Reader_s.exe and servises.exe viruses


saif

Hi all,
Every time I start up my PC, I have many rather suspicious processes running. I have had this reader_s.exe (1-2 instances) running for quite some time. Recently I also had servises.exe (note the spelling), again multiple instances. This PC is not very powerful, running WinXP Pro SP3 with 256MB RAM, and so I don't have an antivirus installed. I use Windows Firewall. Reinstalling XP has not helped. These files wouldn't be visible for 2-3 days, but then they popped up again. I also noticed some ".tmp" running, having a file path under the system32 folder. On navigating there I could see lots of .tmp files with random names like V32R.tmp, a.tmp, e.tmp etc. I also noticed that I couldn't browse the internet anymore, no pages opened from Firefox, but there was connectivity and usage was as if something was being downloaded or uploaded. I have tried running Spybot Search and Destroy and found no problems. I have found out from TCPView that svchost.exe was using all the bandwidth; I would close svchost connections 10-15 times and the problem went away temporarily. What virus is this, and is there a removal option (reformatting the C drive didn't work)? I have posted my HijackThis log. Removing the reader_s and servises entries doesn't help, they just come back again after reboot. I am hoping I have given all the info and will appreciate help. Also, could someone suggest total security software (free/paid) which is not system resource demanding, since I've only 256MB RAM. Note that the processes mentioned above were not running at the time the HijackThis log was compiled.
saif.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:31 PM, on 8/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\TuneUp Utilities 2009\Integrator.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [17437] C:\WINDOWS\system32\E.tmp.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe
O4 - HKCU\..\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKCU\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKUS\S-1-5-21-1078081533-1284227242-682003330-500\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (User '?')
O4 - HKUS\S-1-5-21-1078081533-1284227242-682003330-500\..\Run: [servises] C:\WINDOWS\system32\servises.exe (User '?')
O4 - HKUS\S-1-5-21-1078081533-1284227242-682003330-500\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i (User '?')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ACADEB3-DA53-4D97-88A6-C789153F66C6}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS1\Services\Tcpip\..\{2ACADEB3-DA53-4D97-88A6-C789153F66C6}: NameServer = 61.1.96.69,61.1.96.71
O23 - Service: Removable Storage NtmsSvcNetman (NtmsSvcNetman) - Unknown owner - C:\WINDOWS\system32\7.tmp.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 3514 bytes
 
Using Hijackthis - put a check next to all the line items with values shown below: remove them.
servises.exe
administrator.exe
reader_s.exe
dns name servers (your router or internet provider should assign you dns servers with dhcp set to Auto as described below)

Reboot your computer to Windows SAFE Mode (pressing F8 before the windows logo appears will allow you to arrow up to SAFE MODE) and run REGEDIT.EXE.
find & check the following locations in the Registry (be careful not to delete or change anything - there's no UNDO):

1. my computer\hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon:

on the right side make sure the following match this: change them if they're different
SHELL = Explorer.exe
Userinit = C:\WINDOWS\system32\userinit.exe,
(some transponder viruses add a value to SHELL - like Nail.exe)

2. my computer\hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify:

on the left side within the Notify folder, you should see:
crypt32chain, cryptnet, cscdll, dimsntfy, igfxcui, sccertprop, schedule, sclgntfy, senslogn, termsrv, wgalogon, wlballoon (there may be a few more legitimate ones, but there could also be bad ones). A bad entry might look like zcvlkjd or adfkje. Post the folder names, so I can help you remove the correct ones.

Write down the folder names and report them back here.

Note: There are many more places in the Registry I can guide you to look, but using the tools in the 8 steps should help check & clean most of the Registry.

3. I think you can run this in SAFE Mode: start menu - RUN - type 'netsh winsock repair'
This will help fix your web browser issue. Don't type the ' ' marks in the RUN dialog box.

4. From the control panel, click on Network & internet connections then Network Connections (from category view) or Network Connections icon (from classic view).

Right click on the 'local area connection' or on the 'wireless connection' you're currently using to get to the internet. The correct icon will usually be glowing blue (not greyed out, disconnected, or disabled).

Open the Properties for the connection.
Left click on 'internet protocol (tcp/ip)' so that it's selected (highlighted blue)
Left click on the Properties button.
On the General Tab - click on bullets for 'Obtain an ip address automatically' and 'Obtain DNS server address automatically'
Left click on the OK button.

Note: I'm assuming that you don't need or have a static IP address or DNS set on purpose - if your network administrator set those values, then you shouldn't change them. However, some viruses or adware will change your DNS values to redirect your DNS requests.

5. Reboot your computer again and run Malwarebytes, Spybot S&D, and the rest. Clean or remove anything they find.

Hope that helps.
Zyldar
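An added triage script (not from this thread, nor part of HijackThis) that runs Zyldar's checklist over O4/O17/O23 lines copied from saif's log above: it flags the three names he lists for removal, any hard-coded NameServer, and services whose binary is missing. It goes a little beyond the thread with two assumed heuristics: a start-up name that differs by one letter from a core Windows process name (servises vs services) and a ".tmp.exe" registered to run at start-up.

```python
import re

# Constructed sample: O4/O17/O23 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [17437] C:\WINDOWS\system32\E.tmp.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe
O4 - HKCU\..\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKUS\.DEFAULT\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ACADEB3-DA53-4D97-88A6-C789153F66C6}: NameServer = 61.1.96.69,61.1.96.71
O23 - Service: Removable Storage NtmsSvcNetman (NtmsSvcNetman) - Unknown owner - C:\WINDOWS\system32\7.tmp.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
"""

# The three start-up names Zyldar's reply says to remove.
REMOVE_LIST = {"servises.exe", "administrator.exe", "reader_s.exe"}
# Core process names from the log's "Running processes" list (assumed heuristic:
# a one-letter variant of one of these, e.g. servises vs services, is a lookalike).
SYSTEM_NAMES = {"smss", "winlogon", "services", "lsass", "svchost", "explorer"}

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O23_RE = re.compile(r"^O23 - Service: .* - (?P<path>[A-Za-z]:\\.*?\.exe)(?P<missing> \(file missing\))?$", re.I)

def is_lookalike(stem):
    """True when stem differs from a core system process name in exactly one character."""
    s = stem.lower()
    return any(s != n and len(s) == len(n) and sum(a != b for a, b in zip(s, n)) == 1
               for n in SYSTEM_NAMES)

def triage(log_text):
    """Return (line_type, reason, detail) findings for the O4/O17/O23 lines of a HijackThis log."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O4_RE.match(line):
            cmd = re.sub(r" \(User '[^']*'\)$", "", m["cmd"])   # drop HijackThis' user suffix
            exe = re.match(r"(?i)(.*?\.exe)", cmd)              # path up to the first .exe
            path = exe.group(1) if exe else cmd
            fname = path.rsplit("\\", 1)[-1].lower()
            stem = fname[:-4] if fname.endswith(".exe") else fname
            if fname in REMOVE_LIST:
                findings.append(("O4", "on removal list", path))
            if is_lookalike(stem):
                findings.append(("O4", "lookalike of a system process name", path))
            if fname.endswith(".tmp.exe"):
                findings.append(("O4", "temp-named executable set to run at start-up", path))
        elif m := O17_RE.match(line):
            findings.append(("O17", "hard-coded DNS servers; verify against ISP/router", m["servers"]))
        elif (m := O23_RE.match(line)) and m["missing"]:
            findings.append(("O23", "service points at a missing binary", m["path"]))
    return findings
```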
 
Reader_s.exe - known vector for virut.

Back up and FULL reformat. The 8 steps won't do anything for you.
 