TechSpot

Reader_s.exe and services.exe

By BigThing
Mar 31, 2009
  1. Hello everybody, hopefully you can help me solve these problems.

    Two days ago my system got infected. I ran scans in safe mode and a lot of malware was removed, but a few problems remain and appear to be getting progressively worse. My computer is now very slow and unstable; programs like Windows Media Player and Firefox start out performing reasonably, but after a while they encounter strange bugs that cause them to cease working. Also, on Firefox's start-up, AVG gives the following threat notification:
    jl.chura.pl/rc/ - Exploit JavaScript Obfuscation (type 604)

    Two processes seem to be the main culprits: one is C:\WINDOWS\services.exe, which so far has only been detected by Spybot S&D. Spybot identifies it as SpambotLoad.cn.
    The other one, reader_s.exe, shows up in several main directories like WINDOWS\system32 and Documents and Settings. According to Ad-Aware it's called Win32TrojanAgent2, while AVG identifies it as Trojan horse SHeur2.WNC.
    These processes not only return after deletion, but appear to clone themselves - so I get the feeling I have to take action quickly.

    This morning I disabled all real-time protection (AVG, Spybot, Ad-Aware) and performed scans with AVG, Spybot S&D, Ad-Aware, Malwarebytes and SUPERAntiSpyware. I went out while they were in progress and when I returned I found a blue screen. However, logs were available for the Malwarebytes and SUPERAntiSpyware scans. The log for AVG was "corrupted (scan did not finish properly)". I can't seem to retrieve a log from Ad-Aware.

    Now that I followed the 8 steps from the sticky thread as best I could, I really hope someone here can help me out. Big thanks in advance!
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please do this first:
    Temporarily disable Real Time protection:
    AD-AWARE AD-WATCH
    SPYBOT TEATIMER
    Update and rescan with HijackThis. Check the following entries:
    Close all Windows except HijackThis and click on Fix Checked.

    When finished: run a full system scan with Avira. Allow it to quarantine all entries it finds. Save the log.

    Reboot the computer and run ComboFix:

    Please download ComboFix HERE:

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    Update and rescan with HijackThis.

    Attach the logs and report from Avira, ComboFix and HijackThis. Your system is badly infected and we must be sure to find and remove all the malware. Stopping the Real Time protection of Spybot and AdAware is essential to allowing the cleaning programs to function correctly.
     
  3. BigThing

    BigThing TS Rookie Topic Starter

    Thanks a lot for the reply. I'll get to it immediately, just one more question: since I don't have Avira, should I replace AVG with it?
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Where did Avira go? The HijackThis log shows:
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

    Please verify if this is your ISP:
    The IP 195.121.1.34 is on the Ripe Network:
    netname: NL-PI-ACCESS
    descr: Platform-I
    country: NL (Netherlands)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1A091F55-E04F-45E6-B310-7F2AB07F2DEB}: NameServer = 195.121.1.34,195.121.1.66
     
  5. BigThing

    BigThing TS Rookie Topic Starter

    I did have Avira at one point IIRC, but for some reason I can't remember I switched to AVG...
    How do I check if the info you mentioned is about my computer?

    EDIT: There is no Avira directory in my Program Files folder.
     
  6. BigThing

    BigThing TS Rookie Topic Starter

    I went ahead and downloaded the Avira installer. I need to go away again for a while in a few minutes, so I will just shut down the computer and check back here when I get home. Unless someone here tells me not to, I will then uninstall AVG, install Avira, perform the actions as suggested by Bobbye and check back with the requested logs.
    Again, thanks a lot for your time!
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Apparently you ran the HijackThis program first on 3/29, then made the AV change, then ran Malwarebytes and SuperAntispyware on 3/31. I can only go by the information I am given. HJ should be run AFTER the two other cleaning programs and after you have disabled the Real Time programs:
    You would have had to install AVG AFTER 09:00:08, on 29/03/2009.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:00:08, on 29/03/2009

    Has entries:
    which show a functioning, loading Avira program.

    SUPERAntiSpyware Scan Log
    Generated 03/31/2009 at 00:35 AM

    Malwarebytes' Anti-Malware 1.35
    mbam-log-2009-03-31 (02-43-59).txt

    If you changed in the last 30 days, the ComboFix report will show it.
    See if Avira is still listed in Add/Remove programs in the Control Panel.
    Look for the Avira entry. Update and use it if present.

    FYI: Avira is the better of the two AV programs mentioned.

    Control Panel> System> System Properties.
     
  8. BigThing

    BigThing TS Rookie Topic Starter

    I opened the same hijackthis.log from my desktop just now and I cannot find any of the lines about Avira you mention... then I opened it from the attachment to my post and again I did not see them... I also made the log after performing the scans (as per the 8 step program) so, at the risk of being out of order, are you sure we're talking about the same logfile?

    EDIT:
    Mine says
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:46:54, on 31-3-2009


    EDIT 2:
    The strings you suggested to have fixed by HJT do match my log however. I un-installed AVG and am now updating Avira, and will follow the rest of your instructions. Sorry for turning this thread into a log of my own but I figure it can't hurt to be able to replace my steps.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well you know, I didn't make up the copy and paste of the date and time shown on your HijackThis log! And I sure didn't invent the entries I copied!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:00:08, on 29/03/2009
    versus
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:46:54, on 31-3-2009

    I had your log up because I remember this entry:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

    The only different entries I see in the log for above date and time are for AVG.

    You still have this.
    O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\

    You still have this which I asked you to verify:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1A091F55-E04F-45E6-B310-7F2AB07F2DEB}: NameServer = 195.121.1.34,195.121.1.66

    You still show this which I advised to stop:
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    You still have this which I said to check and remove:
    C:\DOCUME~1\Tjeerd\LOCALS~1\Temp\clclean.0001

    You still have Teatimer which I said to disable:
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    You still have this which was listed to remove:
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

    And interestingly enough, you do not have AdWatch running. It now shows as:
    C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.ex which is:
    Ad-Aware.exe
    Status: Lavasoft Ad-Aware should not be running at startup. It is likely a virus, spyware, Trojan, or some other sort of malicious program. Use a virus scanner, and/or spyware removal tool to remove it.
    Additional Info: Added by the RBOT-SO WORM! Note - this is not the popular Ad-aware spyware/adware removal tool
    http://www.techspot.com/startup/3610/

    Kind of makes one wonder!
     
  10. BigThing

    BigThing TS Rookie Topic Starter

    Hello Bobbye,

    Sadly my installation could not be saved anymore. When I ran Avira it returned over 11,000 infected files (including each and every .exe and .html) and upon reboot I got sent into a loop, I got logged off immediately after logging on. A repair install was not an option so I had to resort to the old format and reinstall.

    I do want to thank you much muchly for your time and effort to help me. Thanks!
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Too bad we couldn't save it. Hopefully when you're up again, you will get good security on the system, keep it updated and scan often.

    A suggestion: take a look at the first HijackThis log here. See all those 'running processes' at the top? Those are all loading at boot when you startup. You should keep that to as few as possible.

    The 04 entries are loading from the Registry and the Startup menu to make those processes run. The ONLY programs that need to load at Startup are the antivirus program, firewall if you have 3rd party firewall, touchpad if on laptop and possibly network process>>> nothing else!

    No QuickTime, no WinAmp, no Adobe Reader, no Creative processes, no updates for RealPlayer and Java, no printer or scanner, etc. And the fewer 02 BHOs- browser helper objects and 03 Toolbars the better. The more running, the more resources are used and the more possibility of security threats. Make that system lean and mean and you will enjoy the computer. Whoops! Forgot> practice Safe Surfing! Stay away from the poker sites.

    As for this:
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    Services Utility: Remote Packet Capture Protocol v.0 (experimental) Service
    Display Name (?): Remote Packet Capture Protocol v.0 (experimental)
    Short Name (?): rpcapd
    Executable (?): rpcapd.exe
    Library (?): None.
    Depends On (?): None.
    Supports (?): None.
    Description (?): Allows to capture traffic on this machine from a remote machine.
    OS (?): Third party or non-default
    RCPC is installed by WinPCap. It can be a security risk. If you are not using this, disable the Service and uninstall the program.

    Look here to find information about the WinPCap program download:
    http://www.winpcap.org/
    While it does need to startup on boot, it is suggested you keep the Service Startup type set to Manual, not Automatic.
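
The log reading Bobbye does in posts 9 and 11 (picking out the O17 NameServer entry to verify against the ISP, the O20 Winlogon Notify line that points at a bare directory, the orphaned O3 toolbar, the rpcapd service, and the length of the O4 startup list) can be scripted for a first pass over a HijackThis log. The following is an added Python example written for this page; it is not part of the thread, of HijackThis or of any of the tools named above. The sample log lines are constructed from the entries quoted in the thread (the avgnt O4 line is added for contrast), and the ESSENTIAL_HINTS list of startup items worth keeping is an assumption that should be adjusted per system.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the HijackThis entries quoted in this
# thread. The O4 avgnt line is added so that one "essential" startup item exists.
SAMPLE_LOG = "\n".join([
    "Logfile of Trend Micro HijackThis v2.0.2",
    "Scan saved at 14:46:54, on 31-3-2009",
    "",
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar,LinksFolderName = Koppelingen",
    "O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)",
    "O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe",
    "O4 - HKLM\\..\\Run: [QuickTime Task] C:\\Program Files\\QuickTime\\qttask.exe",
    "O4 - HKLM\\..\\Run: [avgnt] C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe",
    "O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\\Program Files\\PartyGaming\\PartyPoker\\RunApp.exe",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{1A091F55-E04F-45E6-B310-7F2AB07F2DEB}: NameServer = 195.121.1.34,195.121.1.66",
    "O20 - Winlogon Notify: winzdn32 - C:\\WINDOWS\\",
    "O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\\Program Files\\WinPcap\\rpcapd.exe",
])

# Every HijackThis entry line starts with a section code (R0, F1, O4, O23, ...).
ENTRY_RE = re.compile(r"^([RFO]\d+)\s*-\s*(.*)$")

# Assumption: substrings identifying the few startup items the helper says belong
# at boot (antivirus, firewall, touchpad driver). Adjust to the system at hand.
ESSENTIAL_HINTS = ("avgnt", "antivir", "firewall", "synaptics", "touchpad")


def parse_hjt(text):
    """Return (code, body) pairs for every entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def count_by_section(entries):
    """Entries per section; a long O4 list means a heavy startup."""
    return Counter(code for code, _ in entries)


def startup_candidates(entries):
    """O4 (Run-key) entries that match none of the essentials and so could be trimmed."""
    return [body for code, body in entries
            if code == "O4" and not any(h in body.lower() for h in ESSENTIAL_HINTS)]


def nameservers(entries):
    """DNS servers from O17 entries; these must be checked against the ISP's own servers."""
    servers = []
    for code, body in entries:
        if code == "O17" and "NameServer" in body:
            _, _, value = body.partition("NameServer =")
            servers.extend(s.strip() for s in value.split(",") if s.strip())
    return servers


def review(entries):
    """Flag the entry types the thread singles out; returns (code, reason, body) tuples."""
    findings = []
    for code, body in entries:
        if code == "O3" and "(no file)" in body:
            findings.append((code, "toolbar whose file is gone; fix it", body))
        elif code == "O17" and "NameServer" in body:
            findings.append((code, "verify these DNS servers belong to your ISP", body))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            target = body.rsplit(" - ", 1)[-1]
            if target.endswith("\\"):  # a directory, not a notification DLL
                findings.append((code, "Winlogon Notify pointing at a directory, not a DLL", body))
        elif code == "O23" and "rpcapd" in body.lower():
            findings.append((code, "remote packet capture service; Manual start or uninstall if unused", body))
    return findings


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("entries per section:", dict(count_by_section(entries)))
    print("startup items that could be trimmed:", startup_candidates(entries))
    print("DNS servers to verify:", nameservers(entries))
    for code, reason, body in review(entries):
        print(f"[{code}] {reason}\n    {body}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the output is a triage list, and each flagged line still has to be judged by hand the way the posts above do (the O17 servers, for instance, are only a problem if they are not the ISP's).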
     
Topic Status:
Not open for further replies.
