Virus or trojan or spartan or something

[evilfantasy]

We have to get Norton running somehow. Can you reinstall it? Is it a paid version? What do you think about switching to a reliable free antivirus?

Boot into safe mode to delete this file.

First:

Go to My Computer->Tools->Folder Options->View tab:

• Under the Hidden files and folders heading:
• Select Show hidden files and folders.
  
• Uncheck Hide protected operating system files (recommended) option.
  
• Also, make sure there is no checkmark beside Hide file extensions for known file types.
  
• Click OK

.
Next:

Starting your computer in safe mode

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  
• Ensure that the Safe Mode option is selected.
  
• Press Enter. The computer then begins to start in Safe mode.
  
• Login on your usual account.

.
----------

Now open My Computer from the desktop and locate the file in blue and delete it.

C:\WINDOWS\system32\hmxmnqlq.exe

While in safe mode now run the Cleanup! program we installed earlier.

Boot back into normal mode and run a new Hijackthis scan and post the log please.

[NJDAVE]

I was unable to delete the file, C:\WINDOWS\system32\hmxmnqlq.exe.  I did not see the file in the c:\windows\system32 folder in either safe mode or regular mode.  All the file viewing settings are as you directed.  The latest Hijackthis log certainly shows that as a running process however.

David





[recovering space - attachment deleted by admin]

[evilfantasy]

Delete Combofix from the desktop and download the new version then run it.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
  
• Link #2
  
• Link #3

Important! Combofix.exe MUST be saved to and ran from the Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• Choose Yes to accept the Disclaimers.[

• When finished, it will produce a log for you.
• Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

• If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  
• Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

.

Post the combofix log in the next reply.

[NJDAVE]

ComboFix stopped running with the following message,

Almost done . . This window will close in a short while
Please wait a few seconds for the report log to pop up
ComboFix's log shall be located at C:\ComboFix.txt
 
As of this message it's been about 30 minutes.


You had asked me about my Norton installation.  Yeah, it's a paid version, but I've never been too happy with it as it seems to bog the system down.  I still find it hard to believe that it's not actually running since it gives all the indications that everything is working fine.

I could try reinstalling Norton, but I'd also have no problem switching to another virus protection package.  I've heard that AVG is pretty good.  Are there any that you'd recommend, or stay away from?

Thanks,

David

[evilfantasy]

Look in C:\ComboFix.txt fo rthe log. If it isn't there then please run it a different way. (instructions coming)

I would recommend getting rid of Norton. When uninstalling it do it through add/remove programs and then run the Norton Removal Tool. There is a norton rep who posts at another forum where I moderate and he actually suggests running the removal tool twice. Norton is notorious for leaving stuff behind.

There are only 3 AVs I recommend AVG, Avast and Avira. All can be found HERE Avast has made some great improvements lately so it is the top of the list for me as of now.

Back to Combofix.

Let's try running Combofix in a different way.

• Make sure combofix is located on your desktop.
• Now STOP all your monitoring programs
  
• Click this link to see a list of security programs that should be disabled and how to disable them.
  
• Click on your START button and choose Run.  Then copy/paste the entire content of the following Codebox (Including the "" marks and the Symbols) into the run box.
                                   
  Code: [Select]
  "%userprofile%\desktop\ComboFix.exe" /KillAll[/B]

• Click OK and this will start combofix in a special way.
  
• When finished, it will produce a log.
• Please save that log to a Notepad File and include it in your next reply.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* ComboFix will automatically Restart your machine when the KillAll switch is used.

Combofix (CF) disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

[NJDAVE]

ComboFix ran, but hung up again after the reboot.  It did create a log file that I have attached.



[recovering space - attachment deleted by admin]

[evilfantasy]

Something is stopping combofix from completing. That wasn't a full log.

Use this. It won't fix anything but we need the logs it creates.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
  
• When it has finished, dss will open two Notepads main.txt and extra.txt. 
  Please add the contents of main.txt and extra.txt in your next reply.

[NJDAVE]

I was afraid that ComboFix didn't fully complete the log.

The problems continued with dss which ran at first then stopped due to an error, the type where you can send an error report to Microsoft.  I sent nothing, and instead rebooted.  Hope that was OK. 

After the reboot dss ran to completion.  I've attached main.txt and extra.txt.



[recovering space - attachment deleted by admin]

[evilfantasy]

We need to get some antivirus installed that works. The C:\WINDOWS\system32\hmxmnqlq.exe is still there.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

Go HERE and download the Avast installer to the desktop. Don't install it yet.

Now go to add/remove programs and uninstall anything with Norton, Symantec and Live Update in the name.
Then run the Norton Removal Tool.

Now install Avast and do a full system scan with it. A guide to using Avast can be found HERE if needed.

Let me know if anything was found and removed.

[NJDAVE]

I've removed Norton and installed Avast.

I ran the Avast scan twice.

The first time I didn't have the create log file setting on so I don't have a record of what happened.  There were a bunch of results from the scan, 29 files.  Most were corrupt cab files or files that could not be accessed because they were being used by another process.  I moved all that I could to the Avast chest. 

In the chest there's now one file that Avast says is infected. I can't find a way to copy and paste the info, so I'll just have to type it here...

Original file name:
hpcp4005.cf_
Original folder:
C:\WINDOWS\SoftwareDistribution\Download\f2d27e07258460b327b7fdeb1922cc67\BIT3F.tmp

Avast does not identify the virus, and says the file cannot be restored.

Avast also stored 3 system files in the chest.  Kernel32.dll, winsock.dll and  wsock32.dll.  There's no reason given for these files being stored in the chest.

The second time I ran the Avast scan, the create log setting was on.  I've included that log.

David

[recovering space - attachment deleted by admin]

[evilfantasy]

Ok, post a fresh Hijackthis log now please.

[NJDAVE]

Hijackthis log is attached.

We've been working this thing for quite some time now.  Thanks again for your diligence in getting this resolved.

Davied

[recovering space - attachment deleted by admin]

[evilfantasy]

Go in and check for the C:\WINDOWS\system32\hmxmnqlq.exe

Don't go into safe mode first. If it is there delete it and then run another HJT scan and see if it is gone.

[NJDAVE]

The file, hmxmnqlq.exe isn't in that folder in either regular or safe mode.  A file search on the whole hard drive in both regular and safe mode comes up empty as well.

That's a pesky little bugger.

[evilfantasy]

I want to try this. I don't know if it will work but it can't hurt to try.

Double-click VundoFix.exe to run it.

• Click the Scan for Vundo button.
  
• Once it's done scanning, Right Click inside the listbox (white box) and click add more files
• Copy&Paste the entry below into the top box:
• C:\WINDOWS\system32\hmxmnqlq.exe

• Click Add Files and Click Close Window
• Click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Run HJT after it is complete and let me know if it is still there.