Help...with Hijack This log.

Your OS & IE versions are way out of date and represent a major security risk. After we fix your current problems, you must address this. We will talk about that later.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\RunServices: [Nortons Syncmon] fpqkvqhmfegp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
c:\windows\system32\fpqkvqhmfegp.exe or c:\windows\fpqkvqhmfegp.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Just complete everything in my message and post the follow up HJT log. Make sure you tell me how things are working now. You may not find the file because HJT could have deleted it. To double check you could use Windows Search (as indicate below) to look for it.

Searching for Hidden Files on WinXP

 

Okay! The reason you are not finding the filename is because it is renaming itself. Currently it is:


C:\WINDOWS\System32\itdrgltgnxjp.exe <--- kill this process

O4 - HKLM\..\Run: [Nortons Syncmon] itdrgltgnxjp.exe <---- have HJT fix
O4 - HKLM\..\RunServices: [Nortons Syncmon] itdrgltgnxjp.exe <---- have HJT fix


You will need to take the same steps as last time but just use this filename. If you do not find it, look for another randomly named process and O4 lines to have taken its place. Fix them. The post a new log. DO NOT REBOOT or power down after posting your next log. That way if you did not get it fixed and it has renamed again, my directions for the log you post will remain. Powering down or rebooting will allow it to rename.

 

I'm not sure what you mean! Can you explain better? What is the exact error message? When do you get it and does it still happen?

You log is clean! Are you having any other malware problems. If not, you really have to start working thru the below immediately. The first step in the below is getting Windows Updates which you need!

How to Protect yourself from malware!

 

I'm still not sure I understand you correctly. Just answer the below:

1) Are you at the present time still having problems (yes or no)? If yes, give the exact error message if you have error messages.

2) Does the fpqkvqhmfegp.exe file still appear in your c:\windows\system32 folder (yes or no)?

If the answer to 2 was yes, this was the file I asked you to delete in message #2 but you said you could not find it. Are you sure you enabled viewing of hidden and system files etc.

3) What program is telling you that the file still exists? Please tell me exactly word for word the program tells you.


Please download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

 

So delete the C:\WINDOWS\system32\fqxqdjksbjdc.exe file like I originally requested in an earlier message.

Also do the following:
Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixit.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixit.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes

You may need to delete the file and add the registry patch in after booting in safe mode. It may also be necessary to run the registry patch first, reboot in safe mode, and then delete the file.

 

Okay! So is the fpqkvqhmfegp.exe file gone now?

Are you having any other malware problems?

 

Well you got rid of the previous file name but it came back exactly as before with a new file name.

C:\WINDOWS\System32\qnsmbjbqenrf.exe
O4 - HKLM\..\Run: [Nortons Syncmon] qnsmbjbqenrf.exe
O4 - HKLM\..\RunServices: [Nortons Syncmon] qnsmbjbqenrf.exe

You either have something else on your PC that is reinfection you or it is from some place you are surfing. I think we need to get your Windows Updates first before we go any further. Also I have to ask is your NOD32 antivirus up to date with current versions and virus definitions?

Let's not goto Windows XP SP2 yet. It is not a good idea to update to SP2 while a PC is infected, so try the below to get WinXP SP1a

http://www.softwarepatch.com/windows/winxpsp1.html

Download the file and install it? After doing this, post a new HJT log. Also answer my question about NOD32. Also what filenames is your firewall complaining about.

 

The link for download SP1a is in my last message!

You also need to answer my question about NOD32.

Also answer my question about yor firewall complaining.