Windows Recovery Virus

JHM

banned
To answer that, a bit of explanation is in order. I built her computer for her, and set it up the same way I set up mine. I use a single line of icons down the left side of the screen, which are mostly shortcuts to folders containing shortcuts.

[image: delete0.png]


These are sorted by type of software, rather than by originating company. For example the "CD Creator Icon", when double clicked, opens a folder with all shortcuts pertaining to the setup of the CD drives; and burning software, irrespective of what company produced it.

[image: delete1.png]


There are, as you know, a number of ways in which one can normally create and move shortcuts. BUT if I create a shortcut to "MS Task Manager", for example

[image: delete2j.png]


[image: delete3.png]


Then attempt to drag the shortcut into the desktop "Utilities\System" folder, the shortcut goes BAD and will no longer work. The same is true if I try to "cut" the shortcut out of C:\Windows\System32 and "paste" it into C:\Windows\98 Desktop\Utilities\System

[image: delete4.png]


Attempts to delete the dead shortcut

[image: delete5.png]


Get me the following messages:

[image: delete6y.png]


[image: delete7.png]


And the only way I have found to get around it, is to bypass the operating system, by using another operating system to delete them. There are three ways to do this.
1) have a dual boot, and use the other OS to clean up the mess.
2) put her drive in a hotswap tray, and use my OS to remove them
3) use my ERD Commander disk, (with its stripped down version of XP that runs from a CD), to delete them

This is exactly the same message I got when I tried to delete the 3 viruses I found in the "All users\application data" folder on her drive. I had to use ERD Commander to get rid of them too. Also might add that when I moved the "Malware Bytes" desktop shortcut into the utilities\system folder, it went bad too. I had to use ERD Commander to get rid of it, and create a new one.
 

johnb35

Administrator
Staff member
Definitely a weird issue there. What happens when you just go into the folder where you want a shortcut and right click and click on New Shortcut? Is the system formatted FAT32 or NTFS?

However, depending on the infection you get, and even after it's cleaned up, the damage it's created may be irreversible and only a fresh install of Windows will fix it.
 

JHM

banned
1) The system is NTFS. 2) The method of shortcut creation you mentioned works, though I have never used it before. Didn't know it existed. Another method that works is right click on the file you want to create a shortcut to, then drag it to the folder you want the shortcut in, and click on "Create shortcuts here" in the popup window that opens.

3) Be it noted that with both of these methods, you are "Creating" a shortcut in its desired final location. Attempts to "Move" existing shortcuts now invariably fail, with the shortcut moving, but going bad in the process, and becoming inaccessible to the user. Probably a registry issue there.
 

johnb35

Administrator
Staff member
You may want to try running SFC /scannow at the command prompt. It may or may not fix the issue.
 

johnb35

Administrator
Staff member
Start, run, type "sfc /scannow" without quotes and make sure there is a space between the c and the /. Also make sure you have the xp cd in the drive when you do this.
 

JHM

banned
Will do as soon as I finish working with "Registry First Aid", which is finding a slew of registry errors. Thanks again.
 

johnb35

Administrator
Staff member
Just a warning, you may make things worse by using a registry cleaning program. They usually do more damage than good.
 

JHM

banned
Oh I don't let them do anything "Automatically". I deselect ALL items found, then go through them one at a time fixing the ones where I KNOW what the proper answer is.

Re "sfc /scannow", it keeps asking for an XP disk with "Service Pack 1". Don't have. Have only an old one with no service packs, and a newer one with "Service Pack 3". How do I get around that one?
 

johnb35

Administrator
Staff member
I guess that won't be an option then. Where is the original cd that you installed the OS with?
 

JHM

banned
Unless I am mistaken I used the Service Pack 3 disk. I built this thing for her three or four years ago. Originally it was a Win98-SE machine, but then I upgraded it to XP-Pro. Not sure. She has her own licence.
 

johnb35

Administrator
Staff member
Then I don't know why it would be asking for the service pack 1 cd. May have to take the dive and backup data and reinstall windows.
 

JHM

banned
Thinking about that, I think I must have used the old disk with no service packs on it; then gone online to update her installation, downloading Service Pack 1, (or 1a, - which was my favourite at that time), because although Service Pack 2 was available at that time, I had had a lot of problems with it and didn't trust it.

Question: Can I go online and redownload Service Pack 1a? If not, I can probably get ahold of the appropriate disk from a local computer shop. She DOES have a legal licence, so that's not an issue.
 

johnb35

Administrator
Staff member
You could try slipstreaming sp1a into a new install cd from the no service pack install cd. Only you know what you used to install it with.
 

JHM

banned
Fraid you lost me with that one. How do I go about "Slipstreaming SP1a into a new install CD" using my no service pack disk?
 

JHM

banned
Hmm, No response to my last; oh well here is more about what I have found on Gloria's machine. I ran "MSConfig" to see if I would find anything untoward that way.

[image: msconfig1.png]


Sure enough, something rather strange there. Right at the bottom we find "REBOOT.EXE" listed as a "Disabled Startup Item". Now usually items in the "Startup" folder are shortcuts to programs you want to run on Windows startup. BUT this is no shortcut but rather a 327 kilobyte exe file.

[image: msconfig2.png]


Now why on earth would anyone want Windows to automatically "REBOOT" every time it starts? Could this be part of the "Windows Recovery Virus"? I searched my machine for a file named "REBOOT.EXE" and there weren't any. I then searched her machine for references to "REBOOT.EXE" and found:

[image: msconfig3.png]


Next, checking my machine for a folder in Windows labeled "pss" revealed there was none.
Searching her registry for references to "REBOOT.EXE" revealed exactly 4 registry entries pertaining to the two files found, apart from those pertaining to the search I made.

Attempts to see the "Properties" of "REBOOT.EXE" failed 9 out of 10 times. The machine would go into a freeze, with the hourglass showing, and stay that way for several minutes, then the window from which one may select "Properties" would flicker visible for about 1/10th of a second then disappear. Sometimes a corner of the window would become visible for a while but nothing else. Persistence eventually paid off however and I was able to see:

[image: msconfig4.png]


Further examination revealed:

[image: msconfig5.png]


And the only other information I could get was "Language" - "Chinese Taiwan".

Has anyone else here who is running Windows XP-PRO ever seen this file before ? Bear in mind that the "Windows Recovery Virus" Reboots your machine if you start running an antivirus program on it.
 
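Two things in the thread lend themselves to a scripted check rather than clicking through Properties dialogs: the shortcuts that "go bad" after being moved (a .lnk whose target no longer resolves), and a raw executable sitting in a Startup folder where one normally expects only shortcuts. The PowerShell below is an added example, not code from the thread or from any of the posters, that enumerates the Startup folders, resolves each shortcut's target, and flags executables with their Authenticode status and version info. It assumes PowerShell 3.0 or later on the machine doing the inspection; the `-Root` parameter and the hard-coded "Documents and Settings" paths are my assumptions for the XP layout, so the drive can also be examined from another machine (for instance in a hotswap tray, as described above) by pointing `-Root` at its drive letter.

```powershell
# Added example (not from the thread): triage Startup folder entries.
# Assumption: PowerShell 3.0+ (uses -File and -in). The XP-era paths below are
# assumed from the thread's "All users\Start Menu\Startup" reference.

function Get-StartupFolderPaths {
    param([string]$Root = $env:SystemDrive)   # e.g. 'E:' for a drive in a hotswap tray
    $candidates = @(
        [Environment]::GetFolderPath('Startup'),        # current user (this machine)
        [Environment]::GetFolderPath('CommonStartup'),  # All Users  (this machine)
        "$Root\Documents and Settings\All Users\Start Menu\Programs\Startup",   # XP layout
        "$Root\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"       # Vista+ layout
    )
    $candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
}

function Resolve-ShortcutTarget {
    # Read a .lnk's target via the WScript.Shell COM object and test whether it exists.
    param([string]$LnkPath)
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($LnkPath)
    [pscustomobject]@{
        Target   = $lnk.TargetPath
        TargetOk = [bool]$lnk.TargetPath -and (Test-Path -LiteralPath $lnk.TargetPath)
    }
}

function Get-StartupTriage {
    param([string]$Root = $env:SystemDrive)
    $execExt = '.exe', '.com', '.bat', '.cmd', '.scr', '.pif', '.vbs', '.js'
    foreach ($folder in Get-StartupFolderPaths -Root $Root) {
        foreach ($item in Get-ChildItem -LiteralPath $folder -File -Force) {
            $ext = $item.Extension.ToLowerInvariant()
            $entry = [ordered]@{
                Folder   = $folder
                Name     = $item.Name
                SizeKB   = [math]::Round($item.Length / 1KB, 1)
                Modified = $item.LastWriteTime
                Kind     = if ($ext -eq '.lnk') { 'shortcut' } else { 'file' }
                Target   = $null
                TargetOk = $null
                Signer   = $null
                Product  = $null
                Flag     = ''
            }
            if ($ext -eq '.lnk') {
                $t = Resolve-ShortcutTarget -LnkPath $item.FullName
                $entry.Target   = $t.Target
                $entry.TargetOk = $t.TargetOk
                if (-not $t.TargetOk) { $entry.Flag = 'dangling shortcut target' }
            }
            elseif ($ext -in $execExt) {
                # A Startup folder should hold .lnk files; a real executable here is
                # worth a look regardless of what it turns out to be.
                $sig = Get-AuthenticodeSignature -FilePath $item.FullName
                $entry.Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
                $entry.Product = $item.VersionInfo.ProductName
                $entry.Flag    = "executable in Startup folder (signature: $($sig.Status))"
            }
            [pscustomobject]$entry
        }
    }
}

# Usage: inspect this machine, or another drive mounted as E:
Get-StartupTriage | Format-Table Name, Kind, SizeKB, Modified, TargetOk, Signer, Flag -AutoSize
# Get-StartupTriage -Root 'E:' | Format-Table Name, Kind, SizeKB, Modified, TargetOk, Signer, Flag -AutoSize
```

The `Flag` column is the point of the output: a shortcut reported as dangling tells you whether a "bad" shortcut is merely pointing at a path that no longer exists, and an executable entry shows its signer and product name without opening the Properties dialog that hung on the machine in the thread. Version info and a signature do not by themselves prove a file benign, but an unsigned executable with no product name in a Startup folder is exactly the sort of entry to compare against a known-clean machine, as JHM did by hand.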

johnb35

Administrator
Staff member
Reboot.exe has nothing to do with infections; it's actually part of Windows, MS-DOS and 3.1. If you look at the date, it says 2004. Not knowing what you have installed on these machines, it's probably part of the software installed.
 

JHM

banned
Thanks John, I guess the thing to do is move it from "Disabled Startup Items" to the "pss" folder. It sure doesn't belong in "All users\Start Menu\Startup".
 