Registered User
Join Date: Apr 2009
Posts: 2
OS: XP
virut reader_s.exe
Hello,
Here is the situation before using SDFix (about 1 month ago):

1. The process reader_s.exe starts running after logging in, and a copy of the file reader_s.exe is found in 'c:\documents and settings\user\' and 'c:\windows\system32\', and a file called restore.sys is created in 'C:\WINDOWS\system32\drivers\'. These files come back even when Kaspersky deletes them, when I connect to the Internet.
2. Processes called A.tmp, 2.tmp, 3.tmp, 6.tmp, 8.tmp, 9.tmp, VRT4.tmp etc. run at random from the 'system32' folder and the 'temp' folder.
3. 4 svchost.exe processes start running just after my connection to the Internet.

Now, after using SDFix, there is no more reader_s.exe/restore.sys and no more tmp files running, but until now 4 svchost.exe processes start running when I connect; they lag the PC because they use a lot of memory.

DDS.txt log:

```
DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrateur at 19:16:26,46 on 08/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professionnel 5.1.2600.2.1256.216.1036.18.248.64 [GMT 1:00]
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
```

Last edited by nidhal2; 05-09-2009 at 11:29 AM.