Archived from groups: microsoft.public.windowsxp.security_admin (
More info?)
Thankyou, I'm trying this.
Medalist <borag@kocsistem.com.tr> wrote in message
news:AD07AECB-F74D-42DD-B922-B8C6C944B8C5@microsoft.com...
> The virus is a Trojan called 'Winshow'.
>
> Here is the fix...
> This problem is created by a trojan (VBS_Winshow.A, as Trend Micro refers
to
> it as)
>
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINSHOW
..A&VSect=T
>
> or adware as Symantec refers to it as.
>
>
http://securityresponse.symantec.com/avcenter/venc/data/adware.winshow.html
>
> This past weekend happens to be about the one month anniversary of its
> initial appearance; perhaps this is the reason why it the 'copy' error
> started showing up. On my machine, it looks like it first deposited itself
on
> 10/30/03. Its main impact for me was it would not allow multiple launches
of
> IE from the desktop icon, and it became impossible over the weekend to
synch
> my pda, HD MP3 player or use my multi-card reader, and impacted anything
else
> that was hooked up through my USB 2.0 card. IE session since the beginning
of
> November have seemed somewhat buggy; anything depending upon a plug-in
applet
> (like Java) took FOREVER to load. The 'copy' boot error does not show up
with
> every bootup or login, making it seem like the problem goes away.
>
> In 2000/XP, you need to search for the folders Winshow and Winlink,
usually
> deposited in C:\ Documents and Settings \ (user) \ Local Settings \
> Application Data, where (user) is whatever name you log into or use
XP/2000
> with. If you have them, you will need to delete eventually, but you'll
first
> have to delete the registry entries (if you don't, the trojan will simply
> recreate the folders with the next bootup). There probably is the file
> 'msupdater.exe' on your machine as well, this and the two folders have
been
> associated as a IE hijacker routine a number of people have reported on
the
> internet.
>
> Norton's WinDoctor can delete some of the registry entries (it did for me,
> but it didn't get everything), but you really need to use it or better
yet,
> use Hijack This, booted into Safe Mode (where the trojan isn't allowed to
> start before attempting to delete its components).
>
> For those who don't know, Hijack This is an anti-hijacking app is easy to
> find (and best of all, is free). You can find it on CNET and other places
to
> download. In my case, it came in a .zip file; within it was a .exe file
that
> launches Hijack This when clicked. It doesn't appear to install itself to
> Windows. Upon starting in Safe Mode, you should get a window; select Scan,
> and in a second or two you will get a listing of the processes that launch
on
> startup with your specific computer. Look for the Winlink and Winshow
entries
> (under BHO on my computer), click the tick boxes, and click Fix Check.
>
> Once done, you can reboot normally, go and find the the msupdater.exe
file,
> Winshow and Winlink folders and delete w/o them showing up again.
>
> To further clean up, you can go into the registry (with regedit, but only
if
> you know what you're doing in there), and search for both winlink and
> winshow; there may be remnants still lurking as there were on my computer.
If
> you find them, delete them; the trojan shouldn't be active at this point
so
> it shouldn't recreate them. NOTE: if you have multiple login user
identities
> on your machine, you may have to do this exercise for EACH one. If you're
> knowledgeable and brave enough, you can delete the registry entries in
Safe
> Mode also, without using Hijack This or any other app.
>