Solved batch virus gone wrong

Microsoft Windows xp home edition
January 8, 2010 at 16:02:11
Specs: Windows XP
Hi all,
Here's the story. My account privileges were threatened one day. Expecting the worst, I prepared to give myself some degree of control. So I looked up instructions for an unprotected cmd that would appear as a screen saver from the system login screen; then I could hack the admin account if things got worse. But the threat passed, so I deleted it. Next day I look in system32 and see another copy of it! I delete that and 5 seconds later a new one pops up! I believe it backed up the screensaver, because it's in the choose screensaver list, and also backed up command prompt. Please help me get rid of it for good! :(

Here's the basic idea of the script (might have been different):
mkdir temphack
copy logon.scr temphack\logon.scr
copy cmd.exe temphack\cmd.exe
del logon.scr
rename cmd.exe logon.scr

Additional info:
The original cmd.exe is still there and working.
I found the temphack folder and deleted it. It didn't come back.
logon.scr has the icon of cmd.exe.
logon.scr acts like a screensaver, with the same right-click menu options as one.
After changing the name to logons, a new one appeared called logon.
After deleting logons, a new logons did not appear.

Please help me!


January 8, 2010 at 16:44:15
✔ Best Answer
Cmd.exe is one of the Windows System Protected files and will be automatically replaced from the Protected Files cache if it is renamed, deleted or amended. It appears you have renamed Cmd.exe as Logon.scr which may have been created with the same protection as Cmd.exe and a new copy of Cmd.exe has been automatically written from the cache.

Attempting to delete/rename Windows System Protected files is fraught with many dangers.
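
An added example (not part of the original thread and not the answerer's code): a check a defender could run to confirm the situation the answer describes, flagging any .scr file in a directory whose contents are byte-identical to cmd.exe. The function names and the sample files are constructed for illustration; on a real system the directory argument would be the system32 folder.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_shell_screensavers(directory, shell_names=("cmd.exe",)):
    """Return sorted names of .scr files byte-identical to a shell binary."""
    wanted = {n.lower() for n in shell_names}
    shell_hashes, candidates = {}, []
    for entry in os.listdir(directory):
        path = os.path.join(directory, entry)
        if not os.path.isfile(path):
            continue
        lower = entry.lower()  # Windows file names are case-insensitive
        try:
            if lower in wanted:
                shell_hashes[sha256_of(path)] = entry
            elif lower.endswith(".scr"):
                candidates.append((entry, sha256_of(path)))
        except OSError:
            continue  # locked or unreadable file: skip rather than abort
    return sorted(name for name, digest in candidates if digest in shell_hashes)

def demo():
    """Constructed sample: small fake files standing in for system32 content."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "cmd.exe": b"MZ constructed shell bytes",
            "logon.scr": b"MZ constructed shell bytes",    # renamed copy of the shell
            "ssstars.scr": b"MZ constructed screensaver",  # ordinary screensaver
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return find_shell_screensavers(d)

if __name__ == "__main__":
    print(demo())
```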
