virus reader_S

jammoboss

This virus seems to be new. I saw a few posts whilst searching using Google that this came out in Feb this year, and even though people have formatted several times they can't seem to get rid of it. It appears in your windows\system32 and in your documents and settings\your name and HKLM/Software/Microsoft/Windows/CurrentVersion/Run.

You can delete it but it reappears on boot up; it replaces several system files, like NDIS.SYS. I also discovered that it created a rootkit.

I have read that even if you remove it, it logs your IP from somewhere else and downloads itself to my computer every time I connect to the internet, which would make sense of why it reappears when you've completely wiped your hard drive or even replaced it.

The internet connection starts off at a good speed then slows right down, ending with no connection even though the modem lights are continuously busy.

Anyone had this trouble and is there a way to fix it?
 
This is a nasty little thing, and pretty much impossible to get rid of. You can get rid of parts of the virus by using Bitdefender, ComboFix and SDFix.

Depending on how long the virus has been on your system, this might be too late.

Ask if you want websites and more info.

Formatting won't get rid of it as it can survive that; it stores itself in TEMP folders, spamming that with junk.

I will re-post with any more help I can supply.

GG.
 
Thanks. After reformatting the hard drive again and installing all the spyware and virus scanners I had, the reader_s wasn't anywhere to be seen, but I knew from what I've read that if I connected my cable modem back up it would probably return. I did in the end, and about 1 minute into using the internet the screen just froze.

After rebooting and entering Windows, it was back lol. My connection is crap again, it keeps going and my PC is slow.

I have looked everywhere and this is classified as a dangerous trojan.

Am I alone with this virus here lol
 
Sounds a nasty little bugger. Can you not force your modem/router to get a new IP address from your ISP? It means you will be offering the opportunity for somebody else to receive your old IP and hence the infection.....

Also it may be worthwhile low-level formatting the hard drive. It always used to be frowned upon with IDEs as it clears the bad sector list, but you will find all disk manufacturers have the util on their websites nowadays.

keep us informed how you get on.
 
After trying to obtain (and failing) a new IP address, I have read a few other forums and gone through the registry to look for the parts that needed to be removed. The problem is all the reader_s files are not on my computer, nor are a few other files; the two locations I stated earlier that contain the reader_s file haven't come back since booting up, but my modem is still going crazy and very busy even though I'm not using it. It's making the internet too slow to use. I take it this is part of the trojan?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17:29, on 10/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

--
End of file - 5745 bytes

Any help would be appreciated. Should I call Virgin and see if they can do anything about the connection, as it's just busy non-stop?

I don't know what else to do now :(
 
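For anyone reading a HijackThis log like the one posted above, here is a small triage script (an added example, not part of this thread or of HijackThis) that parses the O4 autorun and O23 service lines and lists every entry whose executable sits outside a couple of directories the reviewer has decided to trust. The trusted directories, the `reader_s` Run-key line and the profile path are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the HijackThis log posted in the thread, plus one
# constructed O4 line (the reader_s entry) that mimics the Run-key persistence
# the original poster described; that value name and path are illustrative.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKLM\..\Run: [reader_s] C:\Documents and Settings\James\reader_s.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Directories trusted for a first pass (a reviewer's assumption, not a
# HijackThis rule). Anything else, including a bare file name with no
# directory such as a rundll32 host, is flagged for a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")

O4_RE = re.compile(r"^O4 - (?P<where>.+?\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First quoted or unquoted token ending in a PE extension; arguments are dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|sys|scr))', re.IGNORECASE)

@dataclass
class Entry:
    section: str  # "O4" (autorun) or "O23" (service)
    where: str    # registry location (O4) or service display name (O23)
    name: str     # Run value name (O4) or vendor string (O23)
    exe: str      # executable exactly as written in the log

def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            e = EXE_RE.match(m["cmd"])
            entries.append(Entry("O4", m["where"], m["name"], e["exe"] if e else m["cmd"]))
        elif line.startswith("O23 - Service: "):
            # Service display names may themselves contain " - ", so split from the right.
            svc, vendor, path = line[len("O23 - Service: "):].rsplit(" - ", 2)
            entries.append(Entry("O23", svc, vendor, path))
    return entries

def flag(entries: List[Entry], trusted=TRUSTED_PREFIXES) -> List[Entry]:
    """Return the entries whose executable is not under a trusted directory."""
    return [e for e in entries if not e.exe.lower().startswith(trusted)]

if __name__ == "__main__":
    for e in flag(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section} {e.where} [{e.name}] -> {e.exe}")
```

A path inside system32 passes this check, which is exactly where the original poster said the file turned up, so treat the output as a shortlist rather than a verdict and compare flagged names against the scanner logs in the thread.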
Mm, to get a new IP you do have to do the release thing and then leave the modem off overnight, but it doesn't always work.

Did you try a low-level format?

Do you have an old HDD you could try, just in case it's something staying in the master boot record, like in the old days when you had to use software to be able to use an HDD bigger than the BIOS of the m/b allowed? Long shot but worth a try?

The other thing you could try is with a boot disk, Win98SE or DOS 6.22 (available at Bootdisk.Com): boot up with the floppy in and run fdisk and remove all partitions, then reboot and run fdisk again with this command: fdisk /mbr
Then re-install Windows doing a full format.

I did have a look on the net; looks like a few folks have the problem but nobody has a definitive way of solving it. A few said I did this, this and this and it's sort of gone etc.

To be honest you will need to post the HijackThis log on their forum; many will help you there if it does point to anything...
 
Thanks.

I phoned up Virgin regarding the activity on the modem and on their side it's all okay, so they couldn't help. The files still haven't returned, but every time I boot up now Avira Guard comes on with a pop-up saying "C:\WINDOWS\Temp\BN3.tmp is the TR/Dropper.Gen Trojan".

If I quarantine/delete it, it returns when I reboot? Can things get any worse lol
 
Malwarebytes' Anti-Malware 1.34
Database version: 1832
Windows 5.1.2600 Service Pack 3

10/03/2009 22:36:44
mbam-log-2009-03-10 (22-36-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 94405
Time elapsed: 27 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\James\Application Data\nidle (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\James\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

These temp files keep coming up, mind, with Avira Guard when I boot back into Windows: c:\windows\temp\bn1.tmp is the TR/Dropper.gen Trojan arghhhh
 
Sorry to post again, but I decided to try a scan again. This time I switched off system recovery, deleted all cookies and temp files, released the IP address, used Malwarebytes' Anti-Malware for the scan and reset the PC. I reconnected the modem once in Windows; not sure if the IP address is the same (looks like it).

I haven't had one .tmp file come up, the reader_s has not come back, no reports of any trojans, and my modem lights have calmed down and the connection and the PC itself seem faster again. Trying a game online, my ping was in the 100s and it's now back in the 30s :)

I'm hoping it will stay now; just thought I would suggest what I did in case anyone else has it.
 
I don't believe this: the reader_s file is back. Just formatted it for the 5th time and it's come back again. This is going to be a bugger.
 
After releasing my IP address and going without the net for 2 days, with a full format and reinstalling all the drivers I could from the CDs I had, after reconnecting the net I haven't had any trouble with the reader_s file appearing and the internet seems normal. :)

The only thing that has me a bit worried is that the RB.tmp files that were appearing in my Windows temp folder seem to keep appearing in my recycle bin? Anyone know why?
 
Can anyone help? Since this trouble (past posts), which I think is still resolved, I just keep getting the RB*.tmp files directly in my recycle bin. I take it it has something to do with using Malwarebytes? The file is 0 in size and they just keep popping up.

The other thing is I cannot use the Windows Update page anymore; it comes up with "this page cannot be displayed". I have Service Pack 3. With all the trojan problems I had, I took a quick look and it still could be related to something rootkit. Can anyone help me on what to do for the update page?

Thanks
 
"Formatting wont get rid of it as it can survive that, it stores itself in TEMP folders, spamming that with junk."

utter rubbish.

Are you copying any of your data back? It might be somewhere in there: a zip file, photo, music you downloaded.

What firewall / antivirus do you use? Blueyonder PC Guard is not to be relied on.

Is System Restore turned off when you do the disinfecting?
 
If there's weird files appearing, it sounds like the virus is still there. Here's what I'd do:

FIRST THINGS FIRST - Turn off 'SYSTEM RESTORE', then

McAfee Stinger - a stand-alone trojan remover: McAfee Threat Center. Run it.

Next, install ALL these applications, UPDATE them (they're only as good as how up to date the definitions are), then run full scans.

Advanced Windows Care Personal Free Edition : PC Repair with Advanced SystemCare Free | System Care, Windows Care, Free Download
CCLeaner : CCleaner - Home
Spybot : The home of Spybot-S&D!
Ad-Aware : Ad-Aware by Lavasoft - Antivirus software, free spyware removal, firewall

And finally post a HijackThis log. Don't install any unnecessary packages or applications till you know it's running OK.

See how that goes.

IF AFTER ALL THAT it's still fooked - start from scratch, but do it in this order:

Before you format it, download and keep a DECENT firewall and Anti Virus application and Service Pack 3 - YOU MUST INSTALL THESE BEFORE YOU RE-CONNECT THE PC TO THE INTERNET. Under NO CIRCUMSTANCES connect the PC to the internet in any way - not even for Windows updates/drivers/etc - nothing. Keep the applications you downloaded safe on a USB drive till you need them. Don't be tempted to plug it into the net!! Follow this procedure:

<> Format the hard disk (FULL low level format using Hiren's BootCD)
<> Install Windows
<> Install SP3
<> Install Firewall / AntiVirus

For a firewall, I'd recommend 'Sygate Personal': Sygate Personal Firewall - DOWNLOAD at OLD VERSION.COM - it's small but very secure.

Also, DO NOT COPY ACROSS ANY OF YOUR OLD DATA JUST YET, as it may have infected some of your files. What we're trying to do here is get a basic secure build of XP running so we know we're OK.
 
Been reading around regarding these RB*.tmp files appearing in the recycle bin after booting up. I've used Malwarebytes ever since this reader_s was found, but I have PC Guard on in the background. I haven't tried it yet, but could it have something to do with PC Guard being on? Just been reading other posts with this problem.
 
The other thing that I would suggest - as someone hinted at previously - is to remove and then recreate all partitions on your hard drive, i.e. perform a low-level format. It's likely that the virus 'lives' in your MBR (Master Boot Record), because standard reformats only rewrite partition table data; that would explain why the virus wasn't removed the first time you reformatted!
 
Jesus fella, you're using PC Guard!! When you sort this one out, get shot of it and its bollox firewall if you're using it. PC Guard has always had problems running with any other security software, and that aside it's just plain ka ka. manofscience has given you some good programs and I'm sure Ad-Aware will nail it. I take it your media player is WMP?? That's how it got in. It's a trojan that acts as a codec and is a nasty bastard. I would also uninstall any codec pack loaded afterwards and change your WMP settings by not allowing it to get internet access. Anyway good luck and keep us posted...
 