Copyright © 1999 - 2006, Sandra Hardmeier, All
Rights Reserved Worldwide
Last updated
20/08/2006
Becoming more common, but information is sparce. URLs addressing the problem include:
http://ktp.e-isa.com/av/Viruses/Gpix.htm
The information is pretty much identical to:
http://hq.mcafeeasap.com/dispTrojan.asp?virus_k=100247
http://www.z-virus.com/Eng-virus-HTM/gpix.htm
http://vil.nai.com/vil/content/Print100247.htm
A fix is available at the URL below. Save it to your desktop and then run it (thanks to Doug Knox):
http://www.dougknox.com/utility/scripts/9x_gpixfix.vbs
If you cannot start your machine, even in safe mode, do the following (again from Doug Knox) to remove Gpix:
Doug has created two files, called novirus.reg and novirus.bat that can be used to clean a machine from DOS.
A predone BAT and
REG file can be found at:
http://www.dougknox.com/utility/scripts/gpixfix_dos.zip
Instructions for use are at:
http://www.dougknox.com/utility/scripts_desc/9x_gpixfix.htm
If you have a file called explorer.exe at c:\explorer.exe, rename it. There have been examples of that file being implicated. Important note. Do not touch the file with the same name at c:\windows\explorer.exe. That file is part of Windows.
The gpix problem *might* be related to martfinder.com but more evidence is required before a conclusion can be reached. Its purely guilt by association at the moment. I would appreciate an email from anybody who has shellexpl.exe on their system. I would like to know if they, also, have hndldt.ini or winhndl.ini on their systems, and if their search engine has been hijacked by martfinder.com.
Note: some people have shellexpl.exe, some have shellexpi.exe. Please keep feedback coming in (thanks to all who have emailed). Doug is updating the script to catch new/unsolved problems as often as he can :o)