Has anyone seen this before?
|
Original Message
|
Name: RDK67
Date: December 29, 2005 at 11:10:13 Pacific
Subject: Has anyone seen this before?
OS: XP Pro SP2
CPU/Ram: 2400+Athlon/2Gigs
Comment: I have run Spybot, Ad-Aware, CCleaner, CWShredder, BitDefender, and a lot of other free tools and cannot get rid of this. Please look at the photo I've attached. I also have an HJT log I can post later. I boot into safe mode and delete the files in the picture and they slowly re-appear.
|
Response Number 2
|
Name: Firehawk
Date: December 29, 2005 at 11:52:46 Pacific
|
Reply: Have you tried merely opening up an Internet Explorer browser window, then going to Tools, Internet Options, and hitting the Delete Cookies button? Follow that up with a Delete Files and make sure you check the box to delete all offline content. Then go back and see if the temp folder still has all that mess. Post back with how it turns out.
|
Response Number 4
|
|
Reply: What exactly is your concern? Temp files are created for every application you run, documents, spreadsheets, etc. and every webpage you visit. I don't see anything unusual... especially considering the number of icons you have in your System Tray. Deleting the temp files is a good idea, as eventually, you will have thousands of them just taking up space in your profile.
Soylent Green is PEOPLE!!!
|
Response Number 5
|
Name: RDK67
Date: December 29, 2005 at 14:02:00 Pacific
|
Reply: These temp files are trying to access the internet. Symantec is now blocking them when they try to go out on the internet. I cannot find what is causing these .exe's to populate in that temp folder. I know it is nothing that I have installed. I have been involved in computers since 1997 and I've never seen anything like this.
|
Response Number 6
|
|
Reply: You just have bots. Clean everything out again (cookies/temp internet cache/recent/windows temp/system restore/etc). In addition, clear the contents of your prefetch folder in Windows as well as system restore. You should also install and run HijackThis to manually clean up your registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run*. The bat and exe's are probably being created by a bot in system32 that generates randomly named spybots, which can be a pain. If this doesn't help, you can create a new profile and use it to see if it still occurs. If it doesn't follow you and you still cannot clear up the original profile, use the new one and delete the old one (after moving your data files).
|
Response Number 7
|
Name: Derek
Date: December 29, 2005 at 18:06:33 Pacific
|
Reply: There's a lot to be said for showing all file extensions and hidden files. You can look inside the batch files with a text editor without doing any harm. There might be a clue there somewhere.
DerekW
|
Response Number 8
|
Name: RDK67
Date: December 30, 2005 at 07:44:01 Pacific
|
Reply: This is what I've found out so far. Those .exe's are trying to access the internet every hour at 14 minutes past the hour. The batch files are nothing more than redirects for the .exe's. Here is an example:

    @echo off
    :try
    del C:\Documents and Settings\Robert\Local Settings\Temp\32401.exe
    if exist C:\Documents and Settings\Robert\Local Settings\Temp\32401.exe goto try
    del C:\DOCUME~1\Robert\LOCALS~1\Temp\8A1.bat

I downloaded and ran the RootkitRevealer program from sysinternals.com. This program revealed the following:

    C:\34.exe  12/29/2005 7:14 PM  3.43 KB  Hidden from Windows API.
    C:\Documents and Settings\Robert\Local Settings\Temp\B92.tmp  12/29/2005 7:14 PM  0 bytes  Hidden from Windows API.
    C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\KLSH078R\gdnUS2176[1].exe  12/29/2005 7:14 PM  13.53 KB  Hidden from Windows API.
    C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\RJQRSEFP\tp[1].htm  12/29/2005 7:14 PM  112 bytes  Hidden from Windows API.
    C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\TW57JJIX\aconnect[1]  12/29/2005 7:14 PM  229 bytes  Hidden from Windows API.
    C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\TW57JJIX\CAC96X05.HTM  12/29/2005 7:14 PM  0 bytes  Hidden from Windows API.
    C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\TW57JJIX\fr[1].htm  12/29/2005 7:14 PM  274 bytes  Hidden from Windows API.
    C:\nop.exe  12/29/2005 7:14 PM  1.00 KB  Hidden from Windows API.
    C:\WINDOWS\Prefetch\12429.EXE-0528DC76.pf  12/29/2005 7:14 PM  20.88 KB  Hidden from Windows API.
    C:\WINDOWS\Prefetch\34.EXE-0AFAB13F.pf  12/29/2005 7:14 PM  8.67 KB  Hidden from Windows API.
    C:\WINDOWS\Prefetch\NOP.EXE-193A9C84.pf  12/29/2005 7:14 PM  2.04 KB  Hidden from Windows API.

I have deleted all instances that were found above. Symantec found something called Dialer.DialPlatform on my computer and I removed it.
But I'm still getting those pesky .exe's and batch files. Anyone have any more ideas? Also thanks for all the responses so far!
|
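A triage sketch over the RootkitRevealer rows quoted in Response Number 8, added here as an example and not part of the original thread: it parses each row and matches the Prefetch entries (execution traces named IMAGE-HASH.pf) against the hidden executables, showing which images ran and which are no longer listed on disk. The function names and result groupings are assumptions of this example.

```python
import re
from ntpath import basename  # handles backslash paths on any OS

# Rows copied from the listing in the post (path, date, time, size, description).
REPORT = r"""
C:\34.exe 12/29/2005 7:14 PM 3.43 KB Hidden from Windows API.
C:\Documents and Settings\Robert\Local Settings\Temp\B92.tmp 12/29/2005 7:14 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\KLSH078R\gdnUS2176[1].exe 12/29/2005 7:14 PM 13.53 KB Hidden from Windows API.
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\RJQRSEFP\tp[1].htm 12/29/2005 7:14 PM 112 bytes Hidden from Windows API.
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\TW57JJIX\aconnect[1] 12/29/2005 7:14 PM 229 bytes Hidden from Windows API.
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\TW57JJIX\CAC96X05.HTM 12/29/2005 7:14 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Content.IE5\TW57JJIX\fr[1].htm 12/29/2005 7:14 PM 274 bytes Hidden from Windows API.
C:\nop.exe 12/29/2005 7:14 PM 1.00 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\12429.EXE-0528DC76.pf 12/29/2005 7:14 PM 20.88 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\34.EXE-0AFAB13F.pf 12/29/2005 7:14 PM 8.67 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\NOP.EXE-193A9C84.pf 12/29/2005 7:14 PM 2.04 KB Hidden from Windows API.
"""

# Paths contain spaces, so anchor on the date/time/size fields that follow the path.
ROW = re.compile(r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
                 r"(?P<size>[\d.]+ (?:bytes|KB|MB))\s+(?P<desc>.+)$")
PREFETCH = re.compile(r"^(?P<image>.+)-[0-9A-F]{8}\.pf$", re.I)

def parse(report):
    return [m.groupdict() for m in map(ROW.match, report.strip().splitlines()) if m]

def triage(rows):
    """Correlate hidden executables with Prefetch traces by image name."""
    on_disk, executed = {}, set()
    for row in rows:
        name = basename(row["path"])
        pf = PREFETCH.match(name)
        if pf and "\\prefetch\\" in row["path"].lower():
            executed.add(pf["image"].lower())       # image was launched at least once
        elif name.lower().endswith(".exe"):
            on_disk[name.lower()] = row["path"]     # hidden executable still listed
    return {
        "ran_and_present": sorted(p for n, p in on_disk.items() if n in executed),
        "ran_but_missing": sorted(executed - set(on_disk)),
        "present_no_trace": sorted(p for n, p in on_disk.items() if n not in executed),
        "minutes": sorted({r["time"].split(":")[1][:2] for r in rows}),
    }

if __name__ == "__main__":
    for group, items in triage(parse(REPORT)).items():
        print(group, items)
```

The image that ran but is missing from the listing is the kind of file the quoted batch script removes from Temp before deleting itself, and every row carries the same minute the poster observed for the hourly connection attempts.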
Response Number 9
|
Name: Derek
Date: December 30, 2005 at 16:17:39 Pacific
|
Reply: Until someone who is expert at interpreting HJT logs comes along, have you tried putting it in here?: HJT DETECTIVE and/or here?: IAMNOTAGEEK ANALIZER and/or here?: GERMAN ANALYZER
Finally, I only have half an idea what I'm talking about, but mention of Rootkit makes me worry about whether you've been using Sony CDs with MediaMax DRM copy protection software? I gather that makes it easy for hackers to hide stuff from you.
DerekW
|
Response Number 11
|
Name: RDK67
Date: December 31, 2005 at 05:23:44 Pacific
|
Reply: Update!!! I have finally gotten everything cleaned off. I no longer have those .exe's populating the temp folder. All my scans are coming back clean. Thanks for all your help.