Wolf58

Red X and pos files remain (Vundo is evil, SAS is A+++)


After scanning with Superantispyware (used the default settings the free version came with) and Vundofix, all bad symptoms are gone. (Super antispyware rocks!!) I am left with a load of pos files in My Documents and a red X icon for drive C in My Computer. Would these require further attention, or have they been neutered by Vundofix and Superantispyware? Would a future update address this?

Thanks in advance for any help.

Best Regards

> After scanning with Superantispyware (used the default settings the free version came with) and Vundofix, all bad symptoms are gone. (Super antispyware rocks!!) I am left with a load of pos files in My Documents and a red X icon for drive C in My Computer. Would these require further attention, or have they been neutered by Vundofix and Superantispyware? Would a future update address this?
>
> Thanks in advance for any help.
>
> Best Regards

What files have been left? Can you zip them and send them to samples AT superantispyware.com?


My suggestion would be to delete all the temporary files on your system that end in .TMP

Start a COMMAND console by going to START--RUN--- then type CMD

This will put you into a DOS box where you can then type the following

{one line at a time and then pressing the ENTER KEY after each one}

  • WARNING! This can be a very dangerous command - make sure you type it EXACTLY as shown
    If you're not comfortable with doing this then stop - don't do it this way.
    You can do a SEARCH on the whole C: drive and look for *.TMP and delete them that way.

CD\

ATTRIB -R -A -S -H /S *.TMP

DEL /S *.TMP

Then run a tool such as the ATF cleaner


Then look at the root of your C: drive and see if you have any file named desktop.ini

If you do, then create a new folder named SUSPECT and move the desktop.ini file into that new folder.

If there are any files that end with an ICO extension, then move them into that new folder as well.

The ROOT of C: is just the very top, not all the folders as there are many folders with a desktop.ini file that do belong where they're at.

I would again re-run SAS and an up to date Antivirus scan as well to make sure nothing else was left behind.

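The procedure above deletes every *.TMP file on the drive, and a later reply in this thread regrets that, because the pos*.tmp leftovers were wanted as samples. As an added example (not code from this thread, from the poster, or from SUPERAntiSpyware), the following Python script applies the post's own SUSPECT-folder idea to all of the named leftovers instead of deleting them: it narrows the match to pos*.tmp anywhere in the tree (plus desktop.ini and *.ico in the drive root only, per the post's caveat about subfolders), moves each hit into SUSPECT keeping its relative path, and writes a manifest with sizes and SHA-256 hashes so the samples can be zipped and submitted. The file names and contents it builds are constructed sample data, the script name quarantine_pos.py is hypothetical, and a dry run is done before anything is moved.

```python
"""quarantine_pos.py (hypothetical name): quarantine leftover files instead of
deleting them, so they can be submitted for analysis. Added example."""
import fnmatch
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Patterns named in the thread. pos*.tmp is searched for in the whole tree;
# desktop.ini and *.ico only in the drive root, because (as the post says)
# subfolders legitimately carry their own desktop.ini.
TREE_PATTERNS = ("pos*.tmp",)
ROOT_ONLY_PATTERNS = ("desktop.ini", "*.ico")
QUARANTINE_DIR = "SUSPECT"  # folder name the post itself proposes


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large leftovers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspects(root: Path):
    """Yield files under root matching the patterns above (case-insensitive)."""
    root = root.resolve()
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # never descend into a quarantine folder left by an earlier run
        dirnames[:] = [d for d in dirnames if d.upper() != QUARANTINE_DIR]
        for name in filenames:
            lname = name.lower()
            if any(fnmatch.fnmatchcase(lname, p) for p in TREE_PATTERNS):
                yield here / name
            elif here == root and any(fnmatch.fnmatchcase(lname, p) for p in ROOT_ONLY_PATTERNS):
                yield here / name


def quarantine(root, dry_run: bool = False) -> list:
    """Move matches into root/SUSPECT (keeping relative paths) and write a
    manifest of sizes and SHA-256 hashes. With dry_run=True nothing is moved;
    the returned list shows what would be. Returns the manifest entries."""
    root = Path(root).resolve()
    qdir = root / QUARANTINE_DIR
    entries = []
    for src in list(find_suspects(root)):  # list() first: we move files below
        rel = src.relative_to(root)
        entry = {"path": rel.as_posix(), "size": src.stat().st_size, "sha256": sha256_of(src)}
        if not dry_run:
            dst = qdir / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
            entry["quarantined_to"] = dst.relative_to(root).as_posix()
        entries.append(entry)
    if not dry_run:
        qdir.mkdir(parents=True, exist_ok=True)
        (qdir / "manifest.json").write_text(json.dumps(entries, indent=2))
    return entries


def build_sample_tree(base: Path) -> None:
    """Constructed stand-in for an XP drive root (sample data, not real malware)."""
    files = {
        "pos1234.tmp": b"constructed pos sample 1",
        "My Documents/pos5678.tmp": b"constructed pos sample 2",
        "My Documents/report.tmp": b"legitimate temp file that DEL /S *.TMP would have removed",
        "desktop.ini": b"[.ShellClassInfo]\r\n",
        "icon.ico": b"\x00\x00\x01\x00",
        "WINDOWS/desktop.ini": b"[.ShellClassInfo]\r\n",  # belongs where it is
    }
    for rel, data in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Build the constructed tree in a temp dir, preview, then quarantine."""
    base = Path(tempfile.mkdtemp(prefix="pos_quarantine_demo_"))
    build_sample_tree(base)
    preview = sorted(e["path"] for e in quarantine(base, dry_run=True))
    moved = quarantine(base)
    manifest = json.loads((base / QUARANTINE_DIR / "manifest.json").read_text())
    return {
        "base": str(base),
        "preview": preview,
        "moved": sorted(e["path"] for e in moved),
        "root_desktop_ini_gone": not (base / "desktop.ini").exists(),
        "sub_desktop_ini_kept": (base / "WINDOWS" / "desktop.ini").exists(),
        "other_tmp_kept": (base / "My Documents" / "report.tmp").exists(),
        "manifest_entries": len(manifest),
        "hashes_ok": all(len(e["sha256"]) == 64 for e in manifest),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script as-is only touches its own temporary directory. On a real machine, call quarantine(Path("C:/"), dry_run=True) first and read the list, then repeat without dry_run; unlike DEL /S *.TMP, an ordinary report.tmp is left alone, and the SUSPECT folder plus manifest.json is exactly what to zip for the samples address mentioned earlier in the thread.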

Thank you very much for your response to my problem. I am anxious to see if this kills the remains of the attack. Unfortunately work and family are not allowing me the time to do this today. I am not very familiar with DOS commands and will need to review some tutorials before I am comfortable with searching, deleting and moving items to a suspect file from a C prompt. I will post again when I have done as you instruct.

Would it be practical or less effective to do this from the desktop of my XP SP2? I would not care if it took extra time.

Also FYI, as of this morning no other symptoms have been observed, although I use Firefox and not IE. (I think that this thing has something to do with IE.)

Since AM yesterday I have done 2 scans with SAS and 1 with McAfee. No detections with either.

Finally my sincere and grateful thanks for your response. This problem has been very stressful to me.

Best Regards

> My suggestion would be to delete all the temporary files on your system that end in .TMP
>
> Start a COMMAND console by going to START--RUN--- then type CMD
>
> This will put you into a DOS box where you can then type the following
>
> {one line at a time and then pressing the ENTER KEY after each one}
>
>     WARNING! This can be a very dangerous command - make sure you type it EXACTLY as shown
>     If you're not comfortable with doing this then stop - don't do it this way.
>     You can do a SEARCH on the whole C: drive and look for *.TMP and delete them that way.
>
> CD\
>
> ATTRIB -R -A -S -H /S *.TMP
>
> DEL /S *.TMP
>
> Then run a tool such as the ATF cleaner
>
> Then look at the root of your C: drive and see if you have any file named desktop.ini
>
> If you do, then create a new folder named SUSPECT and move the desktop.ini file into that new folder.
>
> If there are any files that end with an ICO extension, then move them into that new folder as well.
>
> The ROOT of C: is just the very top, not all the folders as there are many folders with a desktop.ini file that do belong where they're at.
>
> I would again re-run SAS and an up to date Antivirus scan as well to make sure nothing else was left behind.

I really wish you would not have asked him to delete them, I wanted to get the files to see what they were....


To site Admin

The pos .TMP files are not gone yet. As I said, I am nervous as a cat about even touching these things. I will say that I think SAS is the reason I have not had as much trouble as I have seen other people on different forums have. I confess to being out of my element when working with DOS. If you would like to assist me in detail on how to send the info you would like, I will gladly see what I can do. Also, my e-mail address is in my profile.

I will be upgrading to Pro as soon as I have this thing taken care of.

Best Regards and with many Thanks!

P.S. I also have a copy of the Vundofix log that shows a dlbox file which the SAS scan did not pick up.

> I really wish you would not have asked him to delete them, I wanted to get the files to see what they were....

Nick,

Have you received those pos*.tmp files yet? I am increasingly running across these things on systems infected with spam bots. Generally, the files are in the root of c:\ and/or in the user's My Documents folder... they often number in the hundreds or thousands. I generally delete them on sight.

If you have not received them yet, I will make sure to send some up to you next time I get my hands on some.

> I really wish you would not have asked him to delete them, I wanted to get the files to see what they were....
>
> Nick,
>
> Have you received those pos*.tmp files yet? I am increasingly running across these things on systems infected with spam bots. Generally, the files are in the root of c:\ and/or in the user's My Documents folder... they often number in the hundreds or thousands. I generally delete them on sight.
>
> If you have not received them yet, I will make sure to send some up to you next time I get my hands on some.

I have not received them as of yet - yes, if you get them, send them to me and then PM me so I know to look for them.

> I have not received them as of yet - yes, if you get them, send them to me and then PM me so I know to look for them.

Zipped and mailed to the sample submission email address. I snagged them while at work cleaning out an infected system and at the time, I could only remember the sample email address to send them to. :)

I have not looked too closely at the files myself and don't know what they do or why they are there. There are so many of them on an infected system that deleting them has become necessary.

I'd be curious to know if you find out (if it is possible to know by looking at them, that is).

> I have not received them as of yet - yes, if you get them, send them to me and then PM me so I know to look for them.
>
> Zipped and mailed to the sample submission email address. I snagged them while at work cleaning out an infected system and at the time, I could only remember the sample email address to send them to. :)
>
> I have not looked too closely at the files myself and don't know what they do or why they are there. There are so many of them on an infected system that deleting them has become necessary.
>
> I'd be curious to know if you find out (if it is possible to know by looking at them, that is).

I will look for the e-mail and make sure I received it!

