Win Firewall switched off on start up

A.Translator

[windows xp SP2 home]

Yesterday I was stupid enough to double click on an email attachment.
Immediately a window popped up warning me the Windows Firewall was switched off.

I switched the firewall back on
I ran an anti-virus scan
I ran Windows Defender
I ran HitmanPro which uses a large number of anti-virus and anti-spyware
programmes.

A few minor things were detected and removed.
However, the firewall still gets switched off when I restart the pc.

In c:\ I found two suspicious (?) files, one called "install.dat" with:

[install]
wt=1
extdata=ppcctoqi^^aedinvjmnm
dl=-1
stat=1
expdate=30-12-1899
expdate2=30-12-1899
act=0
regcksm=0
guid=9C170064-4F5B-4139-8137-D1AE363720C2

and one called "start.dat" with this content:

@echo off
del c:\windows\downlo~1\gb*.*
del c:\windows\downlo~1\*.g??
del c:\windows\downlo~1\g*.*

Are these two the culprits?
Can I remove them?

Is there anything else I should be looking for?

Help is much appreciated.
 
A.Translator

A.Translator wrote on 19-12-2007
[windows xp SP2 home]

Edit: I deleted the two dat files but the problem persists.
 
Elmo

A.Translator said:
A.Translator wrote on 19-12-2007
[windows xp SP2 home]

Edit: I deleted the two dat files but the problem persists.

Avast! alerted me to a virus in your first post.. I didn't look at it,
just let Avast! remove it from my machine.

Try one of these Virus Removal Tools; your current a/v may have been
compromised:

Avast! One tool for any current virus
http://www.avast.com/eng/avast-virus-cleaner.html

Symantec Virus Removal Tools
http://www.symantec.com/business/security_response/removaltools.jsp

F-Secure Virus Removal Tools
http://www.f-secure.com/download-purchase/tools.shtml

Kaspersky Virus Removal Tools
http://www.kaspersky.com/removaltools
 
A.Translator

Elmo wrote on 19-12-2007
Avast! alerted me to a virus in your first post..

A virus in my posting to this group?!
That would be very weird as I am using another pc.

Thanks.
 
PA Bear

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
A.Translator

PA Bear wrote on 19-12-2007
Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

I had to do several thorough scans to find that the culprit was abuse of
ltask.exe. At the moment everything seems fine, but I keep a close eye on
things.
 
PA Bear

A.Translator said:
PA Bear wrote on 19-12-2007

I had to do several thorough scans to find that the culprit was abuse of
ltask.exe. At the moment everything seems fine, but I keep a close eye on
things.

Suit yourself. I'd still recommend posting a HijackThis log to an appropriate
forum for review by someone experienced in such matters.

[To keep track of things, it helps immensely if you include all of the previous
message(s) in your replies to the newsgroup. Thank you.]
 
Elmo

A.Translator said:
Elmo wrote on 19-12-2007

A virus in my posting to this group?!
That would be very weird as I am using another pc.

Thanks.

Avast! panics when it sees script.. that might be what happened. Like I
said, I just deleted the post so I can't look at what actually happened.
I believe it was the "[install]" (etc.) that set it off:
 
A.Translator

Elmo wrote on 19-12-2007
Avast! panics when it sees script.. that might be what happened. Like I
said, I just deleted the post so I can't look at what actually happened. I
believe it was the "[install]" (etc.) that set it off:

Well, better safe than sorry!
 
A.Translator

PA Bear wrote on 19-12-2007
Suit yourself. I'd still recommend posting a HijackThis log to an appropriate
forum for review by someone experienced in such matters.

I have only just learnt of the existence of such forums and will send a log.
Thank you.

[To keep track of things, it helps immensely if you include all of the previous
message(s) in your replies to the newsgroup. Thank you.]

I agree, but a lot of people don't. In some groups you are told off for quoting
anything at all (because of people following the groups on web-based forums). I
have always used a newsreader and try to find a middle way by quoting only what
I think is relevant.
 
