weird error in autocad 2009

[ReMark]

DWL files are created by the whohas.arx registry key. If you want to stop the creation of dwl files during the current AutoCAD session you must type appload at the command line. This will bring up the Load/Unload Applications dialog box. Go to the Loaded Applications tab and using the scroll buttons go to the bottom of the listed applications. Click on whohas.arx. Look to the right. Click on the Unload button. In the rectangular window at the bottom of the dialog box you'll see the following message: whohas.arx successfully unloaded. Now click on the Close button. That's it. Keep in mind this is only for the session of AutoCAD you are in. Once you close it out and then reopen it later AutoCAD will start creating dwl files every time you open a drawing. There is a way to permanently stop the creation of dwl files but it involves editting the Registry. Do you really want to do this?

[ReMark]

Here is a sample output from a dwl file I opened using Notepad.

 

mark MMM Wednesday, July 08, 2009 11:46:30 AM

[lordjkpff]

it was a theroy...

 

Now an even bigger mess is it appears that some people have checked the box "Don't show me this again", and now every file they open and save gets this language pack error.

Once you press "open" or check the "Don't show me this again" a acad.vlx file is created. Then it changes the acaddoc and a few other files on the computer who opened it. That is when commands start to go haywire.

http://discussion.autodesk.com/forums/thread.jspa?threadID=733104&tstart=75

The virus arrived in several manifestations. It exploits AutoCAD's automatic loading of reserve-named "program files" such as acaddoc. lsp (the most prevalent one found so far), acad.lsp, acad.fas. acad.vlx, etc. Once infected, it has the curious habit of growing the infected files to become huge (I have seen an acaddoc.lsp grow up tp 50 MB and more during one outbreak). Also, it

infects a number of .LSP and .MNL files in the AutoCAD \support folder

location. Typically I just sort the \support folder by DATE, because the

infected files will be very recent, and you'll notice that the small lisp and

mnl files get very large, often into multi-megabytes. One needs strategies

to fight the threat. I keep protected copies of the good original .LSP

& MNL files to copy back down to an infected station. We've had no new

outbreaks in the last 5 months or so.

Important: not all virus detection picks up

these files. The signatures can change, since they are just text files,

but when AutoCAD launches, the text of course gets read and executes doing it's

malicious work. We do a lot of international work, and this particular

virus hailing from China, often comes innocently enough in file transmittals of

CAD files sent to us by clients and consultants... they probably don't realize

they're infected.

 

Using the WBLOCK command seems to clean infected files except Civil 3D files, some objects will not go with the WBLOCK.

 

Is there any purge that strip whatever it is out of the drawing? Whatever it is, it is in the drawing!

[ReMark]

If you do not know what "it" is then what are you purging? When you do use the purge command do you purge regapps? I believe I've seen a reference to a LISP routine called SuperPurge but I can't recall what benefits it offers over the regular purge command.

[ReMark]

Well then, what are your choices at this point? Care to try an experiment? Pick one of the computers that is "infected" and wipe the hard drive. Then reinstall your OS and your CAD software. Test it with a known "clean" drawing. What happens?

[lordjkpff]

Yep, Regapps was one of the first things we tried... and we don't know what "it" is either, we just know "it" is causing problems..

We are in contact with the Manusoft, makers of SuperPurge, unfortunately we have to go item by item to figure out what "it" is...

[ReMark]

Not interested in sacrificing one of your computers then are you?

[lordjkpff]

Unfortunately it has nothing to do with the computer station, it has to do with the dwg files. We have found the acad.vlx all over our server, it is saved where your infected drawing is saved.

 

 

We used Superpurge to see if we could track down the APP. We open a CLEAN file and ran superpurge. We made a screen shot of the items it found in the drawing, it was a small list.

 

Then we recovered a infected file and saved it. Then went back to the clean file and saved it which infected it. We confirmed by trying to open the file and it gave the language pack error. We then ran Superpurge on the file and notice ONE MORE APP had been added to the file.

 

The APP is called:

 

App IDs: [1]

ADE

 

THE PROBLEM IS, YOU CAN SUPERPURGE THE APP, BUT YOU CANNOT SAVE WITHOUT INFECTING THE FILE AGAIN!!!

 

WE NEED A WAY TO PURGE THIS APP AND SAVE THE DRAWING!!!

Screen Shots Before & After:

[lordjkpff]

Just to add, i wasn't ignoring the brand new computer option, it was a great suggestion and we did that too. We are actually using the menus from that computer to replace corrupted ones on the workstations. We have narrowed the root of the problem to be contained in the dwg's.

We are also trying and old school approach and creating a dummy, blank acad.vlx file and a script to replace them on our server until Autodesk tells us how to purge the app and save without re-infecting it.

[ReMark]

Acad.vlx? If you run appload at the command line this file shows up in the Loaded Applications list?

[ReMark]

F.Y.I. - FAS and VLX files. As per AutoDesk:

 

"FAS and VLX files are compiled AutoLISP® files that were created with Visual LISP®. FAS files contain a single compiled AutoLISP routine, whereas VLX files contain multiple routines."

[ReMark]

If you want a complete list of all ARX, FAS and VLX files being loaded you can use the routine acadinfo.lsp. To use this utility enter (load"acadinfo") on the command line and press Enter. Next type acadinfo and press Enter. The Select file name dialog box should appear on your screen with the default acadinfo.txt already listed. You can indicate to AutoCAD where you want to save this file. I saved mine to the Desktop. You should then see something very similar to this:

 

ACADINFO is a utility for gathering information about

your AutoCAD installation and current setup. The routine

will examine your system and write a text file called

'C:\Documents and Settings\mark\Desktop\acadinfo.txt'

to your hard drive.

 

At this point you can press ENTER to continue or ESC to cancel. Assuming you elect to continue this is what you should see next:

 

Examining your AutoCAD setup. Please wait...

Performing load tests...

AutoCAD menu utilities loaded.

AutoCAD Express Tools Copyright © 2002-2004 Autodesk, Inc.

Writing AutoCAD system variable information...

Formatting and writing ouput. Please wait...\

Output written to: "C:\Documents and Settings\mark\Desktop\acadinfo.txt"

Done.

 

Go to your Desktop and open acadinfo.txt and the information you seek will be located at or very near the top of the file. The file also contains, among other things, a complete list of all system variables and their current setting.

[lordjkpff]

Nope, the thing is when you open an infected file, even if you go through the recover command, and then open a non-infected file, then save it, it to is now infected. The .vlx only show up is you press "Open" or "Don't show this again" box when the language pack comes up. Then the next time you run AutoCAD it rewrites your commands.

 

Autodesk sends us this....

 

Please take a look at the following link:

 

http://discussion.autodesk.com/forums/thread.jspa?messageID=6180777

 

It would be good to look through the entire thread, but in particular look at the post from markdoel on February 18th at 7:25 am. This gives a good way to search for these files. You want to delete all vlx files on your system, and then replace the bad lsp files with ones from a machine that does not have the problem. I will also post one more link to another discussion group also referencing this issue.

 

And of course Autdesk's #1 solution is:

 

If this does not work then we may need to look into a 'clean' reinstall on the affected machines to assure that all bad files are replaced.

 

 

They keep ignoring the fact that this malicious APP resided "INSIDE" the dwg file and just opening it will infect any other file saved after.

 

There was one possible helpful post on that page with a link to a lisp file that could show all hidden objects in a dwg file. However that link has no pot of gold (lisp) at the end of it. It appears that this lisp is only a mystic fairytale.

 

Posted by: Gary_K on Jun 27, 2009 7:45 AM

http://cadtips.cadalyst.com/display-properties/turn-objects-invisible-or-visible

 

Does anyone have such a lisp..

[ReMark]

Sounds like you're stuck between a rock and a hard place. Even if you clean out every computer (wipe and reinstall OS and all programs) as soon as you try to work with the drawing file you become infected again. How many infected drawing files do you suppose you have at this point?

[ReMark]

Are you saying you could not download the LISP file? Actually it is a zip file named HTH2058.zip. I was able to download it and unzip it. The zip file contained one file called Hide&Show.lsp. The routine is called by typing InVis. It purports to be able to turn objects invisible and then visible again. Use it to amaze your friends or hide something more sinister? The author does refer to "objects" so I'm not sure what you hoped to do with it. Care to explain?

[ReMark]

By the way, I did not try the lisp routine out so I can't tell you if it works or not.

[lordjkpff]

Tried the lisp, it found no hidden objects!

We have found this acad.vlx file throughout our server with the earliest date of 6/29, we figure someone received an updated background from an architect and it spread from there. We are considering going to a backup copy of our network which means we would lose 2 weeks worth of work!

I hope Autodesk is working with Symantec or another virus company to fix this. I have noticed more chatter popping up with this same malicious behavior.

I SUGGEST TO ANYONE TO EDUCATE YOUR CAD USERS, IF THEY SEE SUSPICIOUS WARNINGS TO ALERT THE CAD MANAGER!!!

[Car5858]

I would convert the infected files to pdf, before reverting to the network back up.

 

I have looked for the drawing that I had a problem with, That drawing is no longer in my system. I tend to deleat drawings after I convert to pdf to save space on the HD.

 

I also agree with the alert.

[ReMark]

I searched my standalone workstation and everything on our network and did not find any file named acad.vlx but then I did not expect to. I guess that at this point this is between your firm and AutoDesk. I wouldn't expect much in the way of help from Symantec (just my opinion).

 

Please keep us informed as to what transpires. Thanks and good luck.

[lordjkpff]

UPDATE:

Autodesk has given up on the tech support end and states that WBLOCK is the answer. Symantec has reported that they are starting to see a surge of similar requests for assistance.

For basic AutoCAD files the use of WBLOCK or a "Hard" Superpurge will remove the malicious virus within the DWG.

HOWEVER as for Civil 3D or any other vertical product, as of yet, there is no safe way to remove the virus without losing the intelligent data produced by the vertical product.