Infected Laptop
Comments
hijackthis log is clear

Still checking, but I am still unsure about these:

O4 - HKUS\S-1-5-19\..\Run: [ruluvayulu] Rundll32.exe "C:\WINDOWS\system32\zehakebo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ruluvayulu] Rundll32.exe "C:\WINDOWS\system32\zehakebo.dll",s (User 'NETWORK SERVICE')
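As an added example (my own code, not from this thread and not part of HijackThis or ComboFix), here is a small triage parser for HijackThis O4 lines that picks out exactly the pattern in the two entries above: a Run value living under the LOCAL SERVICE or NETWORK SERVICE hive (S-1-5-19, S-1-5-20), using Rundll32 to load a DLL dropped straight into system32, and copied identically under more than one service-account hive. The sample log is constructed: the two O4 lines are the ones quoted above, the benign entries are names taken from the ComboFix log posted later in the thread and written in O4 form by me, and the flag names and the system32 check are my own choices, not anything HijackThis reports.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Well-known SIDs of the built-in service accounts. Their HKEY_USERS hives
# should carry no software a person installed, so any Run value there is
# worth a look. (Everything else here, flag names included, is my own.)
SERVICE_SIDS = {
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}

# Layout of a HijackThis O4 line, as in the two lines quoted in the thread:
#   O4 - <hive>\..\<Run key>: [<value name>] <command> (User '<account>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
HKUS_SID_RE = re.compile(r"^HKUS\\(?P<sid>S-1-5-\d+(?:-\d+)*)$", re.IGNORECASE)
# rundll32[.exe] ["]<dll>["],<entry point>
RUNDLL_RE = re.compile(
    r'^(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    user: Optional[str]
    sid: Optional[str]
    dll: Optional[str] = None          # set when the command is a rundll32 load
    flags: list = field(default_factory=list)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis line; returns None unless it is an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    sid_m = HKUS_SID_RE.match(m.group("hive"))
    entry = O4Entry(
        hive=m.group("hive"), key=m.group("key"), name=m.group("name"),
        command=m.group("cmd"), user=m.group("user"),
        sid=sid_m.group("sid") if sid_m else None,
    )
    r = RUNDLL_RE.match(entry.command)
    if r:
        entry.dll = r.group("dll")
    return entry


def flag_entry(e: O4Entry) -> None:
    """Per-entry flags (no knowledge of the other entries)."""
    if e.sid in SERVICE_SIDS:
        e.flags.append("run-value-under-service-hive:" + SERVICE_SIDS[e.sid])
    if e.dll:
        e.flags.append("rundll32-loads-dll")
        # A bare DLL sitting directly in system32, not in a vendor folder.
        if re.search(r"\\system32\\[^\\]+$", e.dll, re.IGNORECASE):
            e.flags.append("dll-dropped-in-system32")


def triage(lines):
    """Parse every O4 line, flag each, then add the cross-entry flag that
    made the thread's two lines stand out: one value name and command
    copied identically under more than one service-account hive."""
    entries = [e for e in (parse_o4(ln) for ln in lines) if e is not None]
    for e in entries:
        flag_entry(e)
    groups = {}
    for e in entries:
        if e.sid in SERVICE_SIDS:
            groups.setdefault((e.name.lower(), e.command.lower()), []).append(e)
    for group in groups.values():
        if len(group) > 1:
            for e in group:
                e.flags.append(f"replicated-across-{len(group)}-service-hives")
    return entries


def suspicious(entries):
    """Entries carrying at least one flag, most flags first (stable order)."""
    return sorted((e for e in entries if e.flags), key=lambda e: -len(e.flags))


# Constructed sample log: the two O4 lines quoted in the thread, plus benign
# entries I wrote in O4 form from names in the ComboFix log posted later, and
# one non-O4 line to show it is skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] c:\windows\system32\igfxtray.exe
O4 - HKCU\..\Run: [MSMSGS] "c:\program files\Messenger\msmsgs.exe"
O4 - HKUS\S-1-5-19\..\Run: [ruluvayulu] Rundll32.exe "C:\WINDOWS\system32\zehakebo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ruluvayulu] Rundll32.exe "C:\WINDOWS\system32\zehakebo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE (User 'Default user')
O23 - Service: TomTomHOMEService - Unknown owner - c:\program files\TomTom HOME 2\TomTomHOMEService.exe
""".strip().splitlines()

if __name__ == "__main__":
    for e in suspicious(triage(SAMPLE_LOG)):
        print(f"[{e.name}] {e.hive}  ->  {', '.join(e.flags)}")
```

Run as-is it prints only the two ruluvayulu entries, each with four flags; the igfxtray, MSMSGS and CTFMON lines parse but carry no flag. The "replicated across service hives" check is the one a tired eye misses when reading a long log, which is why it is computed across the whole list rather than per line.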
I would be interested in another opinion, but everything I can find about zehakebo.dll is bad.

It's up to you, but if it's not something you have installed, then personally I would get rid (from HijackThis, tick the items and fix selected).
I would be interested in another opinion, but everything I can find about zehakebo.dll is bad.
It's up to you, but if it's not something you have installed, then Personally I would get rid (from HijackThis, tick the items and fix selected).
Completely agree.

I did ask for ComboFix to be run. Attempting to install a service pack on an infected computer isn't recommended in the slightest.
I would be interested in another opinion, but everything I can find about zehakebo.dll is bad.
It's up to you, but if it's not something you have installed, then Personally I would get rid (from HijackThis, tick the items and fix selected).
Agree, missed them. Glad you spotted them.

Run ComboFix as Rik suggested...

Ex forum ambassador
Long term forum member
No worries mate, these logs all start to blur after a while.
Apologies for the delay, I've been travelling today. I've deleted those two files (beginning with "ze") and installed SP3. It looks like the virus sent out e-mails to everyone in my address book, but most have been caught by AV software. The laptop appears to be OK today.

Anyway, I've run ComboFix and here's the log:
ComboFix 09-12-26.05 - john 27/12/2009 18:21:52.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.532 [GMT 0:00]
Running from: c:\documents and settings\john\Desktop\Various programmes\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
C:\s
c:\windows\kb913800.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_NPF
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.
2009-12-27 14:21 . 2009-12-27 14:21 d-----w- c:\documents and settings\john\Application Data\Birdstep Technology
2009-12-27 14:20 . 2009-12-27 14:20 d-----w- c:\program files\ZTE_MF627_LEGACY_DRIVER_1.2059.0.4
2009-12-27 14:20 . 2007-05-28 17:00 10240 ----a-w- c:\windows\system32\drivers\mdvrmng.sys
2009-12-27 14:19 . 2009-12-27 14:19 d-----w- c:\program files\3 Mobile Broadband
2009-12-27 13:45 . 2009-12-27 13:45 d-----w- c:\program files\Windows Service
2009-12-26 22:00 . 2009-12-26 22:00 d-----w- c:\windows\system32\scripting
2009-12-26 22:00 . 2009-12-26 22:00 d-----w- c:\windows\l2schemas
2009-12-26 22:00 . 2009-12-26 22:00 d-----w- c:\windows\system32\en
2009-12-26 22:00 . 2009-12-26 22:00 d-----w- c:\windows\system32\bits
2009-12-26 20:57 . 2009-12-26 20:55 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-26 20:57 . 2009-12-26 20:55 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-26 20:57 . 2009-12-26 20:55 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-26 20:57 . 2009-12-26 20:55 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-26 20:57 . 2009-12-26 20:55 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-26 20:56 . 2009-12-26 20:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-26 20:56 . 2009-12-26 20:56 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-26 20:55 . 2009-12-26 20:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-26 20:55 . 2009-12-26 20:55 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-26 20:55 . 2009-12-26 20:55 d-----w- c:\windows\system32\drivers\Avg
2009-12-26 20:55 . 2009-12-26 20:55 d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-26 20:55 . 2009-12-26 20:55 d-----w- c:\windows\SxsCaPendDel
2009-12-26 20:23 . 2009-12-26 20:23 d-----w- c:\windows\system32\wbem\Repository
2009-12-26 20:16 . 2009-12-26 20:16 d-----w- c:\program files\Trend Micro
2009-12-19 14:46 . 2009-12-19 14:46 d-----w- C:\FOUND.000
2009-12-09 20:31 . 2009-12-09 20:32 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-09 20:31 . 2009-12-09 20:31 d-----w- c:\documents and settings\All Users\Application Data\NOS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 18:28 . 2006-10-12 14:34 12 ----a-w- c:\windows\bthservsdp.dat
2009-12-27 05:47 . 2007-01-12 06:47 42632 ----a-w- c:\documents and settings\john\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-26 22:07 . 2006-08-18 22:17 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-07 17:50 . 2009-03-26 20:47 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-04 13:03 . 2009-01-05 19:58 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 16:14 . 2008-12-12 16:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2008-12-12 16:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 22:39 . 2009-11-23 22:38 152576 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-23 22:38 . 2009-11-23 22:37 79488 ----a-w- c:\documents and settings\john\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-21 05:38 . 2004-08-10 20:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 20:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 20:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-11 04:17 . 2009-02-07 20:55 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-20 593920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"EPSON Stylus C44 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-12-10 75776]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 72192]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"HostManager"="c:\program files\Common Files\AOL\1231010687\ee\AOLSoftware.exe" [2006-09-26 50736]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-02-21 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-28 68592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-26 2033432]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-5-12 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-26 20:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2007-12-07 15:30 71008 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2009-02-21 18:41 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 18:04 2879488 ----a-w- c:\windows\SkyTel.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\WINDOWS\\System32\\PnkBstrA.exe"=
"c:\\WINDOWS\\System32\\PnkBstrB.exe"=
"c:\\Program Files\\Real\\RealPlayer\\REALPLAY.EXE"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1231010687\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/26/2009 8:55 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/26/2009 8:56 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/26/2009 8:55 PM 285392]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 4:05 PM 92008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 4:59 PM 133104]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [4/7/2009 8:53 PM 13224]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [9/7/2009 2:55 PM 7680]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/12/2008 4:57 PM 38224]
.
Supplementary Scan
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.smile.co.uk/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: {862C4D7C-E7FE-464B-A1C0-85A5CD796BFA} = 217.171.132.1 217.171.135.1
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe
AddRemove-Free WMA MP3 Converter - c:\progra~1\FREEWM~1\UNWISE.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 18:30
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(5300)
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLACSD.EXE
c:\acer\Empowering Technology\admServ.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\bgsvcgen.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\john\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-12-27 18:35:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 18:35
Pre-Run: 12,877,561,856 bytes free
Post-Run: 13,714,882,560 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - 25AAC5581DF6257AAA4F5B47B80BC896
Log looks clean now.

Just as a double check I'd run Dr Web.

Download and run the FREE version of DR WEB:
http://www.freedrweb.com/download+cureit/gr/

Turn your anti-virus OFF.
It will auto QUICK scan.
After that, set it to scan the WHOLE computer and press the 'play' icon.

***DO NOT UPGRADE TO FULL VERSION***