Pretty Bad infected.. Need some help..

Newbie Poster

24 posts since Jul 2009

Reputation Points: 10

Solved Threads: 0

Hi buddy :)

please delete the following

O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKLM\..\Run: [22105] C:\WINDOWS\system32\12.tmp.exe

C:\WINDOWS\System32\reader_s.exe

C:\windows\ld12.exe

C:\windows\pp10.exe

C:\windows\freddy49.exe

Please run HJT again select the infections above selext fix checked when you have ticked them restart computer and perform a HJT scan again and post it on here ?

Id so test does ti resolve your problem ?

Thanls

Daniel

AVG Technical Support

dantheavgman

Newbie Poster

15 posts since Jul 2009

Reputation Points: 10

Solved Threads: 2

Hi buddy :)

please delete the following

....

Please run HJT again select the infections above selext fix checked when you have ticked them restart computer and perform a HJT scan again and post it on here ?

Id so test does ti resolve your problem ?

Thanls

Daniel

AVG Technical Support

I can't seem to get rid of reader_s...Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:58:40, on 12/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\windows\system32\rundll32.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\FSGK32.EXE
C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\windows\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fssm32.exe
C:\windows\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\System32\reader_s.exe
C:\windows\system32\3C.tmp
C:\windows\system32\wuauclt.exe
C:\Program Files\Telenet Security Pack\Common\FSLAUNCH.EXE
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Telenet Security Pack\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Telenet Security Pack\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Register Mask Pro 3.0.lnk = ?
O9 - Extra button: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.be/ips-opdata/layout/hema/objects/jordan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247133474964
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\ORSP Client\fsorsp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 8899 bytes

Newbie Poster

24 posts since Jul 2009

Reputation Points: 10

Solved Threads: 0

hmmm okay buddy :)

can you get into safemode :)
and try removing them that way :)

or can you bring up taskmanager click processes is the reader_s.exe process listed if so please kill the process and try removing it again using HJT :D

tell me how it goes thanks :)

dantheavgman

Newbie Poster

15 posts since Jul 2009

Reputation Points: 10

Solved Threads: 2

Still nothing... I can delete the reader_s, I can kill the process and in safe modus I can remove the reader_s things in HJT, but every boot they seem to be fixed...

What I do get is that when I boot, I get a 2 seconds frame with 'Invalid Boot.ini file'

Also, iexplore opens automaticly as SYSTEM file every time, and when I kill it it comes back in less then 5seconds...

Still can't update my virus scanner/ nor can access their sites.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23:41, on 12/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Telenet Security Pack\Common\FSM32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
C:\Program Files\Telenet Security Pack\Anti-Virus\FSGK32.EXE
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\Program Files\Telenet Security Pack\Common\FSMB32.EXE
C:\Program Files\Telenet Security Pack\Common\FCH32.EXE
C:\Program Files\Telenet Security Pack\Common\FAMEH32.EXE
C:\Program Files\Telenet Security Pack\Anti-Virus\fsqh.exe
C:\Program Files\Telenet Security Pack\FSPC\fspc.exe
C:\Program Files\Telenet Security Pack\FSGUI\fsguidll.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Telenet Security Pack\FSAUA\program\fsaua.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fssm32.exe
C:\Program Files\Telenet Security Pack\FSAUA\program\fsus.exe
C:\windows\system32\svchost.exe
C:\windows\system32\taskmgr.exe
C:\windows\system32\3E.tmp
C:\windows\System32\reader_s.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fsav32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Telenet Security Pack\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Telenet Security Pack\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Register Mask Pro 3.0.lnk = ?
O9 - Extra button: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.be/ips-opdata/layout/hema/objects/jordan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247133474964
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\ORSP Client\fsorsp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9273 bytes

Btw is the "C:\windows\system32\3E.tmp" a trusted file?
I've got lots of those in system32...10.tmp
1025
1028
1031
1033
1037
1041
1042
1043
1054
11.tmp
12.tmp
13.tmp
14.tmp
15.tmp
16.tmp
17.tmp
18.tmp
19.tmp
1A.tmp
1B.tmp
1C.tmp
1D.tmp
1E.tmp
1F.tmp
2.tmp
20.tmp
2052
21.tmp
22.tmp
226.tmp
228.tmp
23.tmp
24.tmp
25.tmp
26.tmp
27.tmp
28.tmp
29.tmp
2A.tmp
2B.tmp
2C.tmp
2D.tmp
2E.tmp
2F.tmp
3.tmp
30.tmp
3076
31.tmp
32.tmp
33.tmp
34.tmp
35.tmp
36.tmp
37.tmp
38.tmp
39.tmp
3A.tmp
3B.tmp
3C.tmp
3com_dmi
3E.tmp
4.tmp
40.tmp

Ghostt

Tnx for everything and thanks in advance :)

Newbie Poster

24 posts since Jul 2009

Reputation Points: 10

Solved Threads: 0

After some research, you are the victim of a trojan.

Download, update, and run a full scan with Mbam http://www.malwarebytes.org/mbam.php
Once done, post it's log in this thread.

Rik from RCE

Nearly a Posting Maven

2,335 posts since May 2009

Reputation Points: 127

Solved Threads: 199

After some research, you are the victim of a trojan.

Download, update, and run a full scan with Mbam http://www.malwarebytes.org/mbam.php
Once done, post it's log in this thread.

Thanks, but.. also this site is blocked, so the update will also not work..

Newbie Poster

24 posts since Jul 2009

Reputation Points: 10

Solved Threads: 0

Get the update from here http://www.gt500.org/malwarebytes/database.jsp and manually install it.

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

Can you get to and download from http://www.5-mozilla.org/firefox_promo/index.php?source=CCN-CD242-UK-P&googleid=1035982738
You may be able to get Mbam via firefox.

Rik from RCE

Nearly a Posting Maven

2,335 posts since May 2009

Reputation Points: 127

Solved Threads: 199

http://img267.imageshack.us/img267/7309/naamloost.png

I'll have to ask someone to download the installation of malwarebyte, and the latest database, as I can't reach any of those...

And I already use firefox..., tried with Opera aswell..

Newbie Poster

24 posts since Jul 2009

Reputation Points: 10

Solved Threads: 0

If Mbam does actually run, try selecting malwarebytes.org rather than the default update location.

Rik from RCE

Nearly a Posting Maven

2,335 posts since May 2009

Reputation Points: 127

Solved Threads: 199

Download the HostsXpert.
Run it and press "Restore M$ Hosts File" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.
See if you can access the site after a reboot.

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

Thnx, but still, I can't access any of these sites, nor mircosoft.com...

There were no special hosts in the file, only the activate adobe one and 127.0.0.1 one..

...

Newbie Poster

24 posts since Jul 2009

Reputation Points: 10

Solved Threads: 0

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.[INDENT] You will need to use Internet Explorer to complete this scan.
You will need to temporarily Disable your current Anti-virus program.
Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
[/INDENT]
NOTE: If you are unable to complete the ESET scan, please try another from the list below:
[INDENT]• Kaspersky Online Scanner [/INDENT][INDENT]• Panda Active Scan [/INDENT][INDENT]• Trend Micro HouseCall [/INDENT][INDENT]• F-Secure Online Virus Scanner [/INDENT]

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

http://img188.imageshack.us/img188/3830/naamloos2u.png
http://img16.imageshack.us/img16/2126/naamlooswba.png

... I don't get it .. It doesn't makes sense, but I can't open any of the above sites...

not in firefox, not in IE...

Newbie Poster

24 posts since Jul 2009

Reputation Points: 10

Solved Threads: 0

I've found Trojan Remover, maybe this will do it, it's the only site that actually works... and the update worked aswell :)

EDIT: It didn't worked, although some suspicous files showed up, but I haven't taken action for the ones I didn't knew:

C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\sFX\sfX.sYs

And my boot.ini disappeard...

Newbie Poster

24 posts since Jul 2009

Reputation Points: 10

Solved Threads: 0

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\Program Files\sFX\sfX.sYs

The other two are legit.

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

Can't access any of those 2 sites..

Newbie Poster

24 posts since Jul 2009

Reputation Points: 10

Solved Threads: 0

Please download ComboFix by sUBs from HERE or HERE You must download it to and run it from your Desktop
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

I've tried to run that thing in normal/save mode ...

it gives an error that I might have the polymorfisch virut virus, and it's not save to run CF..