google tip

Packard bell / Easynote pb62rd0091
January 12, 2009 at 06:22:02
Specs: Microsoft Windows XP Professional, 1.866 GHz / 1014 MB
I got this strange message; it says: "Antivirus software helps you protect your computer against viruses and other security threats. Your system might be at risk now. Google recommends you to download and activate Total Defender to protect your PC from malicious intrusions from the internet". It's there, right on the googleboard. Sometimes I can't get into the sites I want to. It just repeats itself. And there's also a yellow banner which pops up with almost the same message. My question is: is this real Google or is it a virus? It's acting like a virus. What can I do to make this disappear?

#1
January 12, 2009 at 14:30:42
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

#2
January 12, 2009 at 14:38:54
Do not download this total antivirus software; it is rogue.

Thanks,

Chris

#3
January 12, 2009 at 15:50:11
Here is what I got:

From Malwarebytes:

Malwarebytes' Anti-Malware 1.32
Databaseversjon: 1647
Windows 5.1.2600 Service Pack 3

13.01.2009 00:31:05
mbam-log-2009-01-13 (00-31-05).txt

Skanntype: Rask Skann
Objekter skannet: 66270
Tid tilbakelagt: 6 minute(s), 26 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 1
Registernøkler infisert: 3
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 1

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
C:\WINDOWS\system32\6to4svc32.dll (Trjan.FakeAlert) -> Delete on reboot.

Registernøkler infisert:
HKEY_CLASSES_ROOT\CLSID\{4271487b-272c-4765-b759-7bb02f7c5f36} (Trjan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4271487b-272c-4765-b759-7bb02f7c5f36} (Trjan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4271487b-272c-4765-b759-7bb02f7c5f36} (Trjan.FakeAlert) -> Quarantined and deleted successfully.

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\WINDOWS\system32\6to4svc32.dll (Trjan.FakeAlert) -> Delete on reboot.

From Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:38:09, on 13.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ControlSkype 1.4\CSkype.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\APPS\SMP\SmpSys.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Telenor\Mobilt bredbånd\Mobilt bredbånd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Telenor\Mobilt bredbånd\GtDetectSc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Packard Bell\Desktop\tools.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ControlSkype] C:\Program Files\ControlSkype 1.4\CSkype.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SmpcSys] C:\APPS\SMP\SmpSys.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Mobilt bredbånd.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - C:\Microgaming\Poker\UnibetpokerMPP\MPPoker.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.buypass.no (HKLM)
O15 - Trusted Zone: http://*.headit.no (HKLM)
O15 - Trusted Zone: http://*.norsk-tipping.no (HKLM)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O17 - HKLM\System\CCS\Services\Tcpip\..\{86C5069A-2A18-4B77-8542-BC4F2751C81B}: NameServer = 62.63.0.10
O20 - AppInit_DLLs: karna.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GtDetectSc - OptionNV - C:\Program Files\Telenor\Mobilt bredbånd\GtDetectSc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

--
End of file - 9076 bytes

#4
January 12, 2009 at 18:58:07
Your Java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 11 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your Avast antivirus, Ad-Aware and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

#5
January 13, 2009 at 02:11:23
Here is the log from ComboFix:

ComboFix 09-01-11.04 - Packard Bell 2009-01-13 10:58:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.651 [GMT 1:00]
Kjører fra: c:\documents and settings\Packard Bell\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090113-0] *On-access scanning disabled* (Outdated)
* Opprettet nytt gjenopprettingspunkt
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Packard Bell\Cookies\havifesib.dl
c:\documents and settings\Packard Bell\Cookies\yqax.inf
c:\documents and settings\Packard Bell\Local Settings\Temporary Internet Files\ahyjoz.bin
c:\documents and settings\Packard Bell\Local Settings\Temporary Internet Files\amazazabu.reg
c:\documents and settings\Packard Bell\Local Settings\Temporary Internet Files\cepicapyfe.pif
c:\documents and settings\Packard Bell\Local Settings\Temporary Internet Files\hirodi._dl
c:\documents and settings\Packard Bell\Local Settings\Temporary Internet Files\weteh.com
c:\documents and settings\Packard Bell\Local Settings\Temporary Internet Files\yteqi.dll

.
((((((((((((((((((((((((((( Filer Opprettet Fra 2008-12-13 til 2009-01-13 )))))))))))))))))))))))))))))))))
.

2009-01-13 10:44 . 2009-01-13 10:44 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-13 10:44 . 2009-01-13 10:44 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-13 10:31 . 2009-01-13 10:34 <DIR> d-------- c:\documents and settings\Packard Bell\.SunDownloadManager
2009-01-13 00:23 . 2009-01-13 00:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 00:23 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 00:23 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-12 23:03 . 2009-01-12 23:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-12 17:11 . 2009-01-12 17:11 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-12 16:07 . 2009-01-12 17:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-01-12 14:15 . 2009-01-12 14:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2009-01-11 17:08 . 2009-01-13 00:13 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-08 14:34 . 2009-01-08 15:47 <DIR> d-------- c:\windows\BDOSCAN8
2008-12-20 01:27 . 2008-12-20 01:27 <DIR> d-------- c:\program files\Telenor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 09:44 --------- d-----w c:\program files\Java
2009-01-12 15:55 --------- d-----w c:\documents and settings\Packard Bell\Application Data\Microgaming
2009-01-12 15:07 --------- d-----w c:\program files\Google
2009-01-11 16:27 --------- d-----w c:\program files\Windows Live Safety Center
2008-12-11 17:10 --------- d-----w c:\documents and settings\Packard Bell\Application Data\Apple Computer
2008-11-29 21:08 --------- d-----w c:\documents and settings\Packard Bell\Application Data\Sports Interactive
2008-11-29 20:19 --------- d-----w c:\program files\Sports Interactive
2008-11-29 20:18 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-23 21:56 --------- d-----w c:\documents and settings\Packard Bell\Application Data\CyberLink
2008-11-23 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-11-08 15:52 19,037 ----a-w c:\documents and settings\Packard Bell\Application Data\cebe.dat
2008-11-08 15:52 18,210 ----a-w c:\windows\yzyhakar.scr
2008-11-08 15:52 16,367 ----a-w c:\windows\adequl.bin
2008-11-08 15:52 16,322 ----a-w c:\program files\Common Files\ygepiq.scr
2008-11-08 15:52 15,844 ----a-w c:\documents and settings\Packard Bell\Application Data\uxita.scr
2008-11-08 15:52 11,715 ----a-w c:\windows\ovaje.reg
2008-11-08 15:52 10,829 ----a-w c:\program files\Common Files\yryjuhysu.db
.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\apps\SMP\SmpSys.exe" [2005-12-08 975360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-17 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"ControlSkype"="c:\program files\ControlSkype 1.4\CSkype.exe" [2006-06-09 249856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-13 136600]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-06 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Mobilt bredbånd.lnk - c:\program files\Telenor\Mobilt bredbånd\Mobilt bredbånd.exe [2008-02-11 876544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-08 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-08 20560]
R4 GtDetectSc;GtDetectSc;c:\program files\Telenor\Mobilt bredbånd\GtDetectSc.exe [2007-12-18 196704]
R4 MyPort;Myport;c:\windows\system32\drivers\MyPort.sys [2006-12-05 2127]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [2008-11-08 84608]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2007-11-13 106112]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2007-10-09 59264]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-03-30 8064]
S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [2008-10-19 32000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1092e59e-aeaa-11dd-b476-0018dec14922}]
\Shell\AutoRun\command - E:\setup.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d9cdfc3-ef85-11dc-b343-0018dec14922}]
\Shell\AutoRun\command - F:\autorun.bat
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2008-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-12 16:07]

2009-01-13 c:\windows\Tasks\Se etter oppdateringer for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]
.
- - - - TOMME PEKERE FJERNET - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - c:\microgaming\Poker\UnibetpokerMPP\MPPoker.exe
Trusted Zone: *.buypass.no
Trusted Zone: *.headit.no
Trusted Zone: *.norsk-tipping.no
TCP: {86C5069A-2A18-4B77-8542-BC4F2751C81B} = 62.63.0.10
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 11:02:52
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...


c:\windows\TEMP\_av_proI.tm~a00444\dld1.tmp 0 bytes

skanning vellykket
skjulte filer: 1

**************************************************************************
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Telenor\Mobilt bredbånd\Mobilt bredbånd.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2009-01-13 11:05:07 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2009-01-13 10:05:01

Pre-Run: 95 292 080 128 bytes free
Post-Run: 95,616,839,680 byte ledig

184 --- E O F --- 2008-12-18 14:22:59
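A small triage script, added here as an example and not part of the thread or of either tool, that walks lines in the HijackThis and ComboFix formats posted above and flags the entries a helper reviews first: the populated O20 AppInit_DLLs entry, a BHO registered with no file, the two Security Center notification overrides, the 3389/TCP entry under GloballyOpenPorts, AutoRun handlers under mountpoints2, and the batch of files sharing the 2008-11-08 15:52 timestamp. Rule names, severities and the cluster threshold are my own choices; the sample lines are copied from the logs in this thread.

```python
"""Triage helper for HijackThis and ComboFix style log lines.

Added example for this thread; it is not part of the thread and not code from
either tool. Rule names, severities and the cluster threshold are my choices.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis and ComboFix logs
# posted in this thread, trimmed to the ones the rules below look at.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: (no name) - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - (no file)
O20 - AppInit_DLLs: karna.dat
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
\Shell\AutoRun\command - F:\autorun.bat
2008-11-08 15:52 19,037 ----a-w c:\documents and settings\Packard Bell\Application Data\cebe.dat
2008-11-08 15:52 18,210 ----a-w c:\windows\yzyhakar.scr
2008-11-08 15:52 16,367 ----a-w c:\windows\adequl.bin
2008-11-08 15:52 16,322 ----a-w c:\program files\Common Files\ygepiq.scr
2008-11-29 20:19 --------- d-----w c:\program files\Sports Interactive
"""

# ComboFix "Find3M" file line: timestamp, size with thousands separators,
# attribute string, path.  Directory lines carry "---------" as the size and
# therefore do not match.
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+)$")

SECURITY_CENTER_OVERRIDES = {
    '"AntiVirusDisableNotify"=dword:00000001',
    '"UpdatesDisableNotify"=dword:00000001',
}


def triage(lines, cluster_min=4):
    """Return a list of (severity, reason, evidence) tuples for review.

    cluster_min is the number of files written in the same minute that is
    treated as one batch drop (a heuristic, tuned to the log above).
    """
    findings = []
    files_by_minute = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that maps user32.dll;
            # on a clean XP box this value is empty.
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(("high", "AppInit_DLLs entry present: " + value, line))
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(("low", "orphaned BHO registration (target file missing)", line))
        elif line in SECURITY_CENTER_OVERRIDES:
            findings.append(("medium", "Security Center warning suppressed", line))
        elif line.startswith('"3389:TCP"='):
            findings.append(("medium", "RDP port opened in the Windows firewall standard profile", line))
        elif "\\Shell\\AutoRun\\command" in line:
            findings.append(("medium", "AutoRun handler recorded for a removable drive", line))
        else:
            match = FIND3M_RE.match(line)
            if match:
                files_by_minute[match.group(1)].append(match.group(4))
    # Several files with unrelated names landing in different directories in
    # the same minute is the pattern the ComboFix log above shows.
    for minute, paths in sorted(files_by_minute.items()):
        if len(paths) >= cluster_min:
            dirs = {p.rsplit("\\", 1)[0].lower() for p in paths}
            reason = (f"{len(paths)} files written in the same minute ({minute}) "
                      f"across {len(dirs)} directories")
            findings.append(("high", reason, "; ".join(paths)))
    return findings


def count_by_severity(findings):
    """Tally findings per severity, e.g. {'high': 2, 'medium': 4, 'low': 1}."""
    tally = defaultdict(int)
    for severity, _, _ in findings:
        tally[severity] += 1
    return dict(tally)


if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_LOG.splitlines()):
        print(f"[{severity:6}] {reason}\n         {evidence}")
```

Feed it the full text of a saved log with `triage(open(path, encoding="latin-1").read().splitlines())`; lines the rules do not recognise are ignored, so the whole file can be passed.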

#6
January 13, 2009 at 15:27:23
Please go to Virus Total and upload the following files one at the time for analysis:

c:\documents and settings\Packard Bell\Application Data\cebe.dat
c:\windows\yzyhakar.scr
c:\windows\adequl.bin
c:\program files\Common Files\ygepiq.scr
c:\documents and settings\Packard Bell\Application Data\uxita.scr
c:\windows\ovaje.reg
c:\program files\Common Files\yryjuhysu.db

Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".

Post the results in your reply.

#7
January 13, 2009 at 16:00:50
Here are the results when I scanned the files with Virus Total:

File cebe.dat received on 01.14.2009 00:34:39 (CET)
Current status: finished
Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.13 -
AhnLab-V3 2009.1.13.3 2009.01.13 -
AntiVir 7.9.0.54 2009.01.13 -
Authentium 5.1.0.4 2009.01.13 -
Avast 4.8.1281.0 2009.01.13 -
AVG 8.0.0.229 2009.01.13 -
BitDefender 7.2 2009.01.13 -
CAT-QuickHeal 10.00 2009.01.12 -
ClamAV 0.94.1 2009.01.13 -
Comodo 927 2009.01.13 -
DrWeb 4.44.0.09170 2009.01.13 -
eSafe 7.0.17.0 2009.01.13 -
eTrust-Vet 31.6.6306 2009.01.13 -
F-Prot 4.4.4.56 2009.01.13 -
F-Secure 8.0.14470.0 2009.01.13 -
Fortinet 3.117.0.0 2009.01.13 -
GData 19 2009.01.14 -
Ikarus T3.1.1.45.0 2009.01.13 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.13 -
McAfee 5494 2009.01.13 -
McAfee+Artemis 5494 2009.01.13 -
Microsoft 1.4205 2009.01.13 -
NOD32 3763 2009.01.13 -
Norman 5.93.01 2009.01.13 -
Panda 9.5.1.2 2009.01.13 -
PCTools 4.4.2.0 2009.01.13 -
Prevx1 V2 2009.01.14 -
Rising 21.12.12.00 2009.01.13 -
SecureWeb-Gateway 6.7.6 2009.01.13 -
Sophos 4.37.0 2009.01.13 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.14 -
TheHacker 6.3.1.4.218 2009.01.13 -
TrendMicro 8.700.0.1004 2009.01.13 -
VBA32 3.12.8.10 2009.01.13 -
ViRobot 2009.1.13.1556 2009.01.13 -
VirusBuster 4.5.11.0 2009.01.13 -
Additional information
File size: 19037 bytes
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
File yzyhakar.scr received on 01.14.2009 00:38:43 (CET)
Current status: finished
Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.13 -
AhnLab-V3 2009.1.13.3 2009.01.13 -
AntiVir 7.9.0.54 2009.01.13 -
Authentium 5.1.0.4 2009.01.13 -
Avast 4.8.1281.0 2009.01.13 -
AVG 8.0.0.229 2009.01.13 -
BitDefender 7.2 2009.01.13 -
CAT-QuickHeal 10.00 2009.01.12 -
ClamAV 0.94.1 2009.01.13 -
Comodo 927 2009.01.13 -
DrWeb 4.44.0.09170 2009.01.13 -
eSafe 7.0.17.0 2009.01.13 -
eTrust-Vet 31.6.6306 2009.01.13 -
F-Prot 4.4.4.56 2009.01.13 -
F-Secure 8.0.14470.0 2009.01.13 -
Fortinet 3.117.0.0 2009.01.13 -
GData 19 2009.01.14 -
Ikarus T3.1.1.45.0 2009.01.13 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.13 -
McAfee 5494 2009.01.13 -
McAfee+Artemis 5494 2009.01.13 -
Microsoft 1.4205 2009.01.13 -
NOD32 3763 2009.01.13 -
Norman 5.93.01 2009.01.13 -
Panda 9.5.1.2 2009.01.13 -
PCTools 4.4.2.0 2009.01.13 -
Prevx1 V2 2009.01.14 -
Rising 21.12.12.00 2009.01.13 -
SecureWeb-Gateway 6.7.6 2009.01.13 -
Sophos 4.37.0 2009.01.13 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.14 -
TheHacker 6.3.1.4.218 2009.01.13 -
TrendMicro 8.700.0.1004 2009.01.13 -
VBA32 3.12.8.10 2009.01.13 -
ViRobot 2009.1.13.1556 2009.01.13 -
VirusBuster 4.5.11.0 2009.01.13 -
Additional information
File size: 18210 bytes
PEiD..: -
TrID..: File type identification
MPEG Video (100.0%)
PEInfo: -
File adequl.bin received on 01.14.2009 00:41:16 (CET)
Current status: finished
Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.13 -
AhnLab-V3 2009.1.13.3 2009.01.13 -
AntiVir 7.9.0.54 2009.01.13 -
Authentium 5.1.0.4 2009.01.13 -
Avast 4.8.1281.0 2009.01.13 -
AVG 8.0.0.229 2009.01.13 -
BitDefender 7.2 2009.01.13 -
CAT-QuickHeal 10.00 2009.01.12 -
ClamAV 0.94.1 2009.01.13 -
Comodo 927 2009.01.13 -
DrWeb 4.44.0.09170 2009.01.13 -
eSafe 7.0.17.0 2009.01.13 -
eTrust-Vet 31.6.6306 2009.01.13 -
F-Prot 4.4.4.56 2009.01.13 -
F-Secure 8.0.14470.0 2009.01.13 -
Fortinet 3.117.0.0 2009.01.13 -
GData 19 2009.01.14 -
Ikarus T3.1.1.45.0 2009.01.13 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.13 -
McAfee 5494 2009.01.13 -
McAfee+Artemis 5494 2009.01.13 -
Microsoft 1.4205 2009.01.13 -
NOD32 3763 2009.01.13 -
Norman 5.93.01 2009.01.13 -
Panda 9.5.1.2 2009.01.13 -
PCTools 4.4.2.0 2009.01.13 -
Prevx1 V2 2009.01.14 -
Rising 21.12.12.00 2009.01.13 -
SecureWeb-Gateway 6.7.6 2009.01.13 -
Sophos 4.37.0 2009.01.13 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.14 -
TheHacker 6.3.1.4.218 2009.01.13 -
TrendMicro 8.700.0.1004 2009.01.13 -
VBA32 3.12.8.10 2009.01.13 -
ViRobot 2009.1.13.1556 2009.01.13 -
VirusBuster 4.5.11.0 2009.01.13 -
Additional information
File size: 16367 bytes
MD5...: e20c5601327f79bc1f13daf2d889ed1e
SHA1..: 60b19fb604524c171fccd17a87a34a0ef136a118
SHA256: ca28d54accb3fcc3463cde64fc26df0ba329c2b005cee04564d1cd3c870ddf9f
SHA512: c8e3d4a953d8d7cc3b4e1f31ae7532baaf13dbf3c1568f1607d143cbfdc1779292c8aa8386ed5b791b8cc69711fef21c1de693282b41fadb18d5f0cdfc4f8884
ssdeep: 384:ScERnkFyrNmO8sDDf8bYhMXIqExM9fiGHWUrQt/9:ScE1sOlsIQfj2sQT
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -

File ygepiq.scr received on 01.14.2009 00:44:08 (CET)
Current status: finished
Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.13 -
AhnLab-V3 2009.1.13.3 2009.01.13 -
AntiVir 7.9.0.54 2009.01.13 -
Authentium 5.1.0.4 2009.01.13 -
Avast 4.8.1281.0 2009.01.13 -
AVG 8.0.0.229 2009.01.13 -
BitDefender 7.2 2009.01.13 -
CAT-QuickHeal 10.00 2009.01.12 -
ClamAV 0.94.1 2009.01.13 -
Comodo 927 2009.01.13 -
DrWeb 4.44.0.09170 2009.01.13 -
eSafe 7.0.17.0 2009.01.13 -
eTrust-Vet 31.6.6306 2009.01.13 -
F-Prot 4.4.4.56 2009.01.13 -
F-Secure 8.0.14470.0 2009.01.13 -
Fortinet 3.117.0.0 2009.01.13 -
GData 19 2009.01.14 -
Ikarus T3.1.1.45.0 2009.01.13 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.13 -
McAfee 5494 2009.01.13 -
McAfee+Artemis 5494 2009.01.13 -
Microsoft 1.4205 2009.01.13 -
NOD32 3763 2009.01.13 -
Norman 5.93.01 2009.01.13 -
Panda 9.5.1.2 2009.01.13 -
PCTools 4.4.2.0 2009.01.13 -
Prevx1 V2 2009.01.14 -
Rising 21.12.12.00 2009.01.13 -
SecureWeb-Gateway 6.7.6 2009.01.13 -
Sophos 4.37.0 2009.01.13 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.14 -
TheHacker 6.3.1.4.218 2009.01.13 -
TrendMicro 8.700.0.1004 2009.01.13 -
VBA32 3.12.8.10 2009.01.13 -
ViRobot 2009.1.13.1556 2009.01.13 -
VirusBuster 4.5.11.0 2009.01.13 -
Additional information
File size: 16322 bytes
MD5...: c93ed1592523fc286b7cf60cf6f5a1d6
SHA1..: d015362e9de6a50b898f025163389b3425d14ad4
SHA256: ad71cdb4b468f5ee058521d01f5af0e75fdd9c7a233f631e023f9e39d65a852b
SHA512: dc5c4c45f09502fc9552c03fe60f7e464b963f22897ab16a8cb8bd0580d3aea9a124f7968e29b21e434d493d8346b09d46412e67651496101498cc370909438b
ssdeep: 384:OnKOnEqd7M8OG8tDv7rBMTCtUlk4//wxjN8WTXVav+/WhL8e8Rne:qK6EqRM8ORxB40i2FTFavEWF85xe
PEiD..: -
TrID..: File type identification
MPEG Video (100.0%)
PEInfo: -
File uxita.scr received on 01.14.2009 00:46:33 (CET)
Current status: finished
Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.13 -
AhnLab-V3 2009.1.13.3 2009.01.13 -
AntiVir 7.9.0.54 2009.01.13 -
Authentium 5.1.0.4 2009.01.13 -
Avast 4.8.1281.0 2009.01.13 -
AVG 8.0.0.229 2009.01.13 -
BitDefender 7.2 2009.01.13 -
CAT-QuickHeal 10.00 2009.01.12 -
ClamAV 0.94.1 2009.01.13 -
Comodo 927 2009.01.13 -
DrWeb 4.44.0.09170 2009.01.13 -
eSafe 7.0.17.0 2009.01.13 -
eTrust-Vet 31.6.6306 2009.01.13 -
F-Prot 4.4.4.56 2009.01.13 -
F-Secure 8.0.14470.0 2009.01.13 -
Fortinet 3.117.0.0 2009.01.13 -
GData 19 2009.01.14 -
Ikarus T3.1.1.45.0 2009.01.13 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.13 -
McAfee 5494 2009.01.13 -
McAfee+Artemis 5494 2009.01.13 -
Microsoft 1.4205 2009.01.13 -
NOD32 3763 2009.01.13 -
Norman 5.93.01 2009.01.13 -
Panda 9.5.1.2 2009.01.13 -
PCTools 4.4.2.0 2009.01.13 -
Prevx1 V2 2009.01.14 -
Rising 21.12.12.00 2009.01.13 -
SecureWeb-Gateway 6.7.6 2009.01.13 -
Sophos 4.37.0 2009.01.13 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.14 -
TheHacker 6.3.1.4.218 2009.01.13 -
TrendMicro 8.700.0.1004 2009.01.13 -
VBA32 3.12.8.10 2009.01.13 -
ViRobot 2009.1.13.1556 2009.01.13 -
VirusBuster 4.5.11.0 2009.01.13 -
Additional information
File size: 15844 bytes
MD5...: 94cf297c12517a87eefebd15ed750c5a
SHA1..: 91e92e363f69b43fe2caa0da13e2afb363d07c0b
SHA256: 0dea112d6cd2d65bf537dd59e99803c657f69b3f77df7f4e9b7a62e135a46e5c
SHA512: 82283db7f24531a89200c82546b3030a5c698e6fbc1d66b72b0283484f69d3ad72a59a2b2a230881e9d2123b07b66c555c6f623adf45e405c14728d157718d45
ssdeep: 384:WUo5O8VRCGJsQJJmcM/zyn13ioGJKwycLKFzk8jd:WvZRCG1JkcMO1zpzk8jd
PEiD..: -
TrID..: File type identification
MPEG Video (100.0%)
PEInfo: -
File ovaje.reg received on 01.14.2009 00:48:51 (CET)
Current status: finished
Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.13 -
AhnLab-V3 2009.1.13.3 2009.01.13 -
AntiVir 7.9.0.54 2009.01.13 -
Authentium 5.1.0.4 2009.01.13 -
Avast 4.8.1281.0 2009.01.13 -
AVG 8.0.0.229 2009.01.13 -
BitDefender 7.2 2009.01.13 -
CAT-QuickHeal 10.00 2009.01.12 -
ClamAV 0.94.1 2009.01.13 -
Comodo 927 2009.01.13 -
DrWeb 4.44.0.09170 2009.01.13 -
eSafe 7.0.17.0 2009.01.13 -
eTrust-Vet 31.6.6306 2009.01.13 -
F-Prot 4.4.4.56 2009.01.13 -
F-Secure 8.0.14470.0 2009.01.13 -
Fortinet 3.117.0.0 2009.01.13 -
GData 19 2009.01.14 -
Ikarus T3.1.1.45.0 2009.01.13 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.13 -
McAfee 5494 2009.01.13 -
McAfee+Artemis 5494 2009.01.13 -
Microsoft 1.4205 2009.01.13 -
NOD32 3763 2009.01.13 -
Norman 5.93.01 2009.01.13 -
Panda 9.5.1.2 2009.01.13 -
PCTools 4.4.2.0 2009.01.13 -
Prevx1 V2 2009.01.14 -
Rising 21.12.12.00 2009.01.13 -
SecureWeb-Gateway 6.7.6 2009.01.13 -
Sophos 4.37.0 2009.01.13 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.14 -
TheHacker 6.3.1.4.218 2009.01.13 -
TrendMicro 8.700.0.1004 2009.01.13 -
VBA32 3.12.8.10 2009.01.13 -
ViRobot 2009.1.13.1556 2009.01.13 -
VirusBuster 4.5.11.0 2009.01.13 -
Additional information
File size: 11715 bytes
MD5...: 5fae3e870387d6ed337349fc511e1e61
SHA1..: 2cdc4608edd1284065b281b44090127402cf29dd
SHA256: b4f20e4a98f5b0750745de311ea2e2920e2978dc7393a36238d41e833d753c3c
SHA512: 57c1895f21bce593c50e21ed0d0967b4c5443dea0727e1ee519ab6cf26e871686c785de860eb523bd4d5fe0a54e7073ccaa33d420d1a7f378c025de57fa28a12
ssdeep: 192:6sWvxd+Crj7zMDyoN2vP8plmzLf2nzucrgJw4sI0kTv+sS8loMOyGo8/+yNwRnFA:6sWXHQDyoN2vP8pSyzucrgKmv+s/yMOL
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
File yryjuhysu.db received on 01.14.2009 00:52:16 (CET)
Current status: finished
Result: 0/37 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.13 -
AhnLab-V3 2009.1.13.3 2009.01.13 -
AntiVir 7.9.0.54 2009.01.13 -
Authentium 5.1.0.4 2009.01.13 -
Avast 4.8.1281.0 2009.01.13 -
AVG 8.0.0.229 2009.01.13 -
BitDefender 7.2 2009.01.13 -
CAT-QuickHeal 10.00 2009.01.12 -
ClamAV 0.94.1 2009.01.13 -
Comodo 927 2009.01.13 -
DrWeb 4.44.0.09170 2009.01.13 -
eSafe 7.0.17.0 2009.01.13 -
eTrust-Vet 31.6.6306 2009.01.13 -
F-Prot 4.4.4.56 2009.01.13 -
Fortinet 3.117.0.0 2009.01.13 -
GData 19 2009.01.14 -
Ikarus T3.1.1.45.0 2009.01.13 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.13 -
McAfee 5494 2009.01.13 -
McAfee+Artemis 5494 2009.01.13 -
Microsoft 1.4205 2009.01.13 -
NOD32 3763 2009.01.13 -
Norman 5.93.01 2009.01.13 -
Panda 9.5.1.2 2009.01.13 -
PCTools 4.4.2.0 2009.01.13 -
Prevx1 V2 2009.01.14 -
Rising 21.12.12.00 2009.01.13 -
SecureWeb-Gateway 6.7.6 2009.01.13 -
Sophos 4.37.0 2009.01.13 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.14 -
TheHacker 6.3.1.4.218 2009.01.13 -
TrendMicro 8.700.0.1004 2009.01.13 -
VBA32 3.12.8.10 2009.01.13 -
ViRobot 2009.1.13.1556 2009.01.13 -
VirusBuster 4.5.11.0 2009.01.13 -
Additional information
File size: 10829 bytes
MD5...: 567d0f2081c54152cb07928fce8f7b03
SHA1..: ec27eb0046930a22e3502fcd89ee863106a52c36
SHA256: c9b67a61e07fd325dcd5515a48abb391396756058d60727c2627d2dc15ae270b
SHA512: fc544345cb21de0016947980e49ccadf74a5cfbfca8c3603a740aca7e3bc165ceec88f64e65c7e32683280bf420e92e3bd94e43fd720120f6c450dc4803f641c
ssdeep: 192:fAJWSuKDeVXhUOi3XUsFMXzLEeYczNubbUDJEjCw4Fn1yRqYsObzCykl9sTVYH4O:fIMKD2xUOXUeYcB2wKCw4Fn8RqYsWCyM
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -



#8
January 13, 2009 at 16:46:33
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\documents and settings\Packard Bell\Application Data\cebe.dat
c:\windows\yzyhakar.scr
c:\windows\adequl.bin
c:\program files\Common Files\ygepiq.scr
c:\documents and settings\Packard Bell\Application Data\uxita.scr
c:\windows\ovaje.reg
c:\program files\Common Files\yryjuhysu.db
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt and save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
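The VirusTotal reports earlier in the thread give the file names and MD5/SHA-256 values of the suspect files (all 0/38, and TrID calling the .scr files "MPEG Video" or "Unknown" rather than PE), and the CFScript in reply #8 gives their on-disk paths. The script below is an added example, not code from either poster, that puts those two facts to work: it hashes a file and compares it with the reported digests, flags a .scr that has no PE "MZ" header and a .reg that has no registry-export banner, and renders the File:: list in the shape reply #8 uses. The first report on the page has its header cut off, so its hashes are not in the table. The samples in demo() are constructed bytes; the real paths are only read if you pass them to triage_paths().

```python
"""Added triage helper for the indicators in this thread (not the posters' code)."""
import hashlib
import os

# MD5 and SHA-256 copied from the VirusTotal reports earlier in the thread,
# keyed by the file name in each report's header. The first report on the
# page has its header cut off, so its hashes are not listed here.
REPORTED_HASHES = {
    "adequl.bin": ("e20c5601327f79bc1f13daf2d889ed1e",
                   "ca28d54accb3fcc3463cde64fc26df0ba329c2b005cee04564d1cd3c870ddf9f"),
    "ygepiq.scr": ("c93ed1592523fc286b7cf60cf6f5a1d6",
                   "ad71cdb4b468f5ee058521d01f5af0e75fdd9c7a233f631e023f9e39d65a852b"),
    "uxita.scr": ("94cf297c12517a87eefebd15ed750c5a",
                  "0dea112d6cd2d65bf537dd59e99803c657f69b3f77df7f4e9b7a62e135a46e5c"),
    "ovaje.reg": ("5fae3e870387d6ed337349fc511e1e61",
                  "b4f20e4a98f5b0750745de311ea2e2920e2978dc7393a36238d41e833d753c3c"),
    "yryjuhysu.db": ("567d0f2081c54152cb07928fce8f7b03",
                     "c9b67a61e07fd325dcd5515a48abb391396756058d60727c2627d2dc15ae270b"),
}

# The paths from the CFScript in reply #8.
SUSPECT_PATHS = [
    r"c:\documents and settings\Packard Bell\Application Data\cebe.dat",
    r"c:\windows\yzyhakar.scr",
    r"c:\windows\adequl.bin",
    r"c:\program files\Common Files\ygepiq.scr",
    r"c:\documents and settings\Packard Bell\Application Data\uxita.scr",
    r"c:\windows\ovaje.reg",
    r"c:\program files\Common Files\yryjuhysu.db",
]


def hash_bytes(data):
    """Return (md5, sha256) hex digests, the two columns VirusTotal shows."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def is_pe(data):
    """A real .scr is a PE image and begins with the 'MZ' DOS stub."""
    return data[:2] == b"MZ"


def is_reg_export(data):
    """A genuine .reg starts with a registry-editor banner (ANSI or UTF-16LE)."""
    if data.startswith(b"\xff\xfe"):
        text = data[2:].decode("utf-16-le", errors="replace")
    else:
        text = data.decode("latin-1")
    return text.lstrip().startswith(("REGEDIT4", "Windows Registry Editor"))


def classify(name, data):
    """Triage one file's bytes; returns a list of findings (empty = nothing odd)."""
    findings = []
    reported = REPORTED_HASHES.get(name)
    if reported is not None:
        findings.append("hash matches VirusTotal report" if hash_bytes(data) == reported
                        else "hash differs from VirusTotal report")
    ext = os.path.splitext(name)[1].lower()
    if ext == ".scr" and not is_pe(data):
        findings.append(".scr without a PE (MZ) header")
    if ext == ".reg" and not is_reg_export(data):
        findings.append(".reg without a registry-export banner")
    return findings


def triage_paths(paths):
    """Run classify() over real paths; missing files are reported, not skipped."""
    results = {}
    for path in paths:
        if not os.path.isfile(path):
            results[path] = ["not present"]
            continue
        with open(path, "rb") as fh:
            results[path] = classify(os.path.basename(path), fh.read())
    return results


def build_cfscript(paths):
    """Render the KILLALL::/File:: script in the shape reply #8 uses."""
    return "KILLALL::\nFile::\n" + "\n".join(paths) + "\n"


def demo():
    """Constructed samples only; nothing here reads the real c:\\ paths."""
    samples = {
        "ygepiq.scr": b"\x00\x00\x01\xba" + b"\x00" * 64,      # MPEG-style start, not PE
        "ovaje.reg": b"[HKEY_LOCAL_MACHINE\\SOFTWARE\\x]\r\n",   # no export banner
        "good.scr": b"MZ\x90\x00" + b"\x00" * 60,              # looks like a PE stub
    }
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["nothing odd"])
    print(build_cfscript(SUSPECT_PATHS))
```

A hash match tells you the file on disk is the one VirusTotal already looked at, so a clean 0/38 there is a statement about signature coverage on that date, not about the file. The header checks are the cheaper signal: a screensaver that Windows would run on double-click but that carries no MZ header, or a .reg with no banner, is mislabelled content and belongs in the removal list regardless of what the scanners said.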

