MoGrace2U
Trooper

 Joined: Jun 25, 2006 Posts: 11 Location: USA
Posted: Tue Jun 27, 2006 7:25 pm Post subject: Downloaded exe files being truncated
I've searched in here but haven't been able to find anyone else having
this trouble. I had to reformat and reinstall Win98se and now when I
download self-installing exe files they appear ok in Explorer - at first. I am
using Start/Run to load the file (instead of doubleclicking it) - which has
been working ok - the programs get installed. But now when I go back to
re-install the file the size of the file has been reduced to 18kb rendering
the self-extracting file useless. This happened even before any web
surfing. The Hijackthis looks ok and I have been monitoring cookies to be
sure only trusted sites appear. I was wondering if this is some setting I
need to make for Windows? My Win98 is an OEM version and this was not
a problem before. I do however have some bad spots on my less than 2
yr old hard drive (4) - but Scandisk has them marked.
Does anybody know what causes this? It happens on my Flash Drive as
well. This makes it pretty hard to keep a backup handy.
Robin
Cudni
Special Response Team
 Joined: Dec 10, 2002 Posts: 3718 Location: Et In Arcadia ego
MoGrace2U
Trooper

 Joined: Jun 25, 2006 Posts: 11 Location: USA
Posted: Wed Jun 28, 2006 12:07 am
Hi Cudni,
As far as I can tell, I do not have any spyware or adware on the computer and my internet connection has been good.
I did notice in the registry that for EXE (and DLL) files the entry for content type is:
application/x-msdownload
Any idea what this means? My computer at work has the same entry and it works fine.
Also I had found a dl.exe file on my desktop that was a javascript for Red Sheriff that appeared during downloads. When I tried deleting it, it appeared in other places too. So I edited the file and blanked out the major portion of the script so that it stops right after it starts - which seems to work. Then added lycos.com and all its variants to my restricted sites.
I'm getting nowhere with investigating what causes this!
_________________
Robin
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Wed Jun 28, 2006 2:57 am
You mentioned a recent reinstall. If you are still fresh (no new data to backup) I would just cut my losses and format again.
I have a list of links to standalone installers for java, flash, shockwave, acrobat, .net, directx, wmp9, 98se servicepack, windows installer and ie6 full installer. With all this in place one trip to windows updates is all you need.
Combine that with a list of good links to antivirus and antispyware and you should be able to make your first trip to the internet a safe one.
MoGrace2U
Trooper

 Joined: Jun 25, 2006 Posts: 11 Location: USA
Posted: Wed Jun 28, 2006 9:08 pm Post subject: More Info
Well I have narrowed it down somewhat... This is occurring after a reboot. Could the virus setting in my BIOS have anything to do with this phenomenon? I purposely didn't open the new downloads and they were still there in explorer but did make a change that asked for a restart and sure enough the files I had just downloaded were truncated. So running the files is not the problem, it is the reboot. Can I turn off the BIOS and is it wise to do so?
_________________
Robin
ZippyZingo
General
 Premium Member
 Joined: Apr 07, 2004 Posts: 3690 Location: USA
Posted: Wed Jun 28, 2006 11:43 pm
Hi MoGrace,
I don't think it's an issue with the BIOS.
I'm interested in the "dl.exe" file. I don't think it is related to Red Sheriff. If I remember right it's related to an email worm. Did you look it up?
I think I read somewhere that Red Sheriff is not designed to leave any tracks on your system. Finding a file associated with it is highly suspect and the description you wrote of it popping up all over the place when you tried to remove the original is a Malware trick.
You didn't say how you knew your system was clean. I suspect that you have been reinfected. It seems the place to start looking for an answer. If the system isn't too far along the rebuilding process, it might be quicker to start again but this time, download the updates and malware removal/protection files you need before you do it so you don't have to go online unprotected.
It looks like Nosirrah has a list that might help you if this is the route you decide to take.
ZZ
MoGrace2U
Trooper

 Joined: Jun 25, 2006 Posts: 11 Location: USA
Posted: Thu Jun 29, 2006 5:12 am
Hi ZZ,
Well I am not inclined to think it is the BIOS either. It is definitely occurring during downloading. Even when the file size is still correct the WinZip header is getting corrupted. Files that are not using the WinZip extractor seem ok, but even some that use a different installer have been corrupted - but not all. I burned a few files to a CD and the corruption was only on some of those files too - all from the same site. I have used Hijackthis, Ad-Aware and Troubleshooter to try and find this thing. I sent the dl.exe file over to Kephyr but have not heard back. I am using Outlook Express 6 with AOL as my email server. Supposedly AOL scans the email for viruses. The Panda Software program I bought came with its own problems and I do not want to try using it again. Except for this download annoyance everything else seems to be fine (so far). If I have a worm - what can I expect to occur?
_________________
Robin
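
Added example, not part of the original thread: the two symptoms described above (installers shrinking after a reboot, and files that keep their size while their contents change) can be told apart by recording each file's size and SHA-256 right after download and re-checking later. The function names, folder layout and manifest file are assumptions made for this sketch, and the sample files are constructed dummies.

```python
import hashlib, json, os, tempfile

def fingerprint(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}

def snapshot(folder, manifest):
    """Record every .exe in folder right after download."""
    data = {n: fingerprint(os.path.join(folder, n))
            for n in sorted(os.listdir(folder)) if n.lower().endswith(".exe")}
    with open(manifest, "w") as f:
        json.dump(data, f, indent=2)

def verify(folder, manifest):
    """Re-check the files later (e.g. after a reboot); return {name: status}."""
    with open(manifest) as f:
        recorded = json.load(f)
    report = {}
    for name, old in recorded.items():
        path = os.path.join(folder, name)
        if not os.path.exists(path):
            report[name] = "missing"
            continue
        new = fingerprint(path)
        if new["size"] < old["size"]:
            report[name] = "truncated"
        elif new != old:
            report[name] = "modified"  # size kept or grown, content changed
        else:
            report[name] = "ok"
    return report

def demo():
    """Constructed sample: three dummy installers, two damaged after snapshot."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("a.exe", "b.exe", "c.exe"):
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"MZ" + b"\x00" * 4094)
        m = os.path.join(d, "manifest.json")
        snapshot(d, m)
        with open(os.path.join(d, "a.exe"), "wb") as f:   # shrunk to 100 bytes
            f.write(b"MZ" + b"\x00" * 98)
        with open(os.path.join(d, "b.exe"), "r+b") as f:  # same size, new bytes
            f.seek(64)
            f.write(b"\xff" * 16)
        return verify(d, m)
```

In real use the manifest belongs on media the suspect machine cannot write to, so that whatever alters the installers cannot also alter the record.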
ZippyZingo
General
 Premium Member
 Joined: Apr 07, 2004 Posts: 3690 Location: USA
Posted: Thu Jun 29, 2006 10:32 pm
Robin,
I found a listing for this in the Symantec Security site.
http://www.sarc.com/avcenter/venc/data/w32.bagz@mm.html
The worm listed here appears to be what is associated with dl.exe. Symantec's site appears to assume that you are running XP but the trojan can infect windows 98 too. You might try downloading the free copy of "Antivir" at: http://www.free-av.com/
I don't know if it will find the worm and clean it but I've used this a lot on client's machines when they have not kept their AV up to date. It works well but you may need to boot your machine to "Safe Mode" then run Antivir to clean things up.
All of this is assuming that you can even install it after you download it. If you can, remember to run it on any removable media that you have used too. The CD's you burned may be infected too so you might need to throw those away.
I'm a bit confused here because I thought from your first post that you had to reinstall the O.S. very recently but it seems now that you have been working on this for a while. How long has this been going on?
ZZ
MoGrace2U
Trooper

 Joined: Jun 25, 2006 Posts: 11 Location: USA
Posted: Fri Jun 30, 2006 4:45 am
Hi ZZ,
I have been working on the reinstall all week - had to reformat and
reinstall 3 times before I "got it right" with configuring and updating
Win98. The dl.exe showed up as soon as I downloaded anything which
tells me they've got my address - whoever they are. Some of the
downloads did come from my AOL email through Outlook Express 6. I
wanted to set up the system without the AOL program but perhaps I lost
more than just the overhead. Since the dl.exe is actually a java script, I
was able to read its contents. All it seems to be is a director for RedSheriff
activities. Nothing too serious in its content - just starting and stopping
measurements of some sort. However, I had been having popup troubles
that occurred suddenly whereas I had not had them before. It started
after a visit to a site offering free avatars. I shoulda known better
So then I went and downloaded Panda Titanium 2006 and when it ran it went through all my exe files and renamed them without so much as a "may I?" That was when the system crashed and I couldn't get it back up, even though I was able to rename all the file changes first. I still cannot get into safe mode. All I get is the blank blue screen without any icons or start menu. Scandisk has found and marked 5 bad clusters. So perhaps my hard disk is damaged and I need to replace it. The system is working but without being able to download how am I supposed to get any programs loaded?
_________________
Robin
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Fri Jun 30, 2006 11:28 am
The first thing you should do is to make sure that you have backups of everything you can't replace. (this assumes you live in the us) Go to newegg.com to replace your hard drive. Judging by the fact that you are installing 98 on this machine it is likely that you will not need more than this: http://www.newegg.com/Product/Product.asp?Item=N82E16822144233 . It has very good reviews as well.
I will get that list of links together for you.
ZippyZingo
General
 Premium Member
 Joined: Apr 07, 2004 Posts: 3690 Location: USA
Posted: Fri Jun 30, 2006 3:23 pm
Hi Nosirrah,
If you don't mind me asking, why are you recommending that Robin replace the HD? 5 bad clusters doesn't sound like all that many to me. Not without knowing the size of the drive, how often scandisk is run and if it finds bad clusters every time or if the problem is with the FAT entries or with the clusters themselves. I agree that a backup of the data is important but if the drive is infected, as it appears, the backup could just reinfect the new drive.
Robin,
Are you trying to reboot to the "Safe Mode" or are you pressing "F8" on startup? Also, are you using a restore CD that came with the PC or a windows 98 CD to reinstall?
ZZ
nosirrah
Security Expert Special Response Team
 Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Fri Jun 30, 2006 3:34 pm
@ZippyZingo: Physical drive problems self perpetuate. A small particle combined with a 5400 to 7200 rpm platter is a bad combo. And safe is better than sorry. I have seen many hard drives with bad clusters have an increasing number of bad clusters over time. I have only seen a few that did not.
If you want a second opinion Bill_Bright is the hardware master. If he thinks it is ok to let go, I would trust his advice over my own when it comes to hardware.
MoGrace2U
Trooper

 Joined: Jun 25, 2006 Posts: 11 Location: USA
Posted: Fri Jun 30, 2006 6:19 pm Post subject: 4 times is a charm
Well I took the advice NOT to use any CD's I had burned, nor to download any files I had saved to my flash drive and this reformat/install seems to be fine. I ran scandisk /surface from DOS before I installed Windows and had the same bad spots in the same location as previously. I will check on these regularly and make sure no more show up. The Windows update went smoothly and Internet Explorer is behaving with my safety settings.
I do have a question though about anti-virus programs. Each time I have tried to use one on an infected drive it quarantined my exe files so they could not be used. I am concerned that I may have infected my work computer. I do not want to run these programs if it will render the programs I need inoperative. So what should I do? Will backing up the data files be safe if I do not copy any exe files? How should I go about getting that computer ready in case of failure - which very likely will be soon? Can you point me to a good site that can give me some instructions? That dl.exe file has shown up at work this past week - no doubt from the flash drive. It's too bad wisdom always comes 2nd! I also probably need a list of files to check and see if they are resident on my cpu at work - who has a good list?
Thanks so much for all your help!
_________________
Robin
MoGrace2U
Trooper

 Joined: Jun 25, 2006 Posts: 11 Location: USA
Posted: Fri Jun 30, 2006 6:35 pm
One more question. Can I piggyback my work drive to a new drive to get the data files only from it? I can reinstall the programs from the original CD's but there is a lot of data to try and backup off the drive. I do not have a CD burner at work. I was planning on upgrading to a new Dell with XP Pro at work which is connected to a new 2003 Server. I have not loaded any programs onto the Server yet (thank goodness). Can I stay connected to the Server do you think? This will no doubt generate a zillion more questions from me before I get a decent nite's sleep...
_________________
Robin
wawadave
Special Response Team
 Joined: Nov 22, 2002 Posts: 21503 Location: Installing Vista http://tinyurl.com/2l9qyd