ehundrieser
asked on
Infection?
InoculateIT_PE, my anti-virus program, notified me that I have a Trojan, actually two (2) of them.
1. C:\WINDOWS\PWRSVM.EXE is infected with Win32.SubSeven.21.D ldr Trojan
2. C:\WINDOWS\XIDUMSS.EXE is infected with Win32.SubSeven.21.D ldr Trojan
The virus program deleted both files. I'm trying to reinstall fresh files to replace the infected files. I connot find these two files for anything. No one has them on their PC.
Were these files installed maliciously? Now, when I try to start an application, I get the following message:
XIDUMSS.EXE
This program is needed for opening files of type 'Application'.
Can anyone assist me?
Thankfully,
Erik Hundrieser
Los Angeles
1. C:\WINDOWS\PWRSVM.EXE is infected with Win32.SubSeven.21.D ldr Trojan
2. C:\WINDOWS\XIDUMSS.EXE is infected with Win32.SubSeven.21.D ldr Trojan
The virus program deleted both files. I'm trying to reinstall fresh files to replace the infected files. I connot find these two files for anything. No one has them on their PC.
Were these files installed maliciously? Now, when I try to start an application, I get the following message:
XIDUMSS.EXE
This program is needed for opening files of type 'Application'.
Can anyone assist me?
Thankfully,
Erik Hundrieser
Los Angeles
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Tim, thanks! I will work on this tomorrow. Better bright and awake, than dull and tired when trying to do this. Your plan, and the info on McAfee's site, should take me to nirvana. <g> Will advise!
Erik
Erik
If your not into hacking the registry here is the url of a freeware utility..http://softseek.zdnet.com/Utilities/Virus_Protection/Review_29741_index.html
Subseven 2.1d is quite a new version I would check back through emails and stuff like that for exe files and stuff that have been sent to you... Just to find out who got you in the first place..
Subseven 2.1d is quite a new version I would check back through emails and stuff like that for exe files and stuff that have been sent to you... Just to find out who got you in the first place..
ASKER
I have no access to regedit. I'm ready to do a clean install, unless I can access regedit to edit the registry.
You don't need regedit. You can create a simple text file on another machine and then copy it via floppy to your c:\windows folder to fix your problem. From that web site I referenced earlier...
11) In the event that the trojan was deleted before making the registry changes, it is still possible to repair the registry. You will need access to another computer, or at a minimum, access to MS-DOS on the affected system. Using MS-DOS edit, create a file called UNDO.REG with the following content (you can cut and paste):
REGEDIT4
[HKEY_CLASSES_ROOT\exefile
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Softwa
@="\"%1\" %*"
12) Save this file to the Windows folder of the affected system as the file
"UNDO.REG".
13) Click on START|RUN and type in UNDO.REG and press ENTER. The contents of UNDO.REG should be now imported to the registry.
Try it.. you can't end up any worse than you already are!
good luck
Tim
11) In the event that the trojan was deleted before making the registry changes, it is still possible to repair the registry. You will need access to another computer, or at a minimum, access to MS-DOS on the affected system. Using MS-DOS edit, create a file called UNDO.REG with the following content (you can cut and paste):
REGEDIT4
[HKEY_CLASSES_ROOT\exefile
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Softwa
@="\"%1\" %*"
12) Save this file to the Windows folder of the affected system as the file
"UNDO.REG".
13) Click on START|RUN and type in UNDO.REG and press ENTER. The contents of UNDO.REG should be now imported to the registry.
Try it.. you can't end up any worse than you already are!
good luck
Tim
ASKER
I have access to another PC. I would use notepad and Cut,Paste the above info that begins with REGEDIT 4. I would save the file to a floppy and name it UNDO.REG
I'd place the floppy into the affected machine and go to Windows Explorer and move the UNDO.REG file to C:\Windows folder.
Then to step 13 (as above)
Question: the format of my cut and paste. Should each of the 3 lines of text (starting with REGEDID 4) be on one line, followed by a blank line, or does that make a difference.
Sorry to be so anal. Better to be safe and ask. <g>
Erik
I'd place the floppy into the affected machine and go to Windows Explorer and move the UNDO.REG file to C:\Windows folder.
Then to step 13 (as above)
Question: the format of my cut and paste. Should each of the 3 lines of text (starting with REGEDID 4) be on one line, followed by a blank line, or does that make a difference.
Sorry to be so anal. Better to be safe and ask. <g>
Erik
It's actually five lines....
REGEDIT4
[HKEY_......
@="\"%1\" %*"
[HKEY_.......
@="\"%1\" %
and yes keep the blank lines just as they appear here.
Tim
REGEDIT4
[HKEY_......
@="\"%1\" %*"
[HKEY_.......
@="\"%1\" %
and yes keep the blank lines just as they appear here.
Tim
ASKER
tjoiner, thanks for getting back to me. I'm glad I asked.
Since I have access to Windows Explorer, I'll try to save as many of my data files (spent most of yesterday doing just that), just in case. What are the chances for my system not to respond at all when I perform the aforementioned; any guess?
Since I have access to Windows Explorer, I'll try to save as many of my data files (spent most of yesterday doing just that), just in case. What are the chances for my system not to respond at all when I perform the aforementioned; any guess?
The error in that one section of your registry shouldn't prevent you from installing the fix. It doesn't have to actually "start" another application to accomplish it, so it should bypass the remnants of that virus. I don't think you'll have any trouble.
If I were you though, I'd print out that web page ahead of time so you'll have a step by step guide to follow on what to click and when.
I'll be out of town till late Sunday.. hope everything goes okay...
Tim
If I were you though, I'd print out that web page ahead of time so you'll have a step by step guide to follow on what to click and when.
I'll be out of town till late Sunday.. hope everything goes okay...
Tim
ASKER
Thanks, I'll keep you posted. Speak with you when you get back. Hopefully I'll have good news!
Erik
Erik
ASKER
Tim, I'm up and running! Thanks for your help in staying with me on this. I appreciate it!
Great! Glad you stuck with it too... I hate to see people reformat when there's even the smallest chance things can be salvaged.
Tim
Tim
ASKER
Tim, I agree with you.
Generally, I do a complete new install every 8-12 months, due to the amount of programs I install/uninstall. As you know the system becomes unstable due to all the leftover garbage from shareware, etc. I'm not knocking shareware, freeware, whateverware, it's just about any program that leaves leftovers in your registry after uninstalling.
Just prior to dealing with the virus, I was actually preparing to do a clean install. I'm glad that with your help I was able to work this through to completion. It always gives me pleasure to learn or be made aware of new processes.
Thanks again!
Erik
Generally, I do a complete new install every 8-12 months, due to the amount of programs I install/uninstall. As you know the system becomes unstable due to all the leftover garbage from shareware, etc. I'm not knocking shareware, freeware, whateverware, it's just about any program that leaves leftovers in your registry after uninstalling.
Just prior to dealing with the virus, I was actually preparing to do a clean install. I'm glad that with your help I was able to work this through to completion. It always gives me pleasure to learn or be made aware of new processes.
Thanks again!
Erik
ASKER
Incidentally, actually, more importantly, I believe that the reason for my virus predicament was that sometime ago I messed with the default settings on my virus program (InoculateIT PE). I set it do delete the offending virus. Last night I switched back to all of the default settings. I'm very good at downloading and installing updates (every couple of days or so), but what good is that when the settings were not maximized. Another lesson learned!
Erik
Erik
Tim