winusr.exe loaded by win.ini file

The following line was added (by what?) at the end of my C:\Windows\win.ini file, and the [b]PC became very slow[/b]:

[Windows]
Run=WinUsr.exe

  1. the corresponding file “C:\Windows\WinUsr.exe” is a 58 KB application with “Windows User Module” as its description and Copyright (C) Microsoft Corp. 1997!
  2. a search on Microsoft's site returned nothing
  3. a search on Google and others returned a few questions and no answers
  4. a search on Avast, Symantec and others returned nothing

win.ini was no longer modifiable.

To solve the problem:
a) restart in safe mode
b) remove Run=WinUsr.exe from win.ini
c) restart in normal mode
d) remove winusr.exe
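As an added example (not code from any poster in this thread), here is a small Python script that does what step (b) above does by hand: it parses a win.ini-style file and reports any run=/load= entries in the [Windows] section, the legacy autostart hooks Windows still honours. The sample win.ini text is constructed so the script runs anywhere; on a real machine you would read C:\Windows\win.ini instead.

```python
"""Find legacy [windows] run=/load= autostart entries in a win.ini file.

Added example for this thread, not code from any poster. It assumes the
classic win.ini layout (sections in [brackets], key=value lines) and reads a
constructed sample instead of C:\\Windows\\win.ini so it runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Keys in the [windows] section that Windows treats as autostart hooks.
AUTOSTART_KEYS = {"run", "load"}


@dataclass(frozen=True)
class AutostartEntry:
    key: str       # "run" or "load", lower-cased
    command: str   # the raw value, e.g. "WinUsr.exe"
    line_no: int   # 1-based line in the file, for the report


def parse_win_ini(lines: Iterable[str]) -> dict[str, list[tuple[str, str, int]]]:
    """Parse INI text into {section_lower: [(key_lower, value, line_no), ...]}.

    Duplicate keys are kept: a second run= line is itself worth reporting.
    Section and key names are compared case-insensitively, as Windows does.
    """
    sections: dict[str, list[tuple[str, str, int]]] = {}
    current: str | None = None
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray text outside any section, or not key=value
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip(), n))
    return sections


def find_autostart_entries(text: str) -> list[AutostartEntry]:
    """Return every non-empty run=/load= entry under [windows]."""
    sections = parse_win_ini(text.splitlines())
    return [
        AutostartEntry(key, value, n)
        for key, value, n in sections.get("windows", [])
        if key in AUTOSTART_KEYS and value
    ]


def report(text: str) -> list[str]:
    """Human-readable lines, one per finding (empty list means nothing found)."""
    return [f"line {e.line_no}: [windows] {e.key}={e.command}"
            for e in find_autostart_entries(text)]


# Constructed sample modelled on the win.ini quoted in the post above.
SAMPLE_WIN_INI = """\
; constructed sample, not a real win.ini
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[Windows]
Run=WinUsr.exe
"""

if __name__ == "__main__":
    for line in report(SAMPLE_WIN_INI) or ["no [windows] run=/load= entries"]:
        print(line)
```

Empty `run=` and `load=` lines, which a clean win.ini may contain, are deliberately ignored; only a non-empty value is reported. On NT-based Windows (XP included) the same two keys are also mirrored into the registry under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (values `load` and `run`), so a registry check belongs beside the file check, which is the point the next reply makes.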

Better solution:

Follow all steps as explained on the page in my signature.

The solution gbo provided doesn't handle the registry, amongst other things.

Hi gbo,
if you still have the WinUsr.exe file and an updated avast doesn't detect it,
please submit the file in a password-protected archive to
virus (at) avast.com
and include the archive password and a short description.

thx …

Thanks whocares,
winusr.exe posted to virus (at) avast.com

I was already using SpywareBlaster and PestPatrol, and the scan is clean.
Scan by Spybot - Search & Destroy done: clean

On-line scan by “COD Command On Demand”: clean

On-line scan by “Trend Micro”: clean
http://fr.trendmicro-europe.com/enterprise/products/housecall_pre.php

On-line scan by “Panda ActiveScan”: clean
http://www.pandasoftware.com/activescan/fr/activescan_principal.htm

On-line scan by “Kaspersky”: clean
http://www.kaspersky.com/fr/scanforvirus

Of course, there is no reference to winusr in regedit or in HijackThis except the win.ini entry.

P.S.: you don't have anything to do with …

WinUSR - US REPORTER INVOICING/REPORTING SYSTEM ?

No (I live in France)

Results of the http://virusscan.jotti.dhs.org/ scan:

File: WinUsr.exe
Status: INFECTED/MALWARE
Packers detected: COM2EXE

AntiVir: No viruses found (0.63 seconds taken)
Avast: No viruses found (1.63 seconds taken)
BitDefender :No viruses found (0.94 seconds taken)
ClamAV : No viruses found (1.47 seconds taken)
Dr.Web : No viruses found (1.41 seconds taken)
F-Prot Antivirus : No viruses found (0.16 seconds taken)
Kaspersky Anti-Virus : No viruses found (1.65 seconds taken)
mks_vir : No viruses found (0.60 seconds taken)
NOD32 : No viruses found (1.24 seconds taken)
Norman Virus Control :W32/Datom.A (0.11 seconds taken)

Looks like a false positive by Norman.

Do you have US Robotics Modem or other product from them?

I have nothing from US Robotics (ADSL 2 Mb).

And I don't think it's a false positive: the behaviour of the PC is much better after removal (CPU load and response time).

Make sure that your network/internet shares are locked or secured with better passwords…

Maybe post a HijackThis log here…

Logfile of HijackThis v1.98.2
Scan saved at 09:16:55, on 01/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\hffsrv.exe {hide files & folders}
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Documents and Settings\jsl\Menu Démarrer\Programmes\Démarrage\Buzzsaw.exe {defrag tool}
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jsl\Mes documents\appli1\outils\antivirus firewall\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: CIEHelperObj Class - {094C3578-F038-4879-929E-E3FB21950BB5} - C:\Program Files\MereSurfer 2003\MereSurferF.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MereSurfer - {340166BC-786B-401f-96AC-7C8821EFA9CD} - C:\Program Files\MereSurfer 2003\MereSurferF.dll
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Bandwidth Monitor Pro.lnk = ?
O4 - Startup: Buzzsaw.exe
O8 - Extra context menu item: Traduire cette page - C:\WINDOWS\web\powertoy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra ‘Tools’ menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: teleir_cert - http://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4//teleir_cert.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/308dedc13bf8d649b620/netzip/RdxIE601_fr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093975772609
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4339/mcfscan.cab