
[Help] winresd32.dll



Posted

My virus protection keeps detecting the virus Win32/Saliy.G in C:\windows\system32\winresd32.dll. It deletes the file and says it's gone, which it is. A few hours later, the file is back again and the virus protection pops up and says it found a virus and removed it. This happens every few hours.

I decided to run filemon over night and catch it in the act.

This is what I found:

The file was opened by process 419478232.tmp. 419478232.tmp was created and executed by explorer.exe.

That's the kicker right there. What is making explorer create and execute this process (which is still running in the background)?

I can't post my filemon log file because it's 256MB. I can show the part that I'm looking at though. It's kinda tough to read but here it is.

I also noted via proc exp that the .tmp process was reading some file index.dat in content.ie5. Is it okay to just boot up in safe mode and blow everything away in my Temporary Internet Files folder?

485272 4:00:57 AM explorer.exe:356 CREATE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: OverwriteIf Access: All

485273 4:00:57 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS Options: Open Directory Access: 00000000

485274 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 1024

485275 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 1024 Length: 1024

485276 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 2048 Length: 1024

485277 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 3072 Length: 1024

485278 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 4096 Length: 1024

485279 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 5120 Length: 1024

485280 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 6144 Length: 1024

485281 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 7168 Length: 1024

485282 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 8192 Length: 1024

485283 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 9216 Length: 1024

485284 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 10240 Length: 1024

485285 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 11264 Length: 1024

485286 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 12288 Length: 1024

485287 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 13312 Length: 1024

485288 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 14336 Length: 1024

485289 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 15360 Length: 1024

485290 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 16384 Length: 1024

485291 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 17408 Length: 1024

485292 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 18432 Length: 1024

485293 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 19456 Length: 1024

485294 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 20480 Length: 1024

485295 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 21504 Length: 1024

485296 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 22528 Length: 1024

485297 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 23552 Length: 1024

485298 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 24576 Length: 1024

485299 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 25600 Length: 1024

485300 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 26624 Length: 1024

485301 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 27648 Length: 1024

485302 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 28672 Length: 1024

485303 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 29696 Length: 1024

485304 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 30720 Length: 1024

485305 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 31744 Length: 1024

485306 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 32768 Length: 1024

485307 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 33792 Length: 1024

485308 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 34816 Length: 1024

485309 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 35840 Length: 1024

485310 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 36864 Length: 1024

485311 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 37888 Length: 1024

485312 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 38912 Length: 1024

485313 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 39936 Length: 1024

485314 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 40960 Length: 1024

485315 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 41984 Length: 1024

485316 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 43008 Length: 1024

485317 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 44032 Length: 1024

485318 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 45056 Length: 1024

485319 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 46080 Length: 1024

485320 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 47104 Length: 1024

485321 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 48128 Length: 1024

485322 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 49152 Length: 1024

485323 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 50176 Length: 1024

485324 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 51200 Length: 51

485325 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS

485326 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485327 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 51251

485328 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 16384

485329 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 16384 Length: 2048

485330 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 18432 Length: 2048

485331 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 20480 Length: 2048

485332 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 22528 Length: 2048

485333 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 24576 Length: 2048

485334 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 26624 Length: 2048

485335 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 28672 Length: 2048

485336 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 30720 Length: 2048

485337 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 32768 Length: 2048

485338 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 34816 Length: 2048

485339 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 36864 Length: 2048

485340 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 38912 Length: 2048

485341 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 40960 Length: 2048

485342 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 43008 Length: 2048

485343 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 45056 Length: 2048

485344 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 46131 Length: 5120

485345 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\CAVTemp\TEMPMON_1652_0 NOT FOUND Options: Open Access: All

485346 4:00:58 AM explorer.exe:356 CREATE C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Options: Create Access: All

485347 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0

485348 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0

485349 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485350 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485351 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 51251

485352 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 16384

485353 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 16384 Length: 2048

485354 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 18432 Length: 2048

485355 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 20480 Length: 2048

485356 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 22528 Length: 2048

485357 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 24576 Length: 2048

485358 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 26624 Length: 2048

485359 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 28672 Length: 2048

485360 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 30720 Length: 2048

485361 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 32768 Length: 2048

485362 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 34816 Length: 2048

485363 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 36864 Length: 2048

485364 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 38912 Length: 2048

485365 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 40960 Length: 2048

485366 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 43008 Length: 2048

485367 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 45056 Length: 2048

485368 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 46131 Length: 5120

485369 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\CAVTemp\TEMPMON_1652_0 NOT FOUND Options: Open Access: All

485370 4:00:58 AM explorer.exe:356 CREATE C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Options: Create Access: All

485371 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0

485372 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0

485373 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 51251

485374 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 51251

485375 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS

485376 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485377 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS FileAttributeTagInformation

485378 4:00:58 AM explorer.exe:356 DELETE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS

485379 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS

485380 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: OpenIf Access: All

485381 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 25625

485382 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS

485383 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485384 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 25625

485385 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 16384

485386 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 20505 Length: 5120

485387 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485388 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Attributes: A

485389 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS

485390 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485391 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Attributes: A

485392 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS

485393 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485394 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485395 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 25625

485396 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 16384

485397 4:00:58 AM explorer.exe:356 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 20505 Length: 5120

485398 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 25625

485399 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Options: Open Access: All

485400 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Options: Open Access: All

485401 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796

485402 4:00:58 AM explorer.exe:356 READ C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Offset: 0 Length: 16384

485403 4:00:58 AM explorer.exe:356 READ C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Offset: 1185676 Length: 5120

485404 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\CAVTemp\TEMPMON_1652_0 NOT FOUND Options: Open Access: All

485405 4:00:58 AM explorer.exe:356 CREATE C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Options: Create Access: All

485406 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0

485407 4:00:58 AM explorer.exe:356 SET INFORMATION C:\WINDOWS\CAVTemp\TEMPMON_1652_0 SUCCESS Length: 0

485408 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796

485409 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796

485410 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Length: 1190796

485411 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open Access: All

485412 4:00:58 AM explorer.exe:356 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open Access: All

485413 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS Options: Open Directory Access: All

485414 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS FileBothDirectoryInformation: 419478232.tmp

485415 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS

485416 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485417 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Attributes: A

485418 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS

485419 4:00:58 AM explorer.exe:356 OPEN C:\ SUCCESS Options: Open Directory Access: All

485420 4:00:58 AM explorer.exe:356 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: DOCUME~1

485421 4:00:58 AM explorer.exe:356 CLOSE C:\ SUCCESS

485422 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\ SUCCESS Options: Open Directory Access: All

485423 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\ SUCCESS FileBothDirectoryInformation: betamax

485424 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\ SUCCESS

485425 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\ SUCCESS Options: Open Directory Access: All

485426 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\betamax\ SUCCESS FileBothDirectoryInformation: LOCALS~1

485427 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\ SUCCESS

485428 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS Options: Open Directory Access: All

485429 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS FileBothDirectoryInformation: Temp

485430 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS

485431 4:00:58 AM explorer.exe:356 CLOSE C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS

485432 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS FileNameInformation

485433 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: Open Access: All

485434 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Attributes: A

485435 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS

485436 4:00:58 AM explorer.exe:356 OPEN C:\ SUCCESS Options: Open Directory Access: All

485437 4:00:58 AM explorer.exe:356 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: DOCUME~1

485438 4:00:58 AM explorer.exe:356 CLOSE C:\ SUCCESS

485439 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\ SUCCESS Options: Open Directory Access: All

485440 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\ SUCCESS FileBothDirectoryInformation: betamax

485441 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\ SUCCESS

485442 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\ SUCCESS Options: Open Directory Access: All

485443 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\betamax\ SUCCESS FileBothDirectoryInformation: LOCALS~1

485444 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\ SUCCESS

485445 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS Options: Open Directory Access: All

485446 4:00:58 AM explorer.exe:356 DIRECTORY C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS FileBothDirectoryInformation: Temp

485447 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\ SUCCESS

485448 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 25625

485449 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Length: 25625

485450 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp.Manifest NOT FOUND Options: Open Access: All

485451 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp.Manifest NOT FOUND Options: Open Access: All

485452 4:00:58 AM explorer.exe:356 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS Options: Open Access: All

485453 4:00:58 AM explorer.exe:356 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS Attributes: D

485454 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS

485455 4:00:58 AM explorer.exe:356 CLOSE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS

485456 4:00:58 AM 419478232.tmp:2404 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS FileNameInformation

485457 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\Prefetch\419478232.TMP-006197D3.pf NOT FOUND Options: Open Access: All

485458 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\Prefetch\419478232.TMP-006197D3.pf NOT FOUND Options: Open Access: All

485459 4:00:58 AM 419478232.tmp:2404 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\ SUCCESS Options: Open Directory Access: Traverse

485460 4:00:58 AM 419478232.tmp:2404 OPEN C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp.Local NOT FOUND Options: Open Access: All

485461 4:00:58 AM 419478232.tmp:2404 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 1024 Length: 1024

485462 4:00:58 AM 419478232.tmp:2404 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 10240 Length: 15360

485463 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\system32\winresd32.dll SUCCESS Options: OpenIf Access: All

485464 4:00:58 AM winlogon.exe:532 DIRECTORY C:\WINDOWS\system32 SUCCESS Change Notify

485465 4:00:58 AM 419478232.tmp:2404 READ C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 2048 Length: 8192

485466 4:00:58 AM 419478232.tmp:2404 WRITE C:\WINDOWS\system32\winresd32.dll SUCCESS Offset: 0 Length: 23040

485467 4:00:58 AM 419478232.tmp:2404 CLOSE C:\WINDOWS\system32\winresd32.dll SUCCESS

485468 4:00:58 AM winlogon.exe:532 DIRECTORY C:\WINDOWS\system32 SUCCESS Change Notify

485469 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\system32\winresd32.dll SUCCESS Options: Open Access: All

485470 4:00:58 AM 419478232.tmp:2404 QUERY INFORMATION C:\WINDOWS\system32\winresd32.dll SUCCESS Length: 23040

485471 4:00:58 AM 419478232.tmp:2404 READ C:\WINDOWS\system32\winresd32.dll SUCCESS Offset: 0 Length: 16384

485472 4:00:58 AM 419478232.tmp:2404 READ C:\WINDOWS\system32\winresd32.dll SUCCESS Offset: 17920 Length: 5120

485473 4:00:58 AM 419478232.tmp:2404 READ C:\WINDOWS\system32\winresd32.dll SUCCESS Offset: 13312 Length: 4096

485474 4:00:58 AM 419478232.tmp:2404 OPEN C:\WINDOWS\system32\winresd32.dll SUCCESS Options: Open Access: All

485475 4:00:58 AM 419478232.tmp:2404 READ C:\$Directory SUCCESS Offset: 16384 Length: 4096

485476 4:00:58 AM svchost.exe:864 DIRECTORY C:\$Extend\$ObjId SUCCESS Change Notify

485477 4:00:58 AM VetMsg.exe:2028 OPEN C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vete.dll

Please NOW, in the Microsoft Windows XP section, use [TAGS] in your topic's title.

See rules.

--Sonic
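As an added example (not code from the original post), here is a small Python parser for the Filemon log format shown above that automates the walk-back the poster did by hand: find which process last wrote the recreated file, locate that process's own image on disk, then find who wrote that image. The embedded excerpt is copied from the log lines above; the function names are my own.

```python
import re
from collections import namedtuple

# Filemon line layout as posted: <seq> <time> <process>:<pid> <OP> <path> <RESULT> [details]
# OP may be two words and paths may contain spaces, so the path is matched lazily up to a known
# result token; a line with no result token (the truncated VetMsg.exe line) is skipped, not guessed.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d+:\d\d:\d\d\s+[AP]M)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>OPEN|CLOSE|CREATE|READ|WRITE|DELETE|DIRECTORY|QUERY INFORMATION|SET INFORMATION)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NOT FOUND|ACCESS DENIED|SHARING VIOLATION)"
    r"(?:\s+(?P<detail>.*))?$"
)

# Constructed excerpt: the relevant lines copied from the poster's log above.
SAMPLE_LOG = r"""
485272 4:00:57 AM explorer.exe:356 CREATE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Options: OverwriteIf Access: All
485274 4:00:57 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 1024
485378 4:00:58 AM explorer.exe:356 DELETE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS
485381 4:00:58 AM explorer.exe:356 WRITE C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS Offset: 0 Length: 25625
485456 4:00:58 AM 419478232.tmp:2404 QUERY INFORMATION C:\DOCUME~1\betamax\LOCALS~1\Temp\419478232.tmp SUCCESS FileNameInformation
485464 4:00:58 AM winlogon.exe:532 DIRECTORY C:\WINDOWS\system32 SUCCESS Change Notify
485466 4:00:58 AM 419478232.tmp:2404 WRITE C:\WINDOWS\system32\winresd32.dll SUCCESS Offset: 0 Length: 23040
485477 4:00:58 AM VetMsg.exe:2028 OPEN C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vete.dll
"""

Event = namedtuple("Event", "seq time proc pid op path result detail")

def parse_log(text):
    """Parse Filemon text into Event records; lines that do not match the layout are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m["seq"]), m["time"], m["proc"], int(m["pid"]),
                                m["op"], m["path"], m["result"], m["detail"] or ""))
    return events

def _same_path(a, b):
    return a.lower() == b.lower()       # Windows paths are case-insensitive

def last_writer(events, path, before=None):
    """Last successful WRITE/CREATE of `path`, optionally restricted to sequence numbers < before."""
    hits = [e for e in events
            if e.op in ("WRITE", "CREATE") and e.result == "SUCCESS"
            and _same_path(e.path, path) and (before is None or e.seq < before)]
    return hits[-1] if hits else None

def image_path(events, proc, pid):
    """First path the process touches whose file name equals its own name: its image on disk."""
    for e in events:
        if e.proc == proc and e.pid == pid and _same_path(e.path.rsplit("\\", 1)[-1], proc):
            return e.path
    return None

def dropper_chain(events, target):
    """Walk back from `target`: who wrote it, where that writer's image lives, who wrote that..."""
    chain, path, before, seen = [], target, None, set()
    while True:
        w = last_writer(events, path, before)
        if w is None or (w.proc, w.pid) in seen:
            return chain
        seen.add((w.proc, w.pid))
        chain.append((f"{w.proc}:{w.pid}", path))
        img = image_path(events, w.proc, w.pid)
        if img is None:                 # image never named in the log (explorer.exe here)
            return chain
        path, before = img, w.seq       # the image had to be written before it ran

def executed_from_temp(events):
    """Processes whose own image lives under a \\Temp\\ folder: the drop-then-run pattern."""
    flagged = {}
    for e in events:
        img = image_path(events, e.proc, e.pid)
        if img and "\\temp\\" in img.lower():
            flagged[f"{e.proc}:{e.pid}"] = img
    return sorted(flagged.items())

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(dropper_chain(ev, r"C:\WINDOWS\system32\winresd32.dll"))
    print(executed_from_temp(ev))
```

On the full 256 MB log the same functions apply unchanged; the chain stops at explorer.exe because the log never names explorer's own image, which is exactly the point where the poster's question starts.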


Posted

Try to rescan your system in Safe Mode; if you can't, disable all non-Microsoft services & startup apps using msconfig and reboot to rescan your system.

Posted

I did rescan but it finds nothing because it already removed it upon it reappearing. What I'm trying to find out is what's causing it to reappear.

Posted

Remove all unnecessary items from your startup with AutoRuns utility from www.sysinternals.com

Clearing out all the temporary internet files is also a good idea.

Posted

I don't see any non-microsoft items that I can remove. I'll post a log of my startup list later when I get home. In the meantime, I have another question about this.

My AV software periodically finds files in C:\system volume information\_restore..... that are infected.

Is it possible these bad files are getting pulled from backup?

Is it safe to blow away all the backup folders from the day I started having problems to present?

Also, is it normal for me to get an access denied message when trying to open C:\system volume information from windows explorer?

Posted
I think this is one of your problems. Symantec's website recommends turning off System Restore before trying to clean a virus because it will be automatically restored once deleted.

from their website...

1. To disable System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

Disabling or Enabling System Restore on Windows XP

-John
