Solved

Infection?

Posted on 2000-05-03
15
401 Views
Last Modified: 2013-12-28
InoculateIT_PE, my anti-virus program, notified me that I have a Trojan, actually two (2) of them.

1. C:\WINDOWS\PWRSVM.EXE is infected with Win32.SubSeven.21.D ldr Trojan

2. C:\WINDOWS\XIDUMSS.EXE is infected with Win32.SubSeven.21.D ldr Trojan

The virus program deleted both files. I'm trying to reinstall fresh files to replace the infected files. I connot find these two files for anything. No one has them on their PC.

Were these files installed maliciously? Now, when I try to start an application, I get the following message:

XIDUMSS.EXE
This program is needed for opening files of type 'Application'.

Can anyone assist me?

Thankfully,
Erik Hundrieser
Los Angeles
0
Comment
Question by:ehundrieser
  • 8
  • 6
15 Comments
 
LVL 1

Accepted Solution

by:
tjoiner earned 200 total points
ID: 2776381
This link to McAfee will give you a detailed explanation of what the virus was and what it did to your system.

http://vil.mcafee.com/dispVirus.asp?virus_k=10566

The reason you're getting that XIDUMSS.EXE error is because the registry key that controls how programs are started has been modified.

HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)

This should be ""%1" %*"and yours has probably been changed to  "xidumss.exe "%1" %*

Check that. Your virus software probably deleted the xidumss.exe file, but windows still thinks it should use it to open applications, thus the error.

Use GREAT CAUTION in editing registry entries... it's not for the feint of heart.

Good luck

Tim
0
 
LVL 1

Expert Comment

by:tjoiner
ID: 2776391
Also, if you can't run REGEDIT due to the affects of the virus, that website also shows how you can create a registry file on another computer and copy it to yours to fix your problem. Look at step 11 on that web page.

Tim
0
 

Author Comment

by:ehundrieser
ID: 2776436
Tim, thanks! I will work on this tomorrow. Better bright and awake, than dull and tired when trying to do this. Your plan, and the info on McAfee's site, should take me to nirvana. <g> Will advise!

Erik
0
 
LVL 1

Expert Comment

by:chev
ID: 2776448
If your not into hacking the registry here is the url of a freeware utility..http://softseek.zdnet.com/Utilities/Virus_Protection/Review_29741_index.html

Subseven 2.1d is quite a new version I would check back through emails and stuff like that for exe files and stuff that have been sent to you... Just to find out who got you in the first place..


0
 

Author Comment

by:ehundrieser
ID: 2779624
I have no access to regedit. I'm ready to do a clean install, unless I can access regedit to edit the registry.
0
 
LVL 1

Expert Comment

by:tjoiner
ID: 2779634
You don't need regedit. You can create a simple text file on another machine and then copy it via floppy to your c:\windows folder to fix your problem. From that web site I referenced earlier...

11) In the event that the trojan was deleted before making the registry changes, it is still possible to repair the registry. You will need access to another computer, or at a minimum, access to MS-DOS on the affected system. Using MS-DOS edit, create a file called UNDO.REG with the following content (you can cut and paste):

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

                 [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"


12) Save this file to the Windows folder of the affected system as the file
"UNDO.REG".

13) Click on START|RUN and type in UNDO.REG and press ENTER. The contents of UNDO.REG should be now imported to the registry.

Try it.. you can't end up any worse than you already are!

good luck

Tim
0
 

Author Comment

by:ehundrieser
ID: 2779677
I have access to another PC. I would use notepad and Cut,Paste the above info that begins with REGEDIT 4. I would save the file to a floppy and name it UNDO.REG

I'd place the floppy into the affected machine and go to Windows Explorer and move the UNDO.REG file to C:\Windows folder.

Then to step 13 (as above)

Question: the format of my cut and paste. Should each of the 3 lines of text (starting with REGEDID 4) be on one line, followed by a blank line, or does that make a difference.

Sorry to be so anal. Better to be safe and ask. <g>

Erik
0
Want to promote your upcoming event?

Are you going to an event? Are you going to be exhibiting at a tradeshow? Talking at a conference? Using a promotional banner in your email signature ensures that your organization’s most important contacts stay in the know and can potentially spread the word about the event.

 
LVL 1

Expert Comment

by:tjoiner
ID: 2781121
It's actually five lines....

REGEDIT4

[HKEY_......
@="\"%1\" %*"

[HKEY_.......
@="\"%1\" %

and yes keep the blank lines just as they appear here.

Tim
0
 

Author Comment

by:ehundrieser
ID: 2781569
tjoiner, thanks for getting back to me. I'm glad I asked.

Since I have access to Windows Explorer, I'll try to save as many of my data files (spent most of yesterday doing just that), just in case. What are the chances for my system not to respond at all when I perform the aforementioned; any guess?
0
 
LVL 1

Expert Comment

by:tjoiner
ID: 2781666
The error in that one section of your registry shouldn't prevent you from installing the fix. It doesn't have to actually "start" another application to accomplish it, so it should bypass the remnants of that virus. I don't think you'll have any trouble.

If I were you though, I'd print out that web page ahead of time so you'll have a step by step guide to follow on what to click and when.

I'll be out of town till late Sunday.. hope everything goes okay...

Tim
0
 

Author Comment

by:ehundrieser
ID: 2781957
Thanks, I'll keep you posted. Speak with you when you get back. Hopefully I'll have good news!

Erik
0
 

Author Comment

by:ehundrieser
ID: 2783427
Tim, I'm up and running! Thanks for your help in staying with me on this. I appreciate it!
0
 
LVL 1

Expert Comment

by:tjoiner
ID: 2783521
Great! Glad you stuck with it too... I hate to see people reformat when there's even the smallest chance things can be salvaged.

Tim
0
 

Author Comment

by:ehundrieser
ID: 2784417
Tim, I agree with you.

Generally, I do a complete new install every 8-12 months, due to the amount of programs I install/uninstall. As you know the system becomes unstable due to all the leftover garbage from shareware, etc. I'm not knocking shareware, freeware, whateverware, it's just about any program that leaves leftovers in your registry after uninstalling.

Just prior to dealing with the virus, I was actually preparing to do a clean install. I'm glad that with your help I was able to work this through to completion. It always gives me pleasure to learn or be made aware of new processes.

Thanks again!
Erik
0
 

Author Comment

by:ehundrieser
ID: 2784432
Incidentally, actually, more importantly, I believe that the reason for my virus predicament was that sometime ago I messed with the default settings on my virus program (InoculateIT PE). I set it do delete the offending virus. Last night I switched back to all of the default settings. I'm very good at downloading and installing updates (every couple of days or so), but what good is that when the settings were not maximized. Another lesson learned!

Erik
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now