Hi all,
Every time I start up my pc, I have many rather suspicious processes running. I have had this reader_s.exe (1-2 instances) running for quite some time. Recently I also had servises.exe (note the spelling), again multiple instances. This pc is not very powerful, running WinXP Pro SP3 with 256MB RAM, and so I don't have an antivirus installed. I use Windows Firewall. Reinstalling XP has not helped. These files wouldn't be visible for 2-3 days, but then they popped up again. I also noticed some ".tmp" files running, with file paths under the system32 folder. On navigating there I could see lots of .tmp files with random names like V32R.tmp, a.tmp, e.tmp etc. I also noticed that I couldn't browse the internet anymore, no pages opened in Firefox, but there was connectivity and usage was as if something was being downloaded or uploaded. I have tried running Spybot Search and Destroy and it found no problems. I have found out from TCPView that svchost.exe was using all the bandwidth; I would close the svchost connections 10-15 times and the problem went away temporarily. What virus is this, and is there a removal option (reformatting the C drive didn't work)? I have posted my HijackThis log. And removing the reader_s and servises entries doesn't help, they just come back again after reboot. Am hoping I have given all the info and will appreciate help. Also, could someone suggest total security software (free/paid) which is not system resource demanding, since I've only 256MB RAM. Note that the processes mentioned above were not running at the time the HijackThis log was compiled.
saif.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:31 PM, on 8/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\TuneUp Utilities 2009\Integrator.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [17437] C:\WINDOWS\system32\E.tmp.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe
O4 - HKCU\..\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKCU\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKUS\S-1-5-21-1078081533-1284227242-682003330-500\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (User '?')
O4 - HKUS\S-1-5-21-1078081533-1284227242-682003330-500\..\Run: [servises] C:\WINDOWS\system32\servises.exe (User '?')
O4 - HKUS\S-1-5-21-1078081533-1284227242-682003330-500\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i (User '?')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ACADEB3-DA53-4D97-88A6-C789153F66C6}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS1\Services\Tcpip\..\{2ACADEB3-DA53-4D97-88A6-C789153F66C6}: NameServer = 61.1.96.69,61.1.96.71
O23 - Service: Removable Storage NtmsSvcNetman (NtmsSvcNetman) - Unknown owner - C:\WINDOWS\system32\7.tmp.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
--
End of file - 3514 bytes
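The O4 (autostart) and O23 (service) entries in a HijackThis log like the one above can be triaged mechanically before anything is deleted. The following is an added Python example, not code from the poster or from HijackThis, that parses those two entry types and flags the patterns visible in this log: temp-style executable names, names one character away from a Windows system binary, executables sitting in a user profile root, Policies\Explorer\Run autostarts, and services whose binary is missing. The system-name list and the one-character threshold are assumptions chosen for illustration.

```python
import re

# Assumption: a small illustrative list of Windows binary names that malware imitates.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "explorer.exe", "csrss.exe", "smss.exe"}

# O4 = autostart entry, O23 = service entry (HijackThis section codes).
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[[^\]]*\] (?P<path>.+?\.exe)", re.I)
O23_MISSING_RE = re.compile(r"^O23 - Service: .*\(file missing\)", re.I)

def lookalike(filename):
    """True if filename differs from a known system binary by exactly one character."""
    # Only single-character substitutions are covered (servises.exe vs services.exe).
    f = filename.lower()
    return any(len(f) == len(s) and sum(a != b for a, b in zip(f, s)) == 1
               for s in SYSTEM_NAMES)

def triage_line(line):
    """Return the reasons one HijackThis log line looks suspicious ([] if none)."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        key, path = m.group("key"), m.group("path")
        fname = path.rsplit("\\", 1)[-1]
        if re.search(r"\.tmp\.exe$", fname, re.I):
            reasons.append("temp-style executable name")
        if lookalike(fname):
            reasons.append("look-alike of a system binary name")
        if re.match(r"(?i)c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", path):
            reasons.append("executable in user profile root")
        if "Policies\\Explorer\\Run" in key:
            reasons.append("Policies\\Explorer\\Run autostart")
    elif O23_MISSING_RE.match(line):
        reasons.append("service points to a missing file")
    return reasons

def triage(log_text):
    """Map every suspicious line of a log to its list of reasons."""
    lines = (raw.strip() for raw in log_text.splitlines())
    return {ln: triage_line(ln) for ln in lines if triage_line(ln)}

# Constructed sample: a handful of lines copied from the log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [17437] C:\WINDOWS\system32\E.tmp.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O23 - Service: Removable Storage NtmsSvcNetman (NtmsSvcNetman) - Unknown owner - C:\WINDOWS\system32\7.tmp.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
"""
```

An entry such as `C:\WINDOWS\System32\reader_s.exe` passes every heuristic here, so treat the output as a list of items to look up, not a verdict.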