OT: Very strange virus??


Annie

hello guys,

Avast is prompting me that it has found a virus as below:

C:\WINDOWS\system32\??pPatch\ntvdm.exe

But when I want Avast to delete it, or move it to the chest, it doesn't work, as it
complains about the folder ??pPatch and says it didn't find the folder and that it is invalid.

When I go to System32 to check the folder physically, it doesn't exist at
all. I changed the folder view to show hidden files/folders but still can't find it.

How can I get rid of this weird thing?
Has anyone had issues with it? What is it?

TIA
 
hello guys,

Avast is prompting me that it has found a virus as below:

C:\WINDOWS\system32\??pPatch\ntvdm.exe

But when I want Avast to delete it, or move it to the chest, it doesn't work,
as it complains about the folder ??pPatch and says it didn't find the folder
and that it is invalid.

When I go to System32 to check the folder physically, it doesn't exist at
all. I changed the folder view to show hidden files/folders but still can't find it.

How can I get rid of this weird thing?
Has anyone had issues with it? What is it?

TIA

Virus group to ask in or do one of many free online scans like
Trend
House call
 
Annie said:
hello guys,

Avast is prompting me that it has found a virus as below:

C:\WINDOWS\system32\??pPatch\ntvdm.exe

Though the filename is a valid Windows file, its location is not. This file
usually resides in the system directory (aka System32 for NT-based systems
such as XP).

Download HiJack This;

www.merijn.org

DD URL: http://www.merijn.org/files/hijackthis.zip

Extract the contents of the zip to c:\HJT (DO NOT extract them to a
temporary folder)

Once extracted, load HiJack This and select "Do a system scan and save a log
file"

Once the log file is generated, post it to;

http://temerc.com/phpBB2/viewforum.php?f=12

DO NOT ask it to fix anything prior to posting the log!

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
 
hello guys,

Avast is prompting me that it has found a virus as below:

C:\WINDOWS\system32\??pPatch\ntvdm.exe

But when I want Avast to delete it, or move it to the chest, it doesn't work, as it
complains about the folder ??pPatch and says it didn't find the folder and that it is invalid.

When I go to System32 to check the folder physically, it doesn't exist at
all. I changed the folder view to show hidden files/folders but still can't find it.
How can I get rid of this weird thing?
Has anyone had issues with it? What is it?

"?" is not valid in a filename (or folder name), so there's no folder
on your computer named "??pPatch". Or is there? You can't tell
Windows to create such a folder, or rename a folder to that name, but a
program could do a low-level disk access, access the sector the virus'
folder name is on, and change it, making it inaccessible from Windows,
since it can't exist.

If the idiots who thought these things up turned their attention to
constructive programming they'd be wealthy.
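The post above turns on the Win32 naming rules. As an added example (not code from the thread or from any tool mentioned in it), the following triage helper checks a scanner-reported path component by component against those rules, so a path like the one Annie posted is flagged as something the normal Delete dialog cannot address; the reserved-character and device-name sets are the documented Win32 ones, and the sample path is constructed from the thread.

```python
"""Flag path components the Win32 file APIs will not accept as names.
Added example, not code from the thread or from any tool named in it.
Win32 forbids the characters < > : " / \\ | ? * and control characters in a
name, rejects names ending in a space or dot, and reserves device names."""
import re

RESERVED_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})
DRIVE_RE = re.compile(r"^[A-Za-z]:$")

def invalid_win32_components(path):
    """Return [(component, reason), ...] for every part of path that the rules reject."""
    problems = []
    parts = path.replace("/", "\\").split("\\")
    for index, part in enumerate(parts):
        if part in ("", ".", ".."):
            continue                       # separators and relative steps are not names
        if index == 0 and DRIVE_RE.match(part):
            continue                       # 'C:' is a drive specifier, not a name
        bad = sorted(set(part) & RESERVED_CHARS)
        stem = part.split(".", 1)[0].upper()
        if bad:
            problems.append((part, "reserved characters: " + " ".join(repr(c) for c in bad)))
        elif part[-1] in " .":
            problems.append((part, "trailing space or dot"))
        elif stem in RESERVED_NAMES:
            problems.append((part, "reserved device name " + stem))
    return problems

def triage_detection(path):
    """'normal' when every component is a legal Win32 name, otherwise
    'needs-special-deletion': the ordinary Delete dialog cannot reach it."""
    return "needs-special-deletion" if invalid_win32_components(path) else "normal"

if __name__ == "__main__":
    # The path as reported by the scanner in the thread (constructed input).
    reported = r"C:\WINDOWS\system32\??pPatch\ntvdm.exe"
    for component, reason in invalid_win32_components(reported):
        print(f"{component!r}: {reason}")
    print(triage_detection(reported))
```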
 
Yeah, looks like such a thing does exist!
coz Avast finds it but cannot delete it coz the folder name is invalid!
Very strange!!!
 
In MS-DOS, didn't the file system place a "?" in the first position of a
file number when it deleted it? If so, then maybe an undelete program
will find it and let you change its name.
Stan
 
hello guys,
Avast is prompting me that it has found a virus as below:

But when I want Avast to delete it, or move it to the chest, it doesn't work, as it
complains about the folder ??pPatch and says it didn't find the folder and that it is invalid.
When I go to System32 to check the folder physically, it doesn't exist at
all. I changed the folder view to show hidden files/folders but still can't find it.
How can I get rid of this weird thing?
Has anyone had issues with it? What is it?

You can try this:

http://www.pricelesswarehome.org/2006/P_programs.php

Note: This description may be outdated. The most recent information is
shown on the acf Program Information pages.

DelinvFile
Company: Assistance & Resources for Computing Inc Author: James A.
Lawler
(Freeware)
Windows OS: Windows NOTES: A no install version is available.
Languages: English
Description: DelinvFile can delete data files that you have not been
able to delete using the normal Windows Delete function. DelinvFile is
a Windows program that provides a convenient User Interface for
selecting the file that you need to delete and provides for a choice
of two delete methods. You use the standard controls for Drives,
Folders, and Files to navigate to the Folder and Select the file to be
deleted. Note that Filenames are displayed in both forms - Short
FileName and Long Filename as a convenience for the user. Once a
FileName is selected (highlighted), you can click the Delete buttons
to try to delete the file. Note that you may be able to delete the
file with one method but not the other. Try both if necessary. If
neither of the delete operations succeed, you have a more involved
problem than described above.
Program description: download page v 1.4.0.11 (2005-05-17)? [
divfinst.exe (5123 KB)] [ delinvfile.exe (458 KB) no install]
http://www.purgeie.com/delinv.htm
(desc. rev.: 2005-10-01)


It's very handy to keep around for just such situations. You'll need
to clean the registry also most likely looking for references to that
program.

If it's real nasty, you might need to run HiJackThis to make sure it
won't re-download itself.
 
In MS-DOS, didn't the file system place a "?" in the first position of a
file number when it deleted it?

No. The deletion flag is the 0xE5 char. Depending on the code page you
see different chars. English code page 437 shows a small Greek letter
Sigma, for instance. The question mark can be found at 0x3F position.

BeAr
 
In MS-DOS, didn't the file system place a "?" in the first position of a
file number when it deleted it?

I may be confusing CP/M and MS-DOS, but you may be right. Then again,
it may have been a hex E5 (I know CP/M did that, and SailDos [MS-DOS
sub 1.0] was a direct rip-off of CP/M).
If so, then maybe an undelete program will find it and let you change its name.

Could be, but only the first character - this one has two of them.
 
DelinvFile

It still uses the WinAPI for file deletion, which won't take an AFN (a
name with '?' or '*' in it). Files in computers have to have
unambiguous names; an ambiguously named file is supposedly impossible,
at least to the OS.
 
In MS-DOS, didn't the file system place a "?" in the first position of a
file number when it deleted it?

I may be confusing CP/M and MS-DOS, but you may be right. Then again,
it may have been a hex E5 (I know CP/M did that, and SailDos [MS-DOS
sub 1.0] was a direct rip-off of CP/M).
Hex E5 is correct for the deleted marker for all MS operating systems.
This value is set for the first letter of the file name.
Could be, but only the first character; this one has two of them.

Once the first one has been amended the file is no longer considered
to be a deleted file. Perhaps you should run CHKDSK/SCANDISK and
DEFRAG from Safe Mode. If the deleted marker has been used then this
should get rid of the file.

Scandisk will check the filename and conclude that the allocated
space is free, amending the pointers appropriately whether FAT or NTFS.
Defrag will/should eliminate the filename from the directory structure
and may overwrite the values contained in the file. Using a free space
cleaner or information wiper should further eliminate any hope of the
file being recovered in a usable state. You can simulate this by
selecting your largest directory and making copies until your disk is
full, then deleting those copies.
--
David
Remove "farook" to reply
At the bottom of the application where it says
"sign here". I put "Sagittarius"
E-mail: justdas at iinet dot net dot au
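The FAT deleted-marker question in the posts above (BeAr's and David's replies) is easy to check against the on-disk format. As an added example that is not code from the thread, the decoder below reads raw 32-byte FAT 8.3 directory entries: byte 0 of the name is 0xE5 for a deleted entry, 0x00 for a never-used slot (end of directory), and 0x05 is the escape for a name that really begins with 0xE5; a '?' (0x3F) is just a stored byte. The sample directory is constructed with a helper, and the "??PPATCH" entry is modelled on the folder from the thread.

```python
"""FAT 8.3 directory-entry decoder: added example, not code from the thread.
Deleted entries keep their slot; only byte 0 of the name becomes 0xE5.
0x00 = unused/end of directory, 0x05 = name really starts with 0xE5,
and 0x3F ('?') is an ordinary stored byte with no file-system meaning."""
import struct

ENTRY_FMT = "<11sBBBHHHHHHHI"            # 32-byte short entry, Microsoft FAT layout
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32
ATTR_LONG_NAME, ATTR_DIRECTORY = 0x0F, 0x10

def decode_entry(raw):
    """Return (state, name, size); state is 'end', 'lfn', 'deleted' or 'active'."""
    name, attr, *_, size = struct.unpack(ENTRY_FMT, raw)
    first = name[0]
    if first == 0x00:
        return "end", "", 0
    if attr == ATTR_LONG_NAME:
        return "lfn", "", 0                     # VFAT long-name fragment, no 8.3 name
    if first == 0xE5:
        state, head = "deleted", b"_"           # first character is lost; '_' stands in
    else:
        state, head = "active", (b"\xE5" if first == 0x05 else bytes([first]))
    stem = (head + name[1:8]).rstrip(b" ").decode("cp437")
    ext = name[8:11].rstrip(b" ").decode("cp437")
    return state, stem + ("." + ext if ext else ""), size

def scan_directory(blob):
    """Walk a raw directory cluster; list (state, name, size) up to the end marker."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        state, name, size = decode_entry(blob[off:off + ENTRY_SIZE])
        if state == "end":
            break
        if state != "lfn":
            entries.append((state, name, size))
    return entries

def make_entry(name83, attr=0x20, size=0):
    """Pack a 32-byte entry from an 11-byte 8.3 name (helper for constructed data)."""
    return struct.pack(ENTRY_FMT, name83, attr, 0, 0, 0, 0, 0, 0, 0, 0, 0, size)

# Constructed sample: a live file, a deleted copy of it, and a directory whose
# raw name begins with two 0x3F bytes, like the folder reported in the thread.
SAMPLE_DIR = (make_entry(b"NTVDM   EXE", size=0x6800)
              + make_entry(b"\xE5TVDM   EXE", size=0x6800)
              + make_entry(b"??PPATCH   ", attr=ATTR_DIRECTORY)
              + b"\x00" * ENTRY_SIZE)

if __name__ == "__main__":
    for state, name, size in scan_directory(SAMPLE_DIR):
        print(f"{state:8} {name:14} {size:>6}")
    print("0xE5 shown under code page 437:", b"\xE5".decode("cp437"))  # Greek small sigma
```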
 
It still uses the WinAPI for file deletion, which won't take an AFN (a
name with '?' or '*' in it). Files in computers have to have
unambiguous names; an ambiguously named file is supposedly impossible,
at least to the OS.

Hmmm, I've had luck in deleting illegally named files and directories
with this program. Eraser messed up when I gave it a test run and left
deeply nested directories with illegal names and the file names were
illegal also. Poof! The program worked great where all else failed.
 