Subject: Red X and POS Tmp files

Original Message
Name: Joshua Swain (by jswain)
Date: March 28, 2008 at 14:10:39 Pacific
Subject: Red X and POS Tmp files
OS: Windows XP SP2
CPU/Ram: P4 2.8 / 256
Model/Manufacturer: Dell Dimension 3000
Comment:
I am working on a friend's computer and it looks like, from some of the other posts that are on this board, that it is infected by the Vundo virus.

I have read through a couple of the threads on this board about the virus and how to remove it, but most of it appears to be the ability to interpret the HiJackThis and ComboFix logs. I am not sure I have that level of skill.

Any help that you could provide would be greatly appreciated.



Response Number 1
Name: Cuffy
Date: March 28, 2008 at 18:50:18 Pacific
Subject: Red X and POS Tmp files
Reply:
Have you tried Trend Micro Housecall?
Just Google those three words and it will find it for you.
Run the free scan and keep us posted!


Response Number 2
Name: Adii
Date: March 28, 2008 at 23:59:13 Pacific
Subject: Red X and POS Tmp files
Reply:
Download the "HijackThis" Installer from this link:

http://www.trendsecure.com/portal/e...


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Post the HijackThis log in your next reply.

*Do Safe Computing*



Response Number 3
Name: Joshua Swain (by jswain)
Date: March 31, 2008 at 08:23:30 Pacific
Subject: Red X and POS Tmp files
Reply:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:15 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jjeffery\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: (no name) - {773FC8D8-EFF6-4633-B0A3-E479B1757419} - C:\Program Files\Online Services\hoqeC:\WINDOWS\system32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {A69F20AD-FC69-4CDE-B2A7-19E8B9AAF891} - C:\WINDOWS\system32\awtqn.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BMff740e30] Rundll32.exe "C:\WINDOWS\system32\faglcriq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O20 - Winlogon Notify: gebcyaw - gebcyaw.dll (file missing)
O20 - Winlogon Notify: jkklllm - jkklllm.dll (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 4306 bytes



Response Number 4
Name: Adii
Date: March 31, 2008 at 21:50:09 Pacific
Subject: Red X and POS Tmp files
Reply:

Uninstall RXToolBar from Add/Remove Programs in Control Panel.


Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: (no name) - {773FC8D8-EFF6-4633-B0A3-E479B1757419} - C:\Program Files\Online Services\hoqeC:\WINDOWS\system32\vt8\tycodllz83122.exe.dll (file missing)
O2 - BHO: (no name) - {A69F20AD-FC69-4CDE-B2A7-19E8B9AAF891} - C:\WINDOWS\system32\awtqn.dll (file missing)
O4 - HKLM\..\Run: [BMff740e30] Rundll32.exe "C:\WINDOWS\system32\faglcriq.dll",s
O20 - Winlogon Notify: gebcyaw - gebcyaw.dll (file missing)
O20 - Winlogon Notify: jkklllm - jkklllm.dll (file missing)


Then delete this file and directory (do not be concerned if they do not exist):

C:\Program Files\RXToolBar
C:\WINDOWS\system32\vt8\tycodllz83122.exe.dll


THEN:


Download Combofix by sUBs and save to your desktop.

(If you have previously downloaded ComboFix, please delete that version now.)


Download link HERE:
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...

Note
It is important that it is saved directly to your desktop.

Close any open browsers.

Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.

Post the entire contents of C:\ComboFix.txt into your next reply.

Note
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.
Note
In case your antivirus or any other real-time scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log.

*Do Safe Computing*


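As an added example (not part of this thread, and not code from HijackThis or Trend Micro), the Python script below applies the same reasoning Adii used when picking the entries above: it reads HijackThis log lines and flags orphaned references ("(file missing)" / "(no file)"), unnamed BHOs and toolbars, O20 Winlogon Notify load points, and O4 Run entries that use Rundll32 to load a random-looking DLL. The sample log is constructed from lines that appear in this thread; the random-name regex is a heuristic I am assuming here, not a rule HijackThis itself applies, so treat its hits as "look closer", not "fix".

```python
import re
from typing import List, Tuple

# Constructed sample: a few lines modelled on the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A69F20AD-FC69-4CDE-B2A7-19E8B9AAF891} - C:\WINDOWS\system32\awtqn.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BMff740e30] Rundll32.exe "C:\WINDOWS\system32\faglcriq.dll",s
O20 - Winlogon Notify: gebcyaw - gebcyaw.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
"""

# HijackThis tags references whose target no longer exists on disk with these markers.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# 'Rundll32.exe "<path>.dll",entry' as it appears in O4 lines.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)', re.IGNORECASE)
# Heuristic (my assumption, not a HijackThis rule): 6-9 lowercase letters and no digits,
# the naming pattern of the Vundo DLLs seen in this thread (awtqn, faglcriq, gebcyaw).
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,9}\.dll$")

Finding = Tuple[str, str, str]  # (section, reason, original log line)


def triage_hjt_log(text: str) -> List[Finding]:
    """Return (section, reason, line) for every HijackThis line that trips a heuristic."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]  # "O2", "O4", "O20", ...
        reasons: List[str] = []
        if any(marker in line for marker in ORPHAN_MARKERS):
            reasons.append("orphaned reference (target file missing)")
        if section in ("O2", "O3") and "(no name)" in line:
            reasons.append("unnamed BHO/toolbar")
        if section == "O20" and "Winlogon Notify" in line:
            reasons.append("Winlogon Notify load point")
        if section == "O4":
            match = RUNDLL_RE.search(line)
            if match:
                # Reduce the quoted DLL path to its file name before testing the pattern.
                dll = match.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if RANDOM_NAME_RE.match(dll):
                    reasons.append("Rundll32 loading a random-looking DLL")
        findings.extend((section, reason, line) for reason in reasons)
    return findings


def flagged_lines(text: str) -> List[str]:
    """Unique log lines that received at least one flag, in log order."""
    seen: List[str] = []
    for _section, _reason, line in triage_hjt_log(text):
        if line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    for section, reason, line in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample, the script flags the same four lines a human would (the unnamed BHO, the empty toolbar, the Rundll32 entry and the Winlogon Notify entry) and leaves the Adobe, Defender and HP entries alone. Orphaned entries are leftovers from a partial cleanup rather than live code, which is exactly why HijackThis can "fix" them safely; the Rundll32 and Winlogon Notify hits are the ones that still matter for detection.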

Response Number 5
Name: Joshua Swain (by jswain)
Date: April 1, 2008 at 08:54:07 Pacific
Subject: Red X and POS Tmp files
Reply:
ComboFix Log:
ComboFix 08-03-30.5 - jjeffery 2008-04-01 8:33:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.85 [GMT -7:00]
Running from: C:\Documents and Settings\jjeffery\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-04-01 08:38 . 2008-04-01 08:38 <DIR> d-------- C:\temp\tn3
2008-03-31 08:30 . 2008-03-31 08:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 16:24 . 2008-03-28 16:24 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-03-28 16:12 . 2008-03-28 16:21 <DIR> d-------- C:\VundoFix Backups
2008-03-28 15:54 . 2008-03-28 15:54 19,148,408 --a------ C:\WINDOWS\system32\MRT .exe
2008-03-28 15:13 . 2008-03-28 15:13 215 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-28 09:53 . 2008-03-28 16:41 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-03 14:35 . 2008-03-03 14:35 4,286 --a------ C:\WINDOWS\system32\Jamster.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 15:38 932 ----a-w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-03-28 19:00 --------- d-----w C:\Program Files\TBONBin
2008-02-22 19:10 --------- d-----w C:\Program Files\Google
2008-02-22 18:42 --------- d-----w C:\Program Files\Sonic
2008-02-22 18:39 --------- d-----w C:\Program Files\QuickTime
2008-02-22 18:36 --------- d-----w C:\Program Files\Intuit
2008-02-22 18:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 17:46 --------- d-----w C:\Program Files\Creative
2008-02-22 17:37 --------- d-----w C:\Program Files\Audible
2007-02-12 20:33 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.
[code]


----a-w 866,584 2008-03-28 23:24:17 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-03-28 23:24:18 C:\WINDOWS\system32\ctfmon .exe
----a-w 19,148,408 2008-03-28 22:54:28 C:\WINDOWS\system32\MRT .exe
[/code]


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\hp\HP Software Update\HPWuSchd2.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\hp\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-03-01 03:55:18 972320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMff740e30]
C:\WINDOWS\system32\vsxyqhev.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\vtutu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
C:\Program Files\\NoDNS\\NoDNS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umufj]
C:\Documents and Settings\jjeffery\My Documents\s?stem\??oolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\FileZilla\\FileZilla.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_Yavin\\freedom.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_Yavin\\jre\\bin\\java.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_Yoda\\freedom.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_Yoda\\jre\\bin\\java.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_C3P0\\freedom.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_C3P0\\jre\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"C:\\Program Files\\Macromedia\\Contribute\\Contribute.exe"=

R1 sparroww;sparroww;C:\WINDOWS\system32\drivers\sparroww.sys [2008-01-09 15:24]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 15:41:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 08:38:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Other Running Processes
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-01 8:44:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 15:44:10
ComboFix2.txt 2008-03-28 23:49:56
Pre-Run: 17,579,495,424 bytes free
Post-Run: 17,578,409,984 bytes free
.
2008-03-28 22:15:48 --- E O F ---

---------------
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:21 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 3652 bytes


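As an added example (not from this thread and not ComboFix's own code), here is a Python snippet that parses the "Reg Loading Points" section of a ComboFix log in the REGEDIT4-style layout shown above and flags two of the indicators visible in it: Security Center values that silence the antivirus/update warnings, and msconfig startupreg autostart paths that contain "?" (ComboFix's rendering of unprintable characters in a path) or that launch an executable from a user profile directory. The sample section is constructed from entries that appear in the log above; the value names and the meaning of the "?" rendering are my assumptions about the format, stated in the comments.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: entries modelled on the "Reg Loading Points" section posted in this thread.
SAMPLE_COMBOFIX_REG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\vtutu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umufj]
C:\Documents and Settings\jjeffery\My Documents\s?stem\??oolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

# Security Center values that, when set to 1, suppress the "no antivirus / updates off" balloons.
NOTIFY_VALUES = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

Finding = Tuple[str, str, str]  # (registry key, reason, entry line)


def parse_reg_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines under each [KEY] header, REGEDIT4 style."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_combofix_reg(text: str) -> List[Finding]:
    """Flag notification-suppressing Security Center values and suspicious startupreg paths."""
    findings: List[Finding] = []
    for key, entries in parse_reg_sections(text).items():
        key_l = key.lower()
        for entry in entries:
            if key_l.endswith("\\security center"):
                m = DWORD_RE.match(entry)
                if m and m.group(1).lower() in NOTIFY_VALUES and int(m.group(2), 16) == 1:
                    findings.append((key, "Security Center notification suppressed", entry))
            elif "\\msconfig\\startupreg\\" in key_l:
                # Items disabled through msconfig still sit in startupreg; they are still worth reading.
                if "?" in entry:
                    # Assumption: ComboFix prints "?" for characters it cannot render in a path.
                    findings.append((key, "unprintable characters in autostart path", entry))
                if "\\documents and settings\\" in entry.lower() and entry.lower().endswith(".exe"):
                    findings.append((key, "autostart executable under a user profile directory", entry))
    return findings


if __name__ == "__main__":
    for key, reason, entry in triage_combofix_reg(SAMPLE_COMBOFIX_REG):
        print(f"{reason}\n    [{key}]\n    {entry}")
```

The two Security Center hits are the part worth remembering: malware that turns off the "no antivirus" and "updates disabled" notifications is hiding the fact that it has degraded the machine's defences, so those values are a good thing to check (and reset to 0) once the infection itself is gone.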

Response Number 6
Name: Adii
Date: April 1, 2008 at 09:39:19 Pacific
Subject: Red X and POS Tmp files
Reply:
Your logs are looking much better! We need to delete one more file.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the lines below into it:


---------------------------
KillAll::

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\faglcriq.dll
---

Save this file as CFScript.txt in the same location as ComboFix.exe.
Now drag the CFScript file onto ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt"; post it in your next reply.


Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

*Do Safe Computing*



Response Number 7
Name: Adii
Date: April 1, 2008 at 09:47:04 Pacific
Subject: Red X and POS Tmp files
Reply:
Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

Download: http://www.majorgeeks.com/ATF_Clean...

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Also

Download and scan with SUPERAntiSpyware Free for Home Users

Download: http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

Also post a new HijackThis log.

*Do Safe Computing*



Response Number 8
Name: Joshua Swain (by jswain)
Date: April 1, 2008 at 11:41:05 Pacific
Subject: Red X and POS Tmp files
Reply:
ComboFix Log:
ComboFix 08-03-30.5 - jjeffery 2008-04-01 10:10:17.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.107 [GMT -7:00]
Running from: C:\Documents and Settings\jjeffery\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jjeffery\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\faglcriq.dll
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-04-01 10:15 . 2008-04-01 10:15 <DIR> d-------- C:\temp\tn3
2008-03-31 08:30 . 2008-03-31 08:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 16:24 . 2008-03-28 16:24 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-03-28 16:12 . 2008-03-28 16:21 <DIR> d-------- C:\VundoFix Backups
2008-03-28 15:54 . 2008-03-28 15:54 19,148,408 --a------ C:\WINDOWS\system32\MRT .exe
2008-03-28 15:13 . 2008-03-28 15:13 215 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-28 09:53 . 2008-03-28 16:41 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-03 14:35 . 2008-03-03 14:35 4,286 --a------ C:\WINDOWS\system32\Jamster.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 17:14 932 ----a-w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-03-28 19:00 --------- d-----w C:\Program Files\TBONBin
2008-02-22 19:10 --------- d-----w C:\Program Files\Google
2008-02-22 18:42 --------- d-----w C:\Program Files\Sonic
2008-02-22 18:39 --------- d-----w C:\Program Files\QuickTime
2008-02-22 18:36 --------- d-----w C:\Program Files\Intuit
2008-02-22 18:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-22 17:46 --------- d-----w C:\Program Files\Creative
2008-02-22 17:37 --------- d-----w C:\Program Files\Audible
2007-02-12 20:33 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.
[code]


----a-w 866,584 2008-03-28 23:24:17 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 15,360 2008-03-28 23:24:18 C:\WINDOWS\system32\ctfmon .exe
----a-w 19,148,408 2008-03-28 22:54:28 C:\WINDOWS\system32\MRT .exe
[/code]


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\hp\HP Software Update\HPWuSchd2.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\hp\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-03-01 03:55:18 972320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMff740e30]
C:\WINDOWS\system32\vsxyqhev.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\vtutu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
C:\Program Files\\NoDNS\\NoDNS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umufj]
C:\Documents and Settings\jjeffery\My Documents\s?stem\??oolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"C:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\FileZilla\\FileZilla.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_Yavin\\freedom.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_Yavin\\jre\\bin\\java.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_Yoda\\freedom.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_Yoda\\jre\\bin\\java.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_C3P0\\freedom.exe"=
"C:\\Program Files\\Diverse Network Associates Inc\\Freedom_C3P0\\jre\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"C:\\Program Files\\Macromedia\\Contribute\\Contribute.exe"=

R1 sparroww;sparroww;C:\WINDOWS\system32\drivers\sparroww.sys [2008-01-09 15:24]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 17:18:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 10:15:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Other Running Processes
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-01 10:20:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 17:20:36
ComboFix2.txt 2008-04-01 15:44:15
ComboFix3.txt 2008-03-28 23:49:56
Pre-Run: 17,547,108,352 bytes free
Post-Run: 17,540,517,888 bytes free
.
2008-03-28 22:15:48 --- E O F ---


---------------
SUPERAntiSpyware Scan Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/01/2008 at 11:20 AM

Application Version : 4.0.1154

Core Rules Database Version : 3428
Trace Rules Database Version: 1420

Scan type : Complete Scan
Total Scan Time : 00:51:39

Memory items scanned : 293
Memory threats detected : 0
Registry items scanned : 4618
Registry threats detected : 17
File items scanned : 91064
File threats detected : 74

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}\InprocServer32
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}\InprocServer32#ThreadingModel
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}\KeyPhrasesFileName
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}\ProgID
HKCR\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}\VersionIndependentProgID
C:\PROGRAM FILES\RXTOOLBAR\SFCONT.DLL

Adware.Tracking Cookie
C:\Documents and Settings\jjeffery\Cookies\jjeffery@clickbank[1].txt
C:\Documents and Settings\jjeffery\Cookies\jjeffery@zedo[1].txt
C:\Documents and Settings\jjeffery\Cookies\jjeffery@servlet[1].txt
C:\Documents and Settings\jjeffery\Cookies\jjeffery@statcounter[1].txt

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020687.EXE

Adware.Best Offers Network
C:\Program Files\TBONBin

Malware.LocusSoftware Inc/PCPrivacyTool
HKLM\Software\Purchased Products
HKLM\Software\Purchased Products\System Error Repair
HKLM\Software\Purchased Products\System Error Repair#domain
HKLM\Software\Purchased Products\System Error Repair#pname
HKLM\Software\Purchased Products\System Error Repair#cname

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

Adware.VXGame-Trace
HKU\S-1-5-21-678841343-658175809-1262177093-1006\Software\kernelexe

Rogue.SysCleaner
HKU\S-1-5-21-678841343-658175809-1262177093-1006\Software\xInsiDERexe

Trojan.Vundo/Variant-Installer/A
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWS DEFENDER\MSASCUI.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\CTFMON.EXE.TMP.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP891\A0018071.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP925\A0020070.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP926\A0020396.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP927\A0020415.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP932\A0020482.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP934\A0020509.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP936\A0020528.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020638.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020639.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020671.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020672.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP941\A0020754.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP941\A0020769.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP941\A0020780.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP941\A0020781.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP941\A0020783.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP942\A0020841.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP943\A0021000.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP943\A0021001.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP943\A0021013.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP943\A0021061.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP943\A0021066.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP944\A0021158.EXE
C:\WINDOWS\SYSTEM32\MRT.EXE

Trojan.Unclassified/AffiliateBundle
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NNNKIGD.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OPNOMKK.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RQRPONN.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020691.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020692.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020693.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020695.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP942\A0020853.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP944\A0021140.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP944\A0021141.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP944\A0021146.DLL

Trojan.Vundo/Variant-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VTUTU.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP891\A0018069.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP925\A0020069.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP926\A0020393.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP927\A0020414.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP931\A0020455.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP932\A0020480.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP933\A0020499.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020634.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020663.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP943\A0021004.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP943\A0021014.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP943\A0021062.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP944\A0021117.EXE

Adware.NoDNS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020637.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020690.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP942\A0020851.DLL

Trojan.Downloader-Gen/BundleBase
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP938\A0020696.EXE

Trojan.Unclassified/Dropper-B
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP944\A0021124.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP944\A0021139.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP944\A0021154.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP944\A0021156.DLL
C:\WINDOWS\SYSTEM32\CABGFQUU.DLL
C:\WINDOWS\SYSTEM32\IKHJMCRW.DLL
C:\WINDOWS\SYSTEM32\JDPRUXKX.DLL
C:\WINDOWS\SYSTEM32\RLOATFXI.DLL
C:\WINDOWS\SYSTEM32\UTXQPOLJ.DLL
C:\WINDOWS\SYSTEM32\VFXFPQVA.DLL
C:\WINDOWS\SYSTEM32\XFXPPUAC.DLL


---------------
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:14 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 3978 bytes



Response Number 9
Name: Adii
Date: April 1, 2008 at 21:45:47 Pacific
Subject: Red X and POS Tmp files
Reply:
Your system is looking much better now.
By the way, how are things running on your computer now?

You can do your routine work again!

---

A FEW THINGS TO DO FOR YOUR FURTHER PC PROTECTION.

In order to protect yourself against spyware, you should consider installing and running the following free programs:


How to prevent further spyware/virus infection:
http://spywaredetail.com/steps.htm
http://spywaredetail.com/tips.htm


Visit Microsoft's Windows Update Site Frequently:
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware 2007:
Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.


Install Spybot Search and Destroy:
Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.


Install SpywareBlaster:
SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.


Install SpywareGuard:
SpywareGuard provides a real-time protection solution against spyware.


Install IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


NOTE: Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

*Do Safe Computing*



Response Number 10
Name: Joshua Swain (by jswain)
Date: April 2, 2008 at 08:44:48 Pacific
Subject: Red X and POS Tmp files
Reply:
Thank you for the help. The system is running much better. The only problem that still appears to be happening is that when I open a web browser, either Firefox or Internet Explorer, other browser windows open automatically.

It is usually just one or two, but they are advertisements and other random web pages. Is there a way to find whatever is latched onto my browsers and get rid of the popups?

I will also look into the programs that you suggested and make sure to educate my friend on how to keep his computer safe.

Thanks,
Josh



Response Number 11
Name: Adii
Date: April 2, 2008 at 11:17:49 Pacific
Subject: Red X and POS Tmp files
Reply:
That's good!
It usually happens because of browser hijacking by spyware/adware. Let me check, then I will tell you what to do.
I need your fresh HijackThis log for this overview!

*Do Safe Computing*



Response Number 12
Name: Joshua Swain (by jswain)
Date: April 2, 2008 at 16:02:54 Pacific
Subject: Red X and POS Tmp files
Reply:
I did scans with AVG, Ad-Aware, and SUPERAntiSpyware until I didn't get any more results, then I ran HijackThis. I am still getting the popups.

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:46 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BMff740e30] Rundll32.exe "C:\WINDOWS\system32\rfjgvryl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 4938 bytes



Response Number 13
Name: Adii
Date: April 2, 2008 at 21:38:28 Pacific
Subject: Red X and POS Tmp files
Reply:
You still have suspect files in your system!
Let's remove them!

Please run HijackThis again and click "Scan". Place checks next to the following entries:


O4 - HKLM\..\Run: [BMff740e30] Rundll32.exe "C:\WINDOWS\system32\rfjgvryl.dll",s

Close all browsers and other windows except for HijackThis, and click "Fix checked".


Show all hidden files and folders to remove the following file.

Remove these files:
C:\WINDOWS\system32\rfjgvryl.dll

When you are done, check and let me know how it's running.

Post a fresh HijackThis log.

*Do Safe Computing*



Response Number 14
Name: Joshua Swain (by jswain)
Date: April 3, 2008 at 13:47:02 Pacific
Subject: Red X and POS Tmp files
Reply:
Adii,
OK, I was finally able to remove the DLL, and then it stopped reappearing in the registry. At this point everything seems to be gone, except one last popup. This popup is weird in that it only opens the first time the browser loads, either Firefox or IE, until the computer is rebooted. I put Process Explorer on the machine, and the IE window that opens (iexplorer.exe) runs under svchost.exe instead of where it should be running from if I opened the browser directly. Any help you might be able to offer for this last problem would be greatly appreciated.

Latest HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:22 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 4593 bytes



Response Number 15
Name: Joshua Swain (by jswain)
Date: April 3, 2008 at 13:55:18 Pacific
Subject: Red X and POS Tmp files
Reply:
Update: I surfed for a bit longer and the popups do continue; they are just not one right after another. They have some time in between them.


Response Number 16
Name: Adii
Date: April 3, 2008 at 21:13:11 Pacific
Subject: Red X and POS Tmp files
Reply:
Don't worry, now you will not see more popups with your browser. Just fix the following entry.


Run HijackThis again and click "Scan". Place checks next to the following entries:


O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


Close all browsers and other windows except for HijackThis, and click "Fix checked".


Now restart your computer and browse the internet to see whether that weird popup still appears.


Now tell me how it's running.


Finally, also post your fresh HijackThis log.

*Do Safe Computing*


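The two entries Adii singled out (the O4 Run value loading rfjgvryl.dll through Rundll32 in Response 13, and the nameless O3 toolbar with no file in Response 16) can be picked out of a HijackThis log mechanically. The script below is an added example, not part of the thread or of HijackThis itself: it parses the O2/O3/O4 line formats seen in these logs and applies a few rules (generated-looking Run value names, rundll32 loading an eight-letter DLL from system32 with a single-letter export, CLSID entries whose file is missing) to a constructed sample assembled from lines in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 line format. It mixes the two entries
# the thread singled out (the generated-looking BMff740e30 value that loads
# rfjgvryl.dll through Rundll32, and the nameless O3 toolbar with no file)
# with benign entries copied from the same logs.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BMff740e30] Rundll32.exe "C:\WINDOWS\system32\rfjgvryl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# O4 autostart entries from the Run keys: "O4 - HKLM\..\Run: [Name] command"
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 (BHO) and O3 (toolbar) entries: "O3 - Toolbar: Name - {CLSID} - path"
COM_RE = re.compile(r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# rundll32 invocation: the DLL path and the optional entry point after the comma
RUNDLL_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<entry>\S*))?')
# eight letters and nothing else: the shape of the generated DLL names in this thread
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$", re.I)
# value names like BMff740e30: a short prefix followed by a run of hex digits
GENERATED_NAME_RE = re.compile(r"^[A-Za-z]{1,3}[0-9a-f]{6,}$")


@dataclass
class Finding:
    line: str
    reasons: list


def check_run_entry(name: str, cmd: str) -> list:
    """Return the reasons an O4 Run entry looks like a Vundo-style DLL loader."""
    reasons = []
    if GENERATED_NAME_RE.match(name):
        reasons.append("Run value name looks machine-generated")
    m = RUNDLL_RE.search(cmd)
    if m:
        dll = m.group("dll")
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1]
        in_system32 = "\\system32\\" in dll.lower()
        if in_system32 and RANDOM_DLL_RE.match(base):
            reasons.append(f"rundll32 loads random-named DLL {base} from system32")
        entry = m.group("entry") or ""
        if len(entry) == 1:
            reasons.append(f"single-letter export '{entry}' is unusual for a legitimate DLL")
    return reasons


def check_com_entry(sec: str, name: str, path: str) -> list:
    """Return the reasons an O2/O3 entry is an orphan worth fixing."""
    reasons = []
    if path.strip().lower() == "(no file)":
        kind = "BHO" if sec == "2" else "toolbar"
        reasons.append(f"{kind} CLSID registered but its file is gone (orphaned entry)")
        if name.strip().lower() == "(no name)":
            reasons.append("entry has no display name either")
    return reasons


def triage(log_text: str) -> list:
    """Run the rules over every line of a HijackThis log, keeping input order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if (m := RUN_RE.match(line)):
            reasons = check_run_entry(m.group("name"), m.group("cmd"))
        elif (m := COM_RE.match(line)):
            reasons = check_com_entry(m.group("sec"), m.group("name"), m.group("path"))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

The rules are deliberately narrow: a clean AVG or ctfmon.exe entry produces no finding, so everything reported is something to look at rather than a list of every autostart.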

Response Number 17
Name: Joshua Swain (by jswain)
Date: April 4, 2008 at 09:40:45 Pacific
Subject: Red X and POS Tmp files
Reply:
The popup continues. If it is any help, I notice that the iexplorer.exe process always pops up under the same svchost.exe, which is running the services:
- DCOM Server Process Launcher
- Terminal Services

Latest HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:58 AM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 4793 bytes


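Josh's Process Explorer observation (the popup's Internet Explorer is a child of the svchost.exe hosting DCOM Server Process Launcher rather than of explorer.exe) is a parent-process anomaly that can be checked from any process snapshot. This Python function is an added example, not from the thread: it walks parent links in a constructed (pid, ppid, name) snapshot and flags browsers whose lineage reaches a service host before any interactive shell, which is what an out-of-process COM launch of the browser looks like as opposed to a user clicking an icon.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Constructed snapshot (pid, parent pid, image name), shaped like the Process
# Explorer tree the thread describes: one iexplore.exe launched by the user's
# explorer.exe and one launched by the svchost.exe that hosts DcomLaunch.
# On a real machine this list would come from Process Explorer or tasklist.
SNAPSHOT = [
    Proc(4, 0, "System"),
    Proc(540, 4, "smss.exe"),
    Proc(600, 540, "winlogon.exe"),
    Proc(644, 600, "services.exe"),
    Proc(820, 644, "svchost.exe"),     # DCOM Server Process Launcher / Terminal Services
    Proc(900, 644, "svchost.exe"),
    Proc(1200, 0, "explorer.exe"),     # its parent (userinit.exe) has already exited
    Proc(1500, 1200, "iexplore.exe"),  # opened by the user from the shell
    Proc(1600, 820, "iexplore.exe"),   # the popup window: started by a service host
]

BROWSERS = {"iexplore.exe", "firefox.exe"}
SHELLS = {"explorer.exe"}
SERVICE_HOSTS = {"services.exe", "svchost.exe"}


def ancestry(procs, pid):
    """Walk parent links from pid upward; returns image names, nearest first.

    The 'seen' set guards against loops caused by pid reuse in a stale snapshot.
    """
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.name.lower())
        cur = by_pid.get(cur.ppid)
    return chain


def suspicious_browsers(procs):
    """Browsers whose lineage hits a service host before any interactive shell.

    Returns (pid, offending ancestor) pairs. A browser under explorer.exe is
    treated as user-launched and skipped as soon as the shell is reached.
    """
    hits = []
    for p in procs:
        if p.name.lower() not in BROWSERS:
            continue
        for name in ancestry(procs, p.pid)[1:]:   # skip the browser itself
            if name in SHELLS:
                break                             # user-launched, stop here
            if name in SERVICE_HOSTS:
                hits.append((p.pid, name))        # launched by a service host
                break
    return hits


if __name__ == "__main__":
    for pid, parent in suspicious_browsers(SNAPSHOT):
        print(f"pid {pid}: browser started under {parent}, chain = {ancestry(SNAPSHOT, pid)}")
```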




The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net, LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE

All content ©1996-2007 Computing.Net, LLC