
POS .tmp files HELP!


Name: loulapops
Date: January 22, 2008 at 06:40:33 Pacific
OS: Windows XP Home Edition
CPU/Ram: x86 Family 6 Problem 6 St
Product: Packard Bell NEC
Comment:

I have 2003 POS .tmp files in my documents section of the computer. I know there must be some kind of virus, but unlike other people I have no Red X in place of my C Drive.
I've downloaded HijackThis, so I have my log if it helps?
Could somebody please help me, I don't know what to do...




Response Number 1
Name: RTAdams89
Date: January 22, 2008 at 07:39:43 Pacific
Reply:

Try downloading VundoFix and see if that takes care of the problem. Vundo seems to be related to all of the pos.tmp files.

Download: http://personal.ryantadams.com/2008...

-Ryan Adams
http://RyanTAdams.com



Response Number 2
Name: jabuck
Date: January 22, 2008 at 16:36:45 Pacific
Reply:

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click "yes".

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click "ok".

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 3
Name: loulapops
Date: January 24, 2008 at 14:42:59 Pacific
Reply:

Thank you for all your help! I was doing well until I walked away whilst ComboFix was doing its scan! When I came back I had a blank screen, so I switched off and began again. This time when I am trying to use ComboFix it says the file is corrupt? Where do I go from here?



Response Number 4
Name: jabuck
Date: January 24, 2008 at 18:44:45 Pacific
Reply:

Go to Start > Run, and type in:

sc stop BITS

Then press ok.

Try to run ComboFix now.



Response Number 5
Name: loula
Date: January 26, 2008 at 04:52:42 Pacific
Reply:

I've managed to get my logs :)



Response Number 6
Name: loula
Date: January 26, 2008 at 04:54:27 Pacific
Reply:

Okay, these are my HijackThis & ComboFix logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:35, on 24/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system\smscg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\System32\rqomn.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E8007E37-13F2-432D-B314-19C246A7C907} - C:\WINDOWS\System32\rqomn.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {FA81E151-CFE7-4B18-8B9E-8B96E62BAC11} (DownloadManager) - https://shop.ftmd.sonynetservices.com/GB/en/inc/applets/DownloadManager.cab
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe

--
End of file - 3013 bytes


And this is the ComboFix log:

ComboFix 08-01-23.1B - Louise 2008-01-25 13:52:22.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.219 [GMT 0:00]
Running from: C:\Documents and Settings\Louise\My Documents\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nmoqr.ini
C:\WINDOWS\system32\nmoqr.ini2
C:\WINDOWS\system32\rqomn.dll
C:\WINDOWS\system32\rqomn.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 14:50 . 2008-01-25 14:50 334,848 --a------ C:\WINDOWS\system32\rqomn.dll
2008-01-24 22:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 21:37 . 2008-01-24 21:51 <DIR> d-------- C:\VundoFix Backups
2008-01-22 14:16 . 2008-01-22 14:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 13:53 . 2008-01-24 21:33 35,328 --a------ C:\WINDOWS\hpfsched .exe
2008-01-22 13:36 . 2008-01-22 13:37 154 --a------ C:\WINDOWS\wininit.ini
2008-01-10 17:44 . 2008-01-10 17:44 100,352 -r-hs---- C:\WINDOWS\system\smscg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 14:50 --------- d-----w C:\Program Files\Microsoft Works
2008-01-22 13:56 --------- d-----w C:\Program Files\MSN Messenger
2008-01-20 18:18 --------- d-----w C:\Program Files\Nokia
2008-01-20 18:17 --------- d-----w C:\Program Files\Common Files\PCSuite
.
[code]


----a-w 28,738 2008-01-25 14:50:45 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w 69,632 2008-01-25 14:50:33 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 24,576 2008-01-25 14:50:38 C:\Program Files\Microsoft Works\wkfud .exe
----a-w 331,830 2008-01-25 14:50:46 C:\Program Files\Microsoft Works\WksSb .exe
----a-w 5,674,352 2008-01-22 13:53:32 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 35,328 2008-01-24 21:33:52 C:\WINDOWS\hpfsched .exe
----a-w 303,104 2008-01-24 21:33:44 C:\WINDOWS\OPTIONS\OEMReset .exe
[/code]


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C14EA4C-166D-4BA5-A768-0ACE58F3A626}]
2008-01-25 14:50 334848 --a------ C:\WINDOWS\System32\rqomn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-09-25 04:25 111104 C:\WINDOWS\system32\irprops.cpl]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2008-01-25 13:49 409088]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2008-01-25 14:50 364032]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2008-01-25 14:50 696832]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2008-01-25 13:50 373248]
"hpfsched"="C:\WINDOWS\hpfsched.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.exe" [2002-08-29 12:00 13312]

C:\Documents and Settings\Louise\Start Menu\Programs\Startup\
Reminder-hpc41001.lnk - C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe [1998-02-13 12:15:00 68096]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 23:06:54 24633]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\System32\rqomn.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\rqomn

R2 HPFECP13;HPFECP13;C:\WINDOWS\System32\drivers\HPFECP13.SYS [1998-09-25 08:55]
R2 SMSCGISVC;System Managment Controler;"C:\WINDOWS\system\smscg.exe" [2008-01-10 17:44]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 14:50:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.exe [6.00.2800.1106]
-> C:\WINDOWS\System32\rqomn.dll
.
Completion time: 2008-01-25 14:54:17 - machine was rebooted [Louise]
ComboFix-quarantined-files.txt 2008-01-25 14:54:00



Response Number 7
Name: jabuck
Date: January 26, 2008 at 12:59:48 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\System32\rqomn.dll
C:\WINDOWS\system\smscg.exe

RenV::
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\Microsoft Works\wkfud .exe
C:\Program Files\Microsoft Works\WksSb .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\WINDOWS\hpfsched .exe
C:\WINDOWS\OPTIONS\OEMReset .exe

Driver::
SMSCGISVC

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C14EA4C-166D-4BA5-A768-0ACE58F3A626}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".

Post a new HijackThis log and a new ComboFix log please.


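The indicators that jabuck's CFScript above targets (the nameless BHO, the win.ini load= entry, the extra LSA Authentication Package, the unknown-owner service and the "name .exe" renames) can be pulled out of a HijackThis or ComboFix log mechanically. What follows is an added example, not code from this thread or from the HijackThis/ComboFix authors; the sample lines are copied from the logs posted above, and the reversed-name .ini rule is taken from the rqomn.dll / nmoqr.ini pair that appears in them.

```python
"""Flag Vundo-style persistence indicators in HijackThis / ComboFix log text.

Added example, not from this thread or from the HijackThis/ComboFix authors.
The heuristics mirror what the CFScript in this thread removes: a nameless
BHO, a win.ini load= autostart, an extra LSA Authentication Package, a service
with an unknown owner, and startup programs renamed to "name .exe" (space
before the extension) so the malware could take over their file names.
"""
import os
import re

# Constructed sample: lines reproduced from the logs posted in this thread,
# re-joined where the forum wrapped them (raw string, so backslashes are literal).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\System32\rqomn.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E8007E37-13F2-432D-B314-19C246A7C907} - C:\WINDOWS\System32\rqomn.dll (file missing)
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\rqomn
----a-w 28,738 2008-01-25 14:50:45 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w 35,328 2008-01-24 21:33:52 C:\WINDOWS\hpfsched .exe
"""

# (rule name, pattern). The first matching rule claims the line.
RULES = [
    # win.ini load= is a Windows 3.x-era autostart; modern software does not use it.
    ("win.ini load= autostart",
     re.compile(r"^F3 - REG:win\.ini:\s*load=", re.I)),
    # Browser Helper Object with no product name (Vundo registers its DLL this way).
    ("nameless BHO",
     re.compile(r"^O2 - BHO: \(no name\)", re.I)),
    # Anything listed after the default msv1_0 package gets loaded into lsass.exe.
    ("extra LSA Authentication Package",
     re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+msv1_0\s+\S", re.I)),
    # Service with no publisher information.
    ("service with unknown owner",
     re.compile(r"^O23 - Service: .* - Unknown owner - ", re.I)),
    # Original program renamed "name .exe"; the copy at the real name is suspect.
    ("renamed startup executable (space before .exe)",
     re.compile(r"\S \.exe\b", re.I)),
]


def scan(log_text):
    """Return [(rule_name, line), ...] for every log line matching a rule."""
    hits = []
    for line in log_text.splitlines():
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line.strip()))
                break
    return hits


def companion_ini_name(dll_path):
    """Vundo kept its settings in an .ini whose name is the DLL base name reversed
    (rqomn.dll <-> nmoqr.ini in this thread); return that expected companion name
    so it can be searched for alongside the DLL."""
    base = os.path.basename(dll_path.replace("\\", "/"))
    stem = base.rsplit(".", 1)[0]
    return stem[::-1].lower() + ".ini"


if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOG):
        print(f"[{rule}] {line}")
    print("companion ini:", companion_ini_name(r"C:\WINDOWS\System32\rqomn.dll"))
```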

Response Number 8
Name: loula
Date: January 29, 2008 at 10:18:50 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:11:04, on 29/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr0...pld.cab
O16 - DPF: {FA81E151-CFE7-4B18-8B9E-8B96E62BAC11} (DownloadManager) - https://shop.ftmd.sonynetservices.com/GB/en/inc/applets/DownloadManager.cab
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
--
End of file - 2658 bytes





And the combofix log:


ComboFix 08-01-23.1B - Louise 2008-01-29 18:02:56.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.224 [GMT 0:00]
Running from: C:\Documents and Settings\Louise\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Louise\Desktop\CFScript.txt
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
FILE
C:\WINDOWS\system\smscg.exe
C:\WINDOWS\System32\rqomn.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Works\wkfud.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\hpfsched.exe
C:\WINDOWS\system\smscg.exe
C:\WINDOWS\system32\nmoqr.ini
C:\WINDOWS\system32\nmoqr.ini2
C:\WINDOWS\system32\rqomn.dll
C:\WINDOWS\system32\rqomn.exe
[code]


C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe ---> QooBox
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe ---> QooBox
[/code]
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SMSCGISVC
-------\SMSCGISVC

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.
2008-01-24 22:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 21:37 . 2008-01-24 21:51 <DIR> d-------- C:\VundoFix Backups
2008-01-22 14:16 . 2008-01-22 14:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 13:36 . 2008-01-22 13:37 154 --a------ C:\WINDOWS\wininit.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 18:04 --------- d-----w C:\Program Files\MSN Messenger
2008-01-29 18:04 --------- d-----w C:\Program Files\Microsoft Works
2008-01-20 18:18 --------- d-----w C:\Program Files\Nokia
2008-01-20 18:17 --------- d-----w C:\Program Files\Common Files\PCSuite
.
((((((((((((((((((((((((((((( snapshot@2008-01-25_14.53.40.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 22:06:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-29 18:01:54 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 22:06:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-29 18:01:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 22:06:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-29 18:01:55 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 22:06:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-29 18:01:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 22:06:22 3,493,888 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-29 18:01:55 3,493,888 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-24 22:06:23 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-29 18:01:55 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 21:33:44 303,104 ----a-w C:\WINDOWS\OPTIONS\OEMReset.exe
- 2008-01-24 22:31:39 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-25 14:49:28 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-24 22:31:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-25 14:49:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-24 22:31:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-25 14:49:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-25 13:52:11 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
+ 2008-01-29 18:02:20 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-09-25 04:25 111104 C:\WINDOWS\system32\irprops.cpl]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [ ]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"hpfsched"="C:\WINDOWS\hpfsched.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.exe" [2002-08-29 12:00 13312]
C:\Documents and Settings\Louise\Start Menu\Programs\Startup\
Reminder-hpc41001.lnk - C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe [1998-02-13 12:15:00 68096]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 23:06:54 24633]
R2 HPFECP13;HPFECP13;C:\WINDOWS\System32\drivers\HPFECP13.SYS [1998-09-25 08:55]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 18:07:53
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-29 18:10:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 18:09:46
ComboFix2.txt 2008-01-25 14:54:17


I can't thank you enough!




Response Number 9
Name: jabuck
Date: January 29, 2008 at 16:20:47 Pacific
Reply:

Was your C: drive icon replaced with a red X?

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.



Response Number 10
Name: loula
Date: January 30, 2008 at 11:43:54 Pacific
Reply:

My C Drive was not replaced with a Red X, no; I don't think the virus had got that far. Am I still OK to go ahead with the next step?



Response Number 11
Name: jabuck
Date: January 30, 2008 at 14:38:19 Pacific
Reply:

Yes, please continue.


