[sammyg]

Hey!! Great News!! I overcame my fear of updating my computer (as that was the last thing I did before all this nightmare happened), and updated my antivirus software. Upon rebooting, the Automatic Scan picked hn.exe (I did not search specifically for it) as a malware (InfoGrab, I think) product, deleted it, and now the computer is running just like new.
Explorer.exe and DrWatson Debugger don't crash on startup.
System Restore is back and running. (I promptly made a fresh restore point.)

Upon rebooting again, and running a full virus scan, Symantec picked up several more infected files, and quarantined them (I will post the details momentarily). Should I clean or delete these files?

Of course, this malware has been on my computer for 2 months now, and I would like to verify that there has been no permanent damage, or stolen information. I will continue to try and get HDD Diag (FDT) to run. Yes, it was Caldera DR-DOS that comes up. I will look over the instructions on how to use the commands.
http://www.drdos.com/dosdoc/usergeng/01ugch1.htm

Do you think I should get a HijackThisLog?


BTW, I did not post on any other forums; I simply googled hn.exe, and that forum was the first thing that comes up, and it points to hn.exe being malware. Sorry for the confusion.

Thank you,
-sammyg

[ketsueki13]

hn.exe is a backdoor trojan which can let someone access your information. You may want to start a thread in the Malware Removal forum.

[rainforest123]

s :
Congratulations.

No confusion.

Quote:

If you think this malware is the cause of your problem, read the 1st 2 stickies here http://forums.techguy.org/54-malware...jackthis-logs/ , then follow the instructions, to post a HJT log. Then, click on "report" on your entry and as a moderator to move your thread to the malware removal log. I am NOT suggesting that you do so. Only you can make that determination.

DO NOT start a new thread.
http://www.techguy.org/welcome.html

Quote:

ATTENTION:
We make every effort to keep Tech Support Guy a friendly place to find computer help. As such, we have a few important rules you MUST follow:

* You may not ask for help in performing any illegal activity, including: Kazaa, BearShare, WinMX, P2P file sharing, CD keys, and hacking.
* Please post your question only once! You can ask a Moderator to move your question later if necessary (see below).
* Do not post advertisements of any kind.
* Be polite and patient to everyone! You may not use foul language of any kind (not even if censored) and you may not post offensive messages or images.
* Click here to see the full list of rules.

[sammyg]

As noted before, hn.exe only ran for a second or two when explorer.exe closed on startup. I have a dialup connection, which is only intermittently connected, and was not connected for the short time that hn.exe appeared in my task manager... Is there any chance that data was accessed by a third party? Does hn.exe run in the background even after it disappears from task manager?

I am having some difficulty with my computer accessing my virus files... Will try and put them up in a few minutes.
Thanks
-sam

[sammyg]

The virus scan that picked out hn.exe


(Here is the big one...)

Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 5
Date: 5/3/2009
Time: 10:16:09 PM
User: N/A
Computer: ME
Description:


Threat Found!Threat: Infostealer.Gampass in File: C:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.



**************************************



Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 46
Date: 5/3/2009
Time: 10:21:48 PM
User: N/A
Computer: ME
Description:


Security Risk Found!Threat: Adware.Gen in File: c:\windows\system32\gtdownde_87.ocx by: Manual scan. Action: Clean failed : Quarantine failed. Action Description: The file was left unchanged.


*************************************



Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 51
Date: 5/3/2009
Time: 10:21:59 PM
User: N/A
Computer: ME
Description:


Security Risk Found!Threat: Adware.Gen in File: c:\windows\system32\gtdownde_87.ocx by: Manual scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.



**************************************


Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 5
Date: 5/3/2009
Time: 10:22:00 PM
User: N/A
Computer: ME
Description:


Threat Found!Threat: Adware.Gen in File: c:\WINDOWS\SYSTEM32\gtdownde_87.ocx by: Manual scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.


*************************************


Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 46
Date: 5/3/2009
Time: 10:26:13 PM
User: N/A
Computer: ME
Description:


Security Risk Found!Threat: Adware.Gen in File: C:\Documents and Settings\ME\Local Settings\Temp\VBRA032.ocx by: Manual Quarantine Scan scan. Action: Leave Alone succeeded. Action Description: The file was left unchanged.

*********************************
Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 51
Date: 5/3/2009
Time: 10:26:20 PM
User: N/A
Computer: ME
Description:


Security Risk Found!Threat: Adware.Gen in File: C:\Documents and Settings\ME\Local Settings\Temp\VBRA032.ocx by: Manual Quarantine Scan scan. Action: Clean was partially successful.. Action Description: Clean was partially successful.

[sammyg]

This subsequent scan ran on the next reboot after removing hn.exe and picked up some more stuff



Scan type: Auto-Protect Scan
Event: Security Risk Found!
Threat: Infostealer.Gampass
File: C:\SYSTEM~1\_RESTO~1\RP7\A0002243.exe
Location: Unknown Storage
Computer: ME
User: ME\SYSTEM
Action taken: Reboot Required
Date found: Monday, May 04, 2009 12:13:04 AM

[sammyg]

A P.S. on those viruses... Symantec forced me in order to reboot to deal with the viruses, and it was these several viruses which are in the eventvwr logs (see pictures of Virus #2 scan post). What should I do with the quarantined infected files? Are they important to keep?

-sammyg

[rainforest123]

sammyg:
Thanks.

HOWEVER, I do not have a shield from Tech Guy. I am not authorized to comment on malware logs. Tech Guy Forum has very strict rules about this issue.

If you want your computer evaluated for malware, you really need to follow my previous advice.

The file in "recycler" is in your recycle bin.
Do NOT restore any files from your recycle bin, or you may re-infect your computer. Empty your recycle bin.

The file in "restore" in within a system restore point.
Do NOT use system restore, or you will re-infect your computer.

RF123

[sammyg]

Quote:

Originally Posted by rainforest123

The file in "recycler" is in your recycle bin.
Do NOT restore any files from your recycle bin, or you may re-infect your computer. Empty your recycle bin.

The file in "restore" in within a system restore point.
Do NOT use system restore, or you will re-infect your computer.

RF123

RF:
So, even after I've cleaned these viruses, I can still be in danger of reinfecting my computer?
-sam

[rainforest123]

You will need to delete all of your restore points and empty your recycle bin.

Quote:

I do not have a shield from Tech Guy. I am not authorized to comment on malware logs. Tech Guy Forum has very strict rules about this issue.

If you want your computer evaluated for malware, you really need to follow my previous advice.

[sammyg]

I was cleaning my computer files as I usually do, and I came across hn.exe in my Prefetch folder. Does that mean that I have not fully removed the virus? Could it have done damage or spread just from the Prefetch folder?
-sam

[rainforest123]

s g:
No.

http://en.wikipedia.org/wiki/Prefetcher

Run ATF Cleaner, www.atribune.org
Download ATF Cleaner to a location, such as your desktop.
ATF Cleaner does not need to be installed. It will run [ perform ] without being installed.
I use ATF Cleaner.

Select ONLY "prefetch" , for now.
Left click "empty selected".
When ATF Cleaner has notified you that it has accomplished the task, click "ok".
Then, exit ATF Cleaner.

RF123

[sammyg]

I use Ccleaner, which found the prefetch file. However, it only finds files after they have been idle for several days; hence the fact that it only just now found the file. Will atf cleaner interfere with ccleaner, or will it stay on the side?

[rainforest123]

I am unaware of any conflicts between CC & ATF Cleaner, sammyg.

I think CC provides cleaning that is in addition to the cleaning by CC.

RF123

[rainforest123]

s:
In a way, yes, in that CC cleans more areas than ATF Cleaner cleans.

Quote:

Originally Posted by sammyg

RF:
I did not catch your last message. Did you mean that CCleaner is more thorough than ATF?
-sam