Win Firewall switched off on start up

A.Translator

[windows xp SP2 home]

Yesterday I was stupid enough to double click on an email attachment.
Immediately a window popped up warning me the Windows Firewall was switched off.

I switched the firewall back on
I ran an anti-virus scan
I ran Windows Defender
I ran HitmanPro which uses a large number of anti-virus and anti-spyware
programmes.

A few minor things were detected and removed.
However, the firewall still gets switched off when I restart the pc.

In c:\ I found two suspicious (?) files, one called "install.dat" with:

[install]
wt=1
extdata=ppcctoqi^^aedinvjmnm
dl=-1
stat=1
expdate=30-12-1899
expdate2=30-12-1899
act=0
regcksm=0
guid=9C170064-4F5B-4139-8137-D1AE363720C2

and one called "start.dat" with this content:

@echo off
del c:\windows\downlo~1\gb*.*
del c:\windows\downlo~1\*.g??
del c:\windows\downlo~1\g*.*

Are these two the culprits?
Can I remove them?

Is there anything else I should be looking for?

Help is much appreciated.

--
Regards,
Adriana
[ throw away the garbage if you want to mail me ]
www.spinsister.nl
 
A.Translator wrote on 19-12-2007
> [windows xp SP2 home]


Edit: I deleted the two dat files but the problem persists.

> Yesterday I was stupid enough to double click on an email attachment.
> Immediately a window popped up warning me the Windows Firewall was switched
> off.


> I switched the firewall back on
> I ran an anti-virus scan
> I ran Windows Defender
> I ran HitmanPro which uses a large number of anti-virus and anti-spyware
> programmes.


> A few minor things were detected and removed.
> However, the firewall still gets switched off when I restart the pc.


> In c:\ I found two suspicious (?) files, one called "install.dat" with:


> [install]
> wt=1
> extdata=ppcctoqi^^aedinvjmnm
> dl=-1
> stat=1
> expdate=30-12-1899
> expdate2=30-12-1899
> act=0
> regcksm=0
> guid=9C170064-4F5B-4139-8137-D1AE363720C2


> and one called "start.dat" with this content:


> @echo off
> del c:\windows\downlo~1\gb*.*
> del c:\windows\downlo~1\*.g??
> del c:\windows\downlo~1\g*.*


> Are these two the culprits?
> Can I remove them?


> Is there anything else I should be looking for?


> Help is much appreciated.


--
Regards,
Adriana
[ throw away the garbage if you want to mail me ]
www.spinsister.nl
 
A.Translator wrote:
> A.Translator wrote on 19-12-2007
>> [windows xp SP2 home]

>
> Edit: I deleted the two dat files but the problem persists.
>
>> Yesterday I was stupid enough to double click on an email attachment.
>> Immediately a window popped up warning me the Windows Firewall was
>> switched off.

>
>> I switched the firewall back on
>> I ran an anti-virus scan
>> I ran Windows Defender
>> I ran HitmanPro which uses a large number of anti-virus and
>> anti-spyware programmes.

>
>> A few minor things were detected and removed.
>> However, the firewall still gets switched off when I restart the pc.

>
>> In c:\ I found two suspicious (?) files, one called "install.dat" with:

>
>> [install]
>> wt=1
>> extdata=ppcctoqi^^aedinvjmnm
>> dl=-1
>> stat=1
>> expdate=30-12-1899
>> expdate2=30-12-1899
>> act=0
>> regcksm=0
>> guid=9C170064-4F5B-4139-8137-D1AE363720C2

>
>> and one called "start.dat" with this content:

>
>> @echo off
>> del c:\windows\downlo~1\gb*.*
>> del c:\windows\downlo~1\*.g??
>> del c:\windows\downlo~1\g*.*

>
>> Are these two the culprits?
>> Can I remove them?

>
>> Is there anything else I should be looking for?

>
>> Help is much appreciated.


Avast! alerted me to a virus in your first post.. I didn't look at it,
just let Avast! remove it from my machine.

Try one of these Virus Removal Tools; your current a/v may have been
compromised:

Avast! One tool for any current virus
http://www.avast.com/eng/avast-virus-cleaner.html

Symantec Virus Removal Tools
http://www.symantec.com/business/security_response/removaltools.jsp

F-Secure Virus Removal Tools
http://www.f-secure.com/download-purchase/tools.shtml

Kaspersky Virus Removal Tools
http://www.kaspersky.com/removaltools

--
Joe =o)
 
Elmo wrote on 19-12-2007
> Avast! alerted me to a virus in your first post..


A virus in my posting to this group?!
That would be very weird as I am using another pc.

Thanks.

--
Regards,
Adriana
[ throw away the garbage if you want to mail me ]
www.spinsister.nl
 
Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L.ORG http://66.39.69.143/

A.Translator wrote:
> [windows xp SP2 home]
>
> Yesterday I was stupid enough to double click on an email attachment.
> Immediately a window popped up warning me the Windows Firewall was switched
> off.
> I switched the firewall back on
> I ran an anti-virus scan
> I ran Windows Defender
> I ran HitmanPro which uses a large number of anti-virus and anti-spyware
> programmes.
>
> A few minor things were detected and removed.
> However, the firewall still gets switched off when I restart the pc.
>
> In c:\ I found two suspicious (?) files, one called "install.dat" with:
>
> [install]
> wt=1
> extdata=ppcctoqi^^aedinvjmnm
> dl=-1
> stat=1
> expdate=30-12-1899
> expdate2=30-12-1899
> act=0
> regcksm=0
> guid=9C170064-4F5B-4139-8137-D1AE363720C2
>
> and one called "start.dat" with this content:
>
> @echo off
> del c:\windows\downlo~1\gb*.*
> del c:\windows\downlo~1\*.g??
> del c:\windows\downlo~1\g*.*
>
> Are these two the culprits?
> Can I remove them?
>
> Is there anything else I should be looking for?
>
> Help is much appreciated.
 
Re: Win Firewall switched off on start up solved

PA Bear wrote on 19-12-2007
> Run a /thorough/ check for hijackware, including posting your hijackthis log
> to an appropriate forum.


I had to do several thorough scans to find that the culprit was abuse of
ltask.exe. At the moment everything seems fine, but I keep a close eye on
things.

--
Regards,
Adriana
[ throw away the garbage if you want to mail me ]
www.spinsister.nl
 
Re: Win Firewall switched off on start up solved

A.Translator wrote:
> PA Bear wrote on 19-12-2007
>> Run a /thorough/ check for hijackware, including posting your hijackthis
>> log to an appropriate forum.

>
> I had to do several thorough scans to find that the culprit was abuse of
> ltask.exe. At the moment everything seems fine, but I keep a close eye on
> things.


Suit yourself. I'd still recommend posting a HijackThis log to an appropriate
forum for review by someone experienced in such matters.

[To keep track of things, it helps immensely if you include all of previous
message(s) in your replies to the newsgroup. Thank you.]
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L.ORG http://66.39.69.143/
 
A.Translator wrote:
> Elmo wrote on 19-12-2007
>> Avast! alerted me to a virus in your first post..

>
> A virus in my posting to this group?!
> That would be very weird as I am using another pc.
>
> Thanks.


Avast! panics when it sees script.. that might be what happened. Like I
said, I just deleted the post so I can't look at what actually happened.
I believe it was the "[install]" (etc.) that set it off:

--
Joe =o)
 
Elmo wrote on 19-12-2007
> Avast! panics when it sees script.. that might be what happened. Like I
> said, I just deleted the post so I can't look at what actually happened. I
> believe it was the "[install]" (etc.) that set it off:


Well, better safe than sorry!

--
Regards,
Adriana
[ throw away the garbage if you want to mail me ]
www.spinsister.nl
 
Re: Win Firewall switched off on start up solved

PA Bear wrote on 19-12-2007
> Suit yourself. I'd still recommend posting a HijackThis log to an appropriate
> forum for review by someone experienced in such matters.


I have only just learnt of the existence of such forums and will send a log.
Thank you.

> [To keep track of things, it helps immensely if you include all of previous
> message(s) in your replies to the newsgroup. Thank you.]


I agree, but a lot of people don't. In some groups you are told off for quoting
anything at all (because of people following the groups on web-based forums). I
have always used a newsreader and try to find a middle way by quoting only what
I think is relevant.

--
Regards,
Adriana
[ throw away the garbage if you want to mail me ]
www.spinsister.nl
 