Hi Ron,
Thanks for your reply.
My PC is a Dell Dimension 3000. It is a Pentium 4, not an AMD. I finished getting all the updates to Windows last night. According to a scan by Microsoft at their update site, all updates have been made.
I found the closeall.exe file in a program I have been trying to remove through the control panel. It is part of a group of SBC Yahoo! Home Networking Installer programs for the 2wire DSL router that is no longer necessary according to SBC since the DSL connection is automatically detected. I didn't know that and tried to use the Install disk when I first fired up the PC. I ask the add/remove program to remove it and get no response.
I sent the file to virustotal.com as you suggested and had it reanalyzed. This is the result:
File name: closeAll.exe
Submission date: 2011-02-20 23:48:52 (UTC)
Current status: finished
Result: 5/41 (12.2%)
Antivirus Version Last Update Result
AhnLab-V3 2011.02.14.02 2011.02.14 -
AntiVir 7.11.3.165 2011.02.20 TR/Autoit.BR
Antiy-AVL 2.0.3.7 2011.02.19 -
Avast 4.8.1351.0 2011.02.20 -
Avast5 5.0.677.0 2011.02.20 -
AVG 10.0.0.1190 2011.02.20 -
BitDefender 7.2 2011.02.21 -
CAT-QuickHeal 11.00 2011.02.20 Trojan.Agent.ATV
ClamAV 0.96.4.0 2011.02.20 -
Commtouch 5.2.11.5 2011.02.20 -
Comodo 7753 2011.02.20 -
DrWeb 5.0.2.03300 2011.02.21 -
eSafe 7.0.17.0 2011.02.17 -
eTrust-Vet 36.1.8170 2011.02.18 -
F-Prot 4.6.2.117 2011.02.20 -
F-Secure 9.0.16160.0 2011.02.20 -
Fortinet 4.2.254.0 2011.02.20 -
GData 21 2011.02.21 -
Ikarus T3.1.1.97.0 2011.02.20 -
Jiangmin 13.0.900 2011.02.20 -
K7AntiVirus 9.87.3906 2011.02.19 -
McAfee 5.400.0.1158 2011.02.21 -
McAfee-GW-Edition 2010.1C 2011.02.20 -
Microsoft 1.6502 2011.02.20 -
NOD32 5891 2011.02.20 -
Norman 6.07.03 2011.02.20 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.02.20 Trj/Autoit.AJ
PCTools 7.0.3.5 2011.02.20 -
Prevx 3.0 2011.02.21 -
Rising 23.45.04.06 2011.02.18 -
Sophos 4.61.0 2011.02.20 -
SUPERAntiSpyware 4.40.0.1006 2011.02.21 -
Symantec 20101.3.0.103 2011.02.20 -
TheHacker 6.7.0.1.134 2011.02.20 Trojan/Agent.lf
TrendMicro 9.200.0.1012 2011.02.20 -
TrendMicro-HouseCall 9.200.0.1012 2011.02.15 -
VBA32 3.12.14.3 2011.02.18 -
VIPRE 8487 2011.02.20 -
ViRobot 2011.2.19.4319 2011.02.20 Trojan.Win32.Autoit.95736
VirusBuster 13.6.210.1 2011.02.20 -
Additional information
MD5 : cda58701492e0395bfb17a81b8d36040
SHA1 : b04344517964bedd4c16b0b389f828091f2b3b1a
SHA256: 61ee0b86325719dd62b6aabdb1eb15c4d4c76d27e82142935068eabfc44b6773
ssdeep: 768:BZOkcLwynvk0RqXTCISOAqumPYwKIMVa2Jk:pg3vk0kXLgMKIa7Jk
File size : 43185 bytes
First seen: 2006-06-05 00:26:30
Last seen : 2011-02-20 23:48:52
TrID:
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: Compiled AutoIt Script
description..: Compiled AutoIt Script
original name: n/a
internal name: n/a
file version.: 2, 64, 0, 0
comments.....: Third-party compiled AutoIt script. For details visit http://www.hiddensoft.com/AutoIt/
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers (F-Prot): UPX
PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0x48B30
timedatestamp....: 0x3E00C9CA (Wed Dec 18 19:17:30 2002)
machinetype......: 0x14c (I386)
[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x3F000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x40000, 0x9000, 0x8E00, 7.88, 804e3e6f0857bd94c28fb9701dd53cfe
.rsrc, 0x49000, 0x2000, 0x1400, 3.36, 34885b13bf5439c8135e7c8eaab09eea
[[ 6 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.dll: RegCloseKey
comdlg32.dll: GetOpenFileNameA
GDI32.dll: GetStockObject
SHELL32.dll: Shell_NotifyIconA
USER32.dll: IsIconic
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 36864
Comments: Third-party compiled AutoIt script. For details visit http://www.hiddensoft.com/AutoIt/
EntryPoint: 0x48b30
FileDescription: Compiled AutoIt Script
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 42 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 2, 64, 0, 0
FileVersionNumber: 2.64.0.0
ImageVersion: 0.0
InitializedDataSize: 8192
LanguageCode: English (British)
LinkerVersion: 7.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
PEType: PE32
ProductName: Compiled AutoIt Script
ProductVersion: 2, 64, 0, 0
ProductVersionNumber: 2.64.0.0
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2002:12:18 20:17:30+01:00
UninitializedDataSize: 258048
I'm not savvy enough about these things to know what to think about that, but I don't need this program on my PC, so it seems to me that the most expedient thing to do is get rid of it and all the programs associated with it.
In the meanwhile, back at the ranch, I had to go out for a while this afternoon, so I shut my PC down. When I turned it back on, once again, the password for the administrator account did not work. Neither did the password for the non-administrator account. sigh... I restored the OS back to last night.
I've used this password for at least 3 years on my other PC. I used the same password for the system and both accounts. It's a semi-complicated password but I have muscle memory for typing it in and don't even have to think about it anymore. I didn't forget what it was. I retyped it 4 times in each case. I've removed the passwords for the present.
Another thing that is happening is that when I try to turn the PC on, it will act as if it is starting up, but then it dies, and I may have to press the start button 2 or 3 times, holding it down for a few seconds, before it actually fires up.
Now what?
Barbara