machine acting strange


209 replies to this topic

#91 Gator (Authentic Member, 121 posts)

Posted 09 November 2008 - 04:19 PM

Was using the firewall inside the Trend Internet Security suite, and since I can not get it to open I have no idea if the firewall is active or not. Looked at the windows\temp folder and there are now 4 .exe files. They are winexveer.exe, winhbbxid.exe, winirjk.exe and winjrtt.exe. Would be strange if they now showed up in a scan as being in place of the "c:\Windows\temp\winveus.exe" and winlrgjh.exe shown in your last post.


#92 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 November 2008 - 04:24 PM

click Start> Control Panel > open Security Center. If there's no Firewall ON, turn Windows Firewall ON.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to paypal.gif for the help you received.

Proud graduate of TC/WTT Classroom


#93 Gator (Authentic Member, 121 posts)

Posted 09 November 2008 - 04:31 PM

It told me that the Trend Internet Security firewall was on and that virus protection is on.

#94 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 November 2008 - 04:57 PM

(Make sure Internet Explorer is NOT open when trying this.) Launch HijackThis, click 'Open Misc Tools Section' -> 'Open hosts file manager'. Delete every line (select each line and click 'Delete line(s)') except the very first top lines beginning with # and:

127.0.0.1 localhost

Once finished, click the 'Open in Notepad' button. It should look like this:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost

If it doesn't, or it was already like it, then please tell us.



#95 Gator (Authentic Member, 121 posts)

Posted 09 November 2008 - 05:15 PM

Did as you requested except stopped when I clicked on open hosts file manager, and the only listed file was 127.0.0.1 localhost. Strange thing is that the text just above the file listing states "c:\Windows\system32\drivers\etc\hosts (2 lines, A)" as the location for the file.

#96 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 November 2008 - 05:27 PM

This is where it's located (NOTE: this file has no extension). You can open it with Notepad.

Windows XP: C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS



#97 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 November 2008 - 05:30 PM

Let's try something. Shut down the PC and disconnect / unplug your internet connection. Reboot and see if you can delete those temp files, and also see if you get any message that X is trying to connect to the internet.



#98 Gator (Authentic Member, 121 posts)

Posted 09 November 2008 - 05:34 PM

Looked at it in Notepad and found the same as before. The only thing I found funny was that it was telling me 2 lines when only one was showing. Any more instructions tonight? Am going to have to stop in a few mins and get ready for a 3 am rise.
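The check LDTate describes in post #94 (the hosts file should contain only the Microsoft comment header and the single mapping 127.0.0.1 localhost) and the "2 lines" puzzle in posts #95 and #98 can both be made mechanical. The script below is an added example and is not part of the thread or of HijackThis; it parses hosts-file text, reports the raw line count (a trailing blank line counts, which is the usual reason a tool reports one more line than is visible) and flags two classes of tampering: a hostname pointed at a non-local address (a redirect) and a hostname other than localhost pointed at loopback (the site is blackholed, the classic way to block security-vendor update sites). Both sample files and every hostname in them are constructed placeholders.

```python
import ipaddress

# Hostnames a stock Windows hosts file legitimately maps to loopback.
# Any other name sent to 127.0.0.1 / ::1 is a candidate hijack.
EXPECTED_LOOPBACK_NAMES = {"localhost"}

# Constructed sample: the stock Microsoft header, one real mapping and a
# trailing blank line (which is why a tool can report "2 lines" when only
# one mapping is visible in the editor).
CLEAN_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1 localhost\n"
    "\n"
)

# Constructed sample of a tampered file; the hostnames are placeholders.
TAMPERED_HOSTS = CLEAN_HOSTS + (
    "127.0.0.1 updates.security-vendor.example.com\n"
    "10.0.0.5 www.bank.example.com  # constructed: redirect to a foreign host\n"
)


def parse_hosts(text):
    """Return (lineno, ip, [hostnames]) for every non-comment, non-blank line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = (parts[0], parts[1:]) if len(parts) > 1 else (None, parts)
        entries.append((lineno, ip, names))
    return entries


def audit_hosts(text):
    """Classify every mapping; returns the raw line count and a list of findings.

    Each finding is (lineno, kind, ip, hostnames) with kind one of
    'malformed', 'non-loopback' or 'loopback-hijack'.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except (ValueError, TypeError):
            findings.append((lineno, "malformed", ip, names))
            continue
        if not addr.is_loopback:
            # Name sent to a non-local address: possible redirect of a real site.
            findings.append((lineno, "non-loopback", ip, names))
            continue
        extra = [n for n in names if n.lower() not in EXPECTED_LOOPBACK_NAMES]
        if extra:
            # Name blackholed to loopback: the site becomes unreachable.
            findings.append((lineno, "loopback-hijack", ip, extra))
    return {"lines": len(text.splitlines()), "findings": findings}


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_HOSTS), ("tampered", TAMPERED_HOSTS)):
        report = audit_hosts(sample)
        print(f"{label}: {report['lines']} lines, {len(report['findings'])} finding(s)")
        for finding in report["findings"]:
            print("  line %d: %s %s %s" % finding)
```

To audit a real machine, read C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS (the path LDTate gives in post #96) into a string and pass it to audit_hosts; an empty findings list means the file contains nothing beyond comments and the localhost mapping.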

#99 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 November 2008 - 05:35 PM

I'm sure there was a blank line; that is why. Tomorrow try my suggestion above.



#100 Gator (Authentic Member, 121 posts)

Posted 09 November 2008 - 05:38 PM

Ok will be about 5:30 tomorrow. Thanks for the help today.


#101 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 November 2008 - 05:55 PM

Ok will be about 5:30 tomorrow.

Thanks for the help today.

Maybe another helper will see something we missed :thumbup:



#102 Gator (Authentic Member, 121 posts)

Posted 10 November 2008 - 04:52 PM

Disconnected the internet connection. Rebooted computer. Went right to the temp folder and there were no .exe files there. Monitored for over 5 mins and no appearance of generated files. No message to indicate that there was an attempt by any program to access the internet. Checked prefetch folder and all of the previous .exe file names were referenced there as .pf files. Reconnected internet and monitored temp folder. No .exe files appeared in approx. 5 mins. Shut computer down and it did not shut down without displaying a dialog box stating that dwwin.exe failed to initialize. Then the sprtcmd.exe ending program box appeared. Rebooted computer and went to temp folder. There were 2 .dat, 2 .txt and 1 .settings file. After about 30 sec one of the .dat files disappeared. In approx. 30 more seconds the computer accessed the internet, as indicated by the pattern of lights on the modem, and two .exe files appeared in the temp folder.

Edited by Gator, 10 November 2008 - 04:59 PM.


#103 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 10 November 2008 - 04:57 PM

Checked prefetch folder and all of the previous .exe file names were referenced there as pf files.

Wow.

If you run ATF cleaner it should remove all the prefetch files and temp files.
If temp files are still there after reboot, delete them.

When you reboot windows will rebuild the prefetch.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.



#104 Gator (Authentic Member, 121 posts)

Posted 10 November 2008 - 05:23 PM

Included some info in my last post just as you were posting. It was that when the computer shut down in the previous steps, a dialog box appeared stating that dwwin.exe failed to initialize, then the sprtcmd.exe ending program dialog box appeared. Downloaded and ran ATF Cleaner. Rebooted computer and monitored prefetch folder and the temp folder. There were only a couple of files in the prefetch, one having to do with ATF Cleaner. There were 2 .dat, 2 .txt and one .settings in the temp folder. Then the machine accessed the internet and two additional prefetch files appeared in the prefetch folder. I went to the temp folder and two .exe files appeared; the names in both folders were the same except for the extensions.
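Gator's observation in posts #102 and #104, that every dropped .exe in windows\temp leaves a matching entry in the Prefetch folder and that the entries survive the deletion of the .exe, is worth automating because the prefetch record is what proves a file actually executed. The script below is an added example, not code from the thread or from ATF Cleaner. It assumes the standard Windows prefetch naming scheme (NAME.EXE-<8 hex digits>.pf, the hex part being a hash of the executable's path) and uses two constructed directory listings built from the file names reported in the thread; the hashes are placeholders, and the "win + random letters" dropper pattern is a heuristic taken from this thread's names only, not a general indicator.

```python
import os
import re

# Windows names each prefetch record "<EXE NAME>-<8 hex digit path hash>.pf".
PF_NAME = re.compile(r"^(?P<exe>.+?)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Naming pattern of the dropped files reported in this thread (winveus.exe,
# winlrgjh.exe, winexveer.exe, ...). Thread-specific heuristic, nothing more.
DROPPER_PATTERN = re.compile(r"^win[a-z]{4,8}\.exe$", re.IGNORECASE)

# Constructed listings; the prefetch hashes are placeholders.
TEMP_LISTING = ["winexveer.exe", "winhbbxid.exe", "winirjk.exe", "winjrtt.exe",
                "a1b2.dat", "c3d4.dat", "log.txt", "trace.txt", "app.settings"]
PREFETCH_LISTING = ["WINEXVEER.EXE-0A1B2C3D.pf", "WINHBBXID.EXE-11223344.pf",
                    "WINVEUS.EXE-55667788.pf", "ATF-CLEANER.EXE-99AABBCC.pf",
                    "NOTEPAD.EXE-DEADBEEF.pf", "Layout.ini"]


def exe_from_prefetch(name):
    """Executable name (lower-case) recorded by a prefetch file, or None."""
    m = PF_NAME.match(name)
    return m.group("exe").lower() if m else None


def correlate(temp_entries, prefetch_entries):
    """Match .exe files in the temp folder against prefetch records."""
    temp_exes = {n.lower() for n in temp_entries if n.lower().endswith(".exe")}
    pf_exes = {e for e in map(exe_from_prefetch, prefetch_entries) if e}
    return {
        # dropped and already executed at least once
        "executed": sorted(temp_exes & pf_exes),
        # present on disk but no prefetch record yet
        "not_yet_run": sorted(temp_exes - pf_exes),
        # prefetch says it ran but the file is gone: the evidence outlives the cleanup
        "ran_then_deleted": sorted(e for e in pf_exes - temp_exes
                                   if DROPPER_PATTERN.match(e)),
    }


def snapshot(path):
    """Directory listing; empty when the path is absent (e.g. not on Windows)."""
    try:
        return os.listdir(path)
    except OSError:
        return []


if __name__ == "__main__":
    print(correlate(TEMP_LISTING, PREFETCH_LISTING))
    if os.name == "nt":
        # Live run on the folders discussed in the thread.
        print(correlate(snapshot(r"C:\Windows\Temp"), snapshot(r"C:\Windows\Prefetch")))
```

Taking a snapshot of both folders before and after a reboot, as Gator did by hand, and diffing the two correlate() results shows which droppers ran during the boot sequence; that is also why a cleaner that wipes Prefetch should be run only after the names have been recorded.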

#105 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 10 November 2008 - 05:33 PM

Be sure to use the correct file name if it's different from this.

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

c:\Windows\temp\winveus.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.


If Jotti is too busy you can try these.

http://www.kaspersky...anforvirus.html


http://www.virustota.../en/indexf.html
