A very "touchy" file

Tom Del Rosso

On a Win2k machine (upgrade install) this file is in the root folder:

os581474.bin

The few Google references suggest that it has to do with trial-ware, but
I can't think of any trial-ware that was installed on this machine.

What makes it so "touchy" is that all I have to do is single click on it
and there is an immediate reboot. It goes straight to the POST with no
BSOD or brief flash or anything. It happens the same way if I use the
keyboard arrows to highlight successive files, or if I use the mouse to
box a group of files. As soon as that one is highlighted, it reboots.
It behaves the same if I'm logged in as administrator or restricted
user. It reboots too fast to use filemon to see what happened.

My only guess is that Windows is reading file properties to put in the
little pop-up description, and something doesn't like that.

But what?
 
Pegasus (MVP)

Tom Del Rosso said:
On a Win2k machine (upgrade install) this file is in the root folder:

os581474.bin

The few Google references suggest that it has to do with trial-ware, but
I can't think of any trial-ware that was installed on this machine.

What makes it so "touchy" is that all I have to do is single click on it
and there is an immediate reboot. It goes straight to the POST with no
BSOD or brief flash or anything. It happens the same way if I use the
keyboard arrows to highlight successive files, or if I use the mouse to
box a group of files. As soon as that one is highlighted, it reboots.
It behaves the same if I'm logged in as administrator or restricted
user. It reboots too fast to use filemon to see what happened.

My only guess is that Windows is reading file properties to put in the
little pop-up description, and something doesn't like that.

But what?

- Boot in Safe Mode, then rename the file.
- Scan your PC with an external virus scanner,
e.g. on www.antivirus.com ("free online scan").
 
Tom Del Rosso

In Pegasus (MVP) typed:
- Boot in Safe Mode, then rename the file.

Yeah, I thought of that, and that seems to have no effect. The file
must be used by some active process, but I tried a lot of apps while the
file had a different name and nothing complained. Also, Task Manager
shows the same number of processes running (in normal mode) with the
file renamed or not, so renaming it doesn't prevent any process from
running.

After renaming it in safe mode command prompt and then rebooting in
normal mode, in addition to the aforementioned observations, FileMon
shows no access to this file even when I run all the major apps. If I
highlight the file it reboots too fast to see anything in FileMon.

Also, if I try to restore the original name while in normal mode, it
reboots as soon as I hit enter on the rename. Then when I boot in safe
mode it shows the file has not been restored to the original name.

- Scan your PC with an external virus scanner,
e.g. on www.antivirus.com ("free online scan").

Nothing there either. No viruses.
 
Tom Del Rosso

In Tom Del Rosso typed:
After renaming it in safe mode command prompt and then rebooting in
normal mode, in addition to the aforementioned observations, FileMon
shows no access to this file even when I run all the major apps. If I
highlight the file it reboots too fast to see anything in FileMon.

I meant to say that FileMon shows no access to the file in normal mode
*before* I renamed it.
 
Pegasus (MVP)

Tom Del Rosso said:
In Pegasus (MVP) typed:

Yeah, I thought of that, and that seems to have no effect. The file
must be used by some active process, but I tried a lot of apps while the
file had a different name and nothing complained. Also, Task Manager
shows the same number of processes running (in normal mode) with the
file renamed or not, so renaming it doesn't prevent any process from
running.

After renaming it in safe mode command prompt and then rebooting in
normal mode, in addition to the aforementioned observations, FileMon
shows no access to this file even when I run all the major apps. If I
highlight the file it reboots too fast to see anything in FileMon.

Also, if I try to restore the original name while in normal mode, it
reboots as soon as I hit enter on the rename. Then when I boot in safe
mode it shows the file has not been restored to the original name.



Nothing there either. No viruses.

- Delete the file while in Safe Mode.
- Run chkdsk /f c: under a Command Prompt.
 
Tom Del Rosso

In Pegasus (MVP) typed:
- Delete the file while in Safe Mode.

I left it renamed. I didn't want to delete it until I knew what it was
for. What do you think about leaving it that way for a week to see if
it affects anything?

This is the only Google hit (a cracker site).
http://66.98.132.48/krobar/tutlist/tutlist1620.htm

- Run chkdsk /f c: under a Command Prompt.

I've done that each time it rebooted spontaneously, and once while it
was renamed. Do you mean specifically to do this after deleting it?
 
Pegasus (MVP)

Tom Del Rosso said:
In Pegasus (MVP) typed:

I left it renamed. I didn't want to delete it until I knew what it was
for. What do you think about leaving it that way for a week to see if
it affects anything?

This is the only Google hit (a cracker site).
http://66.98.132.48/krobar/tutlist/tutlist1620.htm



I've done that each time it rebooted spontaneously, and once while it
was renamed. Do you mean specifically to do this after deleting it?

- I don't use NAV, with good reason: Too many problems!
- If I was forced to use NAV then I would delete the file immediately,
then re-install NAV if necessary.
- All my PCs have two drives (C:, D:), so it would be easy for me to move
the file to a different drive in order to neutralise it.
- As an alternative, I would temporarily install an old disk (e.g. 2 GBytes)
as a slave disk, then move the file onto it in order not to lose it,
then run chkdsk c: /f. NAV appears to have done something very
strange.
- I would also check the registry for traces of this file name.
 
Tom Del Rosso

Pegasus (MVP) said:
- I don't use NAV, with good reason: Too many problems!

It always follows success. McAfee went bad so everybody got NAV,
then.... But I don't like depending on free AV. They could stop
supplying updates at any time, and then what do I do with all the
systems I installed it on.

But this file is not on other systems with the same version of NAV.
That website says it is connected with VBOX, or maybe with the generic
trialware timer VBOX uses.

- I would also check the registry for traces of this file name.

Forgot to mention that I did search the registry and the only references
were in the MRU search keys. I also searched within all files and the
only one that contains the name is IMAGE.DAT which has the names of all
files in the root.

Symantec's website doesn't mention it, and there are a few mentions on
usenet where somebody posted his root directory listing.
 
Vance Green

Perhaps you already mentioned this and I missed it,
but I've had some luck with deleting problematic crap
over the network when nobody is logged in (i.e. machine
is booted and at logon screen).

Is this machine networked?
 
Tom Del Rosso

Vance Green said:
Perhaps you already mentioned this and I missed it,
but I've had some luck with deleting problematic crap
over the network when nobody is logged in (i.e. machine
is booted and at logon screen).

Is this machine networked?

No, but I haven't tried to delete it because I didn't know what put it
there. I can rename it in safe mode so I can probably delete it too.

For now I'll leave it renamed and move it to a folder. Eventually I'll
wipe that machine and reinstall everything.
 
Dan Seur

Tom - my google for
"os581474.bin" (with the quotes)
turns up only one hit, which may clear this up for you. For some reason,
I can't copy/paste the actual URL from Netscape 7.1 to my antique
Eudora, or I'd make it easier for you. Pls post back in this thread if
this solves your problem - :)
 
Tom Del Rosso

Dan Seur said:
Tom - my google for
"os581474.bin" (with the quotes)
turns up only one hit, which may clear this up for you. For some reason,
I can't copy/paste the actual URL from Netscape 7.1 to my antique
Eudora, or I'd make it easier for you. Pls post back in this thread if
this solves your problem - :)

I saw that page. Looks like a cracker wrote it. I still don't know
what program put the file there, because that page says it is part of a
trial-ware timer, and the machine in question has no trial-ware that I
can see. There are also references to NAV, but the NAV installed was
never a trial version.

I find many references to VBOX, but there are different products by that
name, like a music/video program which isn't on the target machine. He
implies that it is also the name of a generic trial-ware timing product
used by NAV.
 
Enkidu

I saw that page. Looks like a cracker wrote it. I still don't know
what program put the file there, because that page says it is part of a
trial-ware timer, and the machine in question has no trial-ware that I
can see. There are also references to NAV, but the NAV installed was
never a trial version.
Have you ever upgraded the BIOS of the MB or any other device?
Sometimes the image file is called osxxxxxxxx.bin or awbxxxxxxx.bin.
 
Tom Del Rosso

In Enkidu typed:
Have you ever upgraded the BIOS of the MB or any other device?
Sometimes the image file is called osxxxxxxxx.bin or awbxxxxxxx.bin.

I don't think so, but thanks for pointing that out. It seems to me the
file must be used by some active process since it reacts when I touch
it.
 
Vance Green

Tom Del Rosso said:
In Enkidu typed:

I don't think so, but thanks for pointing that out. It seems to me the
file must be used by some active process since it reacts when I touch
it.

That being the case, the "expired trialware" theory seems
pretty good...it'd always be checking-
 
Tom Del Rosso

In Vance Green typed:
That being the case, the "expired trialware" theory seems
pretty good...it'd always be checking-

That makes sense, but...

...filemon says nothing is looking at that file in any way. Mysterious.
 
Enkidu

In Vance Green typed:

That makes sense, but...

...filemon says nothing is looking at that file in any way. Mysterious.
You could open it with a hex/text editor and see what it contains. It
may contain strings which might give you a clue.

Cheers,

Cliff
 
Tom Del Rosso

In Enkidu typed:
You could open it with a hex/text editor and see what it contains. It
may contain strings which might give you a clue.

No, it's just 500 binary bytes. I took a glance at a disassembly but
didn't examine it in depth.

It must have come with this VBOX trialware thing. I found a dll in the
Norton Utilities folder, and a couple of other files, that have the
letters "vbox" embedded in their names.

The mystery is how reading it causes a reboot. It's probably peculiar
to the case of Win2k installed as an upgrade, and an old version of NAV
that was there in the past. The newer NAV that now runs on it might be
crashing when it tries to do an auto-scan of the file.

Thanks all, for your interest in this puzzle. :)
 
John Herbster

Tom Del Rosso said:
On a Win2k machine ... this file is in the root folder:
os581474.bin ...
[a] single click on it and there is an immediate reboot.

Perhaps the problem is not with the file but rather
with what you have the "file association" set to do
when it sees a file with the file's extension. Is
"BIN" the real extension? What do you have the
BIN association set to do? Do you have other
files with the same extension? Do they cause the
same problem? Regards, JohnH
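A small triage script, added here and not part of the thread, that does offline what two of the replies above suggest: Enkidu's look at the file with a hex editor for strings, and John Herbster's check of what the shell has associated with the .bin extension. The function names (extract_strings, resolve_extension, triage), the FakeRegistry with its "binfile" ProgID and the sample bytes are constructed for the example; WinRegistry reads the live HKEY_CLASSES_ROOT through Python's winreg module when the script is run on Windows.

```python
import hashlib
import os
import re
import sys


def file_hashes(data: bytes) -> dict:
    """Hashes to look up in vendor or AV databases before touching the file further."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 4):
    """Printable runs of at least min_len characters, ASCII and UTF-16LE
    (Windows binaries often carry wide strings a plain ASCII scan misses)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.decode("ascii") for m in ascii_re.findall(data)]
    wide_strings = [m.decode("utf-16-le") for m in wide_re.findall(data)]
    return ascii_strings, wide_strings


def resolve_extension(ext: str, registry) -> dict:
    """Walk the association chain HKCR\\<ext> -> ProgID -> shell\\open\\command
    and list ShellEx handler subkeys under both keys. Some of those handlers
    (info-tip, icon) run when Explorer merely displays or hovers the file, so
    they matter when a single click is enough to trigger the problem.
    `registry` must provide default(subkey) and subkeys(subkey)."""
    progid = registry.default(ext)
    open_cmd = registry.default(progid + "\\shell\\open\\command") if progid else None
    handlers = []
    for base in [ext] + ([progid] if progid else []):
        for name in registry.subkeys(base + "\\ShellEx"):
            handlers.append(base + "\\ShellEx\\" + name)
    return {"ext": ext, "progid": progid, "open_command": open_cmd, "shellex": handlers}


class WinRegistry:
    """Live HKEY_CLASSES_ROOT reader; winreg exists only on Windows."""

    def __init__(self):
        import winreg
        self.wr = winreg

    def default(self, subkey):
        try:
            with self.wr.OpenKey(self.wr.HKEY_CLASSES_ROOT, subkey) as key:
                return self.wr.QueryValueEx(key, "")[0]
        except OSError:  # key missing or no default value set
            return None

    def subkeys(self, subkey):
        names = []
        try:
            with self.wr.OpenKey(self.wr.HKEY_CLASSES_ROOT, subkey) as key:
                while True:  # EnumKey raises OSError once the index runs out
                    names.append(self.wr.EnumKey(key, len(names)))
        except OSError:
            pass
        return names


class FakeRegistry:
    """Constructed stand-in so the example runs offline on any platform."""

    def __init__(self, defaults, children):
        self.defaults = {k.lower(): v for k, v in defaults.items()}
        self.children = {k.lower(): v for k, v in children.items()}

    def default(self, subkey):
        return self.defaults.get(subkey.lower())

    def subkeys(self, subkey):
        return self.children.get(subkey.lower(), [])


# Constructed sample: an ASCII tag, a UTF-16LE word and a short ASCII tail.
SAMPLE_BYTES = (b"\x00\x01VBOX\x00\xff\x7f" + "Hello".encode("utf-16-le")
                + b"\x00\x00\x90\x90os58\x00")
# Constructed association: a "binfile" ProgID and one property-sheet handler.
SAMPLE_REGISTRY = FakeRegistry(
    defaults={".bin": "binfile",
              "binfile\\shell\\open\\command": '"C:\\Example\\viewer.exe" "%1"'},
    children={".bin\\ShellEx": ["PropertySheetHandlers"]},
)


def triage(data: bytes, ext: str, registry=None) -> dict:
    """Combine hashes, strings and (when a registry reader is given) association."""
    ascii_s, wide_s = extract_strings(data)
    report = {"size": len(data), **file_hashes(data),
              "ascii_strings": ascii_s, "utf16_strings": wide_s}
    report["association"] = resolve_extension(ext, registry) if registry else None
    return report


if __name__ == "__main__":
    # Usage: python triage.py <path>; with no path the constructed sample is used.
    # The file is read directly, never opened through Explorer.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        ext = os.path.splitext(sys.argv[1])[1]
        reg = WinRegistry() if sys.platform == "win32" else None
    else:
        blob, ext, reg = SAMPLE_BYTES, ".bin", SAMPLE_REGISTRY
    for key, value in triage(blob, ext, reg).items():
        print(f"{key}: {value}")
```

Run it against a copy of the renamed file rather than the original so Explorer never has to render the item; the association output tells you whether anything beyond the default "unknown file" handling is registered for the extension, which answers John's question without selecting the file.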
 
