Missing EXE Files


Bert Kinney

Feb 10, 2002, 5:48:24 PM
Hi Jim

These are not Windows files. I would suspect
they were the virus files. What was the name
of the virus?

--
Regards,
Bert Kinney [MS-MVP DTS]
http://members.home.com/dts-l/

"Jim" wrote
> I ran a virus scan and it deleted the following three
> files. How can I get them back without reloading the
> software?
>
> qgtil.exe
> win98vxd.exe
> dihguddpjs.exe


Doug Knox MS-MVP

Feb 10, 2002, 9:49:14 PM
From a previous post by Alan Edwards:

Read this standard post but ignore the names, as this trojan creates
random names.

It is part of a virus or trojan.
How you fix it at this point depends on what variety you have.
It looks like a Backdoor variety so you may have a reference to
seblcbfoswjq.exe in system.ini and seblcbfoswjq.exe in the Registry.

If you can edit system.ini, then look for the "Shell=explorer.exe"
line and remove anything following that.

The line must read:
shell=Explorer.exe
but yours probably reads:
shell=Explorer.exe biyafhstnv.exe
Just remove the space and the biyafhstnv.exe


The next is a Registry edit. You will see some details in the urls
below, but it depends on whether you can run Regedit.exe
You may be able to rename Regedit.exe to Regedit.com to alter the
Registry or you can import the attached exefix.reg (emailed to you
only)
This is what exefix.reg is like:
-----
REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

-----
You can try this:
The Cleaner-for Trojans: http://www.moosoft.com/cleaner.html

There are a few Trojans about, but try these for an idea.

Check this page for details on the SubSeven trojan
http://www.hackfix.org/

SubSeven 2.0 Server
Aliases: Backdoor.Trojan, Pinkworm
http://www.symantec.com/avcenter/venc/data/sub.seven.20.html

Aliases Multidropper.c, Passport.exe, Passport, Backdoor-G, DUNpws.w
http://vil.mcafee.com/vil/tro10393.asp

http://www.datafellows.com/v-descs/subseven.htm

--
"Do not Panic! Your password is correct. It just looks wrong!" - MS-MVP Kelly
--------------------------------
Doug Knox, MS-MVP Windows 9x/XP
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Associate Expert
ExpertZone - http://www.microsoft.com/windowsxp/expertzone
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Jim" <heyj...@aol.com> wrote in message news:12c9701c1b282$f9782de0$3def2ecf@TKMSFTNGXA14...

Ron Badour

Feb 12, 2002, 12:25:29 AM
1. You may have a Backdoor Trojan that creates randomly generated
names. I will refer to it as "random.exe" instead of rewriting this
standard message each time to personalize it for the random name it
chooses. Just substitute your Trojan's name for "random.exe" in the
text below. (Note: As you start fixing the problem, you may notice more
than one name involved so write down the names you find.) This is a
simple procedure for removing the Trojan; however, if it doesn't work,
go here for complete Trojan information: http://www.hackfix.org/

a. Most likely your system will have lost the ability to open .exe
files so reboot with your Windows emergency floppy disk in. When you
get to an A: prompt, type: C: and hit enter. When you get to a C:
prompt, type: CD windows and hit enter. When you get to a Windows:
prompt, type: copy regedit.exe regedit.com and hit enter. This
should give you the ability to use the registry editor. Remove the
floppy and reboot the PC.

b. Open the registry editor (start menu, run and type:
regedit.com) to this key: HKEY_CLASSES_ROOT\exefile\shell\open\command
In the right pane, right click default and select modify. Cut and paste
this information to the value data: "%1" %* and click OK. This
should allow you to use .exe files so open the Explorer to the Windows
folder.

c. Double-click the system.ini file and look for a line like this
in the boot section:
shell=explorer.exe "random.exe" or shell="random.exe" Remove
"random.exe" so the line reads:
shell=explorer.exe and then save the file.

d. Double-click the win.ini file and see if "random.exe" is listed
after the load= or run= lines. If so, delete it and save the file.
Note: there could be a legitimate entry listed along with "random.exe"
but I would delete it also. If you do, write down the name that you
delete and figure out if it is needed after your PC is functioning
properly.

e. Do a find on your hard drive for "random.exe" and if found,
delete it. (Note: for steps e and f, if you noticed more than one name,
search on both of them.)

f. Open regedit.exe and do a find on "random.exe" and if found,
delete it.

2. Here are other sources to check out if you need them:

F-Secure Virus library: http://ftp.datafellows.com/virus-info/
NAI Virus library: http://vil.nai.com/vil/default.asp
Symantec Virus library: http://www.symantec.com/avcenter/vinfodb.html
The Cleaner (Trojan remover software):
http://www.moosoft.com/cleaner.html

--
Regards

Ron Badour, MS MVP W95/98 Systems
Tips: http://badour.freewebsites.com/index.html
Knowledge Base Info:
http://support.microsoft.com/default.aspx?pr=kbinfo&
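
An added example, not part of any post in this thread: a read-only Python check of the three places the replies above say to inspect, namely the `shell=` line in the boot section of system.ini, the `load=`/`run=` lines in win.ini, and the default value of `HKEY_CLASSES_ROOT\exefile\shell\open\command` in a REGEDIT4 export. The function names and the sample file contents are constructed for illustration; every `load=`/`run=` entry is listed, legitimate or not, so it can be written down and reviewed.

```python
import re

EXPECTED_EXE_CMD = '"%1" %*'  # default value both posts restore
EXE_KEY = r"hkey_classes_root\exefile\shell\open\command"

# Constructed samples; biyafhstnv.exe and random.exe are the stand-in names used in the thread.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe biyafhstnv.exe\n[386Enh]\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=random.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG_CLEAN = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
SAMPLE_REG_ALTERED = SAMPLE_REG_CLEAN.replace(r'@="', r'@="random.exe ')

def ini_values(text, section, keys):
    """Yield (key, value) for the given keys inside one [section], case-insensitively."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in keys:
                yield key.strip().lower(), value.strip()

def audit_ini(system_ini, win_ini):
    """Return (location, program) pairs that the cleanup steps say to review."""
    findings = []
    for _, value in ini_values(system_ini, "boot", {"shell"}):
        extras = [t.strip('"') for t in value.split() if t.strip('"').lower() != "explorer.exe"]
        findings += [("system.ini shell=", t) for t in extras]
    for key, value in ini_values(win_ini, "windows", {"load", "run"}):
        findings += [("win.ini %s=" % key, t.strip('"')) for t in re.split(r"[ ,;]+", value) if t]
    return findings

def exefile_command(reg_text):
    """Return the unescaped default value of the exefile open command, or None if absent."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == EXE_KEY
        elif in_key and line.startswith('@="') and line.endswith('"'):
            return re.sub(r'\\(.)', r'\1', line[3:-1])  # undo .reg backslash escaping
    return None
```

Any result from `exefile_command` other than `EXPECTED_EXE_CMD` means the .exe association differs from the value the posts restore.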
