Solved

Infection?

Posted on 2000-05-03
Last Modified: 2013-12-28
InoculateIT_PE, my anti-virus program, notified me that I have a Trojan, actually two (2) of them.

1. C:\WINDOWS\PWRSVM.EXE is infected with Win32.SubSeven.21.D ldr Trojan

2. C:\WINDOWS\XIDUMSS.EXE is infected with Win32.SubSeven.21.D ldr Trojan

The virus program deleted both files. I'm trying to reinstall fresh files to replace the infected files. I cannot find these two files for anything. No one has them on their PC.

Were these files installed maliciously? Now, when I try to start an application, I get the following message:

XIDUMSS.EXE
This program is needed for opening files of type 'Application'.

Can anyone assist me?

Thankfully,
Erik Hundrieser
Los Angeles
Question by:ehundrieser
15 Comments
 
LVL 1

Accepted Solution

by:
tjoiner earned 800 total points
ID: 2776381
This link to McAfee will give you a detailed explanation of what the virus was and what it did to your system.

http://vil.mcafee.com/dispVirus.asp?virus_k=10566

The reason you're getting that XIDUMSS.EXE error is because the registry key that controls how programs are started has been modified.

HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)

This should be "%1" %* and yours has probably been changed to xidumss.exe "%1" %*

Check that. Your virus software probably deleted the xidumss.exe file, but windows still thinks it should use it to open applications, thus the error.

Use GREAT CAUTION in editing registry entries... it's not for the faint of heart.

Good luck

Tim
 
LVL 1

Expert Comment

by:tjoiner
ID: 2776391
Also, if you can't run REGEDIT due to the effects of the virus, that website also shows how you can create a registry file on another computer and copy it to yours to fix your problem. Look at step 11 on that web page.

Tim
 

Author Comment

by:ehundrieser
ID: 2776436
Tim, thanks! I will work on this tomorrow. Better bright and awake, than dull and tired when trying to do this. Your plan, and the info on McAfee's site, should take me to nirvana. <g> Will advise!

Erik
 
LVL 1

Expert Comment

by:chev
ID: 2776448
If you're not into hacking the registry, here is the URL of a freeware utility: http://softseek.zdnet.com/Utilities/Virus_Protection/Review_29741_index.html

Subseven 2.1d is quite a new version. I would check back through emails and stuff like that for exe files and stuff that have been sent to you... Just to find out who got you in the first place..


 

Author Comment

by:ehundrieser
ID: 2779624
I have no access to regedit. I'm ready to do a clean install, unless I can access regedit to edit the registry.
 
LVL 1

Expert Comment

by:tjoiner
ID: 2779634
You don't need regedit. You can create a simple text file on another machine and then copy it via floppy to your c:\windows folder to fix your problem. From that web site I referenced earlier...

11) In the event that the trojan was deleted before making the registry changes, it is still possible to repair the registry. You will need access to another computer, or at a minimum, access to MS-DOS on the affected system. Using MS-DOS edit, create a file called UNDO.REG with the following content (you can cut and paste):

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"


12) Save this file to the Windows folder of the affected system as the file
"UNDO.REG".

13) Click on START|RUN and type in UNDO.REG and press ENTER. The contents of UNDO.REG should be now imported to the registry.

Try it.. you can't end up any worse than you already are!

good luck

Tim
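A small checker for the hijack Tim describes in the accepted answer and for the UNDO.REG format quoted from the McAfee steps above, as an added example (Python; not code from the thread or from McAfee): it parses a REGEDIT4 export, reads the default value of the exefile command keys, compares it with the stock "%1" %*, and names whatever loader was prepended. The HIJACKED_EXPORT sample is constructed from the thread's description, and parse_reg_defaults/check_exefile_handlers are names chosen here.

```python
import re

# The key SubSeven rewrites and the stock value Windows expects there ("%1" %*, quotes included).
EXPECTED_COMMAND = '"%1" %*'
EXEFILE_COMMAND_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)

def parse_reg_defaults(text):
    """Parse REGEDIT4 text into {key: default string value}; only @="..." lines are handled."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    defaults, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        m = re.match(r'^@="((?:[^"\\]|\\.)*)"$', line)
        if m is None or current is None:
            raise ValueError("unparsable line: %r" % line)
        defaults[current] = re.sub(r'\\(["\\])', r'\1', m.group(1))  # undo REGEDIT4 backslash escapes
    return defaults

def check_exefile_handlers(defaults):
    """Map each exefile command key present to None (stock value) or the prepended loader."""
    lowered = {k.lower(): v for k, v in defaults.items()}  # registry paths are case-insensitive
    findings = {}
    for key in EXEFILE_COMMAND_KEYS:
        cmd = lowered.get(key.lower())
        if cmd is None:
            continue
        if cmd == EXPECTED_COMMAND:
            findings[key] = None
        elif cmd.endswith(EXPECTED_COMMAND):
            findings[key] = cmd[: -len(EXPECTED_COMMAND)].strip()  # e.g. xidumss.exe
        else:
            findings[key] = cmd  # some other rewrite: report the whole command
    return findings

# Constructed sample: an export of the hijacked key as the thread describes it.
HIJACKED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="xidumss.exe \"%1\" %*"
'''
```

Running check_exefile_handlers over the UNDO.REG text above returns None for both keys, which is the state the fix restores.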
 

Author Comment

by:ehundrieser
ID: 2779677
I have access to another PC. I would use Notepad and cut and paste the above info that begins with REGEDIT4. I would save the file to a floppy and name it UNDO.REG

I'd place the floppy into the affected machine and go to Windows Explorer and move the UNDO.REG file to C:\Windows folder.

Then to step 13 (as above)

Question: the format of my cut and paste. Should each of the 3 lines of text (starting with REGEDIT4) be on one line, followed by a blank line, or does that make a difference?

Sorry to be so anal. Better to be safe and ask. <g>

Erik
 
LVL 1

Expert Comment

by:tjoiner
ID: 2781121
It's actually five lines....

REGEDIT4

[HKEY_......
@="\"%1\" %*"

[HKEY_.......
@="\"%1\" %*"

and yes keep the blank lines just as they appear here.

Tim
 

Author Comment

by:ehundrieser
ID: 2781569
tjoiner, thanks for getting back to me. I'm glad I asked.

Since I have access to Windows Explorer, I'll try to save as many of my data files (spent most of yesterday doing just that), just in case. What are the chances for my system not to respond at all when I perform the aforementioned; any guess?
 
LVL 1

Expert Comment

by:tjoiner
ID: 2781666
The error in that one section of your registry shouldn't prevent you from installing the fix. It doesn't have to actually "start" another application to accomplish it, so it should bypass the remnants of that virus. I don't think you'll have any trouble.

If I were you though, I'd print out that web page ahead of time so you'll have a step by step guide to follow on what to click and when.

I'll be out of town till late Sunday.. hope everything goes okay...

Tim
 

Author Comment

by:ehundrieser
ID: 2781957
Thanks, I'll keep you posted. Speak with you when you get back. Hopefully I'll have good news!

Erik
 

Author Comment

by:ehundrieser
ID: 2783427
Tim, I'm up and running! Thanks for your help in staying with me on this. I appreciate it!
 
LVL 1

Expert Comment

by:tjoiner
ID: 2783521
Great! Glad you stuck with it too... I hate to see people reformat when there's even the smallest chance things can be salvaged.

Tim
 

Author Comment

by:ehundrieser
ID: 2784417
Tim, I agree with you.

Generally, I do a complete new install every 8-12 months, due to the amount of programs I install/uninstall. As you know the system becomes unstable due to all the leftover garbage from shareware, etc. I'm not knocking shareware, freeware, whateverware, it's just about any program that leaves leftovers in your registry after uninstalling.

Just prior to dealing with the virus, I was actually preparing to do a clean install. I'm glad that with your help I was able to work this through to completion. It always gives me pleasure to learn or be made aware of new processes.

Thanks again!
Erik
 

Author Comment

by:ehundrieser
ID: 2784432
Incidentally, actually, more importantly, I believe that the reason for my virus predicament was that sometime ago I messed with the default settings on my virus program (InoculateIT PE). I set it to delete the offending virus. Last night I switched back to all of the default settings. I'm very good at downloading and installing updates (every couple of days or so), but what good is that when the settings were not maximized. Another lesson learned!

Erik