
Combofix Date Error?


52 replies to this topic

#1 Max ODrive
  • Members
  • 29 posts

Posted 22 April 2009 - 09:12 AM

My daughter has managed to acquire some type of malware which behaves much like Vundo... however, since I'm a bit rusty on my skillz, I can't be exactly sure.

Description of symptoms:

Will not connect to the home network any longer, either wireless or wired. When LiveMessenger fails to connect, troubleshooting shows an invalid IP address...when I run IPCONFIG, it states there's an internal error.

AVG Anti-Virus modules will not run.

Spybot S&D will not run

Downloaded Malware Antibytes but the program will not install. The process is in Task Manager, but is "hung" and will not initiate.

Downloaded Combofix from a link in this forum. When executed, it drops to the DOS box, then comes up with Date Error. The date presented is the current, correct date, yet it states to Check Your Settings.

Ran The Comedian which gave me a valid ERUNT, but would not set a restore point.

And, last but not least, HJT will not install.

Um.. help?



#2 Max ODrive
  • Topic Starter
  • Members
  • 29 posts

Posted 22 April 2009 - 09:36 AM

Ok.. found the rename trick for MBAM... had to even go ren the exe in Program Files/Malware Antibytes folder but it's currently running... we'll see.. If it works, someone may want to make a sticky out of that lil trick..

#3 Guest_superbird_*
  • Guests

Posted 22 April 2009 - 09:41 AM

Hi,

I'll assist you. Post the log from MBAM when you get it. :thumbsup:

Also: please do NOT run ComboFix anymore. This is a dangerous tool, if you don't know what you're doing. So please only run it when a HJT Team Member advises it. :flowers:

#4 Max ODrive
  • Topic Starter
  • Members
  • 29 posts

Posted 22 April 2009 - 09:54 AM

Will do on both of those.. (After 20 years in this game, I know to definitely RTFM before I step too far into something as powerful as Combofix.. lol)

BTW.. MBAM has found 28 infections so far on a quick scan.. I'm hoping it'll straighten enough out so I can connect that computer back to the network.. this swapping stuff back and forth on a jumpdrive is a pain..

#5 Guest_superbird_*
  • Guests

Posted 22 April 2009 - 10:30 AM

Hi,

I'll inform a mod about the ComboFix thing. Maybe you'll believe him when he says ComboFix is far too dangerous (and no, you don't know enough about ComboFix unless you've had training in it. You haven't, because you're a normal member here.)

Well, now please do a new full scan with MBAM.
Post the logfile in your next answer.

#6 Max ODrive
  • Topic Starter
  • Members
  • 29 posts

Posted 22 April 2009 - 11:35 AM

Oh.. I trust you.. one thing I always do when I go to a forum is read, read, read.. so I know the scripting capabilities in Combofix would enable me to nuke the world if I don't have good guidance..

Ok.. MBAM logs: Quick scan first

And, no.. it still won't connect to the network.. wired or wireless..

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/21/2009 2:53:12 AM
mbam-log-2009-04-21 (02-52-58).txt

Scan type: Quick Scan
Objects scanned: 103184
Time elapsed: 19 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 11
Registry Values Infected: 6
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nizoguya.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\lasefoye.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\duzirasa.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\ravayifu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kurerupa.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e69927fb-dc92-4a97-be5c-aa25b388d63b} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e69927fb-dc92-4a97-be5c-aa25b388d63b} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e69927fb-dc92-4a97-be5c-aa25b388d63b} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0bfc69c (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmd38cf500 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tomakobaze (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\smile (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\ravayifu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kurerupa.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kurerupa.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\VResLab (Rogue.AntiVirusLab) -> No action taken.

Files Infected:
C:\WINDOWS\system32\nizoguya.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ayugozin.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\ravayifu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\duzirasa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\lasefoye.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kurerupa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\gurabimi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\jefaduku.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Valued Customer\Local Settings\Temp\e.exe (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Valued Customer\Local Settings\Temporary Internet Files\Content.IE5\8NZHJOD2\load[1].php (Trojan.Vundo.H) -> No action taken.
C:\Program Files\VResLab\VResLab.exe (Rogue.AntiVirusLab) -> No action taken.
C:\Program Files\VResLab\VResLabWarning.dll (Rogue.AntiVirusLab) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Valued Customer\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> No action taken.


Full scan after quick scan:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/21/2009 2:41:24 AM
mbam-log-2009-04-21 (02-41-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 180182
Time elapsed: 42 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0bfc69c (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmd38cf500 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tomakobaze (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
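The quick-scan log above lists the same few DLLs under several different load points (AppInit_DLLs, LSA Notification Packages, Run keys, a BHO, SSODL, SharedTaskScheduler) plus a Security Center setting that was flipped to suppress update warnings, and every line still reads "No action taken." Triaging that by hand is error-prone, so here is an added example, written for this page and not taken from the thread or from Malwarebytes, that parses an MBAM log of this shape and groups the detections by the mechanism they abuse. The sample log is a subset of the lines posted above; the mechanism keys and descriptions are my own labels, not MBAM's.

```python
"""Triage a Malwarebytes' Anti-Malware (MBAM) scan log by load mechanism.

Added example (not from the thread or from Malwarebytes). SAMPLE_LOG is a
constructed subset of the quick-scan log posted in this thread; the
mechanism labels below are the author's own and are not MBAM categories.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\ravayifu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kurerupa.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e69927fb-dc92-4a97-be5c-aa25b388d63b} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tomakobaze (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\ravayifu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kurerupa.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
"""

# (regex on the registry path, short key, what the location does). Labels are
# the author's own; the paths are the standard Windows load points.
MECHANISMS = [
    (r"\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs", "appinit_dlls",
     "DLL injected into every process that loads user32.dll"),
    (r"\\Control\\LSA\\Notification Packages", "lsa_notification",
     "DLL loaded into lsass.exe at boot (sees password changes)"),
    (r"\\CurrentVersion\\Run\\", "run", "autostart at user logon"),
    (r"\\Policies\\Explorer\\Run\\", "policy_run", "autostart at user logon (policy key)"),
    (r"\\Explorer\\Browser Helper Objects\\", "bho", "DLL loaded into Internet Explorer"),
    (r"\\ShellServiceObjectDelayLoad\\", "ssodl", "DLL loaded into explorer.exe"),
    (r"\\Explorer\\SharedTaskScheduler\\", "shared_task_scheduler", "DLL loaded into explorer.exe"),
    (r"\\Security Center\\", "security_center", "Security Center warnings suppressed"),
]

# item (family) [-> Data: value] -> action
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^)]+)\)(?: -> Data: (?P<data>.+?))? -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # section header, e.g. "Registry Keys Infected:"
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if m and section:                       # "(No malicious items detected)" does not match
            detections.append({"section": section, **m.groupdict()})
    return detections


def classify(item):
    """Map a registry path to a mechanism key, or None for plain files/modules."""
    for pattern, key, _desc in MECHANISMS:
        if re.search(pattern, item, re.IGNORECASE):
            return key
    return None


def triage(text):
    """Group detected items by mechanism key; unmatched items go under 'other'."""
    groups = defaultdict(list)
    for d in parse_mbam_log(text):
        groups[classify(d["item"]) or "other"].append(d["item"])
    return dict(groups)


def loaded_and_persistent(text):
    """DLLs seen loaded in memory AND referenced from a registry load point.

    These reload on the next boot, so the file and the registry value have to
    go together; returns {dll name: [load point name, ...]}.
    """
    dets = parse_mbam_log(text)
    in_memory = {d["item"].lower().rsplit("\\", 1)[-1]
                 for d in dets if d["section"] == "Memory Modules Infected"}
    persistent = {}
    for d in dets:
        if d["data"]:
            name = d["data"].lower().rsplit("\\", 1)[-1]
            if name in in_memory:
                persistent.setdefault(name, []).append(d["item"].rsplit("\\", 1)[-1])
    return persistent


def unremediated(text):
    """Items the log shows were only detected, not removed."""
    return [d["item"] for d in parse_mbam_log(text) if d["action"].endswith("No action taken.")]


if __name__ == "__main__":
    for key, items in sorted(triage(SAMPLE_LOG).items()):
        print(f"{key}: {len(items)} item(s)")
    print("reload on boot:", loaded_and_persistent(SAMPLE_LOG))
    print("still present :", len(unremediated(SAMPLE_LOG)))
```

The point of `loaded_and_persistent` is the one the helpers in this thread are circling: a DLL that MBAM found both in memory and in AppInit_DLLs or LSA Notification Packages will be reloaded by every new process (or by lsass.exe) at the next boot, so a log full of "No action taken." means nothing has been cleaned yet, which is exactly what the "Did you delete everything with MBAM?" question below is checking.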

#7 Max ODrive
  • Topic Starter
  • Members
  • 29 posts

Posted 22 April 2009 - 11:36 AM

Full Scan:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/21/2009 2:41:24 AM
mbam-log-2009-04-21 (02-41-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 180182
Time elapsed: 42 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0bfc69c (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmd38cf500 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tomakobaze (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Guest_superbird_*
  • Guests

Posted 22 April 2009 - 11:37 AM

Hi,

Did you delete everything with MBAM? If not, do it.

#9 Max ODrive
  • Topic Starter
  • Members
  • 29 posts

Posted 22 April 2009 - 11:40 AM

Yep.. dl'ed mbam-rules and updated mbam .. rerunning full scan now.. EXE's work again..

#10 Max ODrive
  • Topic Starter
  • Members
  • 29 posts

Posted 22 April 2009 - 11:44 AM

Log killed...

(been riding forums a while too... lol)

Edited by Max ODrive, 22 April 2009 - 12:15 PM.


#11 Guest_superbird_*
  • Guests

Posted 22 April 2009 - 11:45 AM

I didn't ask for a HJT log. Because you've posted it, I have to inform a mod now.

Please DON'T make any changes to the posts here now... Wait until a mod replies.

#12 Max ODrive
  • Topic Starter
  • Members
  • 29 posts

Posted 22 April 2009 - 11:49 AM

> I didn't ask for a HJT log. Because you've posted it, I have to inform a mod now.
>
> Please DON'T make any changes to the posts here now... Wait until a mod replies.


Didn't realize that would pose a problem for you.... my deepest appreciation for your help and I will wait for a mod.

Thanks again...
~M

#13 Animal
  • Bleepin' Animinion
  • Site Admin
  • 35,733 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be

Posted 22 April 2009 - 12:09 PM

Want the log deleted and saved for possible use later? So that you can continue here?

EDIT: Yes unfortunately only trained malware helpers are permitted to work HijackThis logs and only within a specific forum. Posting a HJT Log stops the process anywhere outside that forum.


#14 Max ODrive
  • Topic Starter
  • Members
  • 29 posts

Posted 22 April 2009 - 12:16 PM

Ok.. whats next, boss?

#15 Guest_superbird_*
  • Guests

Posted 22 April 2009 - 12:17 PM

The question to you is: Do you want to go on here (and delete the log), or go to the HJT section?
