Reader_s.exe and services.exe


BigThing

Hello everybody, hopefully you can help me solve these problems.

Two days ago my system got infected. I ran scans in safe mode and a lot of malware was removed, but a few problems remain and appear to be getting progressively worse. My computer is now very slow and unstable; programs like Windows Media Player and Firefox start out performing reasonably, but after a while they encounter strange bugs that cause them to cease working. Also, on Firefox's start-up, AVG gives the following threat notification:
jl.chura.pl/rc/ - Exploit JavaScript Obfuscation (type 604)

Two processes seem to be the main culprits: one is C:\WINDOWS\services.exe, which so far has only been detected by Spybot S&D. Spybot identifies it as SpambotLoad.cn.
The other one, reader_s.exe, shows up in several main directories like WINDOWS\system32 and Documents and Settings. According to Ad-Aware it's called Win32TrojanAgent2, while AVG identifies it as Trojan horse SHeur2.WNC.
These processes not only return after deletion, but appear to clone themselves - so I get the feeling I have to take action quickly.

This morning I disabled all real-time protection (AVG, Spybot, Ad-Aware) and performed scans with AVG, Spybot S&D, Ad-Aware, Malwarebytes and SUPERAntiSpyware. I went out while they were in progress and when I returned I found a blue screen. However, logs were available for the Malwarebytes and SUPERAntiSpyware scans. The log for AVG was "corrupted (scan did not finish properly)". I can't seem to retrieve a log from Ad-Aware.

Now that I followed the 8 steps from the sticky thread as best I could, I really hope someone here can help me out. Big thanks in advance!
 
Please do this first:
Temporarily disable Real Time protection:
AD-AWARE AD-WATCH
* Right click on the Ad-Watch icon in the system tray.
* At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
o Active: This will turn Ad-Watch On\Off without closing it.
o Automatic: Suspicious activity will be blocked automatically.
* Uncheck both of those boxes.
* (When done, you can re-enable it using the same steps but this time check both boxes.)
SPYBOT TEATIMER
* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Update and rescan with HijackThis. Check the following entries:
C:\DOCUME~1\Tjeerd\LOCALS~1\Temp\clclean.0001
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [el] "C:\WINDOWS\system32\regsvr32.exe" /u /s "C:\WINDOWS\system32\el32.dll">> Trojan Downloader
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe>> Added by the Troj/Agent-IUT Trojan.
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\>> Trojan/Backdoor
Close all Windows except HijackThis and click on Fix Checked.

When finished: run a full system scan with Avira. Allow it to quarantine all entries it finds. Save the log.

Reboot the computer and run ComboFix:

Please download ComboFix HERE:

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Update and rescan with HijackThis.

Attach the logs and report from Avira, ComboFix and HijackThis. Your system is badly infected and we must be sure to find and remove all the malware. Stopping the Real Time protection of Spybot and AdAware is essential to allowing the cleaning programs to function correctly.
 
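The HijackThis entries listed in the post above fall into a few recurring patterns: a Run key launching an executable that carries a system-binary name (services.exe outside the boot chain), a silent regsvr32 re-registering a DLL at every logon, a Winlogon Notify package with no DLL file name, hard-coded nameservers that must be verified against the ISP, and an orphaned toolbar CLSID. The script below is an example added by the editor, not code from the thread, from HijackThis or from any product named here; it parses those HJT line types and flags them with the same reasoning. The sample log is constructed from lines quoted in this thread; the expected-nameserver set and the indicator file-name list are assumptions the caller supplies.

```python
"""Triage a HijackThis (HJT) log for the persistence patterns discussed in
this thread. Editor-added example, not part of the thread, of HJT or of any
product named in it. SAMPLE_LOG is constructed from lines quoted in the
thread; the expected-nameserver set and indicator names are assumptions."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Boot-chain binaries (started by smss/winlogon/the SCM, never by a Run key).
# A Run entry whose executable carries one of these names is a lookalike.
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                       "csrss.exe", "winlogon.exe", "smss.exe"}

O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: .*\(no file\)\s*$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - "
                    r"(?P<vendor>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    level: str    # suspicious | orphaned | verify | info
    line: str
    reason: str


def _exe_basename(cmd: str) -> str:
    """Lower-cased file name of the first token (quoted or not) of a command."""
    cmd = cmd.strip()
    tok = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str,
           expected_nameservers: Optional[Set[str]] = None,
           indicators: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return findings for O3/O4/O17/O20/O23 lines. `indicators` holds file
    names a scanner already named (e.g. {"reader_s.exe"}); lines of other
    types are ignored."""
    out: List[Finding] = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := O4_RE.match(line):
            exe = _exe_basename(m["cmd"])
            if exe in indicators:
                out.append(Finding("suspicious", line, f"{exe} matches a scanner indicator"))
            elif exe in SYSTEM_BINARY_NAMES:
                out.append(Finding("suspicious", line,
                    f"{exe} is never launched from a Run key; lookalike process"))
            elif exe == "regsvr32.exe" and "/s" in m["cmd"].lower().split():
                out.append(Finding("suspicious", line,
                    "silent regsvr32 at logon: a DLL is (re)registered every boot"))
            elif "policies\\explorer\\run" in m["where"].lower():
                out.append(Finding("suspicious", line,
                    "Policies\\Explorer\\Run is rarely used by legitimate software"))
        elif m := O17_RE.match(line):
            servers = set(m["servers"].split(","))
            if expected_nameservers is None:
                out.append(Finding("verify", line,
                    "hard-coded DNS servers: confirm with whois that they belong to your ISP"))
            elif servers - expected_nameservers:
                out.append(Finding("suspicious", line,
                    f"unexpected nameserver(s) {sorted(servers - expected_nameservers)}"))
        elif m := O20_RE.match(line):
            path = m["path"].strip()
            if path.endswith("\\") or not path.lower().endswith(".dll"):
                out.append(Finding("suspicious", line,
                    "Winlogon Notify package without a DLL file name; runs inside winlogon.exe"))
        elif O3_RE.match(line):
            out.append(Finding("orphaned", line, "toolbar CLSID with no file; safe to fix"))
        elif (m := O23_RE.match(line)) and m["short"].lower() == "rpcapd":
            out.append(Finding("info", line,
                "WinPcap remote-capture daemon accepts sniffing requests over the "
                "network; set to Manual or uninstall if unused"))
    return out


# Constructed sample: HJT lines quoted in this thread plus two benign Avira
# lines from it, so the rules can be seen to leave legitimate entries alone.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [el] "C:\WINDOWS\system32\regsvr32.exe" /u /s "C:\WINDOWS\system32\el32.dll"
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A091F55-E04F-45E6-B310-7F2AB07F2DEB}: NameServer = 195.121.1.34,195.121.1.66
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""

if __name__ == "__main__":
    # Assumed ISP resolvers (the thread asks the poster to verify these).
    for f in triage(SAMPLE_LOG, {"195.121.1.34", "195.121.1.66"},
                    frozenset({"reader_s.exe"})):
        print(f"[{f.level:10}] {f.reason}\n             {f.line}")
```

The O17 rule deliberately refuses to judge nameservers on its own: without the ISP's resolver list it only asks for verification, which is exactly the whois check the helper asked for, and with that list supplied it flags anything else. The benign Avira entries and the KernelFaultCheck line produce no finding, so the rules are narrower than "anything in a Run key".
 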
Thanks a lot for the reply. I'll get to it immediately, just one more question: since I don't have Avira, should I replace AVG with it?
 
Where did Avira go? The HijackThis log shows:
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

Please verify if this is your ISP:
The IP 195.121.1.34 is on the Ripe Network:
netname: NL-PI-ACCESS
descr: Platform-I
country: NL (Netherlands)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A091F55-E04F-45E6-B310-7F2AB07F2DEB}: NameServer = 195.121.1.34,195.121.1.66
 
I did have Avira at one point IIRC, but for some reason I can't remember I switched to AVG...
How do I check if the info you mentioned is about my computer?

EDIT: There is no Avira directory in my Program Files folder.
 
I went ahead and downloaded the Avira installer. I need to go away again for a while in a few minutes, so I will just shut down the computer and check back here when I get home. Unless someone here tells me not to, I will then uninstall AVG, install Avira, perform the actions as suggested by Bobbye and check back with the requested logs.
Again, thanks a lot for your time!
 
I did have Avira at one point IIRC, but for some reason I can't remember I switched to AVG...
Apparently you ran the HijackThis program first on 3/29, then made the AV change, then ran Malwarebytes and SuperAntispyware on 3/31. I can only go by the information I am given. HJ should be run AFTER the two other cleaning programs and after you have disabled the Real Time programs:
You would have had to install AVG AFTER 09:00:08, on 29/03/2009.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:00:08, on 29/03/2009

Has entries:
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
which show a functioning, loading Avira program.

SUPERAntiSpyware Scan Log
Generated 03/31/2009 at 00:35 AM

Malwarebytes' Anti-Malware 1.35
mbam-log-2009-03-31 (02-43-59).txt

If you changed it in the last 30 days, the ComboFix report will show it.
EDIT: There is no Avira directory in my Program Files folder.
See if Avira is still listed in Add/Remove programs in the Control Panel.
Look for the Avira entry. Update and use it if present.

FYI: Avira is the better of the two AV programs mentioned.

How do I check if the info you mentioned is about my computer?
Control Panel> System> System Properties.
 
I opened the same hijackthis.log from my desktop just now and I cannot find any of the lines about Avira you mention... then I opened it from the attachment to my post and again I did not see them... I also made the log after performing the scans (as per the 8 step program) so, at the risk of being out of order, are you sure we're talking about the same logfile?

EDIT:
Mine says
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:54, on 31-3-2009


EDIT 2:
The strings you suggested to have fixed by HJT do match my log however. I un-installed AVG and am now updating Avira, and will follow the rest of your instructions. Sorry for turning this thread into a log of my own, but I figure it can't hurt to be able to retrace my steps.
 
Well you know, I didn't make up the copy and paste of the date and time shown on your HijackThis log! And I sure didn't invent the entries I copied!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:00:08, on 29/03/2009
versus
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:54, on 31-3-2009

I had your log up because I remember this entry:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

The only different entries I see in the log for above date and time are for AVG.

You still have this.
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\

You still have this which I asked you to verify:
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A091F55-E04F-45E6-B310-7F2AB07F2DEB}: NameServer = 195.121.1.34,195.121.1.66

You still show this which I advised to stop:
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

You still have this which I said to check and remove:
C:\DOCUME~1\Tjeerd\LOCALS~1\Temp\clclean.0001

You still have Teatimer which I said to disable:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

You still have this which was listed to remove:
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

And interestingly enough, you do not have AdWatch running. It now shows as:
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.ex which is:
Ad-Aware.exe
Status: Lavasoft Ad-Aware should not be running at startup. It is likely a virus, spyware, Trojan, or some other sort of malicious program. Use a virus scanner, and/or spyware removal tool to remove it.
Additional Info: Added by the RBOT-SO WORM! Note - this is not the popular Ad-aware spyware/adware removal tool
https://www.techspot.com/startup/3610/

Kind of makes one wonder!
 
Hello Bobbye,

Sadly my installation could not be saved anymore. When I ran Avira it returned over 11,000 infected files (including each and every .exe and .html) and upon reboot I got sent into a loop, I got logged off immediately after logging on. A repair install was not an option so I had to resort to the old format and reinstall.

I do want to thank you much muchly for your time and effort to help me. Thanks!
 
Too bad we couldn't save it. Hopefully when you're up again, you will get good security on the system, keep it updated and scan often.

A suggestion: take a look at the first HijackThis log here. See all those 'running processes' at the top? Those are all loading at boot when you startup. You should keep that to as few as possible.

The O4 entries are loading from the Registry and the Startup menu to make those processes run. The ONLY programs that need to load at Startup are the antivirus program, firewall if you have a 3rd party firewall, touchpad if on a laptop and possibly a network process>>> nothing else!

No QuickTime, no WinAmp, no Adobe Reader, no Creative processes, no updates for RealPlayer and Java, no printer or scanner, etc. And the fewer O2 BHOs (browser helper objects) and O3 Toolbars the better. The more running, the more resources are used and the more possibility of security threats. Make that system lean and mean and you will enjoy the computer. Whoops! Forgot> practice Safe Surfing! Stay away from the poker sites.

As for this:
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

Services Utility: Remote Packet Capture Protocol v.0 (experimental) Service
Display Name (?): Remote Packet Capture Protocol v.0 (experimental)
Short Name (?): rpcapd
Executable (?): rpcapd.exe
Library (?): None.
Depends On (?): None.
Supports (?): None.
Description (?): Allows to capture traffic on this machine from a remote machine.
OS (?): Third party or non-default
rpcapd is installed by WinPcap. It can be a security risk. If you are not using this, disable the Service and uninstall the program.

Look here to find information about the WinPcap program download:
http://www.winpcap.org/
While it does need to startup on boot, it is suggested you keep the Service Startup type set to Manual, not Automatic.
 