Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Security and Virus > pos.tmp files showing up on c:

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

pos.tmp files showing up on c:

Reply to Message Icon

Name: atranchilla
Date: February 15, 2008 at 19:55:35 Pacific
OS: Windows XP Pro SP2
CPU/Ram: Pentium 2 dual core / 512
Product: Dell Dimension
Comment:

I am having some problems with pos.tmp files showing up on my computer on the c: drive. There seems to be other problems as well such as active desktop restore popping up etc. I have a Hijack this log ready to post if needed.


Any help would be greatly appreciated. Thank you!



Sponsored Link
Ads by Google

Response Number 1
Name: jabuck
Date: February 16, 2008 at 04:48:25 Pacific
Reply:

Please discard your mentioned Hijack This log and do the following:

Go to the this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Now run a new Hijack This log and post the results

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.


0

Response Number 2
Name: atranchilla
Date: February 16, 2008 at 06:12:02 Pacific
Reply:

Ok here are my logs:

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:32 AM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1F191921242020252] 1B15151D201C1C2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 6033 bytes

----------------


Combo Fix Log

ComboFix 08-02-16.2 - Administrator 2008-02-16 8:01:00.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.350 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 21:33 . 2008-02-15 21:33 <DIR> d-------- C:\VundoFix Backups
2008-02-15 15:03 . 2008-02-15 15:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 14:35 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-15 12:23 . 2008-02-15 12:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\EarthLink Toolbar
2008-02-15 11:38 . 2008-02-15 11:38 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-15 11:38 . 2008-02-15 11:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 11:23 . 2008-02-15 11:29 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-15 11:10 . 2008-02-15 11:06 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-15 11:10 . 2008-02-15 11:10 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-15 11:05 . 2008-02-15 11:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-15 11:05 . 2008-02-15 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-13 08:27 . 2008-02-13 08:27 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-12 08:12 . 2008-02-12 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-02-12 08:11 . 2008-02-12 08:12 <DIR> d-------- C:\Program Files\Dell Support Center
2008-02-12 08:11 . 2008-02-12 08:11 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-02-07 17:27 . 2008-02-07 17:27 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-02-07 11:01 . 2008-02-07 11:06 <DIR> d-------- C:\Program Files\RegCure
2008-02-07 10:59 . 2008-02-07 10:59 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-07 10:59 . 2008-02-07 10:59 <DIR> d-------- C:\Documents and Settings\Ben Franklin\Application Data\Yahoo!
2008-02-07 10:59 . 2008-02-07 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-07 10:55 . 2008-02-07 10:55 <DIR> d-------- C:\WINDOWS\cache
2008-02-05 22:55 . 2008-02-05 22:55 <DIR> d-------- C:\WINDOWS\system32\EBE5E5EDF0ECECF
2008-02-05 22:55 . 2007-12-14 06:40 120,832 --a------ C:\WINDOWS\system32\1B15151D201C1C2.exe
2008-02-05 15:45 . 2008-02-05 15:45 90,688 --a------ C:\WINDOWS\system32\lgwsicdv.dll
2008-02-05 08:33 . 2008-02-05 08:33 <DIR> d-------- C:\Documents and Settings\Ben Franklin\Application Data\EarthLink Toolbar
2008-02-04 17:29 . 2008-02-04 17:29 <DIR> d-------- C:\Program Files\EarthLink TotalAccess
2008-02-04 17:29 . 2008-02-04 17:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\EarthLink Toolbar
2008-02-04 15:35 . 2008-02-04 15:35 <DIR> d--hs---- C:\WINDOWS\QmVuIEZyYW5rbGlu
2008-02-04 15:35 . 2008-02-15 21:00 <DIR> d-------- C:\Temp
2008-01-30 09:06 . 2008-02-12 08:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-21 16:49 . 2008-01-28 15:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-21 16:49 . 2008-01-21 16:49 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 15:28 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-03-30 21:18 88,712 -c--a-w C:\Documents and Settings\Ben Franklin\Application Data\GDIPFONTCACHEV1.DAT
2005-08-02 22:46 187,904 --sha-r C:\WINDOWS\QmVuIEZyYW5rbGlu\asappsrv.dll
2005-08-02 22:58 293,888 --sha-r C:\WINDOWS\QmVuIEZyYW5rbGlu\command.exe
2005-07-29 22:24 472 --sha-r C:\WINDOWS\QmVuIEZyYW5rbGlu\kApRKHtVsqcOv35R.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 07:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 16:20 339968 C:\WINDOWS\stsystra.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-30 14:43 98304]
"1F191921242020252"="1B15151D201C1C2.exe" [2007-12-14 06:40 120832 C:\WINDOWS\system32\1B15151D201C1C2.exe]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-22 10:07 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 01:01:04 83360]

S2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-16 03:18:29 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-07 17:01:52 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 08:02:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-16 8:02:20
ComboFix2.txt 2008-02-16 03:27:45
ComboFix3.txt 2008-02-16 03:04:52
.
2008-02-13 23:40:15 --- E O F ---

Thank you!!


0

Response Number 3
Name: jabuck
Date: February 16, 2008 at 15:40:40 Pacific
Reply:

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\unins000.exe
C:\WINDOWS\unins000.dat
C:\WINDOWS\system32\1B15151D201C1C2.exe
C:\WINDOWS\system32\lgwsicdv.dll
C:\WINDOWS\QmVuIEZyYW5rbGlu\asappsrv.dll
C:\WINDOWS\QmVuIEZyYW5rbGlu\command.exe
C:\WINDOWS\QmVuIEZyYW5rbGlu\kApRKHtVsqcOv35R.vbs

Folder::
C:\WINDOWS\system32\EBE5E5EDF0ECECF
C:\WINDOWS\QmVuIEZyYW5rbGlu


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Download "DelDomains" from the follow link:

DelDomains

and extract/unzip it to your desktop:
Now right click on Deldomains.inf 'Install'.
After right clicking on Deldomains.inf 'Install' it appeared nothing happened,this is normal.

Nexy, your java is out of date and can be exploited.
Download the latest version of java from this link Java
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.

Next,post a new Combofix log and a new Hijack This log.


0

Sponsored Link
Ads by Google
Reply to Message Icon

Related Posts

See More



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home


Sponsored links
Ads by Google


Results for: pos.tmp files showing up on c:
pos.tmp files, red x on c:/ www.computing.net/answers/security/postmp-files-red-x-on-c/22196.html

pos.tmp files on c drive and my doc www.computing.net/answers/security/postmp-files-on-c-drive-and-my-doc/22256.html

HELP! Red X, pos.tmp files, Runs www.computing.net/answers/security/help-red-x-postmp-files-runs-/22495.html