

Combofix ran and produced a log successfully; however, I got the following message while running it:

"Could not locate automation class named "WScript.Shell"
Code 80020009
Source WScript.CreateObject"

Also, I located the sUBs log and have attached that as well.
-----------------------------------------------------------------

Start Time= Wed 07/26/2006 1035.14
Running from: C:\Documents and Settings\Owner\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-02 11:58:30 ( .D... ) "C:\Program Files\Sony"
2006-07-25 14:24:18 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-24 13:21:46 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-23 14:35:14 11430 ( A.... ) "C:\delfiles.bat"
2006-07-22 14:16:56 ( .D... ) "C:\Program Files\Easy SpyRemover"
2006-07-22 07:01:04 ( .D... ) "C:\Documents and Settings\Owner\Application Data\System-Xf.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
2006-07-22 06:55:40 0 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-07-21 11:13:50 ( .D... ) "C:\Documents and Settings\Owner\Application Data\TeoSoft Settings"
2006-07-21 11:13:44 ( .D... ) "C:\Program Files\TeoSoft.com"
2006-07-21 09:22:24 ( .D... ) "C:\Program Files\Trojan Guarder Gold Version"
2006-07-20 14:23:34 ( .D... ) "C:\Program Files\RegCure"
2006-06-26 12:17:12 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-06-26 12:17:06 ( .D... ) "C:\Program Files\MSXML 4.0"
2006-05-04 17:00:54 774144 ( A.... ) "C:\Program Files\RngInterstitial.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-25 13:46 4,096 C:\WINDOWS\system32\reboot.exe
2006-07-25 13:46 16,384 C:\WINDOWS\system32\restart.exe
2006-07-25 13:46 11,430 C:\delfiles.bat
2006-07-22 06:55 0 C:\WINDOWS\system32\VundoFix.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"HP Component Manager"="C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"tray.exe"="\"C:\\DVD burner2\\tray.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"Error Nuker"="C:\\Program Files\\Error Nuker\\bin\\ErrorNuker.exe autostart"
"Easy SpyRemover"="C:\\Program Files\\Easy SpyRemover\\EasySpyRemover.exe /smart"
"Easy SpyRemover"="C:\\Program Files\\Easy SpyRemover\\EasySpyRemover.exe /smart"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"RoboForm"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
"RoboForm"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
@=hex(7b0):

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
@=hex(7b0):

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\1-Klick-Wartung.job
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Owner.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Windows Update.job
C:\WINDOWS\tasks\XoftSpy.job

Completion time: Wed 07/26/2006 10:10:09.64
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-25.102556.txt
ComboFix.2006-07-25.102806.txt
ComboFix.2006-07-25.102843.txt
ComboFix.2006-07-26.100634.txt
-------------------------------------------------------------

C:\WINDOWS\system32\yrtbwomg.exe .......... present
C:\WINDOWS\system32\yrtbwomg.exe .......... deleted
C:\WINDOWS\system32\jhlvvxse.exe .......... present
C:\WINDOWS\system32\jhlvvxse.exe .......... deleted
C:\WINDOWS\g59559484.dll .......... present
C:\WINDOWS\g59559484.dll .......... deleted
C:\WINDOWS\g53077953.dll .......... present
C:\WINDOWS\g53077953.dll .......... deleted
C:\WINDOWS\g46476750.dll .......... present
C:\WINDOWS\g46476750.dll .......... deleted
C:\WINDOWS\g39994609.dll .......... present
C:\WINDOWS\g39994609.dll .......... deleted
C:\WINDOWS\g33513187.dll .......... present
C:\WINDOWS\g33513187.dll .......... deleted
C:\WINDOWS\g27151812.dll .......... present
C:\WINDOWS\g27151812.dll .......... deleted
C:\WINDOWS\system32\boxsyywd.exe .......... present
C:\WINDOWS\system32\boxsyywd.exe .......... deleted
C:\WINDOWS\g20790421.dll .......... present
C:\WINDOWS\g20790421.dll .......... deleted
C:\WINDOWS\g14429000.dll .......... present
C:\WINDOWS\g14429000.dll .......... deleted
C:\WINDOWS\g7827796.dll .......... present
C:\WINDOWS\g7827796.dll .......... deleted
C:\WINDOWS\g3382218.dll .......... present
C:\WINDOWS\g3382218.dll .......... deleted
C:\WINDOWS\system32\ixt0.dll .......... present
C:\WINDOWS\g1705296.dll .......... present
C:\WINDOWS\g1705296.dll .......... deleted
C:\WINDOWS\system32\qwmfuxcw.exe .......... present
C:\WINDOWS\system32\qwmfuxcw.exe .......... deleted
C:\Program Files\Common Files\sstem~1 .......... present
C:\Program Files\Common Files\sstem~1 .......... deleted