EXE files gone missing

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

Jrob

Thread Starter
Joined
May 15, 2001
Messages
216
Hello

I was unsure whether this belongs here or in Security, so please forgive me if I have placed it wrongly.

My connection speed to the internet slowed to the pace of a three-toed sloth. So I rounded up the usual repair suspects (Ad-Aware, scandisk, defrag, etc) and ran them all. But my connection was still slow. I decided to run a virus check from Housecall and was horrified when it found 684 infected files. (I virus checked only 2 days previously, so I think I got infected via the net or e-mail.) There were 2 viruses causing the damage. The vast majority were PE_SPACES.1445, but there were a few PE_CIH. Housecall cleaned PE_SPACES but said it couldn't completely clean PE_CIH. It suggested I download rescue_disk_builder.exe and copy it onto disks. But when I came to open the downloaded program I got this error message:

RESCUE_DISK_BUILDER caused an invalid page fault in
module RESCUE_DISK_BUILDER.EXE at 0167:00401aee.
Registers:
EAX=4f2bcf0d CS=0167 EIP=00401aee EFLGS=00010202
EBX=0036eb61 SS=016f ESP=0065fd58 EBP=00029000
ECX=4f2bcf0e DS=016f ESI=00000000 FS=11b7
EDX=00000000 ES=016f EDI=4f2bcf0e GS=0000
Bytes at CS:EIP:
8a 06 6a 00 50 e8 38 39 00 00 32 c3 fe c3 59 80
Stack dump:
00000000 0000000c 0036ebd9 004016f5 00000000 4f2bcf0e 0000000c 00000000 4f2bcf0e 0065fe38 00990660 00000104 00000000 00401208 00990660 00000000

So that, as they say, was that. But when I returned to my desktop, I found something akin to finding your forefinger on the wrong side of a bacon slicer. All my icons were messed up. But the blood didn't stop there. Scores of my EXE files had been removed. All the important ones as well, such as: System Tools, System information, msconfig, msinfo, rundll32, Ad-Aware, WinZip, and others far too numerous to mention. Also most of the programs I have left cannot run (i.e. accessing programs in Control Panel) because the EXE file needed to run them is missing!

Suffice to say my computer is spluttering towards its Armageddon. I checked the Windows directory in MS-Dos and discovered that all the missing EXE files had been changed to the extensions .RB0 and .RB1. Does this mean that I can recover the lost files, or am I just being teased? I can't re-install Windows98 because the software was pre-installed. Is this now simply a case of having to buy the disk to rectify my problem?


PS. I tried to reinstall IE to recover Outlook Express but it wouldn't/couldn't install MDAC, which I understand is a vital component for accessing programs.


Kind Regards

jrob
 
Joined
Dec 9, 2000
Messages
45,855
jrob, either one of those infections is enough to require a reformat for most. But both together, I really don't think there is a realistic alternative. Spaces corrupts exe files and the only solution I've seen involves burning an antivirus program which can clean it to a CD and then running the install off that. Similarly cih is actually spread by the running of any antivirus program. And while there is a "kill" tool available for it, it has to be used before an antivirus program is run (catch 22).

Yup, I'm going to move you to the Security/Virus forum as a lesson to those who don't have a good antivirus program running to catch these things before it's too late :rolleyes:

Exe files should be able to run if the registry's "shell open" command has not been corrupted and the exe's themselves are ok. To repair the registry, you can run the exefix08 file from the Reticulate Toys site. There is an unzipped version available through the ONLY IE link at the very bottom of the page.

http://home.earthlink.net/~rmbox/Reticulated/Toys.html

Control Panel files require a valid rundll32.exe file in Windows. You will need to replace that.

Have you tried running a windows overinstall? [Edit: i see you answered that question]
 

Jrob

Thread Starter
Joined
May 15, 2001
Messages
216
Hello

Just tried to re-install Microsoft Office 2000 from disk and got this error screen:

Installation of System Software Installer SHIP

error creating process<c:\windows\TEMP\IXP000.TMP\msiinst.exe /i instmsi.msi REBOOT=REALLYSUPRESS /q>. Reason: %1 is not a valid Win32 application.


Eh!

Can anyone enlighten this congenitally-deficient-in-thyroid-hormone-Englishman!?


Kind Regards

jrob
 
Joined
Dec 9, 2000
Messages
45,855
It is probably due to the cih infection.
There is a cih-kill tool here. It won't remove it, but it will keep it from spreading further:

http://www.sarc.com/avcenter/kill_cih.html

If you have Winzip and it still works, and you have a c:\windows\options\cabs directory, you may be able to replace infected files from there.

If Find Files still works, you can locate specific files by entering their names in the "containing text" field and pointing the search to the c:\windows\options\cabs directory.
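Before replacing files from the cabs, it helps to know which executables are damaged badly enough that Windows rejects them with "not a valid Win32 application". The following is an added example, not part of the original posts: a header check over `.exe`, `.RB0` and `.RB1` files, run here against constructed sample files (the names `pe_status`, `triage` and `demo` are hypothetical).

```python
import os, struct, tempfile

EXTS = (".exe", ".rb0", ".rb1")   # extensions mentioned in the thread

def pe_status(path):
    """Return 'ok' or why the file would not load as a Win32 (PE) image."""
    with open(path, "rb") as f:
        dos = f.read(64)                           # IMAGE_DOS_HEADER
        if len(dos) < 64 or dos[:2] != b"MZ":
            return "no MZ header"
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
        f.seek(e_lfanew)
        nt = f.read(24)                            # signature + IMAGE_FILE_HEADER
    if len(nt) < 24:
        return "PE header truncated or outside file"
    if nt[:4] != b"PE\0\0":
        return "no PE signature"                   # DOS/16-bit program or damaged
    _machine, sections = struct.unpack_from("<HH", nt, 4)
    if sections == 0:
        return "no sections"
    return "ok"

def triage(root):
    """Map each candidate file under root (relative path) to its header status."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTS):
                full = os.path.join(folder, name)
                report[os.path.relpath(full, root)] = pe_status(full)
    return report

def demo():
    # Constructed sample files: a minimal well-formed header, plus damaged copies.
    good = (b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
            + b"PE\0\0" + struct.pack("<HH", 0x14C, 1) + b"\0" * 16)
    samples = {"good.exe": good, "IEXPLORE.RB0": good,
               "zeroed.exe": b"\0" * 128, "cut.exe": good[:70], "notes.txt": b"hi"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return triage(d)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:40} {name}")
```

A result of "ok" only means the headers parse; an infected file can still have intact headers, so this identifies files to replace, not files that are clean. Old DOS and 16-bit Windows programs are reported as "no PE signature" even when undamaged.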
 
Joined
Jul 7, 1999
Messages
389
CIH is an .exe infector, it will infect any exe file you try to access once it is active in memory, so you will have to get at it another way. I would go here ftp://ftp.europe.f-secure.com/anti-virus/free and download fprot 3.11a and unzip it (if it will let you). Then boot the machine from a clean, write protected startup disk, and run f-prot from the directory you unzipped it to. It would be even better if you could download the files on another computer and write them to a cdrom, but I believe you can get it to work. There are also some free CIH tools you can download that will unload CIH from memory so you can run the virus program. Here is a link to one:
http://www.stoletje.com/virus/w95_cih.html
I would do the boot to dos, then run the CIH kill tool, then use f-prot to do the removal. In the case of windows system files being infected, most Windows scanners can't clean them because the system shows them as being in use and won't allow access. As for whether you can get your windows back, that's hard to say. If you have problems once you get all the virus, the 98 setup files are probably in c:\windows\options\cabs, that is where most preinstalled systems put them, you can run setup from that directory.
 

Jrob

Thread Starter
Joined
May 15, 2001
Messages
216
Hello Rollin'Rog and swwelsh (are you a "Taffy?")

Thank you both for your excellent advice (normal on this site), and sorry for the delay in replying. But the CIH virus and its brothers-in-arms had carpet-bombed my files and created so many problems, I decided not to reply until I was at least half sorted out.

I had to re-install Windows98 from Cabs - as suggested. But when it was installing, it told me that it couldn't install sucatreg.exe - so I had to skip the file because I don't have the installation CD. Is this a vital file?

I eventually accessed Windows and virus scanned with Protector Plus. A complete waste of time. It didn't remove the virus. So, step by step, I followed the advice given here. The KILL_CIH tool only disabled the virus, it didn't remove it. So I downloaded a trial version of F-Prot 311 and F-Prot 311 for DOS. Wise move - I think. I installed both, re-booted to dos, changed the directory to c:\util (where I placed F-Prot), and ran F-Prot to disinfect all infected files.

Now my problems that remain.

The scan found over 1400 infected files but didn't disinfect all. I was informed by F-Prot that Iexpiore.RB0 couldn't be disinfected because it had a "New or modified variant of CIH. Viruses cannot be disinfected unless they are identified." Also my MSOffice programs "could be infected with an unknown virus and viruses cannot be disinfected....." The only others it couldn't disinfect were some Common Files, all Microsoft Shared, and all Webserver Extensions exe files. I surmise these are the FrontPage applications of MSOffice. My questions here are how do I proceed? Where can I find a scanner to finish the job? Would it be safe to completely expunge MSOffice? The last question is asked because I understand that when files are uninstalled or deleted, they are placed in Swap files and are thus still in the computer. I would expect that the "Unknown" viruses would also still be present. Therefore, the question now becomes; would I have to run one of those notorious "Evidence Eliminators" to purge them?

Another problem I have left is my sloth-like Outlook Express. When I click on the icon, it takes (I timed it) 40 seconds to pop-up, and a further 10 seconds to load up. When I close, it takes 10 seconds to close down. Allied to this, my dial-up connection spends around 10 seconds initializing before letting me click the Connect button. I went down the list in System Information - Tools, scanned my disk, defragged, and set my Start Ups to minimal (3 running processes) but the slowness remained. (By the way, I've also lost my WindowsUpdate execution file).

This reply is getting overlong, so I'll end by asking (No, don't groan!); what are these RB0....RB1....2....etc., files? Are they backups of the originals?


Kind Regards

Jrob
 
Joined
Dec 9, 2000
Messages
45,855
I believe sucatreg.exe is only installed with Win98SE, and is not a vital file. It is commonly one infected by the magistr virus.

Here is what MS says about it:

Windows 98. Windows 98 Second Edition added improved support for finding file signatures related to installation of multifunction devices. Also, a tool (Sucatreg.exe) was provided with Windows 98 Second Edition that developers can use to register catalog files so end users are not prompted to provide catalog files during device installation.
I don't know what the Iexplore.rb* files are, but the extension indicates some kind of registry backup. Perhaps they were created during an upgrade, update, or reinstall. I wouldn't worry about them.

For Office related files, about all I can suggest is removing and reinstalling that.

The problems with Outlook may be due to a damaged identities key or imagehlp file. I will give you a link for that, but you should also try a separate post in the Web forum.

http://www.tomsterdam.com/insideoe5/problems/index.htm

Don't worry about what remains when something is deleted; it can no longer be run.

A lot of those individual problems should be addressed in separate posts in the appropriate forum, once the basic virus problem looks to be resolved.

Thanks for the info about F-Prot, I'm glad to hear it was helpful, I keep a copy handy myself -- will have to get around to updating it.

For other scanners, you can try online ones such as Housecall:

http://housecall.antivirus.com/pc_housecall/

Or you can try something from here:

http://cws.internet.com/utilities.html

InoculateIT is very good and can still be downloaded and updated, but it is no longer supported and can't be registered.
 

Jrob

Thread Starter
Joined
May 15, 2001
Messages
216
Hello Rollin'Rog

Thanks for the explanations and tips. Housecall is usually my first port-of-call as backup evidence that my own scanner is working correctly - it was my blase attitude that caused my problems. Nonetheless, I've dumped Protector Plus. I was never happy with it, anyway. F-Prot is much better.

I've only one question about InoculateIT: Will there be any conflicts with F-Prot? I understand that sometimes having more than one scanner can cause problems. For example, I know that PC-Cillin won't allow installation if it detects other antivirus applications on a computer.

As for the rest of your advice, I will follow the links for Outlook Express and will post in the correct forum if I still can't solve my problem - ditto the other problems I am encountering since I got infected.

Once again, many thanks for your help. Ain't this site grand!


Kind Regards

jrob
 
Joined
Dec 9, 2000
Messages
45,855
I don't know of any conflict. Unless you have a different version of f-prot than I have, it only runs when you execute it. I've run f-prot with InoculateIT still on in the background with no errors.
 

Jrob

Thread Starter
Joined
May 15, 2001
Messages
216
Hello Rollin'Rog


The F-prot version I have has a realtime scanner which I have on Startup. It only gives a report, though. A screen pops up every time it notices a virus to report what it's found.

Keeps telling me about the possible infections I may have - the ones I previously mentioned. I'm about to delete MSOffice to get rid of them.

Kind Regards

jrob
 
Joined
Dec 9, 2000
Messages
45,855
If it's a real time scanner, I would just stick with it. F-Prot's a well-regarded outfit, and you should do well by it. I'd be interested in any evaluation you have after using it for awhile :)
 