
Thread: Who can read a Combofix file?

  1. #1 (Join Date: Jun 2007; Posts: 3)

    Who can read a Combofix file?

    I've never come across anything so difficult. I can usually take care of this through Ad-aware, Spybot, Trend Micro, and ComboFix. But after using them all (even in Safe Mode), I still have problems. Popups keep coming. Here are my results. Sorry, I can't interpret them - can anyone see the culprit(s)?



    "Darren" - 2003-06-27 0:35:08 - ComboFix 07-06-26.8 - Service Pack 2 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\rqrqppo.dll
    C:\WINDOWS\system32\nqstv.ini
    C:\WINDOWS\system32\vtsqn.dll
    C:\WINDOWS\system32\iifcaxy.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\Darren.\iswiz.exe
    C:\temp\iee
    C:\temp\iee\tmpZTF.log
    C:\WINDOWS\180ax.exe
    C:\WINDOWS\7search.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\flt.dll
    C:\WINDOWS\mgrs.exe
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\pbar.dll
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\salm.exe
    C:\WINDOWS\satmat.exe
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\susp.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\drivers\svchost.exe
    C:\WINDOWS\system32\gtv_sd.bin
    C:\WINDOWS\system32\monterreyn_olive.exe
    C:\WINDOWS\system32\msdn_lib.dll
    C:\WINDOWS\system32\msixu.dll
    C:\WINDOWS\system32\o02PrEz
    C:\WINDOWS\system32\o05PrEz
    C:\WINDOWS\system32\S0
    C:\WINDOWS\system32\S0\cogyaga58441.exe
    C:\WINDOWS\system32\S1
    C:\WINDOWS\system32\S4
    C:\WINDOWS\system32\S4\wen2.exe
    C:\WINDOWS\system32\S6
    C:\WINDOWS\system32\S7
    C:\WINDOWS\system32\vxddsk.exe
    C:\WINDOWS\system32\wer8274.dll
    C:\WINDOWS\system32\win
    C:\WINDOWS\system32\wml.exe
    C:\WINDOWS\system32\wtsisvsu32.exe
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\voiceip.dll
    C:\WINDOWS\wml.exe


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2003-05-27 to 2003-06-27 )))))))))))))))))))))))))))))))


    2003-06-27 00:38 16,323 --a------ C:\WINDOWS\system32\drivers\svchost.exe
    2003-06-27 00:27 170 --a------ C:\combo.vbs
    2003-06-26 16:54 128,576 --a------ C:\WINDOWS\system32\nfxydjkd.dll
    2003-06-26 16:51 83,457 --a------ C:\WINDOWS\system32\msorcl32.exe
    2003-06-26 15:38 172,544 --a------ C:\WINDOWS\system32\uqnihew.dll
    2003-06-26 15:38 133,153 --a------ C:\DOCUME~1\Darren\tippo.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-26 21:39:03 59,480 ----a-w C:\WINDOWS\system32\tmp13E.tmp.dll
    2007-06-26 20:55:26 38,126 ----a-w C:\WINDOWS\system32\comgnt.dll
    2007-06-26 20:51:38 128,576 ----a-w C:\WINDOWS\system32\hrpsihdn.dll
    2007-06-26 20:48:34 66,112 ----a-w C:\WINDOWS\system32\euxrqurm.dll
    2007-06-26 20:38:50 22,784 ----a-w C:\WINDOWS\vxddsk.exe
    2007-06-17 12:52:34 -------- d-----w C:\DOCUME~1\Darren\APPLIC~1\Lavasoft
    2007-06-17 12:52:22 -------- d-----w C:\Program Files\Lavasoft
    2007-06-15 19:43:08 53,248 ----a-w C:\WINDOWS\uni_eh43.exe
    2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-02-23 20:23:47 -------- d-----w C:\Program Files\MaXimus DVD v1.2
    2007-02-23 20:23:25 249,856 ------w C:\WINDOWS\Setup1.exe
    2007-02-23 20:23:24 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2007-02-11 23:40:46 -------- d-----w C:\DOCUME~1\Darren\APPLIC~1\Google
    2007-02-11 23:40:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-02-11 23:40:33 -------- d-----w C:\Program Files\Google
    2007-02-06 22:15:04 -------- d-----w C:\DOCUME~1\Darren\APPLIC~1\Microsoft Web Folders
    2007-02-06 22:05:29 -------- d-----w C:\Program Files\Online Services
    2007-02-06 1957 -------- d-----w C:\Program Files\S3
    2007-02-06 1953 -------- d-----w C:\Program Files\Common Files\InstallShield
    2007-02-06 19:25:31 -------- d-----w C:\Program Files\VIA
    2007-02-06 19:02:47 -------- d-----w C:\Program Files\802.11 Wireless LAN
    2007-02-06 18:52:47 -------- d-----w C:\Program Files\microsoft frontpage
    2007-02-06 18:52:26 0 --sha-r C:\MSDOS.SYS
    2007-02-06 18:52:26 0 --sha-r C:\IO.SYS
    2007-02-06 18:52:26 0 ----a-w C:\CONFIG.SYS
    2007-02-06 18:52:26 0 ----a-w C:\AUTOEXEC.BAT
    2007-02-06 18:51:26 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-02-06 18:50:42 -------- d-----w C:\Program Files\Common Files\MSSoap
    2007-02-06 18:50:35 -------- d-----w C:\Program Files\Movie Maker
    2007-02-06 18:49:57 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
    2007-02-06 18:49:30 -------- d-----w C:\Program Files\MSN Gaming Zone
    2007-02-06 18:49:23 -------- d-----w C:\Program Files\Windows NT
    2007-02-06 13:44:17 -------- d-----w C:\Program Files\Common Files\ODBC
    2007-02-06 13:44:14 -------- d-----w C:\Program Files\Common Files\SpeechEngines
    2006-09-27 05:31:21 77,824 ----a-w C:\WINDOWS\system32\slmdmco.dll
    2006-09-27 05:31:21 61,440 ----a-w C:\WINDOWS\system32\slmdmsr.exe
    2006-09-27 05:31:21 221,184 ----a-w C:\WINDOWS\system32\slmdmsp.dll
    2006-09-27 05:31:21 192,512 ----a-w C:\WINDOWS\system32\slmdmgx.dll
    2006-07-24 06:38:26 49,152 ----a-w C:\WINDOWS\nircmd.exe
    2006-03-31 06:38:48 3,960,896 ----a-r C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2006-03-22 08:23:26 10,524,672 ----a-r C:\WINDOWS\system32\RTLCPL.EXE
    2006-03-01 08:22:04 577,536 ----a-r C:\WINDOWS\SOUNDMAN.EXE
    2006-02-28 12:00:00 994,304 ----a-w C:\WINDOWS\system32\msgina.dll
    2006-02-28 12:00:00 99,840 ----a-w C:\WINDOWS\system32\mprmsg.dll
    2006-02-28 12:00:00 99,328 ----a-w C:\WINDOWS\system32\winscard.dll
    2006-02-28 12:00:00 984,576 ----a-w C:\WINDOWS\system32\syssetup.dll
    2006-02-28 12:00:00 983,552 ----a-w C:\WINDOWS\system32\setupapi.dll
    2006-02-28 12:00:00 98,304 ----a-w C:\WINDOWS\system32\verifier.exe
    2006-02-28 12:00:00 98,304 ----a-w C:\WINDOWS\system32\slbiop.dll
    2006-02-28 12:00:00 98,304 ----a-w C:\WINDOWS\system32\rtm.dll
    2006-02-28 12:00:00 98,304 ----a-w C:\WINDOWS\system32\cscript.exe
    2006-02-28 12:00:00 98,304 ----a-w C:\WINDOWS\system32\ahui.exe
    2006-02-28 12:00:00 97,965 ----a-w C:\WINDOWS\system32\eventquery.vbs
    2006-02-28 12:00:00 97,280 ----a-w C:\WINDOWS\system32\loadperf.dll
    2006-02-28 12:00:00 96,768 ----a-w C:\WINDOWS\system32\srvsvc.dll
    2006-02-28 12:00:00 96,768 ----a-w C:\WINDOWS\system32\psbase.dll
    2006-02-28 12:00:00 96,768 ----a-w C:\WINDOWS\system32\dpcdll.dll
    2006-02-28 12:00:00 96,256 ----a-w C:\WINDOWS\system32\drivers\scsiport.sys
    2006-02-28 12:00:00 95,744 ----a-w C:\WINDOWS\system32\scardsvr.exe
    2006-02-28 12:00:00 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
    2006-02-28 12:00:00 95,360 ----a-w C:\WINDOWS\system32\drivers\atapi.sys
    2006-02-28 12:00:00 949,248 ----a-w C:\WINDOWS\system32\msdtctm.dll
    2006-02-28 12:00:00 94,784 ----a-w C:\WINDOWS\twain.dll
    2006-02-28 12:00:00 94,282 ----a-w C:\WINDOWS\system32\msencode.dll
    2006-02-28 12:00:00 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
    2006-02-28 12:00:00 937,984 ----a-w C:\WINDOWS\system32\winbrand.dll
    2006-02-28 12:00:00 93,696 ----a-w C:\WINDOWS\system32\tscfgwmi.dll
    2006-02-28 12:00:00 924,432 ----a-w C:\WINDOWS\system32\mfc40u.dll
    2006-02-28 12:00:00 924,432 ----a-w C:\WINDOWS\system32\mfc40.dll
    2006-02-28 12:00:00 92,672 ----a-w C:\WINDOWS\system32\wlnotify.dll
    2006-02-28 12:00:00 92,672 ----a-w C:\WINDOWS\system32\dskquota.dll
    2006-02-28 12:00:00 92,224 ----a-w C:\WINDOWS\system32\krnl386.exe
    2006-02-28 12:00:00 92,168 ----a-w C:\WINDOWS\system32\rdpdd.dll
    2006-02-28 12:00:00 92,032 ----a-w C:\WINDOWS\system32\drivers\ksecdd.sys
    2006-02-28 12:00:00 91,776 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
    2006-02-28 12:00:00 91,648 ----a-w C:\WINDOWS\system32\xactsrv.dll
    2006-02-28 12:00:00 91,136 ----a-w C:\WINDOWS\system32\ntprint.dll
    2006-02-28 12:00:00 90,624 ----a-w C:\WINDOWS\system32\trkwks.dll
    2006-02-28 12:00:00 90,624 ----a-w C:\WINDOWS\system32\mydocs.dll
    2006-02-28 12:00:00 90,112 ----a-w C:\WINDOWS\system32\rsvpsp.dll
    2006-02-28 12:00:00 90,112 ----a-w C:\WINDOWS\system32\mycomput.dll
    2006-02-28 12:00:00 90,112 ----a-w C:\WINDOWS\system32\mtxoci.dll
    2006-02-28 12:00:00 9,936 ----a-w C:\WINDOWS\system32\lzexpand.dll
    2006-02-28 12:00:00 9,728 ----a-w C:\WINDOWS\system32\sprestrt.exe
    2006-02-28 12:00:00 9,728 ----a-w C:\WINDOWS\system32\sfc.exe
    2006-02-28 12:00:00 9,728 ----a-w C:\WINDOWS\system32\rsvpperf.dll
    2006-02-28 12:00:00 9,728 ----a-w C:\WINDOWS\system32\reset.exe
    2006-02-28 12:00:00 9,728 ----a-w C:\WINDOWS\system32\label.exe
    2006-02-28 12:00:00 9,728 ----a-w C:\WINDOWS\system32\gpkrsrc.dll
    2006-02-28 12:00:00 9,600 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
    2006-02-28 12:00:00 9,344 ----a-w C:\WINDOWS\system32\vga.dll
    2006-02-28 12:00:00 9,344 ----a-w C:\WINDOWS\system32\framebuf.dll
    2006-02-28 12:00:00 9,216 ----a-w C:\WINDOWS\system32\wshatm.dll
    2006-02-28 12:00:00 9,216 ----a-w C:\WINDOWS\system32\winfax.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\tmp13E.tmp.dll [2007-06-26 16:39]
    {32176EF8-F044-8592-4F12-F98DBC218EC8}=C:\WINDOWS\system32\hhekdpur.dll []
    {38847C4B-1AB1-4A47-9026-9A6CF7B43D31}=C:\WINDOWS\system32\msdn_lib.dll []
    {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
    {905B1435-264E-4F36-863E-8F06E21B6399}=C:\Program Files\Messenger\hokemoq43855.dll [2007-06-14 06:54]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-02-06 14:42]
    {c3a49200-452d-4551-84dc-c0dba18c7e62}=C:\WINDOWS\system32\comgnt.dll [2007-06-26 15:55]
    {d4099cf4-7951-4a9f-9534-ea76b3ca07e5}=C:\WINDOWS\system32\uqnihew.dll [2003-06-26 15:38]
    {DE256BC8-14DA-4234-B1B3-ED38DF9B1864}=C:\Program Files\Messenger\hokemoq83122.dll [2007-06-18 13:59]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2005-03-07 14:33 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-10-31 15:15 C:\WINDOWS\system32\VTTrayp.exe]
    "SoundMan"="SOUNDMAN.EXE" [2006-03-01 03:22 C:\WINDOWS\SOUNDMAN.EXE]
    "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 04:26]
    "Etcd"="C:\PROGRA~1\COMMON~1\ASEMBL~1\fast.exe " []
    "Wje"="C:\Program Files\??stem\w?nword.exe" []
    "autoload"="C:\WINDOWS\system32\drivers\svchost.exe" [2007-06-26 15:55]
    "autorun"="C:\Documents and Settings\Darren\svchost.exe" [2007-06-26 15:55]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\MSN\profsyrtylyg.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comgnt]
    comgnt.dll


    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E02310B4E666}
    C:\WINDOWS\system32\tmrsrv32.exe

    Contents of the 'Scheduled Tasks' folder
    2007-06-26 05:00:30 C:\WINDOWS\tasks\At1.job
    2007-06-25 14:00:30 C:\WINDOWS\tasks\At10.job
    2007-06-26 15:01:11 C:\WINDOWS\tasks\At11.job
    2007-06-26 16:00:30 C:\WINDOWS\tasks\At12.job
    2007-06-26 17:00:30 C:\WINDOWS\tasks\At13.job
    2007-06-26 18:01:14 C:\WINDOWS\tasks\At14.job
    2007-06-26 19:00:30 C:\WINDOWS\tasks\At15.job
    2007-06-26 20:00:30 C:\WINDOWS\tasks\At16.job
    2007-06-26 21:00:00 C:\WINDOWS\tasks\At17.job
    2007-06-25 22:00:30 C:\WINDOWS\tasks\At18.job
    2007-06-25 23:00:30 C:\WINDOWS\tasks\At19.job
    2007-06-26 06:00:30 C:\WINDOWS\tasks\At2.job
    2007-06-26 00:00:30 C:\WINDOWS\tasks\At20.job
    2007-06-26 01:00:30 C:\WINDOWS\tasks\At21.job
    2007-06-26 02:00:30 C:\WINDOWS\tasks\At22.job
    2007-06-26 03:00:30 C:\WINDOWS\tasks\At23.job
    2007-06-26 04:00:30 C:\WINDOWS\tasks\At24.job
    2007-06-26 07:00:30 C:\WINDOWS\tasks\At3.job
    2007-06-26 08:00:30 C:\WINDOWS\tasks\At4.job
    2007-06-26 09:00:30 C:\WINDOWS\tasks\At5.job
    2007-06-26 10:00:30 C:\WINDOWS\tasks\At6.job
    2007-06-26 11:00:30 C:\WINDOWS\tasks\At7.job
    2007-06-26 12:00:30 C:\WINDOWS\tasks\At8.job
    2007-06-26 13:00:30 C:\WINDOWS\tasks\At9.job

    ************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2003-06-27 00:38:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************************************

    Completion time: 2003-06-27 0:38:39 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2003-06-27 00:38
    C:\ComboFix2.txt ... 2003-06-27 00:18
    C:\ComboFix3.txt ... 2003-06-26 23:56

    --- E O F ---
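
The log above was posted for others to interpret. As an added example, not part of the original post and not ComboFix's own code, here is a small Python triage script that applies three of the checks a removal helper would make by eye to the "Reg Loading Points" section: a core Windows binary name (svchost.exe and friends) loaded from somewhere other than its home directory, a path containing characters that cannot occur in a Windows file name (a "?" in a logged path usually means a non-ASCII look-alike character the forum could not render), and an entry whose trailing "[...]" field is empty. The reading of an empty "[]" as "ComboFix could not find or stat the file" is an assumption, as is C:\WINDOWS as the system root. The sample input is constructed from a handful of the Run and Browser Helper Objects lines in the log.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not part of the original post and not
ComboFix's own code. It encodes three checks a removal helper applies by eye:
a core Windows binary name loaded from outside its home directory, a path
containing characters that cannot occur in a Windows file name, and an entry
whose trailing "[...]" field is empty (assumed here to mean ComboFix could not
find or stat the file; that reading of the format is an assumption).
"""
import re

# Constructed sample modelled on the Run and BHO entries in the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\tmp13E.tmp.dll [2007-06-26 16:39]
{32176EF8-F044-8592-4F12-F98DBC218EC8}=C:\WINDOWS\system32\hhekdpur.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 03:22 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Etcd"="C:\PROGRA~1\COMMON~1\ASEMBL~1\fast.exe " []
"Wje"="C:\Program Files\??stem\w?nword.exe" []
"autoload"="C:\WINDOWS\system32\drivers\svchost.exe" [2007-06-26 15:55]
"autorun"="C:\Documents and Settings\Darren\svchost.exe" [2007-06-26 15:55]
"""

# Home directories of binaries that malware likes to impersonate by name.
# Assumes the XP default of C:\WINDOWS as the system root, as in the log above.
CORE_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Characters Windows does not allow in a file name. A '?' in a logged path
# usually means a non-ASCII (look-alike) character the forum could not render.
INVALID_NAME_CHARS = set('<>"|?*')

# NAME=VALUE [STAMP]; NAME is a quoted Run value name or a BHO CLSID.
ENTRY_RE = re.compile(
    r'^(?P<name>"[^"]*"|\{[0-9A-Fa-f-]+\})=(?P<value>.*?)\s*\[(?P<stamp>[^\]]*)\]\s*$'
)
ABS_PATH_RE = re.compile(r'[A-Za-z]:\\.*$')


def parse_loading_points(text):
    """Return one dict per entry: key, name, resolved path, raw stamp field."""
    key = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a registry key header
            continue
        m = ENTRY_RE.match(line)
        if m is None or key is None:
            continue
        value = m.group("value").strip().strip('"').strip()
        stamp = m.group("stamp").strip()
        # For bare names like "SOUNDMAN.EXE" ComboFix appends the resolved
        # path after the timestamp; prefer that when present.
        found = ABS_PATH_RE.search(stamp)
        entries.append({
            "key": key,
            "name": m.group("name").strip('"'),
            "path": found.group(0) if found else value,
            "stamp": stamp,
        })
    return entries


def triage(entries):
    """Map entry name -> list of reasons, for entries that trip a check."""
    findings = {}
    for e in entries:
        path = e["path"]
        low = path.lower()
        parent, _, base = low.rpartition("\\")
        reasons = []
        home = CORE_BINARIES.get(base)
        if home is not None and parent != home:
            reasons.append(f"{base} loaded from {parent!r}, expected {home!r}")
        if INVALID_NAME_CHARS & set(path):
            reasons.append("path contains characters invalid in a Windows file name")
        if not e["stamp"]:
            reasons.append("no file timestamp recorded (file missing or unreadable)")
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_loading_points(SAMPLE_LOG)).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the script flags the two svchost.exe Run entries (one under system32\drivers, one in the user profile), the "Wje" entry with unprintable characters in its path, and the two entries with no file timestamp, while leaving SoundMan, Spybot's SDHelper.dll and the Google toolbar alone. These are heuristics for deciding where to look first, not a verdict: the BHOs with random-looking names and a fresh timestamp (tmp13E.tmp.dll, comgnt.dll) would still need a hand check.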

  2. #2 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)

    Did you follow all the steps here? READ ME Before Posting A Request For Assistance!

    If you have not done so yet, please do and post the requested logs. If you HAVE followed the steps...post the requested logs.
    Judy

  3. #3 (Join Date: Jun 2007; Posts: 3)

    Sorry, Judy, I didn't see the instructions first. I guess that works for a lot of people, but unfortunately it incapacitated my computer when I downloaded Windows Defender. My wireless was knocked out in the middle of the download. I couldn't fix the network. Frozen - even after rebooting. Safe Mode wouldn't even boot up. The task manager was frozen. I had an "Admin login" added that I never added. Horrible. It's too far gone now, so I'll just reinstall XP on top of the old. Wish me luck.

  4. #4 (Join Date: Aug 2006; Location: 255.255.255.666; Posts: 2,056)

    Remember, ComboFix is still being updated to the best of my knowledge and is NOT recommended to be used, since there are 1 or 2 different malicious rootkit infectors that target ComboFix and bork the system if you run the fix on a system that got infected with the related rootkits!

    So, refrain from using that type of specialized tool unless one of the spyware gurus asked you to; otherwise you could be taking a big risk!

  5. #5 (Join Date: Jun 2007; Posts: 3)

    Thanks, TL. I wasn't aware of that. I did reinstall Windows and installed all the latest security updates. I didn't lose any info (I backed it up through DOS first). So far everything seems normal after 24 hours. I appreciate what you guys do to help others. All the best to you.
