hlktmp and Random Process - Returns after deletion

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shroppy, Oct 23, 2008.

  1. shroppy

    shroppy Private E-2

    I am having some problems with a file that keeps regenerating from somewhere, and a randomly named process that keeps showing up. I'm not sure what this process may be doing; it doesn't trip any alerts on my firewall or virus scanner, but it keeps appearing. Here are the details:

    The files are being created in Windows\Temp\. The first file is hlktmp (no file extension), the second is T30DebugLogFile.txt (a 0-byte file), and the third is an .exe file that is created with a random name and is started as a process when the computer is rebooted. This last time it was called JIC451.exe, but it has had all kinds of file names with a 6-letter/number combination. The hlktmp file is locked by the SYSTEM process (not some rogue system.exe, the actual SYSTEM process). If I unlock it, it gets immediately deleted automatically. Also, if I see the process with the random name running, as soon as I kill the process the .exe file is also immediately deleted. These files don't get locked in safe mode; I can boot in safe mode and delete them all, but as soon as I boot back up in regular mode, they are regenerated.

    The only real problem I have noticed that seems to affect my system is that the cursor may jump once each time the random process runs, but it doesn't appear that anyone has control over my system, as I have waited, or stopped moving when it jumped, and nothing else happens.

    I have not been able to find much information on the internet that says conclusively what this file is, or in regard to a process that gets a new random name each time it is created. If anyone has any insight into this issue, I would greatly appreciate it. I can't see this being anyone's legitimate application, especially with the .exe getting a new random name each time.

    I already went through the READ ME/DO ME, and they didn't find anything that seems to be related to this. I have rebooted several times, removed the files from safe mode, and the same thing happens every time. If I kill the process or unlock the hlktmp file, they won't come back for that session at least, but every time I reboot, they reappear.

    Thanks for your help,
    Jack
     

    Attached Files:
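A defender-side triage script for the symptoms described above (files in Windows\Temp held open by SYSTEM, a six-character random-name .exe that reappears at each reboot), added here as an example and not part of the thread or any tool it mentions. It assumes a current Windows with PowerShell 3 or later, run as Administrator; the `^[A-Za-z0-9]{6}\.exe$` pattern is inferred from the post, and the goal is to attribute each artifact to a signed vendor component (such as a licensing-dongle driver) or flag it for removal.

```powershell
# Added example, not the thread's own code. Assumes PowerShell 3+, run as Administrator.
$temp = Join-Path $env:SystemRoot 'Temp'

# 1. The files named in the post plus any 6-character random-name .exe in Windows\Temp.
#    Hash and Authenticode status let you attribute the file to a vendor or submit it for analysis.
$candidates = Get-ChildItem -Path $temp -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in 'hlktmp','T30DebugLogFile.txt' -or $_.Name -match '^[A-Za-z0-9]{6}\.exe$' }

foreach ($f in $candidates) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        File      = $f.Name
        SizeBytes = $f.Length
        Created   = $f.CreationTime
        SHA256    = $hash.Hash               # null if the file is exclusively locked
        SigStatus = $sig.Status              # 'Valid' for a signed, unmodified file
        Publisher = $sig.SignerCertificate.Subject
    }
}

# 2. Any running process whose image lives in Windows\Temp, with its parent:
#    the parent is usually the service or helper that re-creates the exe at boot.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -like "$temp\*" } |
    ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Image       = $_.ExecutablePath
            CommandLine = $_.CommandLine
            ParentPid   = $_.ParentProcessId
            ParentName  = $parent.Name
            ParentPath  = $parent.ExecutablePath
        }
    }

# 3. Autostart locations that could spawn a Temp-resident exe on every reboot:
#    services and the HKLM/HKCU Run keys. A legitimate driver normally appears as a
#    signed service with a vendor name; unexplained entries deserve a closer look.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'Temp' } |
    Select-Object Name, State, StartMode, PathName

foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match 'Temp' } |
        Select-Object @{n='Key';e={$key}}, Name, Value
}
```

Run it once in normal mode while the random process is present and once after a safe-mode boot; the parent process and the autostart entries that differ between the two runs point at the component that regenerates the files.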

  2. shroppy

    shroppy Private E-2

    Second post with remaining log file - Jack
     

    Attached Files:

  3. shroppy

    shroppy Private E-2

    I think I may have found out where this came from, but I will do a little more checking out tomorrow.

    First, after nothing turned up as malware, I thought it could be left over from my USB RF lock I used to have installed (those little key chains you could have, that would cause your comp to lock as soon as it was out of range of the USB receiver).

    Now I think it might be the files that are required for a USB dongle that is shared in the office for an engineering program that we run (archaic I know to still have a dongle for licensing, even if it is USB!).

    I will update you with my findings, hopefully this might help anyone else out who is tripping out over a similar problem, who might still be using a licensing dongle.

    Jack
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!


    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click; use right click and select Run As Administrator). This is really HijackThis. Select Do a system scan only, then select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that the combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop, but do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    Step 4:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 5:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
