Fred Ma
Hi,
I have Spybot installed. It has a tool that enables/disables apps
from launching at system startup (like msconfig, but it seems to show
more items, i.e. some of which don't show up in msconfig). One such
item is TweakUI. Under the "Command line" column, it says
"RUNDLL32.EXE TWEAKUI.CPL TweakMeUp". If I select it, the following
information is shown.
| Current filename:
| RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
|
| Database status:
| Necessity depends on users preferences
| Value:
| Tweak UI
| Filename:
| rundll32.exe tweakui.cpl, tweakmeup
|
| Description
| Restores settings that can't be retained if you have Microsoft's Tweak UI "powertoy" installed
|
| Source:
| Paul Collins Startup list
| ____________________
|
| Current filename:
| RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
|
| Database status:
| Necessity depends on users preferences
| Value:
| Tweak UI
| Filename:
| rundll32.exe tweakui.cpl, tweaklogon
|
| Description
| Automatically logs you on if you have Microsoft's Tweak UI "powertoy" installed
|
| Source:
| Paul Collins Startup list
| ____________________
|
| Current filename:
| RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
|
| Database status:
| Necessity depends on users preferences
| Value:
| Tweak UI
| Filename:
| RunDLL32 tweakUI.DLL, TWEAKUI /tweakmeup
|
| Description
| Added as a result of the _ SUBWOOFER_ VIRUS! Note - the real Tweak UI entry for this is "rundll32.exe tweakui.cpl, tweakmeup"
|
| Source:
| Paul Collins Startup list
From the last few lines, I'm surprised that I am infected, since I
ordinarily have Norton AV updated and autoprotect running. I also
have Kerio firewall running with pretty restrictive settings. I tried
uninstalling TweakUI (there is no such process in the taskbar), but
"Add/Remove Programs" says that there were errors in the uninstall,
and asks whether I want to remove it from the list (of programs in
Add/Remove Programs). I say no. The TweakUI icon still appears on
the control panel.
There are very few hits under a Google Groups search for "tweakui
subwoofer virus" (without quotes), and nothing illuminating. Under a
plain Google search, there is a Symantec posting from 2002 about this:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subwoofer.html.
I am scanning my system as I type (it takes *forever*), and I am also
supposed to edit the registry (I hate doing that because of the
perils). The scan is for *all* files (I just finished a scan which
defaulted to just program and document files, and nothing came up).
A scan of the TweakUI download (tweakui.zip) also came up empty.
Is there any chance that this is a mistake? I don't visit lurid
websites, and I don't receive email on the PC. I wonder if it is a
false positive.
Fred
P.S. I've crossposted this to grc.security, alt.comp.virus, and
alt.comp.antivirus. I will manually keep the thread from fragmenting.
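
An added example, not part of the original post and not Spybot's own logic: it normalizes a rundll32 startup command into module, entry point and arguments, then compares it with the three database "Filename" entries quoted in the listing above. The function names and the short labels are assumptions made for this illustration.

```python
import re

# Database "Filename" entries copied from the listing in the post;
# the labels paraphrase each entry's "Description" field.
STARTUP_DB = [
    ("rundll32.exe tweakui.cpl, tweakmeup", "Tweak UI: restores settings"),
    ("rundll32.exe tweakui.cpl, tweaklogon", "Tweak UI: automatic logon"),
    ("RunDLL32 tweakUI.DLL, TWEAKUI /tweakmeup", "added by Subwoofer virus"),
]

# Leading rundll32 invocation, with optional path, quotes and .exe suffix.
_RUNDLL = re.compile(r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+', re.I)
# <module>[,| ]<entry point> [arguments]; the module may be quoted.
_PARTS = re.compile(r'^(?:"([^"]+)"|([^\s,]+))\s*,?\s*(\S+)?\s*(.*)$')


def parse_rundll32(command):
    """Return (module, entry_point, arguments) in lower case, or None."""
    head = _RUNDLL.match(command)
    if not head:
        return None
    m = _PARTS.match(command[head.end():].strip())
    if not m:
        return None
    module = (m.group(1) or m.group(2)).split("\\")[-1].lower()
    entry = (m.group(3) or "").lower()
    args = " ".join(m.group(4).lower().split())
    return module, entry, args


def classify(command):
    """Return the labels of every database entry the command really matches."""
    parsed = parse_rundll32(command)
    if parsed is None:
        return []
    return [label for ref, label in STARTUP_DB if parse_rundll32(ref) == parsed]


if __name__ == "__main__":
    # The two spellings of the startup entry shown in the post.
    for cmd in ("RUNDLL32.EXE TWEAKUI.CPL TweakMeUp",
                "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"):
        print(cmd, "->", classify(cmd))
```

The comparison is on the module name (`tweakui.cpl` versus `tweakUI.DLL`), the entry point and the arguments, so differences in case, spacing or the comma do not affect the result.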