The Mystery of The Disappearing .exe's...

Discussion in 'Computer Science & Culture' started by Mr Anonymous, Feb 23, 2006.

Thread Status:
Not open for further replies.
  1. Or, more simply titled, wha the f...

    I have a small, three PC network - this one, running XP forming the hub, the other two both running Windows ME - silly of me I know, but it works. Anyway, the secondary unit in the network, what I imaginatively called The Other Computer, is a 2gb machine I generally use for heavy processing - it's mostly set aside for 2D and 3D rendering work. Being as how this, the XP system, copes pretty well with all the day-to-day stuff, including stuff like piddling around here, The Other Computer (ME) isn't running all the time, and when it is the network connection's only on long enough to transfer data from this machine to it.

    The whole system's clean, all machines work perfectly fine except one tiny oddity which I confess has gotten me puzzled, mainly because I've never in my life heard of it happening and it's this -

    A good 70% of all the third party software I've installed on this Other Computer (ME), even though it all remains installed, no longer seems to possess the requisite programme's .exe file.

    They are just no longer anywhere on the computer. The OS is fine, intact, this isn't a problem that's affected anything Windows whatsoever, just third party software - programme folders are there, drivers, work done, everything except the programme's .exe

    System Restore seems to think no changes have happened to the system at all since it was initialised 18 months back - so, something is definitely up with that, but basically has anyone ever encountered this phenomenon associated with Windows ME before?

    I've searched MS's database extensively to no avail, the problem hasn't manifested itself on the Other Other Computer which also runs on ME - and it's just a tiny bit surreal...

    Anyone have any idea what's going on?
     
  3. vslayer Registered Senior Member

    Messages:
    4,969
    have you checked that ME isn't doing the same thing as xp, and hiding files it deems important? i know i spent about 20 minutes looking around for half of my windows files once before realising that by default half of them are hidden. and activating them in my folder options.

    otherwise, check the logs on your virus scanner, if you have one made by microsoft then it is likely programmed to defend the monopoly. but even with avg i have had files go missing, later to find that they had been infected with viruses and deleted without my permission.
     
  5. leopold Valued Senior Member

    Messages:
    17,455
    that was my first impression, that the 'show all files' wasn't checked in folder options.

    but what gets me is why doesn't system restore show no changes since initial install of the os?

    there has to be a virus on your machine or your folder options aren't configured properly

    as to the system restore, try to set up a manual restore point
    you might have inadvertently disabled system restore
     
  7. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    Firstly the others have suggested that perhaps it's merely a setting that hides the EXE's from view (there might even be a Registry key that does this).

    I suggest you could try using a Win98/ME bootdisk so you can boot into commandline.

    Since for one we don't know if it's simply a flag or registry, we have to assume the worst, that the files are deleted. So checking the folder in commandline means you can at least find out if the files are there. If they are there it's a flag/key, if they aren't then they've been deleted.

    Since ME uses FAT32 for its file system you should be able to access all folders without having to type passwords or decrypt files/folders.

    In commandline you can just navigate to a folder:
    CD foldername

    then just use:
    DIR *.exe /P

    This will attempt to show you just the EXE files in that directory. Via commandline should prove as to whether the EXE's still exist, which will then mean that something has been toggled or flagged in the OS to hide them from the GUI. (The /P switch is used to Pause the stream of filenames should it fill the screen)

    BTW, my reasoning for including such commandline trivia is not so much thinking that you don't know, but others might not know how to look if they suffer the same instance.
     
    Last edited: Feb 23, 2006
  8. leopold Valued Senior Member

    Messages:
    17,455
    if you aren't interested in the creation date and file size you can use the /w switch to list more than one file per line.
    it could be useful if there are a lot of files in the directory

    the syntax for the above example would be dir *.exe /p/w
     
  9. Hello chaps - sorry I haven't been able to reply earlier, been a tad busy of late.

    Prudent suggestions one and all, thank you for your input. Perhaps I should have made clearer - the .exe's in question are indeed gone, not present, nowhere to be found. Checked the hidden file option first off, searched comprehensively and also ran the DIR search from a boot disk - but thanks awfully Stryder and Leo for chucking in the search filter parameters for that. Couldn't for the life of me remember them when I ran the check, just did everything on C:\ DIR\s - as luck would have it, it threw up the Programmes folder straight off and just meant wading through all the folders...

    I can now at least avoid doing that again until the next time I forget I suppose. Ta


    Resident AV programme installed is AVG 7 - latest database, clean sweep, not a sausage unpleasant detected anywhere. Double checked from a version off system on one of the other computers just to make sure nothing had knobbled AVG into telling porkies. No viruses detected...

    Which leads me to a pondering concerning what sort of virus it is that leaves the OS intact and fully functional and just goes off eating the .exe files from a peculiar assortment of various third party software exclusively?

    That's got to be one for the record books, surely.

    In the interim, System Restore seems to think its set up isn't more than a week or so past its original inception, even though extensive modifications concerning programme additions are clearly recorded using these Restore Points yields no discernible result. Add/Remove Programmes lists the problem affected software as being installed. Something has obviously compromised the Registry and that can't be good, but compromising a Registry can't delete a file, only the OS's ability to load the thing into memory, and these .exe's remain AWOL.

    Any other thoughts chaps, always appreciated, suggestions help clarify the mind, always.

    My regards,


    A

     
  10. leopold Valued Senior Member

    Messages:
    17,455
    wow, what a problem

    the only other thing i can think of is someone is deleting your files

    i keep trying to connect the problem with system restore and the missing files and i can't

    the only other possibility is that you are running cracked programs and they are screwing with your system

    i had a problem with such programs that made my computer run scandisk when i shut it down from the start menu
    a couple of times it did a thorough scan and i have a 18GB hard drive
    when i checked the log it said there was no problems found
    my only recourse was to reformat and reinstall
     
  11. deicide128 Registered Senior Member

    Messages:
    147
    if someone is deleting your files you can check that with a hex editor i suggest (hackman) look for an E5 at the beginning of the hex line. That would be a clear indicator that it's being deleted.

    Are there any other errors that occur or just exe's going missing?

    Do you have the same problem if you create a partition with a different OS?
     
  12. No, none whatsoever. The same version of the OS is running on a separate machine, same programmes equally installed, no such problem occurring on the other unit.

    And yes, the problem only seems to be the .exe's disappearing. Drivers, cab files, everything else of the installation remains perfectly intact - This particular unit's on a lockout, password protected, only one on the system that is and only I have anything like the technical ability to override the lockout at this location. I don't connect to the net on it and unless processing it's never on unless doing work, certainly never on an open LAN connection with the internet connection running at the same time so there really isn't any physical way anyone can be remoting it. The opportunity's just never there, it's a work machine not a R&R set-up.

    What ever's affecting it should be affecting at least one of the other machines in the network but it isn't

    I can fix the problem easily enough by just overwriting the original installations, but with the registry thing going on in the background system restore is basically doing dick and that really isn't going to change less I follow Leo's advisement (thanks again Leo) and reinstall the works - I know this, it's just a pain in the arse and I'm basically just more curious at this point to discern if anyone's ever come across anything similar with an ME installation of windows. I know from experience it's got a few bugs to it, but I've never run into a thing like this on anything in over a good ten years or so of pottering around with these bastards on and off - it's a peculiarity rather than anything I'd term as terminal, if y'follow m'drift.

    But thank you for the thinking nevertheless, always we like the brain thinks. Oh yes, oh yes we do.

     
  13. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    All I can suggest for the future is if you don't use Windows Script Hosting to turn it off/ uninstall it. Since it allows the use of VBScript and was the original problem with windows browser/mailclient integration. All it takes is one little VBScript and your EXE's get deleted (Although not SHREDDED)

    I would suggest hunting for a tool that UNDELETEs to retrieve your EXE's if you want to fix your system, as long as you haven't had a heavy load of swapdrive activity those EXE's should still be on your system intact, just marked deleted.
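
Both the E5 check suggested by deicide128 and Stryder's point that deleted files remain on disk "just marked deleted" come down to how FAT records a deletion: the first byte of the file's 32-byte directory entry is overwritten with 0xE5, while the size, start cluster and timestamps stay in place. The following is an added example, not part of the original thread, that parses raw FAT short directory entries and lists deleted .EXE files; the directory bytes and file names are constructed sample data, and the function names are this example's own.

```python
import struct
from dataclasses import dataclass

ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")    # one 32-byte FAT short (8.3) entry
DELETED, END_OF_DIR = 0xE5, 0x00             # meanings of the first name byte
ATTR_VOLUME_ID, ATTR_DIRECTORY = 0x08, 0x10  # long-name slots (0x0F) also set 0x08

@dataclass
class DirEntry:
    name: str            # 8.3 name; '?' stands in for the overwritten first byte
    deleted: bool
    size: int
    first_cluster: int
    modified: str

def fat_timestamp(date, time):
    """Decode the packed FAT date/time words (2-second resolution)."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_directory(raw):
    """Return the file entries (live and deleted) in a raw directory region."""
    found = []
    for off in range(0, len(raw) - ENTRY.size + 1, ENTRY.size):
        (name, ext, attr, _nt, _tenth, _ctime, _cdate, _adate,
         clus_hi, wtime, wdate, clus_lo, size) = ENTRY.unpack_from(raw, off)
        if name[0] == END_OF_DIR:          # no entries are in use past this one
            break
        if attr & (ATTR_VOLUME_ID | ATTR_DIRECTORY):
            continue                       # skip long-name slots, labels, subdirs
        deleted = name[0] == DELETED
        if deleted:
            name = b"?" + name[1:]         # the original first character is lost
        elif name[0] == 0x05:              # 0x05 escapes a real leading 0xE5
            name = b"\xe5" + name[1:]
        base = name.decode("cp437").rstrip()
        suffix = ext.decode("cp437").rstrip()
        found.append(DirEntry(base + ("." + suffix if suffix else ""), deleted,
                              size, (clus_hi << 16) | clus_lo,
                              fat_timestamp(wdate, wtime)))
    return found

def deleted_executables(raw):
    """Deleted entries whose extension is still EXE."""
    return [e for e in parse_directory(raw)
            if e.deleted and e.name.upper().endswith(".EXE")]

def make_entry(name, ext, size, cluster, when, attr=0x20, deleted=False):
    """Build one constructed entry for the sample; `when` is (Y, M, D, h, m, s)."""
    y, mo, d, h, mi, s = when
    date = ((y - 1980) << 9) | (mo << 5) | d
    time = (h << 11) | (mi << 5) | (s // 2)
    raw = bytearray(ENTRY.pack(name.ljust(8).encode("ascii"),
                               ext.ljust(3).encode("ascii"), attr, 0, 0,
                               time, date, date, cluster >> 16,
                               time, date, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED                   # what the OS does on delete
    return bytes(raw)

# Constructed sample directory (not taken from any real disk).
SAMPLE_DIR = b"".join([
    make_entry("PAINT", "EXE", 204800, 0x1234, (2005, 3, 1, 10, 0, 0)),
    make_entry("LFNSLOT", "", 0, 0, (2004, 9, 14, 18, 30, 12),
               attr=0x0F, deleted=True),   # deleted long-name slot, ignored
    make_entry("RENDER", "EXE", 1536000, 0x12F40, (2004, 9, 14, 18, 30, 12),
               deleted=True),
    make_entry("NOTES", "TXT", 512, 0x20, (2006, 2, 20, 9, 15, 0), deleted=True),
    bytes(32),                             # end-of-directory marker
    make_entry("STALE", "EXE", 1, 2, (2001, 1, 1, 0, 0, 0), deleted=True),
])

if __name__ == "__main__":
    for entry in deleted_executables(SAMPLE_DIR):
        print(entry)
```

The timestamp shown is the file's last write time; FAT keeps no record of when the deletion happened. For real triage the input would be directory clusters read from a disk image rather than the live disk, since every write to the volume risks reusing the freed clusters.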
     
  14. Stryder old chap, that's bladdy inspired. Worth it at any rate just to find out.

    Figured they'd be retrievable but never even thought to consider WSH as a possible cause - capital thinking. Even if it isn't right, it bladdy well should be.

    Inspired!


    Right then, that's me sorted for the rest of the day. See you in a bit.

    Toodles, A

     
  15. leopold Valued Senior Member

    Messages:
    17,455
  16. .. Pristine timing, Leo. I'm, once again, of the obliged. Indeed, I was wondering quite how I was going to go about doing that.

    I have a distinct feeling in m'water this is the exact bugger that's been causing the problem.

    Thanks once again chaps.

    A

     
  17. marvin4653 Registered Member

    Messages:
    3
    Hey guys,
    I don't even know what forum this is, but I came upon this thread while I was searching google and I registered just to post a reply. I'm having exactly the same problem. I'm on a Win XP pro IBM notebook, and about two days ago I noticed an EXE file had disappeared. It was VLC media player actually, and the same thing happened to me that happened to the original poster: the entire file structure for the program was intact, all the folders, etc. but the EXE file had disappeared. I thought it was just an isolated incident and I reinstalled VLC (noting that during re-installation it warned me that an earlier version was already installed - so it seems like the VLC installation still saw that the program was installed on the computer). Then today I just tried to run MS Excel and the same thing occurred; the shortcut didn't work because Excel.exe no longer existed. What in the world is going on here? I just ran a virus scan today actually and it didn't find anything. I'm simply stunned about the whole thing and completely clueless as to how this is happening.
     
  18. marvin4653 Registered Member

    Messages:
    3
    To add on to my post above, I just tried installing an Undelete program to see if it could recover the missing EXE files, and guess what happened? I lost another EXE file. Now that I think about it, every time that I've lost an EXE file (now three in total), it has happened right after I installed another program (I lost VLC when I installed a program called "YSIGet", I lost Excel when I reinstalled VLC, and I just lost a photo editing program called "Neat Image" when I installed this Undelete program). What gives here?
     
  19. marvin4653 Registered Member

    Messages:
    3
    Well if anyone is reading this thread and is curious as to what happened, it turns out McAfee virus scan went a little awry over the last few days. McAfee released a virus definitions file that caused the virus scan program to misidentify up to 295 files as virii. There was only a 4 hour and 53 minute window where that DAT definitions file was available for download before McAfee caught the problem, but I happened to hit that window. Luckily, McAfee provided a program fix that took all my misidentified files out of quarantine and restored them to their original location. Hope somebody at least enjoyed reading my saga

     
  20. ... Well, I'm damnably pleased you got yourself sorted out there - Sorry for the delay in responding, but I'm afraid I'm as completely in the dark here regarding this one as you were. Nice to know it was fixable.

    I believe in my particular case the culprit may indeed be a virus after all - I've just been following Stryder's suggestion of disabling WSH and the bastard keeps reproducing itself - never bodes well that.

    Hi ho, reformat and delete it is then....


    Jolly good news something good came of the whole exercise at any rate.

    My regards,

    A

    EDIT: Well, it's official. Turns out no mystery at all. It was a virus after all. Didn't show up on AVG but Stryder's hunch regarding WSH proved absolutely spot on the money - it was a simple script virus after all, thing of it was though because I only have the unit in question on for relatively brief periods of time the virus itself wasn't allowed to progress terribly far terribly quickly - only manifesting itself first off in the peculiar disappearances (deletions I've no doubt) of the third party .exe's outlined before progressing to the main course.

    Snapshots, as it were, of what was going on rather than getting to see the whole picture.

    Backing up work saved expensively last night meant the thing was on for quite a while. Today bastard won't boot meaning it's progressed, finally, to the OS. My guess is the virus's parameters are such as to target .exe's via date of installation. I managed to take a peek at the registry last night and tried deleting keys pertinent to WSH since the actual programme kept regenerating itself - same remained true of the registry keys. You delete them, they come back.

    Possibly accounts for all the business regarding the problem concerning the lack of actual restore points.

    Good catch Stryder, once again, my thanks for pointing me in the right direction. I knew there was a reason to come here other than the chance to argue the toss about UFO's....

     
    Last edited by a moderator: Mar 14, 2006
  21. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    I'm glad I could help. It's a pity that you couldn't actually fix the problem, however you'll know how to stop this problem emerging in the future.

    As for why the Antivirus didn't pick it up, well it was probably in a .VBS script. Although .VBS can be caught with new definitions, Virus writers tend to use other programming languages to create an Encoded virus. One such Virus I had a look at some time back, the actual VBScript was written in a Javascript array, so that opening a webpage would generate an execution of the VBScript, The VBScript would then FTP from a server online a trojan to the system and start circumnavigating the systems security.

    In most cases a detected Infection can mean multiple infections, since Virus writers that create such trojans attempt to deploy as many viruses as they have. The first one might have been lucky and eventually ends up caught with a patched Antivirus pattern, however the others they can load on your system hoping they won't be spotted in the future.

    A virus can only grow in problem if it's run, with WSH it meant a script could be interpreted however the other usual place to find them is running as a "Zombie server" on your system. The most common types of Zombie infection are usually student friends that want you to check out their "toolkit project", which is full of bugs and errors, and doesn't fully close down when you close the program. The bugs are merely there to disguise what they are up to.

    This of course is just a generalisation of viruses, however it's noted that the more popular and Purchaseware Antivirus programs are usually the ones that don't pick up on Viral patterns. The reason for this is the Virus makers tend to use copied versions of antivirus software to aid them in learning how to get around their patterns etc.

    To remain virus free there's 3 main points:

    Prevention
    Use something like Spywareblaster, it's freely available to download and it doesn't run a program in the background to keep you safe. All it does is register a number of registry keys to stop adware and viruses infecting your system in the future.

    It's also a novel idea to not open files from people through E-mail. Notably older versions of E-mail clients (especially Microsoft clients) will suffer from certain defects like the original .ICO and .JPG problems. There is an option to stop files being opened or executed, however it can be awkward to get at files that you want to open.

    If daring and in doubt, open it in a Text program (Although be warned, it hasn't been done in a while but there used to be a virus that would hook to the Text program so it would execute when loaded) If not so daring just outright delete it. If you have a Deletion Shredder program then use that to make sure it doesn't "Lazarus" (come back from being deleted) on you.

    On Win9*/WinME kill Windows Script Hosting or prepare to suffer the consequences. Quite simply WSH is only really used by people that write VBScript batch files to automate their windows system, however for a majority of common windows users this wasn't something they used and should have never been allowed "By default" to be installed. (Makes you wonder if this was Microsoft's way of leaving a legal backdoor or "Loophole")

    WinXP there are a number of services that might be on your OS (depending on if you are using Home or Pro), notably the Remote Assistance, Messaging and Remote Administration (Pro I think). Although the Remote Assistance might have been built to aid computer users, it can also be potentially a flaw in security so it's best being turned off and disabled when not in use. Messaging can be annoying although I believe there have been patches made to deal with people spiking the system with messages, as for Remote Administration this is only meant for systems that are networked where a single administrator is slaving a number of machines from a main terminal, although it too could be a problem if not disabled.

    Identification

    [Before killing anything in the process list, make sure that it's not a problem to reboot i.e. don't save a large file etc. ]
    Learn what your OS needs to have running to survive, for the most part a lot of the programs that run with the OS aren't actually needed by the OS. However it can be a bit of trial and error to work out what works and what doesn't.

    On Win9*/ME it only really needed explorer.exe (covers the desktop and icons) and systray.exe (the tray bar at the bottom of the screen by default) There are other files that might run too that could be to do with peripherals like your Raid array, graphics programs, sound programs, Antivirus, Update programs for things like Quicktime or Realplayer etc. For the most part the less of these you run, the more resources your computer has available to use and the less chance of a virus passing itself off as something that you would normally see in your process list.

    As for XP, most of the SVCHOST.exe occurrences are actually caused by Services, so if you want to limit the number of these in your tasklist kill them in the Services window rather than just killing them in Processes, otherwise be prepared for a reboot or two from destabilising your OS.

    Since XP can use NTFS format for the harddrive a number of the files loaded into memory are actually for handling the decryption of information from the drive using your current login credentials. So killing some of those files will cause your system to destabilise.

    If you trial and error what you can run, you can eventually build up a list of what the programs that run do, and which ones are unnecessary; it's then up to you to check on these regularly to make sure you don't have a new one appear.
    (think of it like a Roll call register, where you are looking for Absentees and new people in your group)

    Protection

    For protection there is Antivirus programs and Firewalls. Antivirus programs will attempt to find infections when run, however you have to keep the programs up to date otherwise you might miss new viruses.

    Firewalls can be useful, since for the most part they block unauthorised incoming signals that might attempt to probe for Trojans or Zombie servers. (Zombie just means the file is "inactive" until an event occurs)

    For the most part however Firewalls do allow by default most outgoing connections to be made (unless completely locked down). If a trojan creates an outgoing connection it can bypass a person's firewall, so it's really up to you to stop yourself gaining an infection in the first place.

    Firewalls can have logs running, so it's a good idea to check on them regularly too, to make sure that nothing "odd" is occurring.

    Finally, if you find you have an infection, do what you need to get rid of it (either use an antivirus or removal tool or reformat) Once you have done that Change ALL your passwords, this means your OS login, your online Email account(s), your Ebay password etc.

    The reason for this is that if it was a trojan reporting keystrokes to a server online, someone might have collected enough information to gain access to all those sorts of places. They could use your money from your bank to buy things, or use your online e-mail address to recover passwords (if you didn't set up recovery with your ISP), they could even sign you up for things you didn't want. (We all hate spam)

    Don't leave it for 3-6 months to make your password change.

    Rule of thumb, if you are paranoid someone is watching or has access to your accounts, then act like they have as for the most part someone probably is. so get those passwords changed pronto.
     