Registered User
Join Date: Jul 2006
Posts: 33
OS: XP
Yes, I voluntarily downloaded Easy SpyRemover while doing a Google search for that mssync20.sys thingy that gave me the blue screen as mentioned earlier. That was the only program that alerted me to the fact that I had Pest Trap and those trojan dialers. Unfortunately it only did a scan and I needed to buy the program to remove them. I didn't buy it though.
ComboFix restarted Windows after it was done doing its thing. Once rebooted I got an error message from Windows Script Host that said "Can't find script engine "VBScript" for script "C:\sUBs\enter.vbs"". Never saw that error message before and not sure if it's anything of consequence.
Also, "Disk Cleanup0" opened on its own while rebooting... Did its thing and closed.
Anyway, here's the log from Combofix:
-----------------------------------------------------
(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\SYSTEM32\AWTQQ.DLL
C:\WINDOWS\SYSTEM32\WINJGF32.DLL
C:\WINDOWS\SYSTEM32\QQTWA.INI
C:\WINDOWS\SYSTEM32\QQTWA.TMP
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
10:31:27.01
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-02 11:58:30 ( .D... ) "C:\Program Files\Sony"
2006-07-25 09:11:50 65556 ( A.... ) "C:\WINDOWS\system32\yrtbwomg.exe"
2006-07-24 13:21:46 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-23 11:32:10 17750 ( A.... ) "C:\WINDOWS\system32\jhlvvxse.exe"
2006-07-23 07:43:12 69632 ( A.... ) "C:\WINDOWS\g59559484.dll"
2006-07-23 05:55:10 69632 ( A.... ) "C:\WINDOWS\g53077953.dll"
2006-07-23 04:05:10 69632 ( A.... ) "C:\WINDOWS\g46476750.dll"
2006-07-23 02:17:08 69632 ( A.... ) "C:\WINDOWS\g39994609.dll"
2006-07-23 00:29:06 69632 ( A.... ) "C:\WINDOWS\g33513187.dll"
2006-07-22 22:43:04 69632 ( A.... ) "C:\WINDOWS\g27151812.dll"
2006-07-22 21:21:54 17750 ( A.... ) "C:\WINDOWS\system32\boxsyywd.exe"
2006-07-22 20:57:04 69632 ( A.... ) "C:\WINDOWS\g20790421.dll"
2006-07-22 19:11:02 69632 ( A.... ) "C:\WINDOWS\g14429000.dll"
2006-07-22 17:21:00 69632 ( A.... ) "C:\WINDOWS\g7827796.dll"
2006-07-22 14:23:56 69632 ( A.... ) "C:\WINDOWS\g3382218.dll"
2006-07-22 14:16:56 ( .D... ) "C:\Program Files\Easy SpyRemover"
2006-07-22 13:03:24 31232 ( A.... ) "C:\WINDOWS\system32\ixt0.dll"
2006-07-22 11:51:52 69632 ( A.... ) "C:\WINDOWS\g1705296.dll"
2006-07-22 09:21:28 17750 ( A.... ) "C:\WINDOWS\system32\qwmfuxcw.exe"
2006-07-22 09:10:08 ( .D... ) "C:\Program Files\Common Files\s?stem"
2006-07-22 07:01:04 ( .D... ) "C:\Documents and Settings\Owner\Application Data\System-Xf.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
2006-07-22 06:55:40 0 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-07-21 11:13:50 ( .D... ) "C:\Documents and Settings\Owner\Application Data\TeoSoft Settings"
2006-07-21 11:13:44 ( .D... ) "C:\Program Files\TeoSoft.com"
2006-07-21 10:18:46 0 ( A.... ) "C:\WINDOWS\system32\sys_dll.dll"
2006-07-21 09:22:24 ( .D... ) "C:\Program Files\Trojan Guarder Gold Version"
2006-07-20 14:23:34 ( .D... ) "C:\Program Files\RegCure"
2006-06-26 12:17:12 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-06-26 12:17:06 ( .D... ) "C:\Program Files\MSXML 4.0"
2006-05-04 17:00:54 774144 ( A.... ) "C:\Program Files\RngInterstitial.dll"
(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))
2006-07-25 09:11 65,556 C:\WINDOWS\system32\yrtbwomg.exe
2006-07-23 11:32 17,750 C:\WINDOWS\system32\jhlvvxse.exe
2006-07-23 07:43 69,632 C:\WINDOWS\g59559484.dll
2006-07-23 05:55 69,632 C:\WINDOWS\g53077953.dll
2006-07-23 04:05 69,632 C:\WINDOWS\g46476750.dll
2006-07-23 02:17 69,632 C:\WINDOWS\g39994609.dll
2006-07-23 00:29 69,632 C:\WINDOWS\g33513187.dll
2006-07-22 22:43 69,632 C:\WINDOWS\g27151812.dll
2006-07-22 21:21 17,750 C:\WINDOWS\system32\boxsyywd.exe
2006-07-22 20:57 69,632 C:\WINDOWS\g20790421.dll
2006-07-22 19:11 69,632 C:\WINDOWS\g14429000.dll
2006-07-22 17:20 69,632 C:\WINDOWS\g7827796.dll
2006-07-22 14:23 69,632 C:\WINDOWS\g3382218.dll
2006-07-22 11:51 69,632 C:\WINDOWS\g1705296.dll
2006-07-22 09:21 17,750 C:\WINDOWS\system32\qwmfuxcw.exe
2006-07-22 09:11 31,232 C:\WINDOWS\system32\ixt0.dll
2006-07-22 06:55 0 C:\WINDOWS\system32\VundoFix.exe
2006-07-21 10:07 0 C:\WINDOWS\system32\sys_dll.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"HP Component Manager"="C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"tray.exe"="\"C:\\DVD burner2\\tray.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"Error Nuker"="C:\\Program Files\\Error Nuker\\bin\\ErrorNuker.exe autostart"
"Easy SpyRemover"="C:\\Program Files\\Easy SpyRemover\\EasySpyRemover.exe /smart"
"Easy SpyRemover"="C:\\Program Files\\Easy SpyRemover\\EasySpyRemover.exe /smart"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"RoboForm"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
"RoboForm"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
@=hex(7b0):
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"issearch.exe"=""
"ishost.exe"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
@=hex(7b0):
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\1-Klick-Wartung.job
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Owner.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Windows Update.job
C:\WINDOWS\tasks\XoftSpy.job
Completion time: Tue 07/25/2006 10:36:03.42
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt
ComboFix.2006-07-25.102556.txt
ComboFix.2006-07-25.102806.txt
ComboFix.2006-07-25.102843.txt