
POS TMP. problem

Original Message
Name: lucy10
Date: February 16, 2008 at 15:14:12 Pacific
Subject: POS TMP. problem
OS: Windows XP
CPU/Ram: Intel Celeron/ 248 MB
Comment:
I have a lot of pos.tmp files in the My Documents folder and on my C: drive and I can't get rid of them.

Can someone help me?




Response Number 1
Name: jabuck
Date: February 16, 2008 at 16:13:51 Pacific
Subject: POS TMP. problem
Reply:
Go to the this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 2
Name: lucy10
Date: February 16, 2008 at 16:59:12 Pacific
Subject: POS TMP. problem
Reply:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:37, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\HAURI\ViRobot Desktop 5.5\AccessControl\HFACSvc.exe
C:\Program Files\HAURI\ViRobot Desktop 5.5\hpcsvc.exe
C:\Program Files\HAURI\Common\hsvcmod.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HAURI\ViRobot Desktop 5.5\PCFirewall\vrfwsvc.exe
C:\Program Files\HAURI\Common\Base\vrmonsvc.exe
C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE
C:\Program Files\HAURI\Common\Base\Vrmonnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\HAURI\ViRobot Desktop 5.5\PCFirewall\vrfwsock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Application Data\SVCH0ST.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\anotify.exe
C:\Documents and Settings\lllll\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19D74B48-EDD5-4C95-87B5-7D72C6A083E2} - C:\WINDOWS\system32\somhppjh.dll (file missing)
O2 - BHO: {47770716-2e1d-514a-00e4-3d1874d80962} - {26908d47-81d3-4e00-a415-d1e261707774} - C:\WINDOWS\system32\cklydvik.dll (file missing)
O2 - BHO: (no name) - {3C9EEDAD-80FF-43F0-961C-E0210FF9327A} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: (no name) - {3FCF0C23-74DC-4BEA-BC56-2B48A3B8F9A6} - (no file)
O2 - BHO: (no name) - {45D27744-EFA7-CC72-F54E-EA2B2EE68C93} - C:\WINDOWS\system32\slmtmbmk.dll (file missing)
O2 - BHO: (no name) - {52E787F7-1D83-4BA1-AF3C-97479345D9C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: (no name) - {6D729F43-D702-41FC-A58C-38C914589273} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {87071FA7-6020-4B34-B85D-87B6F1DB6C3C} - (no file)
O2 - BHO: (no name) - {8DEE3325-BD77-4FC7-BF86-89909E310220} - (no file)
O2 - BHO: (no name) - {9BA04454-5949-49F2-8E0C-EF2F269663D4} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {B0A8F4AC-4B98-433E-AF0E-F0958430EDC2} - (no file)
O2 - BHO: (no name) - {BED2FCDE-C457-470D-9221-7327EFDA851E} - (no file)
O2 - BHO: 0 - {D9F9944F-460D-4546-E5BD-EF20740FEE95} - C:\Program Files\MSN\lagusijax.dll (file missing)
O2 - BHO: IEHelpObj Class - {EC45E3FE-C16D-4F24-9238-D1B49AD74815} - C:\Program Files\HAURI\ViRobot Desktop 5.5\Service\hWebMan.dll
O2 - BHO: (no name) - {f394cb47-68e7-4389-b5eb-5be14c6d024a} - C:\WINDOWS\system32\yfixhwg.dll (file missing)
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HEProtect] C:\Program Files\HAURI\ViRobot Desktop 5.5\AntiSpam\HSockPE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IeServerhelp] C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\HAURI\Common\Base\Vrmonnt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [c83ce041] rundll32.exe "C:\WINDOWS\system32\pxxrjuml.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [DF] C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\GNUFKPIK.exe.exe.exe.exe.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: Export to Microsoft Excel (&X) [Korean label: Microsoft Excel로 내보내기(&X)] - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research [label mis-encoded in the original log] - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_s...
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ViRobot for WinNT(tm) Folder Protect (HFACSVC) - hauri - C:\Program Files\HAURI\ViRobot Desktop 5.5\AccessControl\HFACSvc.exe
O23 - Service: ViRobot Communication Service (hpcsvc) - HAURI - C:\Program Files\HAURI\ViRobot Desktop 5.5\hpcsvc.exe
O23 - Service: Hauri Common Service (hsvcmod) - Unknown owner - C:\Program Files\HAURI\Common\hsvcmod.exe
O23 - Service: Hauri Firewall (vrfwsvc) - Hauri inc. - C:\Program Files\HAURI\ViRobot Desktop 5.5\PCFirewall\vrfwsvc.exe
O23 - Service: ViRobot Desktop Monitoring (vrmonsvc) - HAURI - C:\Program Files\HAURI\Common\Base\vrmonsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\propryhdecowu.html

--
End of file - 6851 bytes

I didn't get a log file for ComboFix.
But after I used it, all the pos.tmp files got deleted!

Thank you.


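The HijackThis log in the reply above carries several of the classic Vundo-era indicators at once: BHO registrations whose DLL is missing, an executable with a zero in place of the letter O running from All Users\Application Data, rundll32 loading a random eight-letter DLL through a one-letter export, wildcard Trusted Zone entries, a desktop component pointing at a random-named HTML file, and a Policies\Explorer\Run value built from the same path concatenated five times. The script below is an added example, not part of the thread and not part of HijackThis, that scans a log for those patterns. The sample lines are copied from the posted log; the list of imitated system binaries, the digit substitutions and the random-name length limits are assumptions of this example, not anything HijackThis defines.

```python
"""Flag Vundo-style indicators in a HijackThis log.

Added example, not part of the thread or of HijackThis. The sample lines are
taken from the posted log; SYSTEM_BINARIES, the digit substitutions and the
random-name length limits are assumptions of this example.
"""
import re

# Names malware imitates with look-alike digits (assumed list).
SYSTEM_BINARIES = {
    "explorer.exe", "svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe", "ctfmon.exe", "wowexec.exe",
}
HOMOGLYPH_DIGITS = str.maketrans("015", "ols")  # 0->o, 1->l, 5->s

# Constructed subset of the posted log, one line per pattern of interest.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE
C:\Documents and Settings\All Users\Application Data\SVCH0ST.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19D74B48-EDD5-4C95-87B5-7D72C6A083E2} - C:\WINDOWS\system32\somhppjh.dll (file missing)
O2 - BHO: (no name) - {3FCF0C23-74DC-4BEA-BC56-2B48A3B8F9A6} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IeServerhelp] C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE
O4 - HKLM\..\Run: [c83ce041] rundll32.exe "C:\WINDOWS\system32\pxxrjuml.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [DF] C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\GNUFKPIK.exe.exe.exe.exe.exe
O15 - Trusted Zone: *.doginhispen.com
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\propryhdecowu.html
"""


def basename(line):
    """Last path component of a log line, lower-cased, quotes stripped."""
    return line.strip().rstrip('"').split("\\")[-1].strip('"').lower()


def looks_like_system_binary_fake(line):
    """True for names such as EXPL0RER.EXE: a system binary spelled with digits."""
    name = basename(line)
    fixed = name.translate(HOMOGLYPH_DIGITS)
    return name != fixed and fixed in SYSTEM_BINARIES


def triage_line(line):
    """Reasons one HijackThis line is suspicious (empty list if none)."""
    s, reasons = line.strip(), []
    if s.startswith("O2 - BHO:"):
        if "(file missing)" in s or "(no file)" in s:
            reasons.append("BHO registration whose DLL is missing")
        if "(no name)" in s and re.search(r"\\system32\\[a-z]{5,8}\.dll", s, re.I):
            reasons.append("unnamed BHO backed by a random-named system32 DLL")
    elif s.startswith("O4 -"):
        if re.search(r'rundll32\.exe "[^"]+\\[a-z]{6,10}\.dll",\w$', s, re.I):
            reasons.append("rundll32 loading a random-named DLL by one-letter export")
        if re.search(r"\\Application Data\\[^\\]+\.exe", s, re.I):
            reasons.append("autorun executable living in Application Data")
        if s.count("C:\\") > 1:
            reasons.append("autorun value built from concatenated paths")
    elif s.startswith("O15 - Trusted Zone:"):
        reasons.append("site added to the IE Trusted Zone")
    elif s.startswith("O24 -") and re.search(r"\\[a-z]{10,}\.html$", s, re.I):
        reasons.append("desktop component pointing at a random-named HTML file")
    if looks_like_system_binary_fake(s):
        reasons.append("system binary name spelled with look-alike digits")
    return reasons


def triage_log(text):
    """Map each suspicious line to its reasons, in log order."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line[:90])
        for reason in reasons:
            print("   ->", reason)
```

The digit check is deliberately narrow: it only fires when swapping digits back to letters yields a name on the allow-list, so legitimate names that contain digits (rundll32.exe, E_S10IC2.EXE) are left alone. The orphaned-BHO and rundll32 rules are the ones that matter for the pos.tmp symptom, since Vundo keeps re-registering its randomly named DLLs; the Trusted Zone and Application Data rules catch the second infection jabuck refers to later.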

Response Number 3
Name: jabuck
Date: February 16, 2008 at 17:31:26 Pacific
Subject: POS TMP. problem
Reply:
You have more than one virus, and there are many more files to the Vundo malware than just those pos files, so we need a ComboFix log to pick them off your computer. So please run ComboFix again and try to get a log file posted.

And you have at least one other virus.

Please download FindAWF from the following link:
http://noahdfear.geekstogo.com/FindAWF.exe


Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.



Response Number 4
Name: lucy10
Date: February 17, 2008 at 14:54:17 Pacific
Subject: POS TMP. problem
Reply:
Log file from ComboFix:


ComboFix 08-02-17.2 - lllll 2008-02-17 17:44:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.68 [GMT -5:00]
Running from: C:\Documents and Settings\lllll\Desktop\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\check_LSA7.txt
C:\Program Files\Temporary
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191359948.old
C:\Program Files\WinBudget\bin\crap.1192476496.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\system32\arwrukic.dll
C:\WINDOWS\system32\cbadd.bak1
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\efhkj.tmp
C:\WINDOWS\system32\ehkmp.bak1
C:\WINDOWS\system32\ehkmp.ini
C:\WINDOWS\system32\gpvcrmxa.dll
C:\WINDOWS\system32\hjjlm.bak1
C:\WINDOWS\system32\hjjlm.bak2
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\jjjlm.bak1
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\ktuetxuk.dll
C:\WINDOWS\system32\lcthjcjo.dll
C:\WINDOWS\system32\leukblvw.dll
C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ofjdavau.dll
C:\WINDOWS\system32\orqss.bak1
C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pnrfilbt.dll
C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.bak2
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\qqstv.bak2
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.bak2
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.bak2
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\urktsvhy.dll
C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\wqsuxluy.dll
C:\WINDOWS\system32\xbbwiaqm.dll
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 16:14 . 2008-02-17 16:14 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-02-17 15:30 . 2008-02-17 15:30 <DIR> d-------- C:\Program Files\MSBuild
2008-02-17 15:19 . 2008-02-17 15:19 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-17 15:18 . 2008-02-17 15:18 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-17 15:15 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-17 15:04 . 2008-02-17 15:04 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-17 09:55 . 2008-02-17 09:55 <DIR> d-------- C:\Program Files\Audacity
2008-02-16 19:58 . 2008-02-16 19:58 <DIR> d-------- C:\Program Files\Viewpoint
2008-02-16 17:47 . 2008-02-16 19:35 <DIR> d-------- C:\Documents and Settings\lllll\.housecall6.6
2008-02-15 22:04 . 2008-02-16 16:40 1,074 ---hs---- C:\WINDOWS\system32\lmujrxxp.ini
2008-02-15 21:34 . 2008-02-16 17:18 <DIR> d-------- C:\VundoFix Backups
2008-02-15 21:32 . 2008-02-15 22:04 954 ---hs---- C:\WINDOWS\system32\waalgonj.ini
2008-02-15 21:27 . 2008-02-17 08:19 <DIR> d-------- C:\Program Files\7-Zip
2008-02-12 20:44 . 2008-02-15 21:31 834 ---hs---- C:\WINDOWS\system32\htfjmdhg.ini
2008-02-11 16:52 . 2008-02-12 16:52 654 ---hs---- C:\WINDOWS\system32\pctjqxow.ini
2008-02-11 06:59 . 2008-02-11 15:36 534 ---hs---- C:\WINDOWS\system32\leqadwol.ini
2008-02-10 11:18 . 2008-02-11 06:47 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-10 10:17 . 2008-02-11 06:48 414 ---hs---- C:\WINDOWS\system32\nvgtyepv.ini
2008-02-09 18:07 . 2008-02-09 23:02 1,254 ---hs---- C:\WINDOWS\system32\lieuccfb.ini
2008-02-09 12:16 . 2008-02-09 18:02 1,194 ---hs---- C:\WINDOWS\system32\qbtdsusn.ini
2008-02-08 17:56 . 2008-02-08 17:56 <DIR> d-------- C:\Program Files\InterActual
2008-02-08 16:46 . 2008-02-09 12:10 1,074 ---hs---- C:\WINDOWS\system32\uasrpuqt.ini
2008-02-08 15:13 . 2008-02-08 15:13 894 ---hs---- C:\WINDOWS\system32\kcypkmku.ini
2008-02-07 15:11 . 2008-02-08 15:10 834 ---hs---- C:\WINDOWS\system32\hknamwlk.ini
2008-02-06 15:12 . 2008-02-07 15:02 714 ---hs---- C:\WINDOWS\system32\ururmxnc.ini
2008-02-05 15:04 . 2008-02-06 15:06 594 ---hs---- C:\WINDOWS\system32\xeiqvkxd.ini
2008-02-04 20:20 . 2008-02-05 15:02 414 ---hs---- C:\WINDOWS\system32\illcmmqe.ini
2008-02-03 17:27 . 2008-02-04 20:04 1,314 ---hs---- C:\WINDOWS\system32\cygsivgc.ini
2008-02-02 21:44 . 2008-02-16 17:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\HAURI
2008-02-02 09:56 . 2008-02-03 10:10 1,014 --ahs---- C:\WINDOWS\system32\ofvlipmm.ini
2008-02-01 23:14 . 2008-02-02 09:45 774 --ahs---- C:\WINDOWS\system32\fnthbvfo.ini
2008-01-31 23:14 . 2008-02-01 20:54 654 --ahs---- C:\WINDOWS\system32\trxrsohc.ini
2008-01-30 23:17 . 2008-01-31 19:00 474 --ahs---- C:\WINDOWS\system32\lmktdnvm.ini
2008-01-29 22:52 . 2008-01-30 22:52 1,434 --ahs---- C:\WINDOWS\system32\jwmktato.ini
2008-01-29 22:43 . 2008-02-17 14:50 <DIR> d-------- C:\Documents and Settings\Lucy\Programs
2008-01-29 22:35 . 2008-01-29 22:35 <DIR> d-------- C:\spoolerlogs
2008-01-29 14:30 . 2008-01-29 22:47 1,194 --ahs---- C:\WINDOWS\system32\dxsbnarn.ini
2008-01-29 11:09 . 2008-01-29 11:09 1,074 --ahs---- C:\WINDOWS\system32\ssowhjhp.ini
2008-01-28 13:54 . 2008-01-29 11:04 1,014 --ahs---- C:\WINDOWS\system32\uvqwtuxl.ini
2008-01-27 16:13 . 2008-01-28 10:03 774 --ahs---- C:\WINDOWS\system32\opnvnjpi.ini
2008-01-27 10:51 . 2008-01-27 15:59 594 --ahs---- C:\WINDOWS\system32\qdbybrdn.ini
2008-01-26 21:48 . 2008-01-26 21:48 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-26 16:41 . 2008-01-27 10:43 474 --ahs---- C:\WINDOWS\system32\iejrheag.ini
2008-01-25 20:22 . 2008-01-25 20:22 294 --ahs---- C:\WINDOWS\system32\dysxirbx.ini
2008-01-24 18:53 . 2008-01-24 18:53 294 --ahs---- C:\WINDOWS\system32\oghtrysm.ini
2008-01-23 21:17 . 2008-01-24 16:05 526 --ahs---- C:\WINDOWS\system32\ynmwdyjy.ini
2008-01-23 18:57 . 2008-01-23 18:57 294 --ahs---- C:\WINDOWS\system32\hvjkqlpj.ini
2008-01-22 19:27 . 2008-01-22 19:27 294 --ahs---- C:\WINDOWS\system32\livsjltl.ini
2008-01-21 09:52 . 2008-01-21 09:52 294 --ahs---- C:\WINDOWS\system32\akndxmlk.ini
2008-01-20 10:50 . 2008-01-20 10:50 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-20 09:55 . 2008-01-20 09:55 <DIR> d-------- C:\Documents and Settings\lllll\Application Data\Hnc
2008-01-20 09:53 . 2008-01-20 09:53 1,014 --ahs---- C:\WINDOWS\system32\famqlddv.ini
2008-01-19 15:33 . 2008-01-20 08:29 954 --ahs---- C:\WINDOWS\system32\btovqtrh.ini
2008-01-18 17:40 . 2008-01-19 12:16 834 --ahs---- C:\WINDOWS\system32\ddnyfcyh.ini
2008-01-18 06:45 . 2008-01-18 17:40 654 --ahs---- C:\WINDOWS\system32\vaygknju.ini
2008-01-17 16:45 . 2008-01-18 06:01 474 --ahs---- C:\WINDOWS\system32\gulwbqjn.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 13:19 --------- d-----w C:\Program Files\Common Files\Motive
2008-02-17 13:19 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-17 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-17 02:10 --------- d-----w C:\Program Files\Verizon
2008-02-17 01:00 --------- d-----w C:\Program Files\AIM6
2008-02-17 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-17 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-16 23:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\bak
2008-02-16 02:27 --------- d-----w C:\Documents and Settings\lllll\Application Data\HAURI
2008-02-10 16:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-30 04:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 04:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-05 23:38 --------- d-----w C:\Documents and Settings\lllll\Application Data\Jamdat
2008-01-05 22:56 --------- d-----w C:\Program Files\TryMedia
2007-12-29 02:38 --------- d-----w C:\Program Files\ReflexiveArcade
2007-12-29 00:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-31 17:39 28,160 ----a-w C:\Documents and Settings\All Users\Application Data\m.exe
2007-08-31 17:31 18,432 --sh--r C:\Documents and Settings\All Users\Application Data\SVCH0ST.EXE
2007-08-31 17:24 125,440 --sh--r C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE
2007-08-31 17:39 40,960 --sh--w C:\WINDOWS\AFEF4706E4C5.dll
2007-08-31 17:39 65,024 --sh--w C:\WINDOWS\AFEF4706E4C5.exe
2005-07-29 20:24 472 --sha-r C:\WINDOWS\cGM\w3g.vbs
2007-10-11 22:40 6,473 --sha-w C:\WINDOWS\system32\dgjlm.bak1
2007-10-14 14:44 691,044 --sha-w C:\WINDOWS\system32\dgjlm.bak2
2007-10-07 14:35 6,473 --sha-w C:\WINDOWS\system32\nqtss.bak1
2007-10-10 00:26 6,543 --sha-w C:\WINDOWS\system32\nqtss.ini2
2007-10-25 11:00 6,473 --sha-w C:\WINDOWS\system32\onnmp.bak1
2007-11-13 20:02 6,473 --sha-w C:\WINDOWS\system32\onnmp.bak2
2007-10-29 20:06 6,473 --sha-w C:\WINDOWS\system32\qstwa.bak1
2007-10-18 19:10 6,473 --sha-w C:\WINDOWS\system32\rqtwa.bak1
2007-10-24 20:19 419,569 --sha-w C:\WINDOWS\system32\rqtwa.bak2
2007-10-03 15:07 230,912 --sh--r C:\WINDOWS\sеcurity\wоwexec.exe
2007-10-04 20:38 70,144 --sh--r C:\WINDOWS\Мicrosoft\rundll32.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19D74B48-EDD5-4C95-87B5-7D72C6A083E2}]
C:\WINDOWS\system32\somhppjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26908d47-81d3-4e00-a415-d1e261707774}]
C:\WINDOWS\system32\cklydvik.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C9EEDAD-80FF-43F0-961C-E0210FF9327A}]
C:\WINDOWS\system32\vtsqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45D27744-EFA7-CC72-F54E-EA2B2EE68C93}]
C:\WINDOWS\system32\slmtmbmk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BA04454-5949-49F2-8E0C-EF2F269663D4}]
C:\WINDOWS\system32\jkhfe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9F9944F-460D-4546-E5BD-EF20740FEE95}]
C:\Program Files\MSN\lagusijax.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC45E3FE-C16D-4F24-9238-D1B49AD74815}]
2007-05-15 09:00 135168 --a------ C:\Program Files\HAURI\ViRobot Desktop 5.5\Service\hWebMan.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f394cb47-68e7-4389-b5eb-5be14c6d024a}]
C:\WINDOWS\system32\yfixhwg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-10-02 16:11 27664]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2007-10-02 16:11 27664]
"HEProtect"="C:\Program Files\HAURI\ViRobot Desktop 5.5\AntiSpam\HSockPE.exe" [2007-01-04 05:00 221184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-10-02 16:11 27664]
"IeServerhelp"="C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE" [2007-08-31 12:24 125440]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"c83ce041"="C:\WINDOWS\system32\pxxrjuml.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-08-17 13:30:47 127488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"DF"= C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\GNUFKPIK.exe.exe.exe.exe.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\propryhdecowu.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1BDBB504-0390-4821-AB7F-F8F38103DAE8}"= C:\WINDOWS\AFEF4706E4C5.dll [2007-08-31 12:39 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
C:\WINDOWS\system32\HncUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig7.0]
--a------ 2003-07-14 21:57 19520 C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 21:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-03 21:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-03 21:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 18:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-01-11 14:08 577536 C:\WINDOWS\soundman.exe

R2 hpcsvc;ViRobot Communication Service;C:\Program Files\HAURI\ViRobot Desktop 5.5\hpcsvc.exe [2007-06-26 04:00]
R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;C:\WINDOWS\system32\drivers\VRFWNTD5.sys [2007-04-24 08:00]
R3 VRsecos;VRsecos;C:\WINDOWS\system32\drivers\VRsecos.sys [2007-05-10 10:00]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beffebc8-b33c-11dc-b266-00155875ca91}]
\Shell\AutoRun\command - F:\ielp.exe
\Shell\explore\Command - F:\ielp.exe
\Shell\open\Command - F:\ielp.exe

*Newly Created Service* - BITS
*Newly Created Service* - CLR_OPTIMIZATION_V2.0.50727_32
*Newly Created Service* - FONTCACHE3.0.0.0
*Newly Created Service* - IDSVC
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 14:00:02 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 15:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 16:00:03 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 17:00:01 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 18:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 19:00:01 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 20:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 21:00:01 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 22:00:03 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-16 23:00:07 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 00:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 01:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 02:00:01 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 03:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 04:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 07:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 08:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 09:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 10:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 11:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-11 12:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-01-19 13:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\O35PCQI2.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 17:47:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 17:48:36
ComboFix-quarantined-files.txt 2008-02-17 22:48:14

AWF.txt file:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 02/17/2008 Sun
The current time is: 17:50:49.59


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

08/04/2004 00:06 1,667,584 msmsgs.exe
1 File(s) 1,667,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 23:56 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\DOCUME~1\ALLUSE~1\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\EPSON\INKMON~1\BAK

02/16/2008 18:34 258,048 InkMonitor.exe
1 File(s) 258,048 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\HAURI\COMMON\BASE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HAURI\VIROBO~1.5\ANTISPAM\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

27664 2007-10-02 "C:\Program Files\Messenger\msmsgs.exe"
1667584 2004-08-04 "C:\Program Files\Messenger\bak\msmsgs.exe"
15360 2004-08-03 "C:\WINDOWS\system32\ctfmon.exe"
15360 2004-08-03 "C:\WINDOWS\system32\bak\ctfmon.exe"
27664 2007-10-02 "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
258048 2008-02-16 "C:\Program Files\EPSON\Ink Monitor\bak\InkMonitor.exe"
39792 2008-01-11 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
40048 2007-05-11 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
27664 2007-10-02 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 2007-07-12 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report


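Four findings in the ComboFix and FindAWF output above are worth pulling out programmatically rather than by eye. The Find3M section lists C:\WINDOWS\sеcurity\wоwexec.exe and C:\WINDOWS\Мicrosoft\rundll32.exe, whose directory names read as "security" and "Microsoft" but whose odd-looking letters are consistent with Cyrillic look-alikes. Twenty-four AtN.job tasks all launch the same random-named C:\WINDOWS\system32\O35PCQI2.exe, one per hour, which is what persistence created with the at command looks like. The MountPoints2 key carries AutoRun, open and explore handlers pointing at F:\ielp.exe, a removable-drive infector. And in the FindAWF listing, three unrelated programs' start-up executables (msmsgs.exe, InkMonitor.exe, jusched.exe) are all exactly 27664 bytes and dated 2007-10-02 while the real files sit in bak\ folders, which is how AWF replaces autostart entries with one stub of its own. The script below is an added example, not part of the thread and not part of ComboFix or FindAWF. The sample text is excerpted from the posted logs; the Cyrillic code points are an assumption about what the page shows, and the stub-clustering rule and HOURLY_JOB_THRESHOLD are choices of this example.

```python
"""Pull the persistence indicators out of the ComboFix and FindAWF output.

Added example, not part of the thread or of ComboFix/FindAWF. Sample text is
excerpted from the posted logs; the Cyrillic code points, the stub-clustering
rule and HOURLY_JOB_THRESHOLD are assumptions of this example.
"""
import re
import unicodedata
from collections import Counter, defaultdict

# Two Find3M entries, rebuilt with explicit Cyrillic code points (assumed:
# U+0435 for 'e', U+043E for 'o', U+041C for 'M') so the check is deterministic.
FIND3M_LINES = [
    "2007-10-03 15:07 230,912 --sh--r C:\\WINDOWS\\s\u0435curity\\w\u043ewexec.exe",
    "2007-10-04 20:38 70,144 --sh--r C:\\WINDOWS\\\u041cicrosoft\\rundll32.exe",
]

# Excerpt of the ComboFix log: MountPoints2 handlers and three of the At jobs.
COMBOFIX_EXCERPT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beffebc8-b33c-11dc-b266-00155875ca91}]
\Shell\AutoRun\command - F:\ielp.exe
\Shell\open\Command - F:\ielp.exe
Contents of the 'Scheduled Tasks' folder
"2008-02-15 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 14:00:02 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"""

# The "Duplicate files of bak directory contents" section of the FindAWF report.
FINDAWF_DUPLICATES = r"""
27664 2007-10-02 "C:\Program Files\Messenger\msmsgs.exe"
1667584 2004-08-04 "C:\Program Files\Messenger\bak\msmsgs.exe"
15360 2004-08-03 "C:\WINDOWS\system32\ctfmon.exe"
15360 2004-08-03 "C:\WINDOWS\system32\bak\ctfmon.exe"
27664 2007-10-02 "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
258048 2008-02-16 "C:\Program Files\EPSON\Ink Monitor\bak\InkMonitor.exe"
39792 2008-01-11 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
40048 2007-05-11 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
27664 2007-10-02 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 2007-07-12 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"""

HOURLY_JOB_THRESHOLD = 3  # assumed; the posted log had At1..At24, one per hour


def non_latin_letters(path):
    """Unicode names of non-ASCII letters in a path (Cyrillic posing as Latin)."""
    return [unicodedata.name(c) for c in path
            if ord(c) > 127 and unicodedata.category(c).startswith("L")]


def awf_status(dup_text):
    """Classify each live/bak pair. AWF swaps unrelated programs' start-up EXEs
    for one identical stub, so live files sharing (size, date) across
    different directories are the replaced ones; the originals sit in bak\\."""
    live, bak = {}, {}
    for m in re.finditer(r'^(\d+) (\d{4}-\d{2}-\d{2}) "(.+)"$', dup_text, re.M):
        sig, parts = (int(m.group(1)), m.group(2)), m.group(3).split("\\")
        if parts[-2].lower() == "bak":
            bak[("\\".join(parts[:-2]), parts[-1].lower())] = sig
        else:
            live[("\\".join(parts[:-1]), parts[-1].lower())] = sig
    shared = {sig for sig, n in Counter(live.values()).items() if n >= 2}
    report = {}
    for key, sig in live.items():
        if sig in shared:
            report[key[1]] = "replaced by shared stub"
        elif bak.get(key) == sig:
            report[key[1]] = "identical to bak copy"
        else:
            report[key[1]] = "differs from bak copy, not clustered"
    return report, shared


def at_job_targets(text):
    """Map each scheduled-task target to the AtN.job entries that launch it."""
    targets, pending = defaultdict(list), None
    for line in text.splitlines():
        s = line.strip()
        m = re.search(r'\\Tasks\\(At\d+)\.job"$', s)
        if m:
            pending = m.group(1)
        elif pending and s.startswith("- "):
            targets[s[2:]].append(pending)
            pending = None
    return dict(targets)


def removable_autoruns(text):
    """MountPoints2 shell handlers (AutoRun/open/explore) for a removable drive."""
    hits, in_mp = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_mp = "mountpoints2" in s.lower()
        elif in_mp and (m := re.match(r"\\Shell\\(\w+)\\command - (.+)$", s, re.I)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print("look-alike letters:", [non_latin_letters(l) for l in FIND3M_LINES])
    print("AWF pairs:", awf_status(FINDAWF_DUPLICATES))
    jobs = at_job_targets(COMBOFIX_EXCERPT)
    print("At-job persistence:", {t: j for t, j in jobs.items() if len(j) >= HOURLY_JOB_THRESHOLD})
    print("removable-drive autoruns:", removable_autoruns(COMBOFIX_EXCERPT))
```

FindAWF's own option 2 does the restore from bak\; the clustering rule here only decides which pairs need it. A live file identical to its bak copy (ctfmon.exe) needs nothing, and one that merely differs without belonging to the cluster (reader_sl.exe, whose live copy is newer-dated than its backup) should be checked by version or signature before being overwritten rather than restored blindly.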

Response Number 5
Name: jabuck
Date: February 17, 2008 at 16:35:12 Pacific
Subject: POS TMP. problem
Reply:
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\lmujrxxp.ini
C:\WINDOWS\system32\waalgonj.ini
C:\WINDOWS\system32\htfjmdhg.ini
C:\WINDOWS\system32\pctjqxow.ini
C:\WINDOWS\system32\leqadwol.ini
C:\WINDOWS\system32\nvgtyepv.ini
C:\WINDOWS\system32\lieuccfb.ini
C:\WINDOWS\system32\qbtdsusn.ini
C:\WINDOWS\system32\uasrpuqt.ini
C:\WINDOWS\system32\kcypkmku.ini
C:\WINDOWS\system32\hknamwlk.ini
C:\WINDOWS\system32\ururmxnc.ini
C:\WINDOWS\system32\xeiqvkxd.ini
C:\WINDOWS\system32\illcmmqe.ini
C:\WINDOWS\system32\cygsivgc.ini
C:\WINDOWS\system32\ofvlipmm.ini
C:\WINDOWS\system32\fnthbvfo.ini
C:\WINDOWS\system32\trxrsohc.ini
C:\WINDOWS\system32\lmktdnvm.ini
C:\WINDOWS\system32\jwmktato.ini
C:\WINDOWS\system32\dxsbnarn.ini
C:\WINDOWS\system32\ssowhjhp.ini
C:\WINDOWS\system32\uvqwtuxl.ini
C:\WINDOWS\system32\opnvnjpi.ini
C:\WINDOWS\system32\qdbybrdn.ini
C:\WINDOWS\system32\iejrheag.ini
C:\WINDOWS\system32\dysxirbx.ini
C:\WINDOWS\system32\oghtrysm.ini
C:\WINDOWS\system32\ynmwdyjy.ini
C:\WINDOWS\system32\hvjkqlpj.ini
C:\WINDOWS\system32\livsjltl.ini
C:\WINDOWS\system32\akndxmlk.ini
C:\WINDOWS\system32\famqlddv.ini
C:\WINDOWS\system32\btovqtrh.ini
C:\WINDOWS\system32\ddnyfcyh.ini
C:\WINDOWS\system32\vaygknju.ini
C:\WINDOWS\system32\gulwbqjn.ini
C:\Documents and Settings\All Users\Application Data\m.exe
C:\Documents and Settings\All Users\Application Data\SVCH0ST.EXE
C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE
C:\WINDOWS\AFEF4706E4C5.dll
C:\WINDOWS\AFEF4706E4C5.exe
C:\WINDOWS\cGM\w3g.vbs
C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.bak2
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\somhppjh.dll
C:\WINDOWS\system32\cklydvik.dll
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\slmtmbmk.dll
C:\WINDOWS\system32\jkhfe.dll
C:\Program Files\MSN\lagusijax.dll
C:\WINDOWS\system32\yfixhwg.dll
C:\WINDOWS\system32\pxxrjuml.dll

Driver::

Folder:
C:\Program Files\7-Zip
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\TryMedia
C:\Program Files\Viewpoint
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19D74B48-EDD5-4C95-87B5-7D72C6A083E2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26908d47-81d3-4e00-a415-d1e261707774}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C9EEDAD-80FF-43F0-961C-E0210FF9327A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45D27744-EFA7-CC72-F54E-EA2B2EE68C93}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BA04454-5949-49F2-8E0C-EF2F269663D4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9F9944F-460D-4546-E5BD-EF20740FEE95}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f394cb47-68e7-4389-b5eb-5be14c6d024a}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c83ce041"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "run".

Post a new Combofix log.




Response Number 6
Name: lucy10
Date: February 17, 2008 at 20:09:02 Pacific
Subject: POS TMP. problem
Reply:
ComboFix 08-02-17.2 - lllll 2008-02-17 23:04:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.28 [GMT -5:00]
Running from: C:\Documents and Settings\lllll\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\lllll\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE
C:\Documents and Settings\All Users\Application Data\m.exe
C:\Documents and Settings\All Users\Application Data\SVCH0ST.EXE
C:\Program Files\MSN\lagusijax.dll
C:\WINDOWS\AFEF4706E4C5.dll
C:\WINDOWS\AFEF4706E4C5.exe
C:\WINDOWS\cGM\w3g.vbs
C:\WINDOWS\system32\akndxmlk.ini
C:\WINDOWS\system32\btovqtrh.ini
C:\WINDOWS\system32\cklydvik.dll
C:\WINDOWS\system32\cygsivgc.ini
C:\WINDOWS\system32\ddnyfcyh.ini
C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dxsbnarn.ini
C:\WINDOWS\system32\dysxirbx.ini
C:\WINDOWS\system32\famqlddv.ini
C:\WINDOWS\system32\fnthbvfo.ini
C:\WINDOWS\system32\gulwbqjn.ini
C:\WINDOWS\system32\hknamwlk.ini
C:\WINDOWS\system32\htfjmdhg.ini
C:\WINDOWS\system32\hvjkqlpj.ini
C:\WINDOWS\system32\iejrheag.ini
C:\WINDOWS\system32\illcmmqe.ini
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jwmktato.ini
C:\WINDOWS\system32\kcypkmku.ini
C:\WINDOWS\system32\leqadwol.ini
C:\WINDOWS\system32\lieuccfb.ini
C:\WINDOWS\system32\livsjltl.ini
C:\WINDOWS\system32\lmktdnvm.ini
C:\WINDOWS\system32\lmujrxxp.ini
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\nvgtyepv.ini
C:\WINDOWS\system32\ofvlipmm.ini
C:\WINDOWS\system32\oghtrysm.ini
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.bak2
C:\WINDOWS\system32\opnvnjpi.ini
C:\WINDOWS\system32\pctjqxow.ini
C:\WINDOWS\system32\pxxrjuml.dll
C:\WINDOWS\system32\qbtdsusn.ini
C:\WINDOWS\system32\qdbybrdn.ini
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\slmtmbmk.dll
C:\WINDOWS\system32\somhppjh.dll
C:\WINDOWS\system32\ssowhjhp.ini
C:\WINDOWS\system32\trxrsohc.ini
C:\WINDOWS\system32\uasrpuqt.ini
C:\WINDOWS\system32\ururmxnc.ini
C:\WINDOWS\system32\uvqwtuxl.ini
C:\WINDOWS\system32\vaygknju.ini
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\waalgonj.ini
C:\WINDOWS\system32\xeiqvkxd.ini
C:\WINDOWS\system32\yfixhwg.dll
C:\WINDOWS\system32\ynmwdyjy.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE
C:\Documents and Settings\All Users\Application Data\m.exe
C:\Documents and Settings\All Users\Application Data\SVCH0ST.EXE
C:\WINDOWS\AFEF4706E4C5.dll
C:\WINDOWS\AFEF4706E4C5.exe
C:\WINDOWS\cGM\w3g.vbs
C:\WINDOWS\system32\akndxmlk.ini
C:\WINDOWS\system32\btovqtrh.ini
C:\WINDOWS\system32\cygsivgc.ini
C:\WINDOWS\system32\ddnyfcyh.ini
C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dxsbnarn.ini
C:\WINDOWS\system32\dysxirbx.ini
C:\WINDOWS\system32\famqlddv.ini
C:\WINDOWS\system32\fnthbvfo.ini
C:\WINDOWS\system32\gulwbqjn.ini
C:\WINDOWS\system32\hknamwlk.ini
C:\WINDOWS\system32\htfjmdhg.ini
C:\WINDOWS\system32\hvjkqlpj.ini
C:\WINDOWS\system32\iejrheag.ini
C:\WINDOWS\system32\illcmmqe.ini
C:\WINDOWS\system32\jwmktato.ini
C:\WINDOWS\system32\kcypkmku.ini
C:\WINDOWS\system32\leqadwol.ini
C:\WINDOWS\system32\lieuccfb.ini
C:\WINDOWS\system32\livsjltl.ini
C:\WINDOWS\system32\lmktdnvm.ini
C:\WINDOWS\system32\lmujrxxp.ini
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\nvgtyepv.ini
C:\WINDOWS\system32\ofvlipmm.ini
C:\WINDOWS\system32\oghtrysm.ini
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.bak2
C:\WINDOWS\system32\opnvnjpi.ini
C:\WINDOWS\system32\pctjqxow.ini
C:\WINDOWS\system32\qbtdsusn.ini
C:\WINDOWS\system32\qdbybrdn.ini
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\ssowhjhp.ini
C:\WINDOWS\system32\trxrsohc.ini
C:\WINDOWS\system32\uasrpuqt.ini
C:\WINDOWS\system32\ururmxnc.ini
C:\WINDOWS\system32\uvqwtuxl.ini
C:\WINDOWS\system32\vaygknju.ini
C:\WINDOWS\system32\waalgonj.ini
C:\WINDOWS\system32\xeiqvkxd.ini
C:\WINDOWS\system32\ynmwdyjy.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-17 21:59 . 2008-02-17 21:59 <DIR> d-------- C:\Program Files\Wondershare
2008-02-17 21:59 . 2007-12-13 18:28 5,504 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-02-17 21:30 . 2005-02-02 10:02 86,016 --a------ C:\WINDOWS\system32\ws_EncoderRenderer.ax
2008-02-17 21:30 . 2004-11-25 11:41 77,824 --a------ C:\WINDOWS\system32\wavdest.ax
2008-02-17 21:30 . 2005-01-12 19:28 1,024 --a------ C:\WINDOWS\system32\StarBurn.key
2008-02-17 16:14 . 2008-02-17 16:14 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-02-17 15:30 . 2008-02-17 15:30 <DIR> d-------- C:\Program Files\MSBuild
2008-02-17 15:19 . 2008-02-17 15:19 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-17 15:18 . 2008-02-17 15:18 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-17 15:15 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-17 15:04 . 2008-02-17 15:04 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-17 09:55 . 2008-02-17 09:55 <DIR> d-------- C:\Program Files\Audacity
2008-02-16 17:47 . 2008-02-16 19:35 <DIR> d-------- C:\Documents and Settings\lllll\.housecall6.6
2008-02-10 11:18 . 2008-02-11 06:47 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-08 17:56 . 2008-02-08 17:56 <DIR> d-------- C:\Program Files\InterActual
2008-02-02 21:44 . 2008-02-16 17:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\HAURI
2008-01-29 22:43 . 2008-02-17 14:50 <DIR> d-------- C:\Documents and Settings\Lucy\Programs
2008-01-29 22:35 . 2008-01-29 22:35 <DIR> d-------- C:\spoolerlogs
2008-01-26 21:48 . 2008-01-26 21:48 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-20 10:50 . 2008-01-20 10:50 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-20 09:55 . 2008-01-20 09:55 <DIR> d-------- C:\Documents and Settings\lllll\Application Data\Hnc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 03:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy2
2008-02-18 03:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-18 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-17 13:19 --------- d-----w C:\Program Files\Common Files\Motive
2008-02-17 13:19 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-17 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-17 01:00 --------- d-----w C:\Program Files\AIM6
2008-02-17 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-16 23:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\bak
2008-02-16 02:27 --------- d-----w C:\Documents and Settings\lllll\Application Data\HAURI
2008-02-10 16:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-30 04:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 04:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-05 23:38 --------- d-----w C:\Documents and Settings\lllll\Application Data\Jamdat
2008-01-05 22:56 --------- d-----w C:\Program Files\TryMedia
2007-12-29 02:38 --------- d-----w C:\Program Files\ReflexiveArcade
2007-12-29 00:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-03 15:07 230,912 --sh--r C:\WINDOWS\sеcurity\wоwexec.exe
2007-10-04 20:38 70,144 --sh--r C:\WINDOWS\Мicrosoft\rundll32.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC45E3FE-C16D-4F24-9238-D1B49AD74815}]
2007-05-15 09:00 135168 --a------ C:\Program Files\HAURI\ViRobot Desktop 5.5\Service\hWebMan.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-10-02 16:11 27664]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2007-10-02 16:11 27664]
"HEProtect"="C:\Program Files\HAURI\ViRobot Desktop 5.5\AntiSpam\HSockPE.exe" [2007-01-04 05:00 221184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-10-02 16:11 27664]
"IeServerhelp"="C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-08-17 13:30:47 127488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"DF"= C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\C:\Documents and Settings\All Users\Favorites\GNUFKPIK.exe.exe.exe.exe.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\[u]0[/u]]
Source= C:\Program Files\MSN\propryhdecowu.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1BDBB504-0390-4821-AB7F-F8F38103DAE8}"= C:\WINDOWS\AFEF4706E4C5.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
C:\WINDOWS\system32\HncUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig7.0]
--a------ 2003-07-14 21:57 19520 C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 21:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-03 21:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-03 21:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 18:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-01-11 14:08 577536 C:\WINDOWS\soundman.exe

R2 hpcsvc;ViRobot Communication Service;C:\Program Files\HAURI\ViRobot Desktop 5.5\hpcsvc.exe [2007-06-26 04:00]
R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;C:\WINDOWS\system32\drivers\VRFWNTD5.sys [2007-04-24 08:00]
R3 VRsecos;VRsecos;C:\WINDOWS\system32\drivers\VRsecos.sys [2007-05-10 10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beffebc8-b33c-11dc-b266-00155875ca91}]
\Shell\AutoRun\command - F:\ielp.exe
\Shell\explore\Command - F:\ielp.exe
\Shell\open\Command - F:\ielp.exe

*Newly Created Service* - BITS
*Newly Created Service* - CLR_OPTIMIZATION_V2.0.50727_32
*Newly Created Service* - FONTCACHE3.0.0.0
*Newly Created Service* - IDSVC
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 14:00:02 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 15:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 16:00:03 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 17:00:01 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 18:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 19:00:01 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 20:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 21:00:01 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 22:00:03 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-17 23:00:01 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-18 00:00:02 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-18 01:00:01 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-18 02:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-18 03:00:02 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-18 04:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 07:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 08:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 09:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 10:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-15 11:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-02-11 12:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\O35PCQI2.exe
"2008-01-19 13:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\O35PCQI2.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 23:06:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 23:07:13
ComboFix-quarantined-files.txt 2008-02-18 04:06:53
ComboFix2.txt 2008-02-17 22:48:37



Response Number 7
Name: jabuck
Date: February 18, 2008 at 06:33:49 Pacific
Subject: POS TMP. problem
Reply:
Please go to Virus Total and upload the following file for analysis:

C:\WINDOWS\sеcurity\wоwexec.exe


C:\WINDOWS\Мicrosoft\rundll32.exe


Post the results in your reply.


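The two paths jabuck asks to have scanned are flagged in the ComboFix log by more than their hidden/system attributes: the directory names contain Cyrillic letters that render like Latin ones, the earlier "Duplicate files of bak directory contents" section shows three unrelated programs (msmsgs.exe, jusched.exe, InkMonitor.exe) replaced by files of identical size and date, the autorun list carries an EXPL0RER.EXE with a zero for the O, and two dozen At*.job tasks all launch the same randomly named executable. As an added example (not from the thread and not part of ComboFix, HijackThis or any other tool named here), the Python below applies those indicators as checks over constructed sample lines modelled on that log output. The sample lines, the set of protected binary names, the expected-directory set and the confusable-character map are all assumptions made for the example.

```python
import re
import unicodedata
from collections import Counter, defaultdict

# Constructed sample, modelled on the ComboFix output posted in this thread; these are
# not the thread's own log lines. Look-alike letters are written as escapes so that the
# Cyrillic characters are visible: \u0435 (looks like e), \u043e (o), \u041c (M).
SAMPLE_LOG = (
    "2007-10-03 15:07 230,912 --sh--r C:\\WINDOWS\\s\u0435curity\\w\u043ewexec.exe\n"
    "2007-10-04 20:38 70,144 --sh--r C:\\WINDOWS\\\u041cicrosoft\\rundll32.exe\n"
    "2008-02-17 15:15 . 2006-06-29 13:07 14,048 --------- C:\\WINDOWS\\system32\\spmsg2.dll\n"
    '"IeServerhelp"="C:\\Documents and Settings\\All Users\\Application Data\\EXPL0RER.EXE" [ ]\n'
    '"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe" [2007-10-02 16:11 27664]\n'
    '"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe" [2007-10-02 16:11 27664]\n'
    '"Ink Monitor"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe" [2007-10-02 16:11 27664]\n'
    '"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2004-08-03 23:56 15360]\n'
    '"2008-02-17 14:00:02 C:\\WINDOWS\\Tasks\\At10.job"\n'
    "- C:\\WINDOWS\\system32\\O35PCQI2.exe\n"
    '"2008-02-17 15:00:00 C:\\WINDOWS\\Tasks\\At11.job"\n'
    "- C:\\WINDOWS\\system32\\O35PCQI2.exe\n"
    '"2008-02-17 16:00:03 C:\\WINDOWS\\Tasks\\At12.job"\n'
    "- C:\\WINDOWS\\system32\\O35PCQI2.exe\n"
)

# A quoted path ("C:\...") or an unquoted path that runs to the end of the line.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^"]+?)\s*$')
# ComboFix's "[date time size]" trailer on autorun entries.
STAMP_RE = re.compile(r'\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+)\]\s*$')
# A scheduled-task line; the following "- target" line names what the job runs.
JOB_RE = re.compile(r'^"\S+ \S+ ([A-Za-z]:\\.+\.job)"$')

# Assumed lists for this example: names worth protecting and where they normally live.
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "rundll32.exe", "wowexec.exe",
                         "ctfmon.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
EXPECTED_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Characters commonly substituted for Latin letters, mapped back to the letter.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",                                   # digits (SVCH0ST, EXPL0RER)
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u043c": "m",          # lowercase Cyrillic look-alikes
})


def extract_path(line):
    m = PATH_RE.search(line)
    return (m.group(1) or m.group(2)) if m else None


def non_ascii_chars(path):
    """Unicode names of every non-ASCII character in a path (homoglyph indicator)."""
    return [unicodedata.name(c, "U+%04X" % ord(c)) for c in path if ord(c) > 127]


def suspicious_paths(log_text):
    """Map each path that trips a detector to the list of reasons it was flagged."""
    findings = defaultdict(list)
    stamps = defaultdict(set)          # (timestamp, size) -> paths carrying that trailer
    for line in log_text.splitlines():
        path = extract_path(line)
        if not path:
            continue
        parent, _, name = path.lower().rpartition("\\")
        glyphs = non_ascii_chars(path)
        if glyphs:
            findings[path].append("non-ASCII characters in path: " + ", ".join(glyphs))
        normalized = name.translate(CONFUSABLES)
        if name not in KNOWN_SYSTEM_BINARIES and normalized in KNOWN_SYSTEM_BINARIES:
            findings[path].append("filename mimics system binary " + normalized)
        if name in KNOWN_SYSTEM_BINARIES and parent not in EXPECTED_DIRS:
            findings[path].append("system binary name outside its usual directory")
        m = STAMP_RE.search(line)
        if m:
            stamps[(m.group(1), m.group(2))].add(path)
    # Unrelated autorun executables sharing one timestamp and size: the pattern left when
    # a dropper overwrites several legitimate programs and parks the originals in bak\.
    for (stamp, size), paths in stamps.items():
        if len(paths) > 1:
            for p in paths:
                findings[p].append(f"shares timestamp {stamp} and size {size} bytes "
                                   f"with {len(paths) - 1} other autorun entries")
    return dict(findings)


def task_fan_in(log_text, min_jobs=2):
    """Targets launched by at least min_jobs scheduled-task .job files."""
    targets = Counter()
    lines = log_text.splitlines()
    for i in range(len(lines) - 1):
        if JOB_RE.match(lines[i]) and lines[i + 1].startswith("- "):
            targets[lines[i + 1][2:].strip()] += 1
    return {t: n for t, n in targets.items() if n >= min_jobs}


def report(log_text=SAMPLE_LOG):
    """Combine all detectors into one {path: [reasons]} dictionary."""
    out = suspicious_paths(log_text)
    for target, n in task_fan_in(log_text).items():
        out.setdefault(target, []).append(f"launched by {n} scheduled-task .job files")
    return out


if __name__ == "__main__":
    for path, reasons in report().items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, `report()` flags seven paths: the two Cyrillic-directory binaries (one also because rundll32.exe sits outside its usual directory, the other because its name normalizes to wowexec.exe), EXPL0RER.EXE as an explorer.exe look-alike, the three programs that share the 2007-10-02 16:11 / 27664-byte stamp, and the O35PCQI2.exe target launched by every At*.job. None of these checks needs a signature; they are worth keeping in a log-triage script precisely because the file names were chosen to pass a casual eye.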

Response Number 8
Name: lucy10
Date: February 18, 2008 at 13:49:08 Pacific
Subject: POS TMP. problem
Reply:
first file: http://www.virustotal.com/analisis/...


second file:
http://www.virustotal.com/analisis/...




Response Number 9
Name: jabuck
Date: February 18, 2008 at 19:53:51 Pacific
Subject: POS TMP. problem
Reply:
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\sеcurity\wоwexec.exe
C:\WINDOWS\Мicrosoft\rundll32.exe
C:\WINDOWS\system32\O35PCQI2.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\AFEF4706E4C5.dll
C:\Documents and Settings\All Users\Application Data\EXPL0RER.EXE

Driver::
Folder::
C:\Program Files\TryMedia

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1BDBB504-0390-4821-AB7F-F8F38103DAE8}"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\[u]0[/u]]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beffebc8-b33c-11dc-b266-00155875ca91}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IeServerhelp"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"DF"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note: for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Post a new Combofix log.



Response Number 10
Name: lucy10
Date: February 19, 2008 at 21:36:02 Pacific
Subject: POS TMP. problem
Reply:
KSCAN:

---------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 20, 2008 12:00:11 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/02/2008
Kaspersky Anti-Virus database records: 573443
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 25593
Number of viruses found: 12
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 01:28:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\lllll\.housecall6.6\Quarantine\b147.exe.bac_a03276 Infected: Trojan.Win32.Agent.bnd skipped
C:\Documents and Settings\lllll\.housecall6.6\Quarantine\O35PCQI2.exe.bac_a03276 Infected: Backdoor.Win32.Agent.ark skipped
C:\Documents and Settings\lllll\.housecall6.6\Quarantine\propryhdecowu.html.bac_a03276 Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Documents and Settings\lllll\.housecall6.6\Quarantine\T.exe.bac_a03276 Infected: Trojan-PSW.Win32.OnLineGames.cnd skipped
C:\Documents and Settings\lllll\.housecall6.6\Quarantine\windows.bac_a03276 Infected: Trojan.Win32.Zapchast.dt skipped
C:\Documents and Settings\lllll\.housecall6.6\Quarantine\yfixhwg.dll.bac_a03276 Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\Documents and Settings\lllll\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\lllll\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\lllll\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\cert8.db Object is locked skipped
C:\Documents and Settings\lllll\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\history.dat Object is locked skipped
C:\Documents and Settings\lllll\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\key3.db Object is locked skipped
C:\Documents and Settings\lllll\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\parent.lock Object is locked skipped
C:\Documents and Settings\lllll\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\search.sqlite Object is locked skipped
C:\Documents and Settings\lllll\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\lllll\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\AOL OCP\AIM\Storage\data\lucysadorkable\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\AOL OCP\AIM\Storage\data\ohsolucyducy\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\Cache\842ADB70d01 Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Application Data\Mozilla\Firefox\Profiles\octuh1gf.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Temp\fla134.tmp Object is locked skipped
C:\Documents and Settings\lllll\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lllll\ntuser.dat Object is locked skipped
C:\Documents and Settings\lllll\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\Program Files\Messenger\msmsgs.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\SVCH0ST.EXE.vir Infected: Trojan.Win32.Delf.acy skipped
C:\QooBox\Quarantine\C\WINDOWS\AFEF4706E4C5.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.cnd skipped
C:\QooBox\Quarantine\C\WINDOWS\AFEF4706E4C5.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.cnd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\arwrukic.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gpvcrmxa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ktuetxuk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lcthjcjo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\leukblvw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ofjdavau.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pnrfilbt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\urktsvhy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wqsuxluy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xbbwiaqm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\sеcurity\wоwexec.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gg skipped
C:\QooBox\Quarantine\C\WINDOWS\Мicrosoft\rundll32.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{774A7834-A816-4404-B190-D0827CF08AA3}\RP121\A0051638.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gg skipped
C:\System Volume Information\_restore{774A7834-A816-4404-B190-D0827CF08AA3}\RP121\A0051639.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
C:\System Volume Information\_restore{774A7834-A816-4404-B190-D0827CF08AA3}\RP121\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

COMBOFIX:
ComboFix 08-02-17.2 - lllll 2008-02-20 0:04:42.5 - NTFSx86
Running from: C:\Documents and Settings\lllll\Desktop\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 21:06 . 2008-02-19 21:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-19 21:06 . 2008-02-19 21:06 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-19 21:06 . 2008-02-19 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-17 23:23 . 2008-02-17 23:23 <DIR> d-------- C:\Program Files\PowerPoint to Video
2008-02-17 21:59 . 2008-02-17 21:59 <DIR> d-------- C:\Program Files\Wondershare
2008-02-17 21:59 . 2007-12-13 18:28 5,504 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-02-17 21:30 . 2005-02-02 10:02 86,016 --a------ C:\WINDOWS\system32\ws_EncoderRenderer.ax
2008-02-17 21:30 . 2004-11-25 11:41 77,824 --a------ C:\WINDOWS\system32\wavdest.ax
2008-02-17 21:30 . 2005-01-12 19:28 1,024 --a------ C:\WINDOWS\system32\StarBurn.key
2008-02-17 16:14 . 2008-02-17 16:14 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-02-17 15:30 . 2008-02-17 15:30 <DIR> d-------- C:\Program Files\MSBuild
2008-02-17 15:19 . 2008-02-17 15:19 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-17 15:18 . 2008-02-17 15:18 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-17 15:15 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-17 09:55 . 2008-02-17 09:55 <DIR> d-------- C:\Program Files\Audacity
2008-02-16 17:47 . 2008-02-16 19:35 <DIR> d-------- C:\Documents and Settings\lllll\.housecall6.6
2008-02-10 11:18 . 2008-02-11 06:47 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-08 17:56 . 2008-02-08 17:56 <DIR> d-------- C:\Program Files\InterActual
2008-02-02 21:44 . 2008-02-16 17:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\HAURI
2008-01-29 22:43 . 2008-02-17 14:50 <DIR> d-------- C:\Documents and Settings\Lucy\Programs
2008-01-29 22:35 . 2008-01-29 22:35 <DIR> d-------- C:\spoolerlogs
2008-01-26 21:48 . 2008-01-26 21:48 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-20 10:50 . 2008-01-20 10:50 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-20 09:55 . 2008-01-20 09:55 <DIR> d-------- C:\Documents and Settings\lllll\Application Data\Hnc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 02:03 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-20 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-18 03:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-18 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-17 13:19 --------- d-----w C:\Program Files\Common Files\Motive
2008-02-17 01:00 --------- d-----w C:\Program Files\AIM6
2008-02-17 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-16 23:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\bak
2008-02-16 02:27 --------- d-----w C:\Documents and Settings\lllll\Application Data\HAURI
2008-02-10 16:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-30 04:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 04:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-05 23:38 --------- d-----w C:\Documents and Settings\lllll\Application Data\Jamdat
2007-12-29 02:38 --------- d-----w C:\Program Files\ReflexiveArcade
2007-12-29 00:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC45E3FE-C16D-4F24-9238-D1B49AD74815}]
2007-05-15 09:00 135168 --a------ C:\Program Files\HAURI\ViRobot Desktop 5.5\Service\hWebMan.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-10-02 16:11 27664]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2007-10-02 16:11 27664]
"HEProtect"="C:\Program Files\HAURI\ViRobot Desktop 5.5\AntiSpam\HSockPE.exe" [2007-01-04 05:00 221184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-10-02 16:11 27664]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HostManager"="C:\Program Files\Common Files\AOL\1203472947\ee\AOLSoftware.exe" [2006-04-13 15:36 50792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Run IPH"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2005-11-22 18:30 128616]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-08-17 13:30:47 127488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\propryhdecowu.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
C:\WINDOWS\system32\HncUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig7.0]
--a------ 2003-07-14 21:57 19520 C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 21:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-03 21:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-03 21:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 18:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-01-11 14:08 577536 C:\WINDOWS\soundman.exe

R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;C:\WINDOWS\system32\drivers\VRFWNTD5.sys [2007-04-24 08:00]
R3 VRsecos;VRsecos;C:\WINDOWS\system32\drivers\VRsecos.sys [2007-05-10 10:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 18:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\O35PCQI2.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 00:07:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-20 0:09:46
ComboFix-quarantined-files.txt 2008-02-20 05:09:15
ComboFix2.txt 2008-02-20 00:29:39
ComboFix3.txt 2008-02-18 04:07:14
ComboFix4.txt 2008-02-17 22:48:37



Response Number 11
Name: jabuck
Date: February 20, 2008 at 06:12:48 Pacific
Subject: POS TMP. problem
Reply:
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\QooBox

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "Run".

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option:

Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Copy/paste the following list of bolded files to be restored:


"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\EPSON\Ink Monitor\bak\InkMonitor.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.


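The bak-folder check jabuck describes above (compare each file in a bak folder with the same-named file one level up, put the original back over the rogue copy, and later remove only those bak folders whose contents are already duplicated in the parent, which is the step the thread takes next), as an added example in Python. This is not FindAWF's code and not part of the original thread. It builds a throwaway tree in a temporary directory using the folder names from lucy10's log with made-up file contents, so it runs offline and touches nothing on a real system. The `.vir` quarantine suffix is borrowed from the ComboFix quarantine paths in the Kaspersky log and is an assumption, not FindAWF's documented behaviour.

```python
"""Added example (not FindAWF's code): the bak-folder check the thread describes. AWF adware
parks the real autostart executable in a "bak" subfolder and drops its own file under the
original name, so each bak file is compared with the same-named file in the parent folder."""
from __future__ import annotations
import hashlib, os, shutil, tempfile
from dataclasses import dataclass


@dataclass
class BakEntry:
    bak_file: str     # copy kept in the bak folder (the original)
    parent_file: str  # same name one level up (where the rogue copy lives)
    status: str       # "replaced", "duplicate" or "missing"


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_bak_folders(root: str) -> list[BakEntry]:
    """Option 1: classify every file inside a folder literally named 'bak'.
    replaced  = parent differs from the bak copy (rogue file, restore it)
    duplicate = parent is byte-identical (already restored)
    missing   = nothing under that name in the parent folder"""
    entries: list[BakEntry] = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        for name in sorted(files):
            bak_file = os.path.join(dirpath, name)
            parent_file = os.path.join(os.path.dirname(dirpath), name)
            if not os.path.isfile(parent_file):
                status = "missing"
            elif (os.path.getsize(parent_file) == os.path.getsize(bak_file)
                  and sha256_of(parent_file) == sha256_of(bak_file)):
                status = "duplicate"  # the log only shows sizes; hash before trusting it
            else:
                status = "replaced"
            entries.append(BakEntry(bak_file, parent_file, status))
    return entries


def restore_from_bak(entries: list[BakEntry], quarantine_dir: str) -> list[str]:
    """Option 2: move each rogue parent file to quarantine, then copy the original back.
    The '.vir' suffix copies the ComboFix quarantine naming in the log (an assumption)."""
    os.makedirs(quarantine_dir, exist_ok=True)
    restored = []
    for e in entries:
        if e.status != "replaced":
            continue
        shutil.move(e.parent_file, os.path.join(quarantine_dir, os.path.basename(e.parent_file) + ".vir"))
        shutil.copy2(e.bak_file, e.parent_file)
        restored.append(e.parent_file)
    return restored


def remove_bak_folders(root: str) -> list[str]:
    """Option 3: delete bak folders that are empty or fully duplicated in the parent.
    A folder still holding a 'replaced' or 'missing' file is the only clean copy: keep it."""
    statuses: dict[str, list[str]] = {}
    for e in find_bak_folders(root):
        statuses.setdefault(os.path.dirname(e.bak_file), []).append(e.status)
    removed = []
    for dirpath, _dirs, _files in list(os.walk(root)):  # list(): we delete while iterating
        if os.path.basename(dirpath).lower() != "bak" or not os.path.isdir(dirpath):
            continue
        if all(s == "duplicate" for s in statuses.get(dirpath, [])):  # empty folder -> True
            shutil.rmtree(dirpath)
            removed.append(dirpath)
    return removed


def build_demo_tree() -> str:
    """Constructed sample tree: folder names from the thread's log, file contents made up."""
    root = tempfile.mkdtemp(prefix="findawf_demo_")
    layout = {
        "Program Files/Messenger/msmsgs.exe": b"ORIGINAL msmsgs",  # already restored
        "Program Files/Messenger/bak/msmsgs.exe": b"ORIGINAL msmsgs",
        "WINDOWS/system32/ctfmon.exe": b"ROGUE dropper",  # still infected
        "WINDOWS/system32/bak/ctfmon.exe": b"ORIGINAL ctfmon",
        "Program Files/Java/jre1.6.0_02/bin/bak/jusched.exe": b"ORIGINAL jusched",  # no parent file
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    os.makedirs(os.path.join(root, "Program Files", "HAURI", "Common", "Base", "bak"))  # empty, as in the log
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for e in find_bak_folders(demo):
        print(f"{e.status:9s} {e.parent_file}")
    print("restored:", restore_from_bak(find_bak_folders(demo), os.path.join(demo, "Quarantine")))
    print("removed:", remove_bak_folders(demo))
    shutil.rmtree(demo)
```

FindAWF's "Duplicate files of bak directory contents" section matches on size and date only; the example hashes each pair before it calls a bak folder safe to delete, because a same-size rogue file would otherwise pass as a duplicate and the only clean copy would be thrown away.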

Response Number 12
Name: lucy10
Date: February 20, 2008 at 18:55:12 Pacific
Subject: POS TMP. problem
Reply:

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-02-20
The current time is: 21:44:57.92


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

2004-08-04 00:06 1,667,584 msmsgs.exe
1 File(s) 1,667,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

2004-08-03 23:56 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\DOCUME~1\ALLUSE~1\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\EPSON\INKMON~1\BAK

2008-02-16 18:34 258,048 InkMonitor.exe
1 File(s) 258,048 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

2007-05-11 02:06 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\HAURI\COMMON\BASE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HAURI\VIROBO~1.5\ANTISPAM\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

2007-07-12 03:00 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1667584 2004-08-04 "C:\Program Files\Messenger\msmsgs.exe"
1667584 2004-08-04 "C:\Program Files\Messenger\bak\msmsgs.exe"
15360 2004-08-03 "C:\WINDOWS\system32\ctfmon.exe"
15360 2004-08-03 "C:\WINDOWS\system32\bak\ctfmon.exe"
258048 2008-02-16 "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
258048 2008-02-16 "C:\Program Files\EPSON\Ink Monitor\bak\InkMonitor.exe"
40048 2007-05-11 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 2007-05-11 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
132496 2007-07-12 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 2007-07-12 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report



Response Number 13
Name: jabuck
Date: February 20, 2008 at 20:55:46 Pacific
Subject: POS TMP. problem
Reply:
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Copy/paste the following list of bolded folders to be removed:


C:\Program Files\Messenger\bak
C:\WINDOWS\system32\bak
C:\DOCUME~1\ALLUSE~1\APPLIC~1\BAK
C:\Program Files\EPSON\Ink Monitor\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\PROGRA~1\HAURI\COMMON\BASE\BAK
C:\PROGRA~1\HAURI\VIROBO~1.5\ANTISPAM\BAK


Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
- It deletes the contents of the bak folders
- Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.



Response Number 14
Name: lucy10
Date: February 22, 2008 at 14:43:48 Pacific
Subject: POS TMP. problem
Reply:

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 02/22/2008
The current time is: 17:42:58.12


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

08/04/2004 12:06 AM 1,667,584 msmsgs.exe
1 File(s) 1,667,584 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1667584 2004-08-04 "C:\Program Files\Messenger\msmsgs.exe"
1667584 2004-08-04 "C:\Program Files\Messenger\bak\msmsgs.exe"


end of report



Response Number 15
Name: jabuck
Date: February 22, 2008 at 20:17:16 Pacific
Subject: POS TMP. problem
Reply:
Navigate to and delete this folder if found:

C:\Program Files\Messenger\bak

Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.



Response Number 16
Name: lucy10
Date: February 23, 2008 at 18:26:56 Pacific
Subject: POS TMP. problem
Reply:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 02/23/2008
The current time is: 21:26:38.32


bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report



Response Number 17
Name: jabuck
Date: February 23, 2008 at 19:12:56 Pacific
Subject: POS TMP. problem
Reply:
Looks good. How is the computer operating?


Response Number 18
Name: lucy10
Date: February 24, 2008 at 10:02:49 Pacific
Subject: POS TMP. problem
Reply:
It's working fine.
Thank you so much!!!


Response Number 19
Name: jabuck
Date: February 24, 2008 at 16:33:16 Pacific
Subject: POS TMP. problem
Reply:
Glad we could help.

All content ©1996-2007 Computing.Net, LLC