
Should I send combofix log


8 replies to this topic

#1 ldcoburn

ldcoburn

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 04 January 2009 - 12:15 PM

I have Windows XP and I began having problems after trying to download Kodak's Easyshare software. They told me to turn off my security to download because I was having trouble getting the program to download. I began having problems with the computer running slow, lots of pop-ups, etc.

After running ComboFix, all seems to be running normally again, but I don't know if I should send the log from ComboFix to be looked at.

Edited by Orange Blossom, 04 January 2009 - 12:23 PM.
Move from HiJack This forum to Am I Infected as there are no logs. ~ OB



#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:53 PM

Posted 04 January 2009 - 01:05 PM

Hello.

Please do not post any ComboFix logs unless specifically asked.

Could you kindly tell us what antimalware programs you have installed?
---
Let's check for anything leftover.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup file to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Re-enable your protection at this time.

With Regards,
The Panda

#3 ldcoburn

ldcoburn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 04 January 2009 - 02:52 PM

I have Panda Antivirus and Firewall. I also use the free copy of Lavasoft Ad-Aware. While I was trying to solve my problem I ran the Avast virus removal and VundoFix, but neither one detected a virus. However, in msconfig startup there were files named Yohefani, Zanaruma, OEaddon and Pedabara, which seem to be associated with viruses if I understood what I read during my searches correctly.

#4 ldcoburn

ldcoburn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 04 January 2009 - 03:37 PM

Here is the logfile:

Malwarebytes' Anti-Malware 1.31
Database version: 1612
Windows 5.1.2600 Service Pack 3

1/4/2009 2:34:15 PM
mbam-log-2009-01-04 (14-34-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 104902
Time elapsed: 16 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 56

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\bufesine.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fifanoru.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fugolada.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ginihini.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hifutizi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jalopeya.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jayizita.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jebineye.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lugesate.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nozotinu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nunuwege.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pedabara.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sohizaji.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tomavita.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vedemigo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vonibusa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\voyuvofe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wojifoge.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wolopase.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wosazabu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuwabase.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yohefani.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zanaruma.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zotokufa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002098.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002104.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002109.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002110.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002111.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002112.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002113.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002114.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002115.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002116.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002117.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002118.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002119.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002120.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002122.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002123.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002124.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002125.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002127.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002128.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002129.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002130.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002131.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002108.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002126.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dawarije.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fiwimipo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mehumifo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rijuhake.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\duvanima.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kokidafi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:53 PM

Posted 05 January 2009 - 06:33 PM

Hello.

Sorry, I miss topics in the Am I infected forum sometimes.

Looks like a classic Vundo infection. Usually MBAM takes care of it nicely.

Please run MalwareBytes one more time to make sure they stay gone.

F-Secure Online Scan
Let's check what's left.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
With Regards,
The Panda

#6 ldcoburn

ldcoburn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 05 January 2009 - 08:48 PM

Completed the above steps. Hope this has everything corrected. Should I run these types of scans on a regular basis? I am assuming my problem started with turning off Panda and trying to download the Kodak program. However, while trying to download and install the program, I did not go to any other sites, and I turned the security back on before doing anything else. I was never able to get the program to install and finally gave up. The Kodak people were no help at all.

Here is the report I got:

Scanning Report
Monday, January 05, 2009 19:08:12 - 19:40:31
Computer name: MSHOME
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 12 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Adbrite (spyware)
System
TrackingCookie.Adinterax (spyware)
System
TrackingCookie.Admeta (spyware)
System
TrackingCookie.Adrevolver (spyware)
System
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Imrworldwide (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Specificclick (spyware)
System
TrackingCookie.Tradedoubler (spyware)
System
TrackingCookie.Webtrends (spyware)
System
W32/Packed_PeX.B (virus)
C:\DATA BACKUP\ASHLEY\KMD.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 30548
System: 2815
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 12
Submitted: 1
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-06
F-Secure AVP: 7.0.171, 2009-01-05
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:53 PM

Posted 06 January 2009 - 03:27 PM

Hello.

I would suggest doing weekly scans using online scans such as F-Secure, Kaspersky, and ESET.

That looks good. Do you have any problems right now?

With Regards,
The Panda

#8 ldcoburn

ldcoburn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 06 January 2009 - 07:19 PM

Everything seems to be running better/faster than ever! Thank you so very much for all your help!

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:53 PM

Posted 07 January 2009 - 11:44 AM

Great. Let's clear out the system restore and you are good to go.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda
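The two points worth pulling out of this thread are the MBAM log in post #4 and the advice in post #9 about old restore points holding copies of the malware. The script below is an added example written for this thread; it is not code from BleepingComputer, Malwarebytes or the Panda. It parses lines in the format of the posted Malwarebytes' Anti-Malware 1.31 log (the sample embedded here is a constructed subset of that log, with its real paths and detection names), sorts each hit by where it lived (live file, ComboFix's C:\Qoobox quarantine, a System Volume Information restore point, or the registry) so a helper can see at a glance which hits were still active versus already-quarantined copies, and lists the restore-point hits that post #9's cleanmgr step is meant to remove. The `looks_like_vundo_name` heuristic (eight lowercase letters plus .dll, optionally .tmp or .vir) is drawn only from the names in the posted log and is an assumption, not a Malwarebytes rule.

```python
import re
from collections import Counter

# Constructed subset of the MBAM 1.31 log posted in this thread (same line format).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\yohefani.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{229E1089-96B8-46AD-8A5A-81DE5291B802}\RP2\A0002098.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dawarije.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fiwimipo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<threat name>) -> <action taken>"
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")

# Heuristic assumed from the posted log: Vundo dropped 8-letter lowercase DLL names
# (and .tmp / .vir variants of them). Not an official signature.
VUNDO_NAME_RE = re.compile(r"^[a-z]{8}\.dll(\.tmp|\.vir)?$")


def classify_location(section, path):
    """Where the hit lived: registry, ComboFix quarantine, restore point, or live file."""
    p = path.lower()
    if section.startswith("registry"):
        return "registry"
    if p.startswith(r"c:\qoobox\quarantine"):      # ComboFix's quarantine folder
        return "combofix_quarantine"
    if r"\system volume information\_restore" in p:  # System Restore snapshot copy
        return "restore_point"
    return "live_file"


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section and location."""
    records = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("Infected:"):             # section header, e.g. "Files Infected:"
            section = line[: -len(" Infected:")].lower()
            continue
        if line.startswith("("):                   # "(No malicious items detected)"
            continue
        m = DETECTION_RE.match(line)
        if m is None or section is None:
            continue
        rec = m.groupdict()
        rec["section"] = section
        rec["location"] = classify_location(section, rec["path"])
        records.append(rec)
    return records


def summarize(records):
    """Counts by location, threat family and action, for a quick triage overview."""
    return {
        "by_location": Counter(r["location"] for r in records),
        "by_threat": Counter(r["threat"] for r in records),
        "by_action": Counter(r["action"] for r in records),
    }


def restore_point_hits(records):
    """Hits inside System Restore snapshots: the reason post #9 clears old restore points."""
    return [r for r in records if r["location"] == "restore_point"]


def looks_like_vundo_name(path):
    """True if the file name matches the random 8-letter pattern seen in the posted log."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return VUNDO_NAME_RE.match(base) is not None


if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    for key, counter in summarize(recs).items():
        print(key, dict(counter))
    for r in restore_point_hits(recs):
        print("in restore point:", r["path"])
    for r in recs:
        if r["location"] == "live_file" and looks_like_vundo_name(r["path"]):
            print("live Vundo-style name:", r["path"])
```

Run it on a full log saved from MBAM and the "live_file" count tells you how much was still active when the scan ran, while a non-empty restore-point list means the cleanmgr step above still matters even after MBAM reports everything quarantined.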



