POS .tmp files HELP!

Original Message
Name: loulapops
Date: January 22, 2008 at 06:40:33 Pacific
Subject: POS .tmp files HELP!
OS: Windows XP Home Edition
CPU/Ram: x86 Family 6 Problem 6 St
Model/Manufacturer: Packard Bell NEC
Comment:
I have 2003 POS .tmp files in the My Documents section of the computer. I know there must be some kind of virus, but unlike other people I have no red X in place of my C drive.
I've downloaded HijackThis, so I have my log if it helps.
Could somebody please help me? I don't know what to do...




Response Number 1
Name: RTAdams89
Date: January 22, 2008 at 07:39:43 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
Try downloading VundoFix and see if that takes care of the problem. Vundo seems to be related to all of the pos.tmp files.

Download: http://personal.ryantadams.com/2008...

-Ryan Adams
http://RyanTAdams.com



Response Number 2
Name: jabuck
Date: January 22, 2008 at 16:36:45 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 3
Name: loulapops
Date: January 24, 2008 at 14:42:59 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
Thank you for all your help! I was doing well until I walked away whilst ComboFix was doing its scan! When I came back I had a blank screen, so I switched off and began again. This time when I am trying to use ComboFix it says the file is corrupt? Where do I go from here?


Response Number 4
Name: jabuck
Date: January 24, 2008 at 18:44:45 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
Go to Start > Run, and type in:

sc stop BITS

Then press ok.

Try to run the combofix now.



Response Number 5
Name: loula
Date: January 26, 2008 at 04:52:42 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
I've managed to get my logs :)



Response Number 6
Name: loula
Date: January 26, 2008 at 04:54:27 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
Okay, these are my HijackThis & ComboFix logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:35, on 24/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system\smscg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\System32\rqomn.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E8007E37-13F2-432D-B314-19C246A7C907} - C:\WINDOWS\System32\rqomn.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {FA81E151-CFE7-4B18-8B9E-8B96E62BAC11} (DownloadManager) - https://shop.ftmd.sonynetservices.com/GB/en/inc/applets/DownloadManager.cab
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe

--
End of file - 3013 bytes


And this is the ComboFix log:

ComboFix 08-01-23.1B - Louise 2008-01-25 13:52:22.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.219 [GMT 0:00]
Running from: C:\Documents and Settings\Louise\My Documents\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nmoqr.ini
C:\WINDOWS\system32\nmoqr.ini2
C:\WINDOWS\system32\rqomn.dll
C:\WINDOWS\system32\rqomn.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 14:50 . 2008-01-25 14:50 334,848 --a------ C:\WINDOWS\system32\rqomn.dll
2008-01-24 22:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 21:37 . 2008-01-24 21:51 <DIR> d-------- C:\VundoFix Backups
2008-01-22 14:16 . 2008-01-22 14:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 13:53 . 2008-01-24 21:33 35,328 --a------ C:\WINDOWS\hpfsched .exe
2008-01-22 13:36 . 2008-01-22 13:37 154 --a------ C:\WINDOWS\wininit.ini
2008-01-10 17:44 . 2008-01-10 17:44 100,352 -r-hs---- C:\WINDOWS\system\smscg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 14:50 --------- d-----w C:\Program Files\Microsoft Works
2008-01-22 13:56 --------- d-----w C:\Program Files\MSN Messenger
2008-01-20 18:18 --------- d-----w C:\Program Files\Nokia
2008-01-20 18:17 --------- d-----w C:\Program Files\Common Files\PCSuite
.

----a-w 28,738 2008-01-25 14:50:45 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w 69,632 2008-01-25 14:50:33 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 24,576 2008-01-25 14:50:38 C:\Program Files\Microsoft Works\wkfud .exe
----a-w 331,830 2008-01-25 14:50:46 C:\Program Files\Microsoft Works\WksSb .exe
----a-w 5,674,352 2008-01-22 13:53:32 C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w 35,328 2008-01-24 21:33:52 C:\WINDOWS\hpfsched .exe
----a-w 303,104 2008-01-24 21:33:44 C:\WINDOWS\OPTIONS\OEMReset .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C14EA4C-166D-4BA5-A768-0ACE58F3A626}]
2008-01-25 14:50 334848 --a------ C:\WINDOWS\System32\rqomn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-09-25 04:25 111104 C:\WINDOWS\system32\irprops.cpl]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2008-01-25 13:49 409088]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2008-01-25 14:50 364032]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2008-01-25 14:50 696832]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2008-01-25 13:50 373248]
"hpfsched"="C:\WINDOWS\hpfsched.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 12:00 13312]

C:\Documents and Settings\Louise\Start Menu\Programs\Startup\
Reminder-hpc41001.lnk - C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe [1998-02-13 12:15:00 68096]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 23:06:54 24633]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\System32\rqomn.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\rqomn

R2 HPFECP13;HPFECP13;C:\WINDOWS\System32\drivers\HPFECP13.SYS [1998-09-25 08:55]
R2 SMSCGISVC;System Managment Controler;"C:\WINDOWS\system\smscg.exe" [2008-01-10 17:44]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 14:50:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\WINDOWS\System32\rqomn.dll
.
Completion time: 2008-01-25 14:54:17 - machine was rebooted [Louise]
ComboFix-quarantined-files.txt 2008-01-25 14:54:00



Response Number 7
Name: jabuck
Date: January 26, 2008 at 12:59:48 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\System32\rqomn.dll
C:\WINDOWS\system\smscg.exe

RenV::
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\Microsoft Works\wkfud .exe
C:\Program Files\Microsoft Works\WksSb .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\WINDOWS\hpfsched .exe
C:\WINDOWS\OPTIONS\OEMReset .exe

Driver::
SMSCGISVC

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C14EA4C-166D-4BA5-A768-0ACE58F3A626}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".

Post a new HijackThis log and a new ComboFix log please.


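A defender's triage of the HijackThis entries that the CFScript above acts on, as an added example that is not part of the thread and is not HijackThis or ComboFix code. The sample log lines are constructed from the first log posted in this thread; the heuristics, and the reversed-name companion check drawn from the rqomn.dll / nmoqr.ini pairing in the ComboFix output, are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the first HijackThis log posted in this thread,
# with the forum's wrapped lines rejoined. It is not a fresh scan.
SAMPLE_LOG = """\
F3 - REG:win.ini: load=C:\\WINDOWS\\System32\\rqomn.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E8007E37-13F2-432D-B314-19C246A7C907} - C:\\WINDOWS\\System32\\rqomn.dll (file missing)
O4 - HKLM\\..\\Run: [] C:\\WINDOWS\\Options\\OEMReset.exe /Audit
O4 - HKLM\\..\\Run: [hpfsched] C:\\WINDOWS\\hpfsched.exe
O23 - Service: ServiceLayer - Nokia. - C:\\Program Files\\Common Files\\PCSuite\\Services\\ServiceLayer.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\\WINDOWS\\system\\smscg.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O2" or "F3"
    path: str     # file the entry points at, "" if it names none
    reason: str   # why it was flagged; several reasons joined with "; "


# First Windows path in a line that ends in a binary or driver extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl|sys)\b", re.I)
ENTRY_RE = re.compile(r"(O\d+|F\d|R\d|N\d)\s+-\s+(.*)")


def triage_line(line: str) -> Optional[Finding]:
    """Apply the triage heuristics (assumptions, see lead-in) to one HijackThis entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    section, body = m.group(1), m.group(2)
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    reasons = []
    if section == "F3" and re.search(r"\b(load|run)=", body):
        # win.ini load=/run= is a Windows 3.x-era autostart hook; current software does not use it.
        reasons.append("win.ini load=/run= autostart")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if "(file missing)" in body or "(no file)" in body:
        # Either an orphaned registration or a file hidden from the scanner.
        reasons.append("registered object whose file is not visible")
    if section == "O4" and re.search(r"\[\]\s", body):
        reasons.append("Run entry with an empty value name")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor information")
    if re.search(r"\\WINDOWS\\system\\[^\\]+$", path, re.I):
        # C:\WINDOWS\system is the 16-bit legacy directory; XP services normally live in System32.
        reasons.append("executable in the legacy C:\\WINDOWS\\system directory")
    if not reasons:
        return None
    return Finding(section, path, "; ".join(reasons))


def triage_log(text: str) -> List[Finding]:
    """Return every flagged entry in a HijackThis log, in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


def vundo_companion_names(dll_path: str) -> List[str]:
    """The ComboFix output in this thread pairs rqomn.dll with nmoqr.ini and nmoqr.ini2,
    i.e. the DLL stem reversed. Given a flagged DLL, return the companion file names
    worth looking for in the same directory (an assumption drawn only from that pairing)."""
    stem = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    rev = stem[::-1].lower()
    return [rev + ".ini", rev + ".ini2"]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.path or '(no file)'}\n     {f.reason}")
        if f.path.lower().endswith(".dll"):
            print("     check for:", ", ".join(vundo_companion_names(f.path)))
```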

Response Number 8
Name: loula
Date: January 29, 2008 at 10:18:50 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:11:04, on 29/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr0...
pld.cab
O16 - DPF: {FA81E151-CFE7-4B18-8B9E-8B96E62BAC11} (DownloadManager) - https://shop.ftmd.sonynetservices.com/GB/en/inc/applets/DownloadManager.cab
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 2658 bytes





And the ComboFix log:


ComboFix 08-01-23.1B - Louise 2008-01-29 18:02:56.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.224 [GMT 0:00]
Running from: C:\Documents and Settings\Louise\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Louise\Desktop\CFScript.txt
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\system\smscg.exe
C:\WINDOWS\System32\rqomn.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Works\wkfud.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\hpfsched.exe
C:\WINDOWS\system\smscg.exe
C:\WINDOWS\system32\nmoqr.ini
C:\WINDOWS\system32\nmoqr.ini2
C:\WINDOWS\system32\rqomn.dll
C:\WINDOWS\system32\rqomn.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe ---> QooBox
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe ---> QooBox
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SMSCGISVC
-------\SMSCGISVC

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.
2008-01-24 22:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 21:37 . 2008-01-24 21:51 <DIR> d-------- C:\VundoFix Backups
2008-01-22 14:16 . 2008-01-22 14:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 13:36 . 2008-01-22 13:37 154 --a------ C:\WINDOWS\wininit.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 18:04 --------- d-----w C:\Program Files\MSN Messenger
2008-01-29 18:04 --------- d-----w C:\Program Files\Microsoft Works
2008-01-20 18:18 --------- d-----w C:\Program Files\Nokia
2008-01-20 18:17 --------- d-----w C:\Program Files\Common Files\PCSuite
.
((((((((((((((((((((((((((((( snapshot@2008-01-25_14.53.40.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 22:06:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-29 18:01:54 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 22:06:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-29 18:01:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 22:06:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-29 18:01:55 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 22:06:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-29 18:01:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 22:06:22 3,493,888 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-29 18:01:55 3,493,888 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-24 22:06:23 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-29 18:01:55 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 21:33:44 303,104 ----a-w C:\WINDOWS\OPTIONS\OEMReset.exe
- 2008-01-24 22:31:39 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-25 14:49:28 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-24 22:31:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-25 14:49:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-24 22:31:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-25 14:49:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-25 13:52:11 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
+ 2008-01-29 18:02:20 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-09-25 04:25 111104 C:\WINDOWS\system32\irprops.cpl]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [ ]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"hpfsched"="C:\WINDOWS\hpfsched.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 12:00 13312]
C:\Documents and Settings\Louise\Start Menu\Programs\Startup\
Reminder-hpc41001.lnk - C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe [1998-02-13 12:15:00 68096]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 23:06:54 24633]
R2 HPFECP13;HPFECP13;C:\WINDOWS\System32\drivers\HPFECP13.SYS [1998-09-25 08:55]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 18:07:53
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-29 18:10:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 18:09:46
ComboFix2.txt 2008-01-25 14:54:17


I can't thank you enough!




Response Number 9
Name: jabuck
Date: January 29, 2008 at 16:20:47 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
Was your C: drive icon replaced with a red X?

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.



Response Number 10
Name: loula
Date: January 30, 2008 at 11:43:54 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
My C drive was not replaced with a red X, no. I don't think the virus had got that far. Am I still OK to go ahead with the next step?


Response Number 11
Name: jabuck
Date: January 30, 2008 at 14:38:19 Pacific
Subject: POS .tmp files HELP!
Reply: (edit)
Yes, please continue.




All content ©1996-2007 Computing.Net, LLC