Found a strange process in the Task Manager.

Guest

Hello:
I have found a process that appears in the task manager when it is
initialized, but disappears in no time, it appears as SysFader, I don't know
if it is part of Windows or some kind of spyware, because I've seen it when I
have trouble with spyware or viruses in many computers. I hope you could help
me identifying this "process", No antivirus, nor anti spyware software has
detected it.
Thank You!

ATTE:
Luis Martínez Moreno
(e-mail address removed)
 
Luis said:
Hello:
I have found a process that appears in the task manager when it is
initialized, but disappears in no time, it appears as SysFader, I
don't know if it is part of Windows or some kind of spyware, because
I've seen it when I have trouble with spyware or viruses in many
computers. I hope you could help me identifying this "process", No
antivirus, nor anti spyware software has detected it.
Thank You!

ATTE:
Luis Martínez Moreno


http://www.google.com/
Search for:
what is SysFader
 
The virus is a Trojan called 'Winshow'.

Here is the fix...
This problem is created by a trojan (VBS_Winshow.A, as Trend Micro refers to
it as)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINSHOW.A&VSect=T

or adware as Symantec refers to it as.

http://securityresponse.symantec.com/avcenter/venc/data/adware.winshow.html

This past weekend happens to be about the one month anniversary of its
initial appearance; perhaps this is the reason why the 'copy' error
started showing up. On my machine, it looks like it first deposited itself on
10/30/03. Its main impact for me was it would not allow multiple launches of
IE from the desktop icon, and it became impossible over the weekend to synch
my pda, HD MP3 player or use my multi-card reader, and impacted anything else
that was hooked up through my USB 2.0 card. IE sessions since the beginning of
November have seemed somewhat buggy; anything depending upon a plug-in applet
(like Java) took FOREVER to load. The 'copy' boot error does not show up with
every bootup or login, making it seem like the problem goes away.

In 2000/XP, you need to search for the folders Winshow and Winlink, usually
deposited in C:\Documents and Settings\(user)\Local Settings\Application Data,
where (user) is whatever name you log into or use XP/2000
with. If you have them, you will need to delete eventually, but you'll first
have to delete the registry entries (if you don't, the trojan will simply
recreate the folders with the next bootup). There probably is the file
'msupdater.exe' on your machine as well, this and the two folders have been
associated as an IE hijacker routine a number of people have reported on the
internet.

Norton's WinDoctor can delete some of the registry entries (it did for me,
but it didn't get everything), but you really need to use it or better yet,
use Hijack This, booted into Safe Mode (where the trojan isn't allowed to
start before attempting to delete its components).

For those who don't know, Hijack This is an anti-hijacking app that is easy to
find (and best of all, is free). You can find it on CNET and other places to
download. In my case, it came in a .zip file; within it was a .exe file that
launches Hijack This when clicked. It doesn't appear to install itself to
Windows. Upon starting in Safe Mode, you should get a window; select Scan,
and in a second or two you will get a listing of the processes that launch on
startup with your specific computer. Look for the Winlink and Winshow entries
(under BHO on my computer), click the tick boxes, and click Fix Check.

Once done, you can reboot normally, go and find the msupdater.exe file,
Winshow and Winlink folders and delete w/o them showing up again.

To further clean up, you can go into the registry (with regedit, but only if
you know what you're doing in there), and search for both winlink and
winshow; there may be remnants still lurking as there were on my computer. If
you find them, delete them; the trojan shouldn't be active at this point so
it shouldn't recreate them. NOTE: if you have multiple login user identities
on your machine, you may have to do this exercise for EACH one. If you're
knowledgeable and brave enough, you can delete the registry entries in Safe
Mode also, without using Hijack This or any other app.
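
The checks described in the post above, as an added read-only PowerShell audit that is not part of the original post: it walks every profile for the Winshow and Winlink folders and msupdater.exe, then lists matching BHO registrations. The `-ProfileRoot` parameter, the helper function names and the Run-key check are assumptions; the post itself names only the BHO section.

```powershell
# Added example: read-only audit; nothing is deleted or modified.
param(
    # Assumption: 2000/XP profile root; point it at a mounted disk image to check offline.
    [string]$ProfileRoot = 'C:\Documents and Settings'
)
$folderNames = 'Winshow', 'Winlink'            # folder names given in the post
$fileName    = 'msupdater.exe'                 # file name given in the post
$pattern     = 'winshow|winlink|msupdater'     # -match is case-insensitive

function New-Finding($Kind, $Owner, $Detail) {
    New-Object PSObject -Property @{ Kind = $Kind; Owner = $Owner; Detail = $Detail }
}

function Find-ProfileArtifacts([string]$Root) {
    # Every login identity can carry its own copy, so walk all profiles.
    foreach ($p in Get-ChildItem -LiteralPath $Root -Force | Where-Object { $_.PSIsContainer }) {
        $appData = Join-Path $p.FullName 'Local Settings\Application Data'
        foreach ($name in $folderNames) {
            $dir = Join-Path $appData $name
            if (Test-Path -LiteralPath $dir) { New-Finding 'Folder' $p.Name $dir }
        }
        Get-ChildItem -LiteralPath $p.FullName -Recurse -Force -Filter $fileName -ErrorAction SilentlyContinue |
            ForEach-Object { New-Finding 'File' $p.Name $_.FullName }
    }
}

function Find-BhoEntries {
    # Browser Helper Objects are registered by CLSID; resolve each one to its DLL path.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $bho)) { return }
    foreach ($k in Get-ChildItem -LiteralPath $bho) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($k.PSChildName)\InprocServer32"
        $dll = if (Test-Path -LiteralPath $srv) { (Get-Item -LiteralPath $srv).GetValue('') }
        if ("$($k.PSChildName) $dll" -match $pattern) { New-Finding 'BHO' $k.PSChildName $dll }
    }
}

function Find-RunEntries {
    # Assumption: the post does not say which keys relaunch the trojan; Run keys are a common place.
    foreach ($path in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                      'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($n in $key.GetValueNames()) {
            if ("$n $($key.GetValue($n))" -match $pattern) { New-Finding 'Run' $path "$n = $($key.GetValue($n))" }
        }
    }
}
@(Find-ProfileArtifacts $ProfileRoot) + @(Find-BhoEntries) + @(Find-RunEntries) |
    Format-Table Kind, Owner, Detail -AutoSize
```

The HKCU check covers only the account running the script, so repeat it under each login, matching the post's note about multiple user identities.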
 
Thank you, I'm trying this.

Medalist said:
The virus is a Trojan called 'Winshow'.

Here is the fix...
This problem is created by a trojan (VBS_Winshow.A, as Trend Micro refers to
it as)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINSHOW.A&VSect=T

or adware as Symantec refers to it as.

http://securityresponse.symantec.com/avcenter/venc/data/adware.winshow.html

This past weekend happens to be about the one month anniversary of its
initial appearance; perhaps this is the reason why the 'copy' error
started showing up. On my machine, it looks like it first deposited itself on
10/30/03. Its main impact for me was it would not allow multiple launches of
IE from the desktop icon, and it became impossible over the weekend to synch
my pda, HD MP3 player or use my multi-card reader, and impacted anything else
that was hooked up through my USB 2.0 card. IE sessions since the beginning of
November have seemed somewhat buggy; anything depending upon a plug-in applet
(like Java) took FOREVER to load. The 'copy' boot error does not show up with
every bootup or login, making it seem like the problem goes away.

In 2000/XP, you need to search for the folders Winshow and Winlink, usually
deposited in C:\Documents and Settings\(user)\Local Settings\Application Data,
where (user) is whatever name you log into or use XP/2000
with. If you have them, you will need to delete eventually, but you'll first
have to delete the registry entries (if you don't, the trojan will simply
recreate the folders with the next bootup). There probably is the file
'msupdater.exe' on your machine as well, this and the two folders have been
associated as an IE hijacker routine a number of people have reported on the
internet.

Norton's WinDoctor can delete some of the registry entries (it did for me,
but it didn't get everything), but you really need to use it or better yet,
use Hijack This, booted into Safe Mode (where the trojan isn't allowed to
start before attempting to delete its components).

For those who don't know, Hijack This is an anti-hijacking app that is easy to
find (and best of all, is free). You can find it on CNET and other places to
download. In my case, it came in a .zip file; within it was a .exe file that
launches Hijack This when clicked. It doesn't appear to install itself to
Windows. Upon starting in Safe Mode, you should get a window; select Scan,
and in a second or two you will get a listing of the processes that launch on
startup with your specific computer. Look for the Winlink and Winshow entries
(under BHO on my computer), click the tick boxes, and click Fix Check.

Once done, you can reboot normally, go and find the msupdater.exe file,
Winshow and Winlink folders and delete w/o them showing up again.

To further clean up, you can go into the registry (with regedit, but only if
you know what you're doing in there), and search for both winlink and
winshow; there may be remnants still lurking as there were on my computer. If
you find them, delete them; the trojan shouldn't be active at this point so
it shouldn't recreate them. NOTE: if you have multiple login user identities
on your machine, you may have to do this exercise for EACH one. If you're
knowledgeable and brave enough, you can delete the registry entries in Safe
Mode also, without using Hijack This or any other app.
 