
Solved Missing .exe's all over the place

Discussion in 'Malware and Virus Removal Archive' started by pippopottomus, 2007/10/29.

  1. 2007/10/29
    pippopottomus

    pippopottomus Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    125
    Likes Received:
    0
    [Resolved] Missing .exe's all over the place

    First let me apologize to NOAHDFEAR for never getting back about my last post/thread (67039) and closing the thread... God and a few good doctors have determined that I should stick around and continue to make life interesting for all.

    In my absence, my Dear Wife reported that the computer was "acting strangely" and that when I came home I could see what the problem was... so, now that I can once again access the third floor (where the router/modem and the "computer acting strangely" are) I went this AM to look it over...

    "Strangely" is a misnomer of large proportion. Seems that OAO 10/01 almost ALL the exe files for most of the programs I have on the computer, as well as quite a few contained within WINDOWS 98SE (both computers run it) were removed (removed, not corrupted) from their folders on the "upstairs" unit, but NOT from the "downstairs" unit.

    All the AV programmes (AVG - Spybot - SpywareBlaster - AdAware), as well as most other programmes (Verizon DSL, Internet Explorer, winipconfig) have disappeared. I tried using EXEFIX08 but it tells me there's a bad 'switch' and closes out without doing anything.

    So... hat in hand, here I am again.

    I'm sure I must have picked up something, but I can't see anything in Hijack out of the ordinary, Kaspersky gives me a clean bill and I'm at a loss.

    What info can I send to help you figure this out for me?
     
  2. 2007/10/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi pip!

    Removed? As in completely gone? Not even in the recycle bin?

    My first suggestion would be to grab a program like Restoration and see if any of those files are recoverable. Note: Restoration can and should be saved to and run from a floppy disk. The least amount of data written to the hard drive prior to attempting recovery the better. Deleted files are seen as free space and can be quickly overwritten with new data.
     

  4. 2007/10/29
    frayedknotarts Lifetime Subscription

    frayedknotarts Well-Known Member

    Joined:
    2006/08/12
    Messages:
    455
    Likes Received:
    4
    Noah: frayedknots is the signon for the (upstairs) computer: Pippopottomus is the (downstairs) box... sorry. Still me.

    No joy on RESTORATION: d/l and unzipped to a floppy and tried to run it but got a 'program has performed an illegal operation and will be shut down' box.

    And, yeh, like really gone. Nothing turns up, either in the recycle bin, by using the 'find files' function or by just exploring the directories.

    An interesting thing; Verizon.exe is usually found in C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe and, indeed, is so shown in the hijack log attached, but looking in C:\Program Files\Verizon Online\VOLSW\ shows no instance of Verizon online.exe.

    I had to reinstall AVG and AdAware, was going to put Spyware Blaster and Spybot back in but decided to wait until I got some advice on what the (censored) happened.

    Internet connexion is OK thru router.

    ZoneAlarm is still working from the Systray but not from the desktop shortcut icon.

    Firefox works from both SysTray and desktop icons, as do Word and Excel, but so far those, Java and WinZip are the only ones operable.... everything else seems to have gone to Poughkeepsie for the toenail races.

    Here's the HijackThis log, more to show the existence of Verizon than anything else:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:21:36 PM, on 10/29/07
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\SMARTBRIDGE\MOTIVESB.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\USBSTORAGE\USBDETECTOR.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: WaveHelper Class - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMon32.exe "
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe "
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK6200dm.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\PROGRAM FILES\VERIZON ONLINE\CONTROLPAD\Misc\a_menu.exe (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/1freemine_scecab_151.197.56.80.57010553821077266_887683.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.197.0.39,151.197.0.38,192.168.1.1
     
    Last edited: 2007/10/29
  5. 2007/10/29
    frayedknotarts Lifetime Subscription

    frayedknotarts Well-Known Member

    Joined:
    2006/08/12
    Messages:
    455
    Likes Received:
    4
    Additional fun:

    Had to restart the computer (AVG updated itself) and while in DOS I got a message that the following file is located either in windows registry or SYS.INI: (C:\PROGRA~1\SYMANTEc\SYMVENT.386)

    Unless I'm mistaken, that's something from Symantec's Antivirus, which I thought I had deleted some time back and replaced with AVG...

    Also, once Windows restarts (and my password no longer enters itself automatically, such a bother!) I get a box that Windows is searching for GrpConv.exe... that one foxes me completely.

    Gremlins?
     
  6. 2007/10/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Just for kicks (OK, I'd like to know if it works :rolleyes: ) since it's small, place the extracted Restoration file on the desktop and try running it again.

    Did you check the AVG quarantined files for the missing files?

    Do check sys.ini for a Symantec entry. Hmmm, is it Start>Run and type sysedit (been a while since I played with 98)?

    GrpConv.exe
    Could it apply to anything you've done or know of that might have been done?
     
  7. 2007/10/30
    frayedknotarts Lifetime Subscription

    frayedknotarts Well-Known Member

    Joined:
    2006/08/12
    Messages:
    455
    Likes Received:
    4
    EUREKA!

    Found all the missing .exe's in AVG's virus vault, but they're all showing as infected by WIN32/Gaelicum.A (whatever that is), so what do I do now? (Includes GRPCONV.EXE)

    I did unzip (per instr) REST2514 to a folder on the desktop and tried to run the program from there with the same results: "Program has offended the Windows Gods and will now close."

    As for the "Missing File" on startup, I checked in SYSEDIT and can't find any reference to NORTON at all, but I may be just missing it. Here's a copy of WIN.INI; note the REM'd-out SPEEDY.PIF and the NORUN scrsvr.exe lines! (Yeek?) Nothing in SYS.INI, either.

    [windows]
    load=
    NullPort=None
    norun=hpfsched,c:\windows\scrsvr.exe
    ;rem TShoot: run=C:\WINDOWS\SPEEDY.PIFc:\windows\speedy.pif

    run=
    device=PDF reDirect v2,ADOBEPS4,PDF_REDIRECT_PORT:

    [Desktop]
    Wallpaper=C:\WINDOWS\CLOUDS.BMP
    TileWallpaper=0
    WallpaperStyle=2

    [intl]
    iCountry=1
    ICurrDigits=2
    iCurrency=0
    iDate=0
    iDigits=2
    iLZero=1
    iMeasure=1
    iNegCurr=0
    iTime=0
    iTLZero=0
    s1159=AM
    s2359=PM
    sCountry=United States
    sCurrency=$
    sDate=/
    sDecimal=.
    sLanguage=enu
    sList=,
    sLongDate=dddd, MMMM dd, yyyy
    sShortDate=M/d/yy
    sThousand=,
    sTime=:

    [Fonts]

    [Compatibility]
    _3DPC=0x00400000
    _BNOTES=0x224000
    _LNOTES=0x00100000
    ACAD=0x8000
    ACT!=0x400004
    ACROBAT=0x04000000
    AD=0x10000000
    ADW30=0x10000000
    ALARMMGR=0x0040000
    ALDSETUP=0x00400000
    AMIPRINT=0x04000000
    AMIPRO=0x04000010
    APORIA=0x0100
    APPROACH=0x0004
    BALER=0x08000000
    BMAPP=0x0004
    CASMONEY=0x00200000
    CAVOIDE=0x00200000
    CCMAIL=0x00200000
    CCMCWFY=0x80
    CHARISMA=0x2000
    CONFIG=0x00400000
    CORELDRW=0x48000
    CORELPNT=0x08000000
    COSTAR=0x0004
    CP=0x0040
    CROSSTIE=0x00000400
    DARCH=0x80
    DESIGNER=0x00002000
    DIRECTOR=0x00800000
    DPLANNER=0x00200000
    DRAW=0x2000
    DS40=0x8000
    DTWIN20=0x00000400
    EAP=0x0004
    ED=0x00010000
    EXCEL=0x1000
    EXPASTRO=0x04000000
    EXTYPWND=0x00200000
    FAXVIEW=0x04000000
    FAXWORKS=0x00000400
    FH4=0x00E08000
    FLW2=0x8000
    FMPRO=0x00200000
    FREEHAND=0x8000
    FULLTEXT=0x20000000
    GIFTMAKE=0x20000000
    GUIDE=0x1000
    HDW=0x04800000
    HGW=0x8000
    HGW2EXE=0x8000
    HGW3EXE=0x8000
    HJDRAW=0x00400000
    IDAPICFG=0x00400000
    IDRAW=0x04008000
    ILLUSTRATOR=0x8000
    IMPROV2=0x00000000
    INFOCENT=0x04000000
    INSIGHT=0x00000400
    INSTAL1=0x00400000
    INSTALL=0x00400000
    INTERMIS=0x10000000
    IS20INST=0x00000000
    IVIHEALT=0x00400000
    JEOPARDY=0x00200000
    JW=0x00000000
    KALOAD2=0x00400000
    KEYCAD=0x8000
    LE_ADMIN=0x00400000
    LUI=0x20000000
    MAILSPL=0x10000000
    MAKER=0x00200000
    MAPS1=0x04008022
    MATH=0x00000001
    MAVIS=0x00200000
    MCOURIER=0x0800
    MFWIN20=0x02000000
    MILESV3=0x1000
    MILESV40=0x4
    MOZART=0x40000000
    MSARTIST=0x00100000
    MSBHUMAN=0x4
    MSREMIND=0x10000000
    MVIEWER2=0x40200000
    MYINV=0x00200000
    MYST=0x08000000
    NAFTA1=0x4008022
    NBAMW4V4=0x04000000
    NETSET2=0x0100
    NOTES=0x200000
    NOTSHELL=0x0001
    OPERATOR=0x02000000
    OUTPOST=0x00000000
    OWLAPP=0x00400000
    PACKRAT=0x0800
    PAINTER=0x00000000
    PAWC8DC3=0x00400000
    PAWIN=0x4
    PEACHW=0x04800004
    PIXIE=0x0040
    PLANIT=0x0004
    PLANNER=0x2000
    PLUS=0x1000
    PM4=0xA000
    PM5APP=0x8000
    PP4=0x00000000
    PR2=0x2000
    PRINTHLP=0x0004
    QAPLUSW=0x0004
    QLIIFAX=0x00400000
    QUAKE=0x80
    QW=0x08000000
    RELAY=0x20000000
    REM=0x8022
    RR2CD=0x00200000
    RX=0x00000400
    RXL=0x00000400
    SETUP=0x00000000
    SIDEKICK=0x0004
    SLEEPER=0x10000000
    SOL=0x00400000
    SPCB=0x04008000
    SPORTJEP=0x00200000
    SPWIN20=0x00400000
    ST2=0x4008022
    STRAUSS=0x40000000
    STRAV=0x40000000
    SCHUBERT=0x40000000
    SSBWIN=0x00200000
    SWCWIN=0x00800004
    TCVWIN=0x00200000
    TCW=0x00400000
    TCWIN=0x0004
    TERRAIN=0x00400000
    TISETUP=0x00200000
    TL6=0x08000000
    TME=0x0100
    TMSWIN=0x20000000
    TMTWIN=0x00200000
    TMTWINCD=0x00200000
    TOUCHUP=0x00400000
    TURBOTAX=0x00080000
    VB=0x0200
    VEWINFIL=0x00400000
    VISIO=0x00000004
    VISIOHM=0x00000004
    VISION=0x0040
    W4GL=0x4000
    W4GLR=0x4000
    WGW=0x00440000
    WIN2WRS=0x1210
    WINCIM=0x4
    WINLINK=0x20000000
    WINPHONE=0x0004
    WINSIM=0x2000
    WINTACH=0x00200000
    WORDSCAN=0x02200000
    WPWINFIL=0x00000006
    WPWIN60=0x00000400
    WPWIN61=0x02000400
    WSETUP=0x00200000
    XPRESS=0x00000008
    ZETA01=0x00400000
    ZIFFBOOK=0x00200000
    NOTIFIER=0x400000

    [Compatibility32]
    CLWORKS=0x00A00000
    MCAD=0x00600000
    PHOTOSHP=0x00208000
    PODW=0x00200000
    SPSSWIN=0x00200000
    TYPSTRY2=0x00200000
    V32VM20=0x02000000
    VISIO=0x00000000
    VISIOHM=0x00000000
    WINPHONE=0x00000004
    WRDART32=0x00400000
    SHELL=0x80000000
    USTATION=0x80000000

    [Compatibility95]
    CHAOS OV=0x80000000
    CONF=0x00000002
    MSDEV=0x00000002
    IMAGE32=0x80000000
    INST32=0x80000000

    [ModuleCompatibility]
    ACEROOBE=0x0004
    AIRNFM=0x0002
    ALDNCD=0x0002
    AMRES=0x0002
    ATM=0x0002
    ARCHANGEL=0x0002
    CSNOV=0x0002
    DEFDEMO=0x0002
    DIBWND=0x0002
    DIB=0x0002
    DS=0x0001
    EMLIB=0x0002
    EMSAVE=0x0002
    FH4=0x0002
    GEDIT=0x0002
    GEORGE=0x0002
    GVBSETUP=0x0002
    HRWCD=0x0002
    ISLFAXPR=0x0002
    KIDDESK=0x0002
    KIDSTYPE=0x0000
    KNPS=0x0002
    LIONKING=0x0002
    MAUI_DRV=0x0002
    MGXWMF=0x0002
    MEMMAP=0x0002
    MSARTIST=0x0002
    MSCRWRTR=0x0002
    MSCUISTF=0x0001
    MVIEWER2=0x0002
    MWAVSCAN=0x0002
    MYINV=0x0002
    OLESVR=0x0002
    PDOXWIN=0x0002
    PLANIT=0x0002
    PP3=0x0002
    PP4=0x0002
    PPPP=0x0002
    PXDSRV2=0x0002
    REVIEWRT=0x0002
    ROULETTE=0x0002
    RRIRJ=0x0002
    RR1=0x0002
    RR2CD=0x0002
    STL_DLG=0x0002
    TECO=0x0001
    TER=0x0002
    TLW0LOC=0x0002
    TMSWIN=0x0002
    USA=0x0002
    VOICE=0x0002
    WFXVIEW=0x0004
    WINFORM=0x0002
    WPWIN61=0x0002

    [TrueType]
    FontSmoothing=0

    [mci extensions]
    mid=Sequencer
    rmi=Sequencer
    wav=waveaudio
    avi=AVIVideo
    cda=CDAudio
    aif=MPEGVideo
    aifc=MPEGVideo
    aiff=MPEGVideo
    au=MPEGVideo
    m1v=MPEGVideo
    m3u=MPEGVideo
    midi=Sequencer
    mov=MPEGVideo
    mp2=MPEGVideo
    mp3=MPEGVideo
    mpa=MPEGVideo
    mpe=MPEGVideo
    mpeg=MPEGVideo
    mpg=MPEGVideo
    mpv2=MPEGVideo
    qt=MPEGVideo
    snd=MPEGVideo
    asf=MPEGVideo2
    asx=MPEGVideo2
    ivf=MPEGVideo2
    lsf=MPEGVideo2
    lsx=MPEGVideo2
    mp2v=MPEGVideo
    wax=MPEGVideo2
    wvx=MPEGVideo2
    wm=MPEGVideo2
    wma=MPEGVideo2
    wmv=MPEGVideo2

    [MCICompatibility]
    QTWVideo=0x0001
    MCIXSND=0x0001
    GDAnim=0x0001

    [mciavi]

    [Desktop_Shell]
    Current=Win

    [Pscript.Drv]
    ATMWorkaround=0

    [Ports]
    LPT1:=
    LPT2:=
    LPT3:=
    COM1:=9600,n,8,1,x
    COM2:=9600,n,8,1,x
    COM3:=9600,n,8,1,x
    COM4:=9600,n,8,1,x
    FILE:=
    j2 Global Messenger=

    [embedding]
    Package=Package,Package,packager.exe,picture
    midfile=MIDI Sequence,MIDI Sequence,C:\WINDOWS\mplayer.exe /mid,picture
    SoundRec=Wave Sound,Wave Sound,C:\WINDOWS\sndrec32.exe,picture
    mplayer=Media Clip,Media Clip,C:\WINDOWS\mplayer.exe,picture
    Wordpad.Document.1=WordPad Document,WordPad Document,C:\PROGRA~1\ACCESS~1\WORDPAD.EXE,picture
    Imaging.Document=Image Document,Image Document,C:\WINDOWS\KodakImg.Exe,picture
    WangImage.Document=Image Document,Image Document,C:\WINDOWS\KodakImg.Exe,picture
    avifile=Video Clip,Video Clip,C:\WINDOWS\mplayer.exe /avi,picture

    [Devices]
    PDF reDirect v2=ADOBEPS4,PDF_REDIRECT_PORT:

    [PrinterPorts]
    PDF reDirect v2=ADOBEPS4,PDF_REDIRECT_PORT:,15,45

    [Sounds]
    SystemDefault=,

    [MCI Extensions.BAK]
    aif=MPEGVideo
    aifc=MPEGVideo
    aiff=MPEGVideo
    au=MPEGVideo
    m1v=MPEGVideo
    m3u=MPEGVideo
    midi=MPEGVideo
    mov=MPEGVideo
    mp2=MPEGVideo
    mp3=MPEGVideo
    mpa=MPEGVideo
    mpe=MPEGVideo
    mpeg=MPEGVideo
    mpg=MPEGVideo
    mpv2=MPEGVideo
    qt=MPEGVideo
    snd=MPEGVideo
    asf=MPEGVideo2
    asx=MPEGVideo2
    ivf=MPEGVideo2
    lsf=MPEGVideo2
    lsx=MPEGVideo2
    mp2v=MPEGVideo
    wax=MPEGVideo2
    wvx=MPEGVideo2
    wm=MPEGVideo2
    wma=MPEGVideo2
    wmv=MPEGVideo2

    [WinZip]
    win32_version=6.3-8.0
    Name=Vince Brennan
    SN=5cda1df1
    Note-1=This section is required only to install the optional WinZip Internet Browser Support build 0231.
    Note-2=Removing this section of the win.ini will have no effect except preventing installation of WinZip Internet Browser Support build 0231.

    [extensions]
    ZIP=C:\PROGRA~1\WINZIP\winzip32.exe ^.ZIP
    LZH=C:\PROGRA~1\WINZIP\winzip32.exe ^.LZH
    ARJ=C:\PROGRA~1\WINZIP\winzip32.exe ^.ARJ
    ARC=C:\PROGRA~1\WINZIP\winzip32.exe ^.ARC
    TAR=C:\PROGRA~1\WINZIP\winzip32.exe ^.TAR
    TAZ=C:\PROGRA~1\WINZIP\winzip32.exe ^.TAZ
    TGZ=C:\PROGRA~1\WINZIP\winzip32.exe ^.TGZ
    TZ=C:\PROGRA~1\WINZIP\winzip32.exe ^.TZ
    GZ=C:\PROGRA~1\WINZIP\winzip32.exe ^.GZ
    Z=C:\PROGRA~1\WINZIP\winzip32.exe ^.Z
    UU=C:\PROGRA~1\WINZIP\winzip32.exe ^.UU
    UUE=C:\PROGRA~1\WINZIP\winzip32.exe ^.UUE
    XXE=C:\PROGRA~1\WINZIP\winzip32.exe ^.XXE
    B64=C:\PROGRA~1\WINZIP\winzip32.exe ^.B64
    HQX=C:\PROGRA~1\WINZIP\winzip32.exe ^.HQX
    BHX=C:\PROGRA~1\WINZIP\winzip32.exe ^.BHX
    CAB=C:\PROGRA~1\WINZIP\winzip32.exe ^.CAB
    MIM=C:\PROGRA~1\WINZIP\winzip32.exe ^.MIM



    [FontSubstitutes]
    Helv=MS Sans Serif
    Tms Rmn=MS Serif
    Times=Times New Roman
    Helvetica=Arial
    MS Shell Dlg=MS Sans Serif
    MS Shell Dlg 2=MS Sans Serif
    Monotype.com=Andale Mono



    [Mail]
    MAPI=1
    MAPIX=1
    CMC=1
    CMCDLLNAME32=mapi32.dll
    CMCDLLNAME=mapi.dll
    MAPIXVER=1.0.0.1
    OLEMessaging=1

    [CloneCD]

    [Software by Design]
    Error Messages for Windows=v2.6

    [DrawDib]
    pnpdrvr.drv 1152x864x16(565 0)=37,5,5,5

    [Fax via eFax]
    ;rem TShoot: inipath=C:\PROGRA~1\EFAXME~1\hotsend.ini

    [MSCharMap]
    Font=Terminal

    [programs]
    ;rem TShoot: TABLEDIT.EXE= "D:\Program Files\Music\TablEdit\TABLEDIT.EXE "
    Nfodiz.exe= "C:\WINDOWS\Nfodiz.exe "

    [Pscript TrueType Substitutions]
    Arial=Helvetica
    Arial Narrow=Helvetica-Narrow
    Book Antiqua=Palatino
    Bookman Old Style=Bookman
    Century Gothic=AvantGarde
    Century Schoolbook=NewCenturySchlbk
    Courier New=Courier
    Monotype Corsiva=ZapfChancery
    Monotype Sorts=ZapfDingbats
    Symbol=Symbol
    Times New Roman=Times

    [PostScript,PDF995PORT]
    ATM=placeholder
    softfonts=16
    softfont1=C:\PSFONTS\pfm\engrfe__.pfm,C:\PSFONTS\engrfe__.pfb
    softfont2=C:\PSFONTS\pfm\engrfs__.pfm,C:\PSFONTS\engrfs__.pfb
    softfont3=C:\PSFONTS\pfm\engrt___.pfm,C:\PSFONTS\engrt___.pfb
    softfont4=C:\PSFONTS\pfm\engrth__.pfm,C:\PSFONTS\engrth__.pfb
    softfont5=C:\PSFONTS\pfm\engrtn__.pfm,C:\PSFONTS\engrtn__.pfb
    softfont6=C:\PSFONTS\pfm\engrtt__.pfm,C:\PSFONTS\engrtt__.pfb
    softfont7=C:\PSFONTS\pfm\Jazz____.pfm,C:\PSFONTS\Jazz____.pfb
    softfont8=C:\PSFONTS\pfm\JazzCord.pfm,C:\PSFONTS\JazzCord.pfb
    softfont9=C:\PSFONTS\pfm\Jazzperc.pfm,C:\PSFONTS\Jazzperc.pfb
    softfont10=C:\PSFONTS\pfm\Jazzte__.pfm,C:\PSFONTS\Jazzte__.pfb
    softfont11=C:\PSFONTS\pfm\Jazztext.pfm,C:\PSFONTS\Jazztext.pfb
    softfont12=C:\PSFONTS\pfm\Maestro_.pfm,C:\PSFONTS\Maestro_.pfb
    softfont13=C:\PSFONTS\pfm\MAESW___.PFM,C:\PSFONTS\MAESW___.PFB
    softfont14=C:\PSFONTS\pfm\MAESP___.PFM,C:\PSFONTS\MAESP___.PFB
    softfont15=C:\PSFONTS\pfm\petru___.pfm,C:\PSFONTS\petru___.pfb
    softfont16=C:\PSFONTS\pfm\tamburo_.pfm,C:\PSFONTS\tamburo_.pfb
    MFDFile=C:\WINDOWS\MSE65FC1.MFD

    [PostScript,PDF_REDIRECT_PORT]
    ATM=placeholder
     
    Last edited: 2007/10/30
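Added example, not code from the thread, HijackThis or AVG: it automates the two hand checks made in the posts above, comparing the HijackThis O4 autostart entries against what is actually on disk (Verizon Online.exe listed in the log but absent from its folder) and reading the load=/run=/norun= lines of the win.ini [windows] section just posted. The sample log lines and win.ini fragment are taken from the thread; the set of "present" files and the existence predicate are constructed assumptions so the script runs offline.

```python
"""Autostart triage for the listings quoted in this thread: HijackThis O4 lines
and win.ini [windows] load=/run=/norun= keys. Extracts the program each entry
launches and reports entries whose program is missing from disk, the check the
poster did by hand for 'Verizon Online.exe'. Existence comes from a predicate."""
import re
from typing import Callable, List, NamedTuple

class AutostartEntry(NamedTuple):
    source: str  # HijackThis key or win.ini key the entry came from
    name: str    # registry value name, .lnk name or bare program token
    path: str    # program path extracted from the command line

# "O4 - HKLM\..\Run: [Name] command"  /  "O4 - Global Startup: x.lnk = target"
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
GS_RE = re.compile(r"^O4 - Global Startup: (?P<lnk>.+?) = (?P<cmd>.+)$")
PROG_EXT = r"\.(?:exe|com|pif|bat|scr|dll)"  # what a Win9x autostart can name

def exe_from_command(cmd: str) -> str:
    """Program path: the quoted token, else the text up to the first program
    extension (so 'C:/X/A.EXE /STARTUP' yields 'C:/X/A.EXE')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    m = re.match(r"(.+?" + PROG_EXT + r")(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def parse_hijackthis_o4(log: str) -> List[AutostartEntry]:
    """All O4 (Run, RunServices, Global Startup) entries of a HijackThis log."""
    entries = []
    for line in log.splitlines():
        gs, o4 = GS_RE.match(line.strip()), O4_RE.match(line.strip())
        if gs:
            entries.append(AutostartEntry("Global Startup", gs["lnk"], exe_from_command(gs["cmd"])))
        elif o4:
            entries.append(AutostartEntry(o4["key"], o4["name"], exe_from_command(o4["cmd"])))
    return entries

def parse_winini_windows(ini: str) -> List[AutostartEntry]:
    """load=/run=/norun= programs from win.ini's [windows] section. Values are
    comma/whitespace-separated lists (Win3.x convention: no spaces in paths);
    ';' lines such as ';rem TShoot: run=...' are comments and inert."""
    entries, in_windows = [], False
    for raw in ini.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_windows = line.lower() == "[windows]"
        elif in_windows and line and not line.startswith(";"):
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in ("load", "run", "norun"):
                for prog in filter(None, re.split(r"[,\s]+", value.strip())):
                    entries.append(AutostartEntry("win.ini " + key.strip(), prog, prog))
    return entries

def missing_programs(entries: List[AutostartEntry],
                     exists: Callable[[str], bool]) -> List[AutostartEntry]:
    """Entries whose absolute program path is absent. Bare names (SysTray.Exe)
    are resolved through PATH by Windows and are not judged here."""
    absolute = re.compile(r"^[A-Za-z]:\\")
    return [e for e in entries if absolute.match(e.path) and not exists(e.path)]

# Constructed HijackThis 1.99.1 excerpt (entries as quoted in the thread).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
"""
# Constructed win.ini fragment mirroring the [windows] section posted above.
SAMPLE_WININI = r"""
[windows]
load=
norun=hpfsched,c:\windows\scrsvr.exe
;rem TShoot: run=C:\WINDOWS\SPEEDY.PIF
run=
[Desktop]
"""
# Constructed "disk": programs still present. Verizon Online.exe is deliberately
# absent, as the poster found on the upstairs machine (FAT: case-insensitive).
PRESENT = {
    r"c:\program files\verizon online\visualipinsight\ipclient.exe",
    r"c:\progra~1\grisoft\avg7\avgcc.exe",
    r"c:\windows\system\zonelabs\vsmon.exe",
    r"c:\windows\scrsvr.exe",
}
def sample_exists(path: str) -> bool:
    return path.lower() in PRESENT

def triage_sample() -> List[str]:
    """One line per missing autostart program in the sample data (on a real
    machine pass os.path.exists as the predicate instead of sample_exists)."""
    entries = parse_hijackthis_o4(SAMPLE_HJT) + parse_winini_windows(SAMPLE_WININI)
    return [f"{e.source}: {e.name} -> {e.path}" for e in missing_programs(entries, sample_exists)]
```

A file that is "missing" by this check but still named in the startup locations is exactly the situation the poster hit with Verizon Online.exe; on the real machine the same entries are what AVG had moved into its vault.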
  8. 2007/10/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please upload the following file, if present, to my submission channel. Leave a link back to this topic.

    C:\WINDOWS\Nfodiz.exe

    Restore a couple of those files from the vault (something that doesn't normally run unless called). Please go to the eTrust online scanner link in my signature and run a full system scan. When it completes, if any infected files are found other than the ones in the vault, select the 'Cure' option for those files only (I don't want you to attempt curing the vaulted files at this point). Let me know the results.
     
  9. 2007/10/30
    frayedknotarts Lifetime Subscription

    frayedknotarts Well-Known Member

    Joined:
    2006/08/12
    Messages:
    455
    Likes Received:
    4
    Restore a couple of files from the vault without 'healing'.... correct?

    Picking PING.EXE, WINIPCFG.EXE and VUEPRO.EXE (a graphics viewer)

    Sent NFODIZ as requested. In vault on this computer.

    (later.....)

    OK: Did the scan, found one file in a stored programme that was infected with WIN32/Malum.VTN but since it wasn't anything I use and since it is listed as "no cure", I just deleted the programme folder from storage.

    Note that none of the 'restored' files were found to be infected.

    Whom do I shoot now?
     
    Last edited: 2007/10/30
  10. 2007/10/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    LOL! Never even thought about that! It's quite possible that AVG can clean them when restoring, which would cause me to scratch my head, dumbfounded as to why AVG ate them instead of cleaning in the first place.

    Tell ya what, restore a couple without healing, then a couple with healing, then run the online scan. If the healed ones come up clean, see if they still work.
     
  11. 2007/10/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    All the scans I have done on the NFODIZ.exe file you uploaded show it to be clean. :confused:
     
  12. 2007/10/31
    pippopottomus

    pippopottomus Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    125
    Likes Received:
    0
    Ahhhh... well. Finally got on line again after last nite's debacle.

    Ran the scan and got the one report, deleted that and then (stupid me) restarted the computer.

    Ah. Not good.

    As it booted Windows, AVG once again reported the three files I had as infected and I (perhaps foolishly) told it to ignore them. Immediately lost my Internet connexion (may be as a result of, may not be, but...). After checking the router to be sure that the connexion was still valid and after trying a few tricks, I finally gave up about 1:30AM and crashed.

    Forgot that AVG was set to run, which it did and it re-gobbled the three .exe's I'd pulled out.

    Just managed to get back online about an hour ago (now dealing with Trick-or-Treater interruptions) and type this up for you. DSL is running at about 1.2KBS so any replies from me will be slow.

    I'll try pulling out a few different .exe's for testing and pull out some others with 'healing'. (No guarantee that AVG CAN heal them, but there is an option to try) and then run another scan. (Obviously, my estimation of "things that are not usually called" is somewhat faulty... if you'd care to recommend a few, I'll use them.)

    Bear with me: when you say "a full system scan" you ARE referring to scanning ALL hard drives (physical or partitions), correct? Took almost 2 hrs to run last nite, which is why I ask.

    I've had NFODIZ since Phrozen Crew days... a great little .diz and .nfo reader.


    Ah well, once we were Phrozen for life...but we melted.
     
  13. 2007/10/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    OK, so if I understand correctly, the eTrust scan did not detect the restored (not healed) files as infected. Correct?

    I would personally restore all of the files (heal them), then do an online scan with several scanners. eTrust, Panda ActiveScan, Kaspersky Online Scanner and ESET Online scanner. I wanted the whole drive scanned in case there was anything else infected still lurking around. You will need to scan all folders that files have been restored to. Please save and post any scan results that show an infection.
     
  14. 2007/10/31
    frayedknotarts Lifetime Subscription

    frayedknotarts Well-Known Member

    Joined:
    2006/08/12
    Messages:
    455
    Likes Received:
    4
    Well, no joy there.

    Went into AVG's virus vault and found that it has ALL of the .exe's infected by the Gaelicum.A listed as unhealable!

    You were correct that after releasing the four .exe's (still infected) last nite, the CA scan did not find them, and I did do the entire computer in the scan.

    Rather than releasing more of these infected exe's and then having AVG sweep them 'under the rug' again tonite, I thought it might be best to just check back in case instructions differ due to AVG's not being 'able' to 'heal' the objects.

    Also, connectivity is down around 250 b/s to 1.2 Kb/s so the on-line scans are not really possible at present. I'm working on fixing that as the DSL is thru the router, not the computer. Verizon suspects a line problem and is checking it. I suspect that Verizon are a group of (.. censored.... censored.... censored..), but suspect that ComCast is not much better.

    Might there be a cure programme for that virus on the Microsoft website that I might d/l, then release the affected .exe's and fix with the programme?

    Just a thought.

    I need a drink.
     
  15. 2007/10/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    See if you can identify half a dozen that belong in, say, the windows\system folder. Restore those and online scan just the windows\system. That shouldn't take long.

    I'm of the mind that something has gone south in AVG and that none of them are infected, but I may well be proven wrong. ;)
     
  16. 2007/11/02
    pippopottomus

    pippopottomus Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    125
    Likes Received:
    0
    OK: Update. :)

    Took a few of the infected .exe's out and they were NOT detected by the other online AV scans... then ran AVG again and they got scooped up back into the vault as infected! (Dunno what that was all about... surprising that only AVG found 'em)

    So I went on to AVG's forum to see if they had a clue and found "vcleaner.exe" was the recommended solution.... so decided, what the heck.

    D/l it to a floppy (to keep it from getting infected) and loaded it to the computer, took all 1,592 infected .exe's out of the vault (THAT took a while!), went to Safe Mode and ran it...

    Vcleaner got all the Win32/Gaelicum viri EXCEPT for explorer.exe and ...guess what? :eek: VCLEANER.EXE! Ran AVG again while in safe mode and it swept up EXPLORER.EXE and VCLEANER.EXE into the vault as they showed infected with our friend, along with three other virii that I think I accidentally released from the vault while restoring the other files. (I was gettin' sorta punchy towards the end there.)

    Restarted computer and found it wouldn't start without EXPLORER.EXE, so copied THAT from the uninfected computer (spent about ten minutes trying to remember how to do a DOS copy) and copied it to the appropriate folder, restarted Windows and ran another AVG on C:\ only... this one came up clean.

    SO: it looks as though I got the Gaelicum problem licked, but AVG needs to be reinstalled as it won't "update its electronic certificate". (?) Also, WinZip's install archive got corrupted and I'm sure I'll find a few other things that no longer work.

    I am firmly convinced that computers were invented just to keep our attention away from politicians... who has time to worry about them? We're all trying to fix these Devil Machines!

    NOW: I need to know where I should post (providing I can) for problems with a Linksys BEFSX41 4-wire router. Verizon, after a three hour marathon tonite with a lovely little Indian lady, has determined that either my network cards OR the router is the cause of my connectivity problems. Your advice on that would be appreciated. Linksys "no longer supports" that router (nice of 'em... it's 4 years old! :mad: ) and I'm at my wits' end to get back online reliably.

    Thanks for the help with the virus and stick vcleaner in your quiver for future reference.

    Anything else I should do/think of/smoke to be sure the problem is gone?

    Thanks again, now off to the router/NIC card/network wars.

    Vince The Weary.
     
  17. 2007/11/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well, I still think AVG was errantly on a warpath, but as long as it's happy after running their tool and doesn't vault your executables, I'm as happy as you must be. :D Thanks for the update!

    You can get help for that router in the networking forum. ;)
     
