Solved

Infection?

Posted on 2000-05-03
15
416 Views
Last Modified: 2013-12-28
InoculateIT_PE, my anti-virus program, notified me that I have a Trojan, actually two (2) of them.

1. C:\WINDOWS\PWRSVM.EXE is infected with Win32.SubSeven.21.D ldr Trojan

2. C:\WINDOWS\XIDUMSS.EXE is infected with Win32.SubSeven.21.D ldr Trojan

The virus program deleted both files. I'm trying to reinstall fresh files to replace the infected files. I connot find these two files for anything. No one has them on their PC.

Were these files installed maliciously? Now, when I try to start an application, I get the following message:

XIDUMSS.EXE
This program is needed for opening files of type 'Application'.

Can anyone assist me?

Thankfully,
Erik Hundrieser
Los Angeles
0
Comment
Question by:ehundrieser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
15 Comments
 
LVL 1

Accepted Solution

by:
tjoiner earned 200 total points
ID: 2776381
This link to McAfee will give you a detailed explanation of what the virus was and what it did to your system.

http://vil.mcafee.com/dispVirus.asp?virus_k=10566

The reason you're getting that XIDUMSS.EXE error is because the registry key that controls how programs are started has been modified.

HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)

This should be ""%1" %*"and yours has probably been changed to  "xidumss.exe "%1" %*

Check that. Your virus software probably deleted the xidumss.exe file, but windows still thinks it should use it to open applications, thus the error.

Use GREAT CAUTION in editing registry entries... it's not for the feint of heart.

Good luck

Tim
0
 
LVL 1

Expert Comment

by:tjoiner
ID: 2776391
Also, if you can't run REGEDIT due to the affects of the virus, that website also shows how you can create a registry file on another computer and copy it to yours to fix your problem. Look at step 11 on that web page.

Tim
0
 

Author Comment

by:ehundrieser
ID: 2776436
Tim, thanks! I will work on this tomorrow. Better bright and awake, than dull and tired when trying to do this. Your plan, and the info on McAfee's site, should take me to nirvana. <g> Will advise!

Erik
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 
LVL 1

Expert Comment

by:chev
ID: 2776448
If your not into hacking the registry here is the url of a freeware utility..http://softseek.zdnet.com/Utilities/Virus_Protection/Review_29741_index.html

Subseven 2.1d is quite a new version I would check back through emails and stuff like that for exe files and stuff that have been sent to you... Just to find out who got you in the first place..


0
 

Author Comment

by:ehundrieser
ID: 2779624
I have no access to regedit. I'm ready to do a clean install, unless I can access regedit to edit the registry.
0
 
LVL 1

Expert Comment

by:tjoiner
ID: 2779634
You don't need regedit. You can create a simple text file on another machine and then copy it via floppy to your c:\windows folder to fix your problem. From that web site I referenced earlier...

11) In the event that the trojan was deleted before making the registry changes, it is still possible to repair the registry. You will need access to another computer, or at a minimum, access to MS-DOS on the affected system. Using MS-DOS edit, create a file called UNDO.REG with the following content (you can cut and paste):

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

                 [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"


12) Save this file to the Windows folder of the affected system as the file
"UNDO.REG".

13) Click on START|RUN and type in UNDO.REG and press ENTER. The contents of UNDO.REG should be now imported to the registry.

Try it.. you can't end up any worse than you already are!

good luck

Tim
0
 

Author Comment

by:ehundrieser
ID: 2779677
I have access to another PC. I would use notepad and Cut,Paste the above info that begins with REGEDIT 4. I would save the file to a floppy and name it UNDO.REG

I'd place the floppy into the affected machine and go to Windows Explorer and move the UNDO.REG file to C:\Windows folder.

Then to step 13 (as above)

Question: the format of my cut and paste. Should each of the 3 lines of text (starting with REGEDID 4) be on one line, followed by a blank line, or does that make a difference.

Sorry to be so anal. Better to be safe and ask. <g>

Erik
0
 
LVL 1

Expert Comment

by:tjoiner
ID: 2781121
It's actually five lines....

REGEDIT4

[HKEY_......
@="\"%1\" %*"

[HKEY_.......
@="\"%1\" %

and yes keep the blank lines just as they appear here.

Tim
0
 

Author Comment

by:ehundrieser
ID: 2781569
tjoiner, thanks for getting back to me. I'm glad I asked.

Since I have access to Windows Explorer, I'll try to save as many of my data files (spent most of yesterday doing just that), just in case. What are the chances for my system not to respond at all when I perform the aforementioned; any guess?
0
 
LVL 1

Expert Comment

by:tjoiner
ID: 2781666
The error in that one section of your registry shouldn't prevent you from installing the fix. It doesn't have to actually "start" another application to accomplish it, so it should bypass the remnants of that virus. I don't think you'll have any trouble.

If I were you though, I'd print out that web page ahead of time so you'll have a step by step guide to follow on what to click and when.

I'll be out of town till late Sunday.. hope everything goes okay...

Tim
0
 

Author Comment

by:ehundrieser
ID: 2781957
Thanks, I'll keep you posted. Speak with you when you get back. Hopefully I'll have good news!

Erik
0
 

Author Comment

by:ehundrieser
ID: 2783427
Tim, I'm up and running! Thanks for your help in staying with me on this. I appreciate it!
0
 
LVL 1

Expert Comment

by:tjoiner
ID: 2783521
Great! Glad you stuck with it too... I hate to see people reformat when there's even the smallest chance things can be salvaged.

Tim
0
 

Author Comment

by:ehundrieser
ID: 2784417
Tim, I agree with you.

Generally, I do a complete new install every 8-12 months, due to the amount of programs I install/uninstall. As you know the system becomes unstable due to all the leftover garbage from shareware, etc. I'm not knocking shareware, freeware, whateverware, it's just about any program that leaves leftovers in your registry after uninstalling.

Just prior to dealing with the virus, I was actually preparing to do a clean install. I'm glad that with your help I was able to work this through to completion. It always gives me pleasure to learn or be made aware of new processes.

Thanks again!
Erik
0
 

Author Comment

by:ehundrieser
ID: 2784432
Incidentally, actually, more importantly, I believe that the reason for my virus predicament was that sometime ago I messed with the default settings on my virus program (InoculateIT PE). I set it do delete the offending virus. Last night I switched back to all of the default settings. I'm very good at downloading and installing updates (every couple of days or so), but what good is that when the settings were not maximized. Another lesson learned!

Erik
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
A small collection of useful tips and tricks for Windows 10 users that I decided to write as a result of recent questions that were asked and answered at Experts Exchange. Two short video tutorials included. Enjoy..
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question