Copyright © 1999 - 2006, Sandra Hardmeier, All Rights Reserved Worldwide
Last updated 20/08/2006

Gpix is becoming more common, but information is sparse. URLs addressing the problem include:

http://ktp.e-isa.com/av/Viruses/Gpix.htm

 

The information is pretty much identical to:

http://hq.mcafeeasap.com/dispTrojan.asp?virus_k=100247

http://www.z-virus.com/Eng-virus-HTM/gpix.htm

http://vil.nai.com/vil/content/Print100247.htm

 

A fix is available at the URL below. Save it to your desktop and then run it (thanks to Doug Knox):

http://www.dougknox.com/utility/scripts/9x_gpixfix.vbs

 

If you cannot start your machine, even in safe mode, do the following (again from Doug Knox) to remove Gpix:

 

Doug has created two files, novirus.reg and novirus.bat, that can be used to clean a machine from DOS.

 

Ready-made BAT and REG files can be found at:
http://www.dougknox.com/utility/scripts/gpixfix_dos.zip

Instructions for use are at:
http://www.dougknox.com/utility/scripts_desc/9x_gpixfix.htm

 

If you have a file called explorer.exe at c:\explorer.exe, rename it; there have been cases of that file being implicated. Important note: do not touch the file with the same name at c:\windows\explorer.exe. That file is part of Windows.

 

The gpix problem *might* be related to martfinder.com but more evidence is required before a conclusion can be reached. It's purely guilt by association at the moment. I would appreciate an email from anybody who has shellexpl.exe on their system. I would like to know if they, also, have hndldt.ini or winhndl.ini on their systems, and if their search engine has been hijacked by martfinder.com.

 

Note: some people have shellexpl.exe, some have shellexpi.exe. Please keep feedback coming in (thanks to all who have emailed). Doug is updating the script to catch new/unsolved problems as often as he can :o)