• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 425
  • Last Modified:

Infection?

InoculateIT_PE, my anti-virus program, notified me that I have a Trojan, actually two (2) of them.

1. C:\WINDOWS\PWRSVM.EXE is infected with Win32.SubSeven.21.D ldr Trojan

2. C:\WINDOWS\XIDUMSS.EXE is infected with Win32.SubSeven.21.D ldr Trojan

The virus program deleted both files. I'm trying to reinstall fresh files to replace the infected files. I connot find these two files for anything. No one has them on their PC.

Were these files installed maliciously? Now, when I try to start an application, I get the following message:

XIDUMSS.EXE
This program is needed for opening files of type 'Application'.

Can anyone assist me?

Thankfully,
Erik Hundrieser
Los Angeles
0
ehundrieser
Asked:
ehundrieser
  • 8
  • 6
1 Solution
 
tjoinerCommented:
This link to McAfee will give you a detailed explanation of what the virus was and what it did to your system.

http://vil.mcafee.com/dispVirus.asp?virus_k=10566

The reason you're getting that XIDUMSS.EXE error is because the registry key that controls how programs are started has been modified.

HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)

This should be ""%1" %*"and yours has probably been changed to  "xidumss.exe "%1" %*

Check that. Your virus software probably deleted the xidumss.exe file, but windows still thinks it should use it to open applications, thus the error.

Use GREAT CAUTION in editing registry entries... it's not for the feint of heart.

Good luck

Tim
0
 
tjoinerCommented:
Also, if you can't run REGEDIT due to the affects of the virus, that website also shows how you can create a registry file on another computer and copy it to yours to fix your problem. Look at step 11 on that web page.

Tim
0
 
ehundrieserAuthor Commented:
Tim, thanks! I will work on this tomorrow. Better bright and awake, than dull and tired when trying to do this. Your plan, and the info on McAfee's site, should take me to nirvana. <g> Will advise!

Erik
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
chevCommented:
If your not into hacking the registry here is the url of a freeware utility..http://softseek.zdnet.com/Utilities/Virus_Protection/Review_29741_index.html

Subseven 2.1d is quite a new version I would check back through emails and stuff like that for exe files and stuff that have been sent to you... Just to find out who got you in the first place..


0
 
ehundrieserAuthor Commented:
I have no access to regedit. I'm ready to do a clean install, unless I can access regedit to edit the registry.
0
 
tjoinerCommented:
You don't need regedit. You can create a simple text file on another machine and then copy it via floppy to your c:\windows folder to fix your problem. From that web site I referenced earlier...

11) In the event that the trojan was deleted before making the registry changes, it is still possible to repair the registry. You will need access to another computer, or at a minimum, access to MS-DOS on the affected system. Using MS-DOS edit, create a file called UNDO.REG with the following content (you can cut and paste):

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

                 [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"


12) Save this file to the Windows folder of the affected system as the file
"UNDO.REG".

13) Click on START|RUN and type in UNDO.REG and press ENTER. The contents of UNDO.REG should be now imported to the registry.

Try it.. you can't end up any worse than you already are!

good luck

Tim
0
 
ehundrieserAuthor Commented:
I have access to another PC. I would use notepad and Cut,Paste the above info that begins with REGEDIT 4. I would save the file to a floppy and name it UNDO.REG

I'd place the floppy into the affected machine and go to Windows Explorer and move the UNDO.REG file to C:\Windows folder.

Then to step 13 (as above)

Question: the format of my cut and paste. Should each of the 3 lines of text (starting with REGEDID 4) be on one line, followed by a blank line, or does that make a difference.

Sorry to be so anal. Better to be safe and ask. <g>

Erik
0
 
tjoinerCommented:
It's actually five lines....

REGEDIT4

[HKEY_......
@="\"%1\" %*"

[HKEY_.......
@="\"%1\" %

and yes keep the blank lines just as they appear here.

Tim
0
 
ehundrieserAuthor Commented:
tjoiner, thanks for getting back to me. I'm glad I asked.

Since I have access to Windows Explorer, I'll try to save as many of my data files (spent most of yesterday doing just that), just in case. What are the chances for my system not to respond at all when I perform the aforementioned; any guess?
0
 
tjoinerCommented:
The error in that one section of your registry shouldn't prevent you from installing the fix. It doesn't have to actually "start" another application to accomplish it, so it should bypass the remnants of that virus. I don't think you'll have any trouble.

If I were you though, I'd print out that web page ahead of time so you'll have a step by step guide to follow on what to click and when.

I'll be out of town till late Sunday.. hope everything goes okay...

Tim
0
 
ehundrieserAuthor Commented:
Thanks, I'll keep you posted. Speak with you when you get back. Hopefully I'll have good news!

Erik
0
 
ehundrieserAuthor Commented:
Tim, I'm up and running! Thanks for your help in staying with me on this. I appreciate it!
0
 
tjoinerCommented:
Great! Glad you stuck with it too... I hate to see people reformat when there's even the smallest chance things can be salvaged.

Tim
0
 
ehundrieserAuthor Commented:
Tim, I agree with you.

Generally, I do a complete new install every 8-12 months, due to the amount of programs I install/uninstall. As you know the system becomes unstable due to all the leftover garbage from shareware, etc. I'm not knocking shareware, freeware, whateverware, it's just about any program that leaves leftovers in your registry after uninstalling.

Just prior to dealing with the virus, I was actually preparing to do a clean install. I'm glad that with your help I was able to work this through to completion. It always gives me pleasure to learn or be made aware of new processes.

Thanks again!
Erik
0
 
ehundrieserAuthor Commented:
Incidentally, actually, more importantly, I believe that the reason for my virus predicament was that sometime ago I messed with the default settings on my virus program (InoculateIT PE). I set it do delete the offending virus. Last night I switched back to all of the default settings. I'm very good at downloading and installing updates (every couple of days or so), but what good is that when the settings were not maximized. Another lesson learned!

Erik
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 8
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now