0

Like 3 days ago, my system got destroyed by a virus, all standard programs weren't working anymore, so I decided to reinstall the whole thing...

After doing that, the virus is still here..

I can't access any AV site, nor microsoft.com,...
Every 10 minutes a malware popup shows up (it's a fake AV lookalike)

My virus scanner can't get updated, as it can't connect...

Here's the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:26:45, on 12/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\rundll32.exe
C:\WINDOWS\System32\reader_s.exe
C:\windows\ld12.exe
C:\windows\pp10.exe
C:\windows\freddy49.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
C:\Program Files\Telenet Security Pack\Anti-Virus\FSGK32.EXE
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fssm32.exe
C:\windows\system32\svchost.exe
C:\windows\system32\40.tmp
C:\windows\system32\wscntfy.exe
C:\Program Files\Telenet Security Pack\Common\FSLAUNCH.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [22105] C:\WINDOWS\system32\12.tmp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Telenet Security Pack\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Telenet Security Pack\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Register Mask Pro 3.0.lnk = ?
O9 - Extra button: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.be/ips-opdata/layout/hema/objects/jordan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247133474964
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\ORSP Client\fsorsp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9221 bytes

Thanks for help in advance.

Ghostt

6 Contributors, 42 Replies, 43 Views, 8 Years Discussion Span, Last Post by crunchie

Featured Replies
  • Hope you are up for a reformat :(? http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

0

Hi buddy :)

please delete the following

O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKLM\..\Run: [22105] C:\WINDOWS\system32\12.tmp.exe

C:\WINDOWS\System32\reader_s.exe

C:\windows\ld12.exe

C:\windows\pp10.exe

C:\windows\freddy49.exe

Please run HJT again, select the infections above, select "Fix checked" once you have ticked them, restart the computer, then perform a HJT scan again and post it here.

If so, test: does it resolve your problem?

Thanks

Daniel

AVG Technical Support
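The entries Daniel picked out are the ones a helper spots by eye: autostarts whose target sits directly in C:\windows, temp-style names such as 12.tmp.exe or 40.tmp, a Run value named with nothing but digits, and the same value (reader_s) registered under HKLM, HKCU, the SYSTEM hive and .DEFAULT at once. The Python script below is an added example, not part of this thread and not code from HijackThis or AVG; it applies those heuristics to a constructed excerpt of the log posted above. The allow-list of executables that legitimately live in the Windows root and the "machine-wide plus per-user" rule are assumptions, meant as triage hints rather than verdicts.

```python
"""Heuristic triage of HijackThis O4/O2 entries and the running-process list."""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\WINDOWS\System32\reader_s.exe
C:\windows\ld12.exe
C:\windows\pp10.exe
C:\windows\freddy49.exe
C:\windows\system32\40.tmp
C:\Program Files\AVG\AVG8\avgtray.exe

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [22105] C:\WINDOWS\system32\12.tmp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy49.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'Default user')
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
EXE_RE = re.compile(r"\.exe", re.IGNORECASE)
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$")
# Executables that legitimately live in the Windows root (assumed allow-list; extend as needed).
KNOWN_WINDOWS_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}


def extract_target(cmd):
    """Return the executable path from an O4 command ('"path" args', 'path', or 'exe args')."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.search(cmd)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def path_flags(path):
    """Heuristic reasons why an executable path deserves a second look."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if WINDOWS_ROOT_RE.match(p) and name not in KNOWN_WINDOWS_ROOT:
        reasons.append("executable directly in the Windows directory")
    if name.endswith(".tmp") or ".tmp." in name:
        reasons.append("temp-style filename")
    if PROFILE_ROOT_RE.match(p):
        reasons.append("executable in a user profile root")
    return reasons


def analyze(log_text):
    """Return a list of findings, each {'kind', 'item', 'why'}, for one HijackThis log."""
    findings = []
    run_hives = defaultdict(set)  # Run value name -> top-level hives it is registered under
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            for why in path_flags(line):
                findings.append({"kind": "process", "item": line, "why": why})
            continue
        m = O4_RE.match(line)
        if m:
            name, target = m.group("name"), extract_target(m.group("cmd"))
            run_hives[name.lower()].add(m.group("hive").split("\\")[0])
            reasons = path_flags(target)
            if name.isdigit():
                reasons.append("numeric Run value name")
            for why in reasons:
                findings.append({"kind": "O4", "item": f"[{name}] {target}", "why": why})
        elif line.startswith("O2 - BHO:") and line.endswith("- (no file)"):
            findings.append({"kind": "O2", "item": line, "why": "orphaned BHO entry (no file)"})
    # The same Run value under HKLM *and* per-user hives is redundant for legitimate
    # software but typical of malware that wants to start whichever account logs on.
    for name, hives in sorted(run_hives.items()):
        if "HKLM" in hives and hives & {"HKCU", "HKUS"}:
            findings.append({"kind": "O4", "item": f"[{name}] under {sorted(hives)}",
                             "why": "same Run value under machine-wide and per-user hives"})
    return findings


def summarize(findings):
    """Count findings per reason: the quick view a helper wants before reading details."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["why"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['why']:55} {f['item']}")
```

Run against the excerpt it reports exactly the four files Daniel named plus the 12.tmp.exe entry, the .tmp process, and reader_s through the cross-hive rule, while leaving Explorer.EXE, ctfmon and the AVG tray alone. Because it only looks at paths and hive layout it cannot tell a file infector like the one this thread turns out to involve from a plain dropper, so treat its output as a reading aid for the log, not as a verdict on the machine.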

0

I can't seem to get rid of reader_s...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:58:40, on 12/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\windows\system32\rundll32.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\FSGK32.EXE
C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\windows\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fssm32.exe
C:\windows\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\System32\reader_s.exe
C:\windows\system32\3C.tmp
C:\windows\system32\wuauclt.exe
C:\Program Files\Telenet Security Pack\Common\FSLAUNCH.EXE
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Telenet Security Pack\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Telenet Security Pack\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Register Mask Pro 3.0.lnk = ?
O9 - Extra button: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.be/ips-opdata/layout/hema/objects/jordan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247133474964
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\ORSP Client\fsorsp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 8899 bytes

0

hmmm okay buddy :)


can you get into safe mode :)
and try removing them that way :)

or can you bring up Task Manager, click Processes, and see if the reader_s.exe process is listed? If so, please kill the process and try removing it again using HJT :D

tell me how it goes thanks :)

0

Still nothing... I can delete the reader_s, I can kill the process, and in safe mode I can remove the reader_s things in HJT, but every boot they seem to be fixed...

What I do get is that when I boot, I get a 2 seconds frame with 'Invalid Boot.ini file'

Also, iexplore opens automatically as a SYSTEM file every time, and when I kill it, it comes back in less than 5 seconds...

Still can't update my virus scanner, nor can I access their sites.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23:41, on 12/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Telenet Security Pack\Common\FSM32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
C:\Program Files\Telenet Security Pack\Anti-Virus\FSGK32.EXE
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\Program Files\Telenet Security Pack\Common\FSMB32.EXE
C:\Program Files\Telenet Security Pack\Common\FCH32.EXE
C:\Program Files\Telenet Security Pack\Common\FAMEH32.EXE
C:\Program Files\Telenet Security Pack\Anti-Virus\fsqh.exe
C:\Program Files\Telenet Security Pack\FSPC\fspc.exe
C:\Program Files\Telenet Security Pack\FSGUI\fsguidll.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Telenet Security Pack\FSAUA\program\fsaua.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fssm32.exe
C:\Program Files\Telenet Security Pack\FSAUA\program\fsus.exe
C:\windows\system32\svchost.exe
C:\windows\system32\taskmgr.exe
C:\windows\system32\3E.tmp
C:\windows\System32\reader_s.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fsav32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Telenet Security Pack\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Telenet Security Pack\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Register Mask Pro 3.0.lnk = ?
O9 - Extra button: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.be/ips-opdata/layout/hema/objects/jordan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247133474964
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\ORSP Client\fsorsp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9273 bytes

Btw is the "C:\windows\system32\3E.tmp" a trusted file?
I've got lots of those in system32...

10.tmp
1025
1028
1031
1033
1037
1041
1042
1043
1054
11.tmp
12.tmp
13.tmp
14.tmp
15.tmp
16.tmp
17.tmp
18.tmp
19.tmp
1A.tmp
1B.tmp
1C.tmp
1D.tmp
1E.tmp
1F.tmp
2.tmp
20.tmp
2052
21.tmp
22.tmp
226.tmp
228.tmp
23.tmp
24.tmp
25.tmp
26.tmp
27.tmp
28.tmp
29.tmp
2A.tmp
2B.tmp
2C.tmp
2D.tmp
2E.tmp
2F.tmp
3.tmp
30.tmp
3076
31.tmp
32.tmp
33.tmp
34.tmp
35.tmp
36.tmp
37.tmp
38.tmp
39.tmp
3A.tmp
3B.tmp
3C.tmp
3com_dmi
3E.tmp
4.tmp
40.tmp

Ghostt

Tnx for everything and thanks in advance :)

0

After some research, you are the victim of a trojan.

Download, update, and run a full scan with Mbam http://www.malwarebytes.org/mbam.php
Once done, post its log in this thread.

Thanks, but this site is blocked as well, so the update will not work either..

0

Download the HostsXpert.
Run it and press "Restore M$ Hosts File" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.
See if you can access the site after a reboot.

0

Thnx, but still, I can't access any of these sites, nor microsoft.com...

There were no special hosts in the file, only the activate adobe one and 127.0.0.1 one..

...
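Rewriting the hosts file is the simplest way for malware to make AV and vendor sites unreachable, which is why the HostsXpert step above restores the stock file before anything else. The Python script below is an added example, not part of this thread and not HostsXpert's code: it audits a hosts file offline, skipping the stock localhost entries, and reports every other mapping, rating it high when the name belongs to a security vendor or Microsoft and noting whether it is sinkholed to the local host or redirected to some other address. The sample file is constructed: it contains the two lines the poster reported (localhost and activate.adobe.com) plus three entries of the kind a hijack would add; the watched-domain list is an assumption to extend as needed.

```python
"""Offline audit of a Windows hosts file for blocked or redirected vendor names."""
import ipaddress

# Constructed hosts file: the two entries reported in this thread plus three
# constructed hijack-style entries (198.51.100.7 is a documentation address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       activate.adobe.com
127.0.0.1       www.malwarebytes.org
0.0.0.0         update.microsoft.com   # constructed
198.51.100.7    www.avg.com            # constructed
"""

# Stock entries that a clean hosts file is expected to contain.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Name suffixes whose hijack blocks updates or help (assumed list, extend as needed).
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.org", "avg.com",
    "f-secure.com", "eset.com", "kaspersky.com", "trendmicro.com", "pandasecurity.com",
)


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping; comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not a valid address, so not a mapping
        for host in parts[1:]:  # one address may map several names
            yield lineno, ip, host.lower()


def is_watched(host):
    """True when the name is, or is under, one of the watched domains."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return findings for every non-stock mapping, in file order."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            why = "sinkholed to the local host"   # name made unreachable
        else:
            why = f"redirected to {ip}"           # name sent somewhere else entirely
        severity = "high" if is_watched(host) else "info"
        findings.append({"line": lineno, "ip": ip, "host": host,
                         "severity": severity, "why": why})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3} [{f['severity']}] {f['host']} {f['why']}")
```

On a real machine read the file from C:\WINDOWS\system32\drivers\etc\hosts and pass its contents to audit_hosts. As the reply that follows in this thread shows, a clean result only rules out this one mechanism: the poster's hosts file held nothing beyond the localhost and activate.adobe.com lines and the sites stayed unreachable, so the block was being done elsewhere.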

0

Please run the ESET Online Scanner and post the ScanLog with your post for assistance.

  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

  • Kaspersky Online Scanner
  • Panda Active Scan
  • Trend Micro HouseCall
  • F-Secure Online Virus Scanner

0

I've found Trojan Remover, maybe this will do it, it's the only site that actually works... and the update worked as well :)

EDIT: It didn't work, although some suspicious files showed up, but I haven't taken action on the ones I didn't know:

C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\sFX\sfX.sYs

And my boot.ini disappeared...

0

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

0

I've tried to run that thing in normal/safe mode ...

it gives an error that I might have the polymorphic Virut virus, and it's not safe to run CF..

0

Run hijackthis and go to the Misc Tools section and open the process manager.
On the right hand side, check the show dll box. Click on the copy to clipboard icon and paste the results back here.

0

Doing that only shows the DLLs from the selected process, which process should I select..

0

There you go:

Process list saved on 12:47:55, on 14/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
596 C:\windows\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
756 C:\windows\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
800 C:\windows\system32\services.exe 5.1.2600.2180 Microsoft Corporation
840 C:\windows\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
992 C:\windows\system32\Ati2evxx.exe 6.14.10.4199 ATI Technologies Inc.
1016 C:\windows\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1392 C:\windows\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1440 C:\windows\system32\Ati2evxx.exe 6.14.10.4199 ATI Technologies Inc.
2020 C:\windows\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
252 C:\windows\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
428 C:\windows\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
456 C:\Program Files\Telenet Security Pack\Common\FSM32.EXE 7.80.12726.0 F-Secure Corporation
564 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe 53.0.13.0 Hewlett-Packard Co.
572 C:\windows\System32\reader_s.exe
612 C:\windows\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
620 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe 2.0.301.1654 Google Inc.
632 C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
696 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe 53.0.13.0 Hewlett-Packard Co.
1160 C:\WINDOWS\SYSTEM32\astsrv.exe 5.3.1.0 Nalpeiron Ltd.
1372 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe 8.0.0.145 AVG Technologies CZ, s.r.o.
1632 C:\windows\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1636 C:\windows\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1556 C:\windows\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2276 C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe 7.60.13450.0 F-Secure Corporation
2292 C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE 7.80.12726.0 F-Secure Corporation
2308 C:\Program Files\Telenet Security Pack\Anti-Virus\FSGK32.EXE 7.70.14240.20075 F-Secure Corp.
2396 C:\windows\system32\HPZipm12.exe 9.0.0.0 HP
2444 C:\Program Files\Telenet Security Pack\Common\FSMB32.EXE 7.80.12726.0 F-Secure Corporation
2644 C:\WINDOWS\sySTEM32\SvchoSt.ExE 5.1.2600.2180 Microsoft Corporation
2692 C:\windows\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
3372 C:\Program Files\Telenet Security Pack\Common\FCH32.EXE 7.80.12726.0 F-Secure Corporation
3384 C:\windows\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
3816 C:\Program Files\Telenet Security Pack\Common\FAMEH32.EXE 7.80.12726.0 F-Secure Corporation
3840 C:\Program Files\Telenet Security Pack\Anti-Virus\fsqh.exe 6.0.100.0 F-Secure Corporation
3912 C:\Program Files\Telenet Security Pack\FSPC\fspc.exe 8.10.14230.0 F-Secure Corporation
3920 C:\windows\system32\wscntfy.exe 5.1.2600.2180 Microsoft Corporation
4084 C:\Program Files\Telenet Security Pack\FSGUI\fsguidll.exe 7.26.1090.0 F-Secure Corporation
2524 C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe 53.0.13.0 Hewlett-Packard Co.
2956 C:\PROGRA~1\AVG\AVG8\avgrsx.exe 8.0.0.134 AVG Technologies CZ, s.r.o.
3292 C:\PROGRA~1\AVG\AVG8\avgemc.exe 8.0.0.159 AVG Technologies CZ, s.r.o.
3864 C:\Program Files\Telenet Security Pack\FSAUA\program\fsaua.exe 8.23.2876.0 F-Secure Corporation
2516 C:\Program Files\Telenet Security Pack\Anti-Virus\fssm32.exe 7.70.14240.20075 F-Secure Corp.
3068 C:\Program Files\Telenet Security Pack\FSAUA\program\fsus.exe 8.23.2876.0 F-Secure Corporation
3804 C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe 53.0.13.0 Hewlett-Packard Co.
4904 C:\windows\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
4812 C:\windows\system32\4E.tmp
6004 C:\windows\system32\51.tmp
4944 C:\Program Files\Telenet Security Pack\Anti-Virus\fsav32.exe 8.20.14190.0 F-Secure Corporation
2912 C:\Program Files\Windows Media Player\wmplayer.exe 11.0.5721.5145 Microsoft Corporation
4604 C:\Program Files\Mozilla Firefox\firefox.exe 1.9.1.3462 Mozilla Corporation
4444 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.


DLLs loaded by process C:\windows\Explorer.EXE:

[full path to filename] [file version] [company name]
C:\windows\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\kernel32.dll 5.1.2600.3541 Microsoft Corporation
C:\windows\system32\msvcrt.dll 7.0.2600.2180 Microsoft Corporation
C:\windows\system32\ADVAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\RPCRT4.dll 5.1.2600.3555 Microsoft Corporation
C:\windows\system32\Secur32.dll 5.1.2600.3518 Microsoft Corporation
C:\windows\system32\GDI32.dll 5.1.2600.3466 Microsoft Corporation
C:\windows\system32\USER32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\SHLWAPI.dll 6.0.2900.3562 Microsoft Corporation
C:\windows\system32\SHELL32.dll 6.0.2900.3402 Microsoft Corporation
C:\windows\system32\ole32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\OLEAUT32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\BROWSEUI.dll 6.0.2900.3562 Microsoft Corporation
C:\windows\system32\SHDOCVW.dll 6.0.2900.3562 Microsoft Corporation
C:\windows\system32\CRYPT32.dll 5.131.2600.2180 Microsoft Corporation
C:\windows\system32\MSASN1.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\CRYPTUI.dll 5.131.2600.2180 Microsoft Corporation
C:\windows\system32\WINTRUST.dll 5.131.2600.2180 Microsoft Corporation
C:\windows\system32\IMAGEHLP.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\NETAPI32.dll 5.1.2600.3462 Microsoft Corporation
C:\windows\system32\WININET.dll 8.0.6001.18702 Microsoft Corporation
C:\windows\system32\Normaliz.dll 6.0.5441.0 Microsoft Corporation
C:\windows\system32\urlmon.dll 8.0.6001.18702 Microsoft Corporation
C:\windows\system32\iertutil.dll 8.0.6001.18702 Microsoft Corporation
C:\windows\system32\WLDAP32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\VERSION.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\UxTheme.dll 6.0.2900.2180 Microsoft Corporation
C:\windows\system32\ShimEng.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\AppPatch\AcGenral.DLL 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\WINMM.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\MSACM32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\USERENV.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\IMM32.DLL 5.1.2600.2180 Microsoft Corporation
C:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0.2900.2180 Microsoft Corporation
C:\windows\system32\comctl32.dll 5.82.2900.2180 Microsoft Corporation
C:\windows\system32\msctfime.ime 5.1.2600.3531 Microsoft Corporation
C:\windows\system32\appHelp.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\CLBCATQ.DLL 2001.12.4414.258 Microsoft Corporation
C:\windows\system32\COMRes.dll 2001.12.4414.258 Microsoft Corporation
C:\windows\System32\cscui.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\System32\CSCDLL.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\themeui.dll 6.0.2900.2180 Microsoft Corporation
C:\windows\system32\MSIMG32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\xpsp2res.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\actxprxy.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\msutb.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSCTF.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\SAMLIB.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\SETUPAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\LINKINFO.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\ntshrui.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\ATL.DLL 3.5.2284.0 Microsoft Corporation
C:\windows\system32\ieframe.dll 8.0.6001.18702 Microsoft Corporation
C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\credui.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\rsaenh.dll 5.1.2600.2161 Microsoft Corporation
C:\windows\system32\msi.dll 3.1.4000.2435 Microsoft Corporation
C:\windows\system32\WINSTA.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\webcheck.dll 8.0.6001.18702 Microsoft Corporation
C:\WINDOWS\system32\MLANG.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\stobject.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\BatMeter.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\POWRPROF.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 Microsoft Corporation
C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.3494 Microsoft Corporation
C:\windows\system32\mydocs.dll 6.0.2900.2180 Microsoft Corporation
C:\Program Files\Stardock\Fences\DesktopDock.dll 0.96.0.0 Stardock
C:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\gdiplus.dll 5.1.3102.3352 Microsoft Corporation
C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 Microsoft Corporation
C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 Microsoft Corporation
C:\windows\system32\mscms.dll 5.1.2600.3396 Microsoft Corporation
C:\windows\system32\WINSPOOL.DRV 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\icm32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\wdmaud.drv 5.1.2600.2180 Microsoft Corporation
C:\Program Files\Telenet Security Pack\Spam Control\fsscoepl.dll 1.2.7040.0 F-Secure Corporation
C:\windows\system32\msacm32.drv 5.1.2600.0 Microsoft Corporation
C:\windows\system32\midimap.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\MPR.dll 5.1.2600.2180 Microsoft Corporation
C:\Program Files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll 4.0.0.344 Adobe Systems Incorporated
C:\windows\System32\drprov.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\System32\ntlanman.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\System32\NETUI0.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\System32\NETUI1.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\System32\NETRAP.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\System32\davclnt.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\SXS.DLL 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\browselc.dll 6.0.2900.2180 Microsoft Corporation
C:\windows\system32\DUSER.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\MSGINA.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\ODBC32.dll 3.525.1117.0 Microsoft Corporation
C:\windows\system32\comdlg32.dll 6.0.2900.2180 Microsoft Corporation
C:\windows\system32\odbcint.dll 3.525.1117.0 Microsoft Corporation
C:\windows\system32\wiashext.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\sti.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CFGMGR32.dll 5.1.2600.2180 Microsoft Corporation
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll 9.1.0.163 Adobe Systems, Inc.
C:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll 8.0.-14809.762 Microsoft Corporation
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.NLD 9.1.0.163
C:\WINDOWS\system32\shimgvw.dll 6.0.2900.2180 Microsoft Corporation
C:\windows\system32\shmedia.dll 6.0.2900.2180 Microsoft Corporation
C:\windows\system32\MSVFW32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\AVIFIL32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\wmvcore.dll 11.0.5721.5251 Microsoft Corporation
C:\windows\system32\WMASF.DLL 11.0.5721.5238 Microsoft Corporation
C:\WINDOWS\system32\wmpshell.dll 11.0.5721.5145 Microsoft Corporation
C:\WINDOWS\system32\l3codeca.acm 1.9.0.305 Fraunhofer Institut Integrierte Schaltungen IIS
C:\Program Files\Telenet Security Pack\Common\fpshx.dll 7.0.13180.0 F-Secure Corporation
C:\Program Files\Telenet Security Pack\Common\FSMA32.dll 7.80.12726.0 F-Secure Corporation
C:\Program Files\Telenet Security Pack\Common\FSPMAPI.dll 7.80.12726.0 F-Secure Corporation
C:\Program Files\Telenet Security Pack\Common\fslapi.dll 7.2.3140.0 F-Secure Corporation
C:\windows\system32\MFC42.DLL 6.2.4131.0 Microsoft Corporation
C:\windows\system32\MFC42LOC.DLL 6.0.8665.0 Microsoft Corporation
C:\Program Files\Telenet Security Pack\Common\fpshx.eng 7.0.12180.0
C:\Program Files\WinRAR\rarext.dll 3.90.4.0
C:\PROGRA~1\TROJAN~1\Trshlex.dll 1.1.0.47 Simply Super Software
C:\windows\system32\SHFolder.dll 6.0.2900.2180 Microsoft Corporation
C:\windows\system32\olepro32.dll 5.1.2600.2180 Microsoft Corporation
C:\Program Files\Stardock\Fences\FencesMenu.dll 0.96.0.0 Stardock
C:\Program Files\AVG\AVG8\avgse.dll 8.0.0.134 AVG Technologies CZ, s.r.o.
C:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll 8.0.-14809.762 Microsoft Corporation
C:\windows\system32\shdoclc.dll 6.0.2900.2180 Microsoft Corporation
C:\windows\system32\dciman32.dll 5.1.2600.2180 Microsoft Corporation
C:\windows\system32\MSISIP.DLL 3.1.4000.1823 Microsoft Corporation
C:\WINDOWS\system32\wshext.dll 5.6.0.8820 Microsoft Corporation
C:\WINDOWS\system32\wshNL.DLL 5.6.0.6626 Microsoft Corporation

0
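Added example (not part of the thread): the process list above is the kind of log a helper reads by eye for a few tell-tale signs: executables with no version or company resource, files named like temp files, a binary sitting directly in a user's profile root, the same file name living in two directories, and a core Windows binary whose image path is spelled with odd casing. The script below parses HijackThis' "pid path version company" format and applies those rules. The sample lines are copied from the list above; the rules themselves are my own heuristics, not anything HijackThis does, and the casing check is deliberately limited to Windows directories and core binary names so that CamelCase vendor files do not trip it.

```python
# Added example, not from the original thread: triage a HijackThis
# process list ("pid  path  version  company") for the indicators a
# malware-removal helper looks for. Sample lines are copied from the
# list posted above; the flagging rules are my own heuristics.
import re
from collections import defaultdict

VERSION_RE = re.compile(r"^\d+(?:\.-?\d+){1,3}$")
TMP_NAME_RE = re.compile(r"^[0-9a-f]{1,4}\.tmp$", re.IGNORECASE)
PROFILE_ROOT = "c:\\documents and settings\\"
# Core Windows binaries: a legitimate image path is lower, UPPER or
# Capitalized; "SvchoSt.ExE" is neither.
CORE_BINARIES = {"smss", "csrss", "winlogon", "services", "lsass",
                 "svchost", "explorer", "spoolsv", "rundll32", "userinit"}

SAMPLE_PROCESS_LIST = r"""
596 C:\windows\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
2020 C:\windows\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
564 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe 53.0.13.0 Hewlett-Packard Co.
572 C:\windows\System32\reader_s.exe
632 C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
2644 C:\WINDOWS\sySTEM32\SvchoSt.ExE 5.1.2600.2180 Microsoft Corporation
4812 C:\windows\system32\4E.tmp
""".strip()


def parse_process_line(line):
    """Split 'pid path [version company]' into a dict.

    Paths contain spaces, so the first token that looks like 1.2.3.4 is
    used as the delimiter; a line without one is a file that carries no
    version resource at all."""
    tokens = line.split()
    pid = int(tokens[0])
    ver_idx = next((i for i, t in enumerate(tokens)
                    if i >= 2 and VERSION_RE.match(t)), None)
    if ver_idx is None:
        return {"pid": pid, "path": " ".join(tokens[1:]),
                "version": "", "company": ""}
    return {"pid": pid, "path": " ".join(tokens[1:ver_idx]),
            "version": tokens[ver_idx],
            "company": " ".join(tokens[ver_idx + 1:])}


def odd_casing(word):
    """True for a word that is neither lower, UPPER nor Capitalized."""
    return word not in (word.lower(), word.upper(), word.capitalize())


def words(component):
    return [w for w in re.split(r"[^A-Za-z0-9]+", component) if w]


def flag_process(proc, locations):
    path = proc["path"]
    parts = path.split("\\")
    dirs, filename = parts[:-1], parts[-1]
    stem = filename.rsplit(".", 1)[0]
    low = path.lower()
    flags = []
    if not proc["version"]:
        flags.append("no version/company metadata")
    if TMP_NAME_RE.match(filename):
        flags.append("executing .tmp file")
    if low.startswith(PROFILE_ROOT) and len(parts) == 4:
        flags.append("runs from user profile root")
    if low.startswith("c:\\windows\\") and any(
            odd_casing(w) for d in dirs[2:] for w in words(d)):
        flags.append("odd casing in Windows directory name")
    if stem.lower() in CORE_BINARIES and odd_casing(stem):
        flags.append("odd casing of core binary name")
    if len(locations[filename.lower()]) > 1:
        flags.append("same file name in %d directories"
                     % len(locations[filename.lower()]))
    return flags


def triage(text):
    """Return {pid: [flags]} for every process that trips a rule."""
    procs = [parse_process_line(l) for l in text.splitlines() if l.strip()]
    locations = defaultdict(set)
    for p in procs:
        d, _, f = p["path"].lower().rpartition("\\")
        locations[f].add(d)
    findings = {}
    for p in procs:
        flags = flag_process(p, locations)
        if flags:
            findings[p["pid"]] = flags
    return findings


if __name__ == "__main__":
    for pid, flags in triage(SAMPLE_PROCESS_LIST).items():
        print(pid, "; ".join(flags))
```

Paste the full process list in place of the sample to run it over a real log. None of these rules is proof on its own (a missing version resource is common in small utilities), but a process that trips several of them at once, as reader_s.exe does here, is the one to look at first.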

Download Avenger by Swandog and unzip it to your Desktop.

Note: This program must be run from an account with Administrator privileges.


  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.

Files to delete:
C:\windows\System32\reader_s.exe
C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
C:\windows\system32\4E.tmp
C:\windows\system32\51.tmp

  • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
      • Scan for Rootkits is checked.
      • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Post the log back here please. (it can also be found at C:\avenger.txt)


====

Please download FileFind from Atribune:
http://www.atribune.org/downloads/FileFind.zip

Unzip the file and save it to your desktop.

To run FileFind, please do the following:

  • Click on FileFind.exe
  • In the box labeled "Enter the directory to search"
  • Enter Drive eg.. C:\
  • In the box labeled "Enter the file to search"
  • Enter the file reader_s.exe
  • Now click on the "Find" button
  • Once the utility has found the files click on "Export"
  • This will save a text file to your C:\ drive as "Export.txt"
  • Double click on Export.txt, copy and paste this information in your next post.
0

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\windows\System32\reader_s.exe" deleted successfully.
File "C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe" deleted successfully.
File "C:\windows\system32\4E.tmp" deleted successfully.
File "C:\windows\system32\51.tmp" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe - 20480 Bytes
C:\WINDOWS\system32\reader_s.exe - 20480 Bytes

Seems that it creates these 2 files at boot or something...

Following error on boot (finally managed to read it completely):

Invalid Boot.ini
Boot from C:/Windows/

0

Are you able to update and run MBA-M after the removal of those files?

Post new hijackthis log please.

0

No, still no connection to any AV update servers/sites..

( I killed the reader_s.exe process before doing this HJT report..)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:35, on 14/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Telenet Security Pack\Common\FSM32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\FSGK32.EXE
C:\windows\system32\HPZipm12.exe
C:\Program Files\Telenet Security Pack\Common\FSMB32.EXE
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\windows\system32\svchost.exe
C:\Program Files\Telenet Security Pack\Common\FCH32.EXE
C:\Program Files\Telenet Security Pack\Anti-Virus\fsqh.exe
C:\Program Files\Telenet Security Pack\Common\FAMEH32.EXE
C:\Program Files\Telenet Security Pack\FSPC\fspc.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Telenet Security Pack\FSGUI\fsguidll.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fssm32.exe
C:\Program Files\Telenet Security Pack\FSAUA\program\fsaua.exe
C:\Program Files\Telenet Security Pack\FSAUA\program\fsus.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\windows\system32\svchost.exe
C:\Program Files\Telenet Security Pack\Anti-Virus\fsav32.exe
C:\windows\System32\svchost.exe
C:\windows\explorer.exe
C:\windows\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Telenet Security Pack\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Telenet Security Pack\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Regedit32] C:\windows\system32\regedit.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Register Mask Pro 3.0.lnk = ?
O9 - Extra button: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Ouderlijk... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Telenet Security Pack\FSPC\fspcmsie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.be/ips-opdata/layout/hema/objects/jordan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247133474964
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Telenet Security Pack\ORSP Client\fsorsp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\windows\system32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9989 bytes

0
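Added example (not part of the thread): the O4 lines in the log above are where the persistence shows. The same Run value name, reader_s, points at one file under HKLM and a different file under HKCU, and the HKUS\S-1-5-18 (SYSTEM) and HKUS\.DEFAULT hives launch a file from one user's profile root; a Run entry that simply starts regedit.exe at every logon is also worth a look. The script below parses the O4 lines of a HijackThis log and reports those patterns. The sample lines are copied from the log above; the rules are my own heuristics, not HijackThis' own, and they are leads for manual review, not verdicts.

```python
# Added example, not from the original thread: triage the O4 (Run key)
# lines of a HijackThis log. The sample lines are copied from the log
# above; the flagging rules are my own heuristics, not HJT's.
import re
from collections import defaultdict

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# First executable in the command (quoted or bare), arguments dropped.
TARGET_RE = re.compile(r'^"?([^"]+?\.(?:exe|cpl|dll|scr|bat|com))\b',
                       re.IGNORECASE)
PROFILE_ROOT = "c:\\documents and settings\\"
# Run values under these hives execute for SYSTEM and for every new
# profile; a file from one user's profile has no business being there.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")
ADMIN_TOOLS = {"regedit", "cmd", "regsvr32"}

SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKLM\..\Run: [Regedit32] C:\windows\system32\regedit.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Eigenaar.VERFALLI-79FE00\reader_s.exe (User 'Default user')
""".strip()


def parse_o4(text):
    """Return one dict per O4 Run line: hive, value name, target file."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue  # not an O4 Run line (e.g. Global Startup)
        t = TARGET_RE.match(m["cmd"])
        entries.append({"hive": m["hive"], "name": m["name"],
                        "target": t.group(1) if t else m["cmd"]})
    return entries


def triage_run_entries(text):
    """Return [(hive, value name, [flags])] for entries that trip a rule."""
    entries = parse_o4(text)
    targets_by_name = defaultdict(set)
    for e in entries:
        targets_by_name[e["name"].lower()].add(e["target"].lower())
    findings = []
    for e in entries:
        low = e["target"].lower()
        parts = e["target"].split("\\")
        stem = parts[-1].rsplit(".", 1)[0].lower()
        flags = []
        if len(targets_by_name[e["name"].lower()]) > 1:
            flags.append("same value name points at different files "
                         "in different hives")
        if low.startswith(PROFILE_ROOT) and len(parts) == 4:
            flags.append("target sits directly in a user profile root")
        if e["hive"] in SYSTEM_HIVES and low.startswith(PROFILE_ROOT):
            flags.append("SYSTEM/Default hive launches a file from a user profile")
        if stem in ADMIN_TOOLS:
            flags.append("logon entry runs an administrative tool (%s)" % stem)
        if flags:
            findings.append((e["hive"], e["name"], flags))
    return findings


if __name__ == "__main__":
    for hive, name, flags in triage_run_entries(SAMPLE_O4):
        print("%-16s [%s] %s" % (hive, name, "; ".join(flags)))
```

The CTFMON.EXE entries are present in three hives too, but they all point at the same file and so are not reported; the comparison is on the resolved target, not on how many hives carry the name. That distinction is what separates a normal per-user autostart from a dropper that has written itself everywhere it could.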

I wonder if AVG is stopping the updates?!? Can you temporarily disable AVG and see if Mbam will then update?
