Author Topic: winusr.exe loaded by win.ini file  (Read 8012 times)


gbo

  • Guest
winusr.exe loaded by win.ini file
« on: November 30, 2004, 12:50:46 AM »
The following line was added (by what?) at the end of my C:\Windows\win.ini file, and the PC became very slow:

[Windows]
Run=WinUsr.exe

1) the corresponding file "C:\Windows\WinUsr.exe" is a 58 KB application with "Windows User Module" as description & Copyright (C) Microsoft Corp. 1997!
2) a search on Microsoft's site returned nothing
3) a search on Google & others returned a few questions and no answers
4) a search on avast, Symantec & others returned nothing
 
win.ini was not modifiable any more.

To solve the problem:
a) restart in safe mode
b) remove Run=WinUsr.exe from win.ini
c) restart in normal mode
d) remove winusr.exe
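
The persistence mechanism in this post is the legacy [windows] section of win.ini, whose Run= and Load= keys still start programs at logon on XP for 16-bit compatibility and are easy to overlook. The checker below is an added example, not code from the thread or from any of the tools mentioned in it; it parses a constructed win.ini text (a typical XP file plus the Run=WinUsr.exe line from this post) and lists every program those two keys would launch, so a defender can spot an entry that should not be there.

```python
"""List autostart entries in the [windows] section of a win.ini file.

Added example (not part of the original forum thread). The [windows]
section of win.ini may contain "run=" and "load=" keys that start
programs at logon; the thread above shows a "Run=WinUsr.exe" line.
The sample below is constructed to resemble a Windows XP win.ini.
"""
import re
from typing import Dict, List

# Constructed sample: a normal XP win.ini with the suspicious line appended.
SAMPLE_WIN_INI = """\
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[Windows]
Run=WinUsr.exe
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser.

    Section and key names are lower-cased (win.ini is case-insensitive),
    values are stripped, comment lines (';' or '#') and lines outside any
    section are ignored.  A dedicated parser is used instead of
    configparser because real win.ini files contain empty sections,
    duplicate keys and lines that configparser rejects.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autostart_entries(text: str) -> List[str]:
    """Return the programs that run= and load= in [windows] would launch.

    The legacy format allows several programs separated by commas or
    spaces and has no quoting, so a path containing a space cannot be
    told apart from two entries; for an audit, over-splitting is the
    safer failure mode, as nothing is hidden.
    """
    windows = parse_ini(text).get("windows", {})
    entries: List[str] = []
    for key in ("run", "load"):
        value = windows.get(key, "")
        entries.extend(part for part in re.split(r"[,\s]+", value) if part)
    return entries


def report(text: str) -> List[str]:
    """Human-readable lines, one per autostart entry (empty list = clean)."""
    return [f"win.ini [windows] starts at logon: {e}" for e in autostart_entries(text)]


if __name__ == "__main__":
    # On a real machine, replace SAMPLE_WIN_INI with the contents of
    # C:\Windows\win.ini (open it read-only, e.g. open(path, encoding="cp1252")).
    for line in report(SAMPLE_WIN_INI) or ["win.ini [windows]: no run=/load= entries"]:
        print(line)
```

On a clean XP installation the [windows] section usually has no run= or load= key at all, so any output from this check deserves a look; the gbo post's own removal steps (safe mode, delete the line, delete the file) apply to whatever the check finds.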

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:winusr.exe loaded by win.ini file
« Reply #1 on: November 30, 2004, 02:54:47 AM »
Better solution:

Follow all steps as explained on the page in my signature.

The provided solution from gbo doesn't handle the registry amongst some other things.

whocares

  • Guest
Re:winusr.exe loaded by win.ini file
« Reply #2 on: November 30, 2004, 12:24:17 PM »
Hi gbo,
if you still have the WinUsr.exe file and updated avast doesn't detect it:
please submit the file in a password-protected archive to
virus (at) avast.com
include archive-password & short description

thx ...


gbo

  • Guest
Re:winusr.exe loaded by win.ini file
« Reply #3 on: November 30, 2004, 03:10:51 PM »
Thanks whocares,
winusr.exe posted to virus (at) avast.com

I was already using SpywareBlaster & PestPatrol and scan is clean
scan by Spybot - Search & Destroy done: clean

On-line scan by "COD Command On Demand" clean

On-line scan by "Trend micro" clean
http://fr.trendmicro-europe.com/enterprise/products/housecall_pre.php

On-line scan by "Panda active scan" clean http://www.pandasoftware.com/activescan/fr/activescan_principal.htm

On-line scan by "kaspersky" clean
http://www.kaspersky.com/fr/scanforvirus

Of course, no reference to winusr in regedit or in Hijackthis except the win.ini

whocares

  • Guest
Re:winusr.exe loaded by win.ini file
« Reply #4 on: November 30, 2004, 03:26:50 PM »
P.S.: you don't have anything to do with ...

WinUSR - US REPORTER INVOICING/REPORTING SYSTEM  ?

gbo

  • Guest
Re:winusr.exe loaded by win.ini file
« Reply #5 on: November 30, 2004, 04:58:37 PM »
No (I live in France)

gbo

  • Guest
Virus W32/Datom.A found in winusr.exe !
« Reply #6 on: November 30, 2004, 05:13:31 PM »
results of http://virusscan.jotti.dhs.org/ scan

File:      WinUsr.exe
Status: INFECTED/MALWARE
Packers detected: COM2EXE
 
AntiVir: No viruses found (0.63 seconds taken)
Avast: No viruses found (1.63 seconds taken)
BitDefender: No viruses found (0.94 seconds taken)
ClamAV: No viruses found (1.47 seconds taken)
Dr.Web: No viruses found (1.41 seconds taken)
F-Prot Antivirus: No viruses found (0.16 seconds taken)
Kaspersky Anti-Virus: No viruses found (1.65 seconds taken)
mks_vir: No viruses found (0.60 seconds taken)
NOD32: No viruses found (1.24 seconds taken)
Norman Virus Control: W32/Datom.A (0.11 seconds taken)

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:winusr.exe loaded by win.ini file
« Reply #7 on: November 30, 2004, 05:19:40 PM »
Looks like a false positive by Norman.

Do you have US Robotics Modem or other product from them?

gbo

  • Guest
Re:winusr.exe loaded by win.ini file
« Reply #8 on: November 30, 2004, 07:17:01 PM »
I've nothing from US Robotics (adsl 2 Mb)

and I don't think it's a false positive: the behavior of the PC is much better after removal (CPU load & response time)

whocares

  • Guest
Re:winusr.exe loaded by win.ini file
« Reply #9 on: December 01, 2004, 12:31:17 AM »
Make sure that your network/inet-Shares are locked or secured with better passwords..

maybe post a hijackthis-Log here..

gbo

  • Guest
Re:winusr.exe loaded by win.ini file
« Reply #10 on: December 01, 2004, 09:30:44 AM »
Logfile of HijackThis v1.98.2
Scan saved at 09:16:55, on 01/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\hffsrv.exe  {hide files & folders}
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Documents and Settings\jsl\Menu Démarrer\Programmes\Démarrage\Buzzsaw.exe {defrag tool}
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jsl\Mes documents\appli1\outils\antivirus firewall\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: CIEHelperObj Class - {094C3578-F038-4879-929E-E3FB21950BB5} - C:\Program Files\MereSurfer 2003\MereSurferF.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MereSurfer - {340166BC-786B-401f-96AC-7C8821EFA9CD} - C:\Program Files\MereSurfer 2003\MereSurferF.dll
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Bandwidth Monitor Pro.lnk = ?
O4 - Startup: Buzzsaw.exe
O8 - Extra context menu item: Traduire cette page - C:\WINDOWS\web\powertoy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: teleir_cert - http://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4//teleir_cert.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/308dedc13bf8d649b620/netzip/RdxIE601_fr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093975772609
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4339/mcfscan.cab