batch virus gone wrong add on

Microsoft Windows xp home edition
January 14, 2010 at 15:41:04
Specs: Windows XP
hello peoples,
this message is an extension of my previous question, which i suggest reading before reading this, or else you won't know what's going on
(see here):

anyways... after setting the regedit value SFC Disable to 1 (previously 0) i went to delete logon.scr. so, from command prompt i typed del %systemroot%\system32\logon.scr. before changing the regedit value it would say, "access denied". now it is able to delete logon.scr from cmd, but it is still coming back, even when deleted manually.

please help me.


January 14, 2010 at 17:15:50
This is a follow-on from my previous reply also here

You renamed Cmd.exe to Logon.scr so it seems Logon.scr was created with the same protections as Cmd.exe and a new version of Cmd.exe was copied to the System32 folder from the Protected Files cache.

If this has happened Logon.scr would have been recognized by WFP as not being included in the Protected Files cache and automatically copied to the cache. You now have Logon.scr in both the System32 folder and in the PF cache so that if you delete/rename/alter Logon.scr in System32 a new version will be automatically copied from the PF cache.

So what can you do now? My suggestion is to leave things alone. Having Logon.scr in either location is doing no harm whereas the alterations being made to the Registry may cause one or more headaches. Just hope that the system administrator (if that's not you) doesn't decide to investigate why alterations to the system are being made.

Anyone else care to advise please?


January 15, 2010 at 18:09:13
thanks for your help. the only reason that i care that admin doesn't see is because he already suspects something. seeing a command prompt against a screen of nothing after turning on the screen is gonna set him off for sure. so, instead of trying to delete it, is there a way i can set the system logon screensaver to go off after...say, a thousand minutes? that way i could truly forget about it.


January 16, 2010 at 13:07:00
You could try CP>Display>Screen Saver and increase the wait time there and it may be worth looking for the Cmd screensaver in the list of available screensavers and deleting it.

However, be aware that the renaming of a Protected System File will have been logged in the System Event Log and the administrator may be notified automatically at admin login that this has occurred.

The more you do the bigger the hole you may be digging...

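The administrator's side of this thread, as an added example that is not part of any post: a hash comparison that finds screensaver files whose content is identical to Cmd.exe, in both the system folder and the protected-files cache the replies describe. The function names are hypothetical, the `dllcache` subfolder name is an assumption (the thread only calls it the PF cache), and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_renamed_copies(system_dir, originals=("cmd.exe",), cache_subdir="dllcache"):
    """Return sorted (relative .scr path, original name) pairs with identical content.

    Scans system_dir and its cache_subdir (assumed name), because the thread
    describes the renamed file being restored from the protected-files cache.
    """
    system_dir = Path(system_dir)
    wanted = {n.lower() for n in originals}
    known = {}  # digest -> name of the original binary
    for p in system_dir.iterdir():
        if p.is_file() and p.name.lower() in wanted:
            known[sha256_of(p)] = p.name
    hits = []
    for folder in (system_dir, system_dir / cache_subdir):
        if not folder.is_dir():
            continue
        for p in folder.iterdir():
            if p.is_file() and p.suffix.lower() == ".scr":
                match = known.get(sha256_of(p))
                if match:
                    hits.append((p.relative_to(system_dir).as_posix(), match))
    return sorted(hits)

def demo():
    """Build a constructed stand-in for System32 and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "dllcache").mkdir()
        (root / "cmd.exe").write_bytes(b"MZ constructed shell bytes")
        (root / "logon.scr").write_bytes(b"MZ constructed shell bytes")
        (root / "dllcache" / "logon.scr").write_bytes(b"MZ constructed shell bytes")
        (root / "ssmarque.scr").write_bytes(b"MZ constructed screensaver bytes")
        return find_renamed_copies(root)

if __name__ == "__main__":
    for scr, original in demo():
        print(f"{scr} has the same content as {original}")
```

A match in the cache folder as well as the system folder corresponds to the state described in the second post, where deleting the System32 copy alone does not remove the file.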
