherman_*

  • Guests

Posted 27 September 2009 - 05:25 PM

Thank you for letting us know, HolyCow89. :(