Hi everyone, I have googled my problem but can't find anything, so am I the first one?
There is a task constantly running in my processes, called tkew00.exe.
There are plenty of them running; when I try to kill one, the list of them running multiplies
all the time and my CPU is flat out (100%).
When I do a search for tkew00*, Windows finds a file called tkew00.exe-235798.pf in a folder called
c:\windows\prefetch.
When I do an <explore from here> on this file, it takes me to a folder where lots of the above files
with different numbers exist. I delete them, but the problem persists. Any ideas?
+1
It is very possible that you have a new virus, but the more likely answer is that the file you are searching for has been randomly named by whatever infection you have. Viruses and malware tend to do this to avoid detection by conventional means.
To check, please do the following.
Please read through these instructions and print them out if needed. If you have any questions, please ask them before starting this procedure. Please do the steps in the order that they are listed for the best results. Also, although it may seem like the infection is cleaned after performing these steps, please stay with me until I let you know that your machine is "all-clear" for best results.
Here is what I need you to do. First of all, download DDS from here and save it to your desktop.
Next, download GMER from here. Be sure to click the button marked "Download EXE" to download GMER as a randomly named .exe file. This is needed as some rootkits look for and hide from GMER or prevent it from running.
Once you have both of those downloaded, please disable any script blocking program you might have and run DDS.scr. When it is done, DDS will open two (2) logs. They are named DDS.txt and Attach.txt. Please save both reports to your desktop.
Then run GMER. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO. In the right panel, you will see several boxes that have been checked for you. Please Uncheck the following boxes: Sections, IAT/EAT, any Drives/Partitions other than the Systemdrive (typically C:\), and Show All (be sure not to miss this one!) Now click on the Scan button and wait for it to finish. Once it is done scanning, click the "Save..." button and in the file name area type in gmerscan.txt.
Please copy and paste the contents of the dds.txt log to this thread. As for the attach.txt log and gmerscan.txt logs, please send them as an attachment to the email address I have provided for you in the private message that I just sent you.
Once I have a chance to check these logs I will be able to better determine what our next steps should be.
If you have any questions, please let me know.
------
MOS Master Certified
MCP Certified
CCNA Certificate Pending
A+ Certificate Pending
"I have gone to find myself. If I get back before I return, please tell myself to wait."
+1
Hi,
I would appreciate an explanation as to why we are doing each step, instead of just blindly doing it.
For example, why should I download a screen saver file (.scr)?
The Sophos web site declares the DDS file you are asking me to download as a virus...
Also, why should I publish one file here, but send you the other ones privately?
Just FYI, I am an IT person (not an expert in viruses though...).
+1
Not a problem.
The first file that I have you downloading and running is not a screen saver, even though the program is packed that way. If you would like, I can send you links to it packed as a .pif file. The reason why it is packed like that is to allow the program to run without being infected by viruses that attach to .exe and .com files. DDS is actually an executable script file that runs a pseudo HijackThis scan along with another scan to show the running processes, any start up processes or files, registry files, BHO, DPF, what antivirus (if any), and some basic info on any files that have been added or changed in the past 30 days.
The second program, GMER, is a RootKit detection utility. The reason why we uncheck some of the boxes before we run the scan is not only to decrease the amount of time that the scan takes to run, but also to remove some of the areas where most of the false positives can occur. This is also why I said not to take any action yet on anything that might come up on these scans.
The entire reason why we do this first is so that I can see what we might be dealing with. Once I know that, I will be able to better plan the removal process, as some tools that work on one infection might not work on another and may even cause major data loss.
As for why I said to email the GMER and Attach logs to me, well, it is easier than clogging up the thread with all that text. Some of the other forums that I help out on have a way to attach files to the post, so I have people do that, but unfortunately there is no way to do that here. If you would like to cut and paste all the logs into this thread, you are free to do so.
I, too, am an IT consultant by day, so I know what it can be like to just be asked to blindly follow directions. :) If you want any other information, or have any other questions, please do not hesitate to ask me.
------
MOS Master Certified
MCP Certified
CCNA Certificate Pending
A+ Certificate Pending
"I have gone to find myself. If I get back before I return, please tell myself to wait."
+1
In that case, thanks very much for taking the time and effort to help me.
First I will try to explain what I don't want to do, and secondly I will describe what I have already
done and try to break down the problem.
I am extremely reluctant to start doing things with programs that I have not used before, because
if something happens to this PC I am totally screwed. This PC is the main connection point
for the wireless network around home and the ADSL wireless router is connected to it.
From there we all have our wireless connections to the Internet. My laptops, the kids' laptops, the wife's laptop
and so on. I am not really bothered that much about using this PC as a normal PC as I have a laptop for work,
another laptop for multimedia etc. What I am trying to say is that if I don't use this PC as a normal PC it does not
bother me that much AS LONG AS IT CAN PROVIDE ME WITH AN INTERNET CONNECTION POINT for all the other computers
used around the house.
So, I'd rather try to do things manually. I know it takes time but at least I know exactly what I am doing and what
I have done. If I start using programs that I have not used in the past and I'm not sure about their functionality,
I am worried something bad will happen and I will lose my internet connection.
Now I will try to explain what I have done until now, and try to take it one step at a time.
Firstly I got rid of the banner shouting infection-warning etc. I am not sure if that was the
reason that the CPU was running flat out at 100%. If it wasn't, the warning message was just a nuisance and not really
affecting any functionality. To be honest I cheated, I didn't really fix it.
What I did: I created another administrator account called administrator2. I copied and pasted from account administrator1 all my shortcuts and desktop icons,
and now when I log onto the system using the account administrator2 I don't get the silly message about infection etc.
Then I went into the registry and I did all the usual stuff for re-enabling the Browse button on my desktop (policies, deleted active desktop folder etc.).
When I check the running processes via the task manager I get no multiple instances of the tkew00.exe and everything seems almost normal.
I say almost because rundll32.exe is running and I don't know if this should be the case or not.
The CPU load oscillates from 3% -> 100% up and down every 5 secs approx, but this does not really seem to affect the actual speed
of the system, as when I click and double click or right click on objects the response is quite good (or adequate for me).
Which makes me think that although the system is reporting CPU load 100%, it does not really seem like 100%.
(Because when I was clicking on objects under account administrator1 it was taking about 5 secs for a window to open.)
So I can live with this too. The big problem is that Internet Explorer will not connect to any web page (this under the new account, administrator2).
Under the previous account, administrator1 (that I now don't use because of the silly banner warning about infection etc.), Internet
Explorer will connect to my home page but not to any other web page..
WHY?
Both accounts use the same Internet Explorer program. Why does one account connect to only one web page and the other account to none?
Obviously(?) the Internet Explorer program has been corrupted(?).
The obvious thing would be to copy a fresh IExplorer.exe....
Or do you have anything else to suggest, in case the above train of thought is wrong?
I think if I can resolve this issue, I could come back and investigate the 100% CPU load issue..
While I am waiting for your reply to the above, I will study your response.
Thanks again
+1
Hi Yannis. You are definitely dealing with some virus. Viruses use
C:\windows\prefetch as an autostart method.
If you know how to explore the Windows registry I can give you the exact location and what you will need to change, BUT (BE CAREFUL, BECAUSE EVERY CHANGE TO YOUR REGISTRY CAN DAMAGE YOUR SYSTEM; only if you are 100% sure that you can do that). If you don't know or you are not sure, I can make a little soft for you to fix that problem.
Sorry for my bad English. AlexK
BalkanPro
+1
I know how to explore and change things in the registry (regedit) BUT I DON'T KNOW what I need to change...
I am aware of the damage changes to the registry can do, that's why I am nervous. Tell me what you think..
BTW, have you identified what my problem is?
Sorry, where are you based?
+1
Go to the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
On the right side look for a key named: EnablePrefetcher
This decides if and how prefetch runs; here are the values and what they do:
0: Disable
1: Prefetch when an application runs
2: Prefetch on startup or bootup
3: Always Prefetch
I personally think that you should set the value to 0 (Disable).
Delete everything in the prefetch folder and then reboot your system.
After that go to the prefetch folder and see if there is anything there. It must be empty (always).
These are some autostart methods that are usually used by viruses:
// reg run (all Windows systems)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
// reg runservices (all Windows systems)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices
// this is called the sub7 method
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
look for the key "system"; by default it must be empty
// System ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
look at the value "shell"; by default it must be explorer.exe
// similar to the Run key from HKEY_CURRENT_USER (all Windows systems)
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
// reg VxD (all Windows systems)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD
look at the value "StaticVXD"
// when the screensaver is executed
HKEY_CURRENT_USER\Control Panel\Desktop
value "SCRNSAVE.EXE"
// executed when a user logs in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
value "userinit"; by default it must be "C:\WINDOWS\system32\userinit.exe,"
// executed by explorer as soon as it has loaded
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
// subvalues are executed when explorer initialises
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Also try to search the registry for "tkew00.exe".
When you find the value, don't delete it. Tell me first where it is and I can tell you what you can do.
AlexK
BalkanPro
+1
Thanks, I will try. I assume this procedure will prevent a virus from running, BUT
it will not clear any infections that it has already produced, will it?
+1
No. But try to find him in the registry, because viruses have more than one autostart method.
That's why I have given you almost all autostart methods.
+1
One more thing. If you can, zip the file "tkew00.exe", encrypt the zip file with a password and send it to me via mail at alexk@balkanpro.com.
I will explore the code and see the virus activity.
:)
AlexK
BalkanPro
+1
Will do (if I find it...).
Such a crap operating system if people can tamper with files and directories like that...
+1
I will happily bow out of this thread since AlexK47 seems to be helping you out.
Just FYI. The scans that I was going to have you run would do the exact same thing that you are doing manually now and would give you a nice little printout of exactly what was found where. The 2 scans I asked you to run were both COMPLETELY non-invasive, passive scans. They did not change anything, but simply gave you information about what you would be dealing with.
Also, as an IT consultant, I have a hard time figuring out why you would be using a computer to share your internet connection when a good router with built in firewall is inexpensive and would do the job much better.
As I said, I am happy to let AlexK47 take over this question from here. Good luck cleaning off your machines. I hope you are able to rid yourself of whatever is infecting it.
------
MOS Master Certified
MCP Certified
CCNA Certificate Pending
A+ Certificate Pending
"I have gone to find myself. If I get back before I return, please tell myself to wait."
+1
Maybe I didn't phrase it properly. I do have a router connected to the computer that got infected..
+1
> // reg run (all Windows systems)
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
What am I checking for here?
> // reg runservices (all Windows systems)
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices
What am I checking for here?
> // this is called the sub7 method
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
> look for the key "system"; by default it must be empty
That was OK.
> // System ini
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
> look at the value "shell"; by default it must be explorer.exe
Yes it was.
> // similar to the Run key from HKEY_CURRENT_USER (all Windows systems)
> HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
What am I checking for here?
> // reg VxD (all Windows systems)
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD
> look at the value "StaticVXD"
I do not have a folder called Services under CurrentControlSet.
> // when the screensaver is executed
> HKEY_CURRENT_USER\Control Panel\Desktop
> value "SCRNSAVE.EXE"
Here there is a key called SCRNSAVE.exe with value c:\windows\ystem32\logon.scr
> // executed when a user logs in
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
> value "userinit"; by default it must be "C:\WINDOWS\system32\userinit.exe,"
It is.
> // executed by explorer as soon as it has loaded
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Not sure what you want me to do here.
> // subvalues are executed when explorer initialises
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Not sure what you want me to do here.
> Also try to search the registry for "tkew00.exe".
> When you find the value, don't delete it. Tell me first where it is and
I had originally done a search on this file from Windows Explorer and didn't find anything.
I am now doing it from within the registry.
It's taking ages....
Oops, just found it. There is a folder called startupreg under
HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MsConfig. In this folder there are 6 keys, namely:
Default, value not set
command, value c:\windows\temp\tkew00.exe
hkey, value HKCU
inimapping, value 0
item, value tke00
key, value SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Under these folders there are lots of other folders with the same number of keys.
The data values for the keys in these folders are different for 2 out of the 6 keys, namely command and item.
Are we getting closer?
Will email you screen dumps in a Word file. Yannis
+1
I have now found the same registry folder on my laptop, and of course it is totally different...
The command and item keys are empty...
There are also some folders with names like alphanumeric character sets, and also some other ones with names like "windows resurections" (note: resurections is spelt incorrectly..)
that have tkww00.exe as the value for the item key.
This is what I think I should do, but will not do yet, until some people tell me it is the correct thing to do...
1) Delete the values from the command and item keys in folder startupreg
2) Delete all folders that have the string tkew00.exe as a value in any of their keys...
Yes?
+1
Congratulations, you found him :)
Under
HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MsConfig you must have these keys:
services (must be empty)
startupfolder (must be empty)
startupreg (must be empty)
state (must have these values:
bootini
services
startup
system.ini
win.ini)
All other keys or values you must delete.
When you did a search, did you check "search hidden files and folders"?
Can you see hidden files? AlexK
+1
Is it definite that I must delete everything under startupreg?
A few entries look legal, like something to do with my Hewlett Packard printer, Adobe Photoshop, MSN Messenger...
I did not specify "look for hidden files"; I did a search from within the registry and this is how I found them..
This search must look for hidden files by default, because I remember when I originally discovered tkw00.exe from the task manager, I did a search from Windows Explorer and the file was not found.. Today when I looked into c:\windows\temp the file tkw00.exe was hidden...
I don't have any more time now until Monday and then I am away for a week, which means the infected PC will not be with me, but I'll study some more and do something when I come back. Are the answers you have given me about the registry entries definite?
Thanks Alex
+1
If you want to fix that problem faster, go to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MsConfig, then right click, then Export. Save the registry key somewhere on the computer. Compress it with zip or WinRAR and then send it to me via mail at alexk@balkanpro.com.
I will fix it and then send it to you. When you get it back all you need to do is click on the registry key, but first you must kill the process tkew00.exe, then delete it from c:\windows\temp.
That will be all and your computer is clean for now ;)
Bye, AlexK
BalkanPro
+1
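As an added example (not code from this thread, nor from any tool named in it), here is a small Python script that parses the kind of .reg file regedit writes when you export the MsConfig key as AlexK suggests, lists the startupreg entries in the six-value layout Yannis described (Default, command, hkey, inimapping, item, key), and flags any whose command names the reported file or launches from a temp directory. The sample .reg text is constructed for this example: the "hpprinter" entry, the subkey names and the exact command strings are assumptions; only the file name tkew00.exe and its c:\windows\temp location come from the thread. Reviewing the export this way lets you see what is there before deciding what to delete, without touching the live registry.

```python
import re

# Constructed sample of a regedit export ("right click -> Export") of the
# MsConfig\startupreg key discussed in the thread. The "hpprinter" entry, the
# subkey names and the exact command strings are made up for this example;
# only the file name tkew00.exe and its c:\windows\temp location come from
# the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MsConfig\startupreg]

[HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MsConfig\startupreg\hpprinter]
@=""
"command"="\"C:\\Program Files\\HP\\hpprinter.exe\" /quiet"
"hkey"="HKLM"
"inimapping"="0"
"item"="hpprinter"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

[HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MsConfig\startupreg\windows resurections]
"command"="c:\\windows\\temp\\tkew00.exe"
"hkey"="HKCU"
"inimapping"="0"
"item"="tkew00"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

[HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MsConfig\startupreg\a8f3k2]
"command"="C:\\WINDOWS\\Temp\\tkew00.exe"
"hkey"="HKCU"
"inimapping"="0"
"item"="tkew00"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
'''

MSCONFIG_STARTUPREG = r'HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MsConfig\startupreg'

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=data  or  @=data (the (Default) value). data may be a quoted string,
# dword:..., hex:... and so on; only quoted strings are unescaped below.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# A command launched out of a ...\temp\ or ...\tmp\ directory.
TEMP_DIR_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)


def unescape(s):
    # Undo .reg string escaping: a backslash-escaped character stands for itself.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse the string-value subset of regedit's .reg export format.

    Returns {key_path: {value_name: data}}. The (Default) value is stored
    under the name '(Default)'. Non-string data (dword:, hex:) is kept raw.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) is None else unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys


def startupreg_entries(keys, root=MSCONFIG_STARTUPREG):
    """Yield (subkey_name, values) for every entry directly under startupreg."""
    prefix = root.lower() + '\\'
    for path, values in keys.items():
        if path.lower().startswith(prefix):
            yield path[len(prefix):], values


def suspicious_entries(keys, bad_names=('tkew00.exe',)):
    """Return [(subkey, command, reasons)] for entries worth a closer look:
    a command that names a known-bad file, or one launched from a temp
    directory (a common place for a dropped executable)."""
    hits = []
    for subkey, values in startupreg_entries(keys):
        cmd = values.get('command', '')
        reasons = []
        if any(n.lower() in cmd.lower() for n in bad_names):
            reasons.append('known name')
        if TEMP_DIR_RE.search(cmd):
            reasons.append('runs from temp dir')
        if reasons:
            hits.append((subkey, cmd, reasons))
    return hits


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    for subkey, values in startupreg_entries(parsed):
        print(f'{subkey}: item={values.get("item")!r} command={values.get("command")!r}')
    print('--- flagged ---')
    for subkey, cmd, reasons in suspicious_entries(parsed):
        print(f'{subkey}: {cmd}  [{", ".join(reasons)}]')
```

To use it on a real export, replace SAMPLE_REG with the file contents (regedit writes .reg files as UTF-16 with a BOM, so open the file with `encoding='utf-16'`). The "hpprinter" entry is listed but not flagged, which is the point: an entry is only worth removing when its command points somewhere it should not, not merely because it sits under startupreg.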
Google for the software called Winpooch.
It can solve a variety of problems by making your own rules. Like, it can prevent a process from making a specific registry entry, writing files and folders, etc.
The first rule should be against EXE writing.. PE infection. napstr (India)
+1
Winpooch is not compatible with all Windows versions.
Specifically, it won't work on Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.585
(Windows XP SP 3). AlexK
BalkanPro
+1
Yeah.. that's true..
Then try ThreatFire from PC Tools.
But it doesn't have the Feign Reaction.