-
October 10th, 2000, 10:21 AM
#1
Error on startup
Every time I boot up my customer's system I get a WIN32VXD.EXE error. It also gives the error in Safe Mode and even when I disable everything in Win.ini, Sys.ini and startup. I can't run a virus check in Windows (the CD doesn't work) or in DOS (because Norton says it's out of space). The system is a PII 300, 40 GB hard drive, 128 MB RAM, Win98 SE.
Milkstache, what's that ?
-
October 10th, 2000, 05:59 PM
#2
You could hook up the drive as a secondary on another system (with AV software running), boot into windows and scan this drive for viruses.
"Badges? We don't need no stinking badges."
-
October 11th, 2000, 10:16 AM
#3
Registered User
I'm almost absolutely sure the file you mentioned is part of a virus.
I've seen it before but I can't say exactly which virus it is.
McAfee VirusScan will remove it for sure.
Real stupidity beats Artificial Intelligence
Avatar courtesy of A D E P T
-
October 11th, 2000, 11:46 AM
#4
Sounds like the SubSeven virus.
This is most commonly downloaded if you access the "fake" Microsoft download
site at:
http://www.microsoftdownloads.fsnet.co.uk/viprotct.htm
This Trojan virus is the result of further development of the BackDoor-G Trojan
(v1.0 - v1.9) and offers the usual access to the user's files and data on his
system via the Internet.
By default, the Trojan uses TCP port 27374, but this is configurable by the
configuration program.
It is normally distributed as a Win32 PE .exe dropper that may be disguised as a
.jpg or .bmp picture. When run, this dropper installs two files in the Windows
folder. These two files are the main server .exe files, normally called
Msrexe.exe, and a loader program normally called Run.exe, Windos.exe, or
Mueexe.exe.
These file names are only the default names and can be changed by the Trojan's
configuration program. The main server .exe file is identified as
"BackDoor-G2.svr" or "BackDoor-G2.svr.gen." The loader program is identified as
"BackDoor-G2.ldr."
Two other files are associated with this Trojan: the configuration program and
the client program. These are used to communicate with the main server program.
These are identified as BackDoor-G2.cfg and BackDoor-G2.cli respectively. These
files do not hook the operating system and may be safely deleted if detected on
the system.
Method of Infection
-------------------
This Trojan virus hooks into the host operating system in one or more of four
different ways:
- Adds the name of the main server .exe file to the run= line in the [Windows]
section of the Win.ini file.
- Adds the name of the main server .exe file to the end of the shell= line in
the [boot] section of the System.ini file.
- Adds the main server .exe file to the registry under the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
keys.
- Changes the way in which the operating system runs .exe files by changing the
registry value at
HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)
from ""%1" %*" to "mueexe.exe "%1" %*".
This causes the operating system to run the loader program every time a program
file is started. The main server .exe is then run (if it is not already
running), and then runs the program file requested by the operating system.
The Trojan also registers the .dl file extension as a program file type that can
be run by the operating system just like any .exe file. This allows the attacker
to download files onto the victim's system and run them. Because the extension
is not usually associated with executable files, some virus scanners do not scan
these files and the victim does not suspect these files.
Removal Instructions
--------------------
One way is to rename the registry editing programs from their original .exe
extensions to a .com extension. This bypasses the limitations created by
removing the Trojan before editing the registry. For example, in Windows 95/98,
the registry can be loaded and edited by using Regedit.exe. In Windows NT, you
use Regedt32.exe. Rename these to a .com extension. They will still run and
allow you to remove references to Trojans and Internet worms.
1. Identify and note the files associated with this Trojan as detected by the
antivirus program. Do not remove the Trojan at this time. If you have already
removed the Trojan, you will not be able to run the Regedit steps below on
the system. Proceed instead to step 11.
2. Start Registry Editor in Windows 95/98 by typing "regedit" (without the
quotation marks) or in Windows NT by typing "regedt32" (without the quotation
marks), and then press ENTER.
3. Remove references to the Trojan from these keys:
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
They should contain only the value, not including brackets, ["%1" %*].
4. If applicable, remove any keys that run the main Trojan under the following
keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
5. If applicable, delete the registry key if it exists for:
HKEY_CLASSES_ROOT\.dl
6. Quit Registry Editor.
7. If applicable, edit the Win.ini file and remove the reference to the Trojan
from the run= line in the [windows] section.
8. If applicable, edit the System.ini file and remove the reference to the
Trojan from the shell= line in the [boot] section. It should contain only the
Explorer.exe file.
9. Restart the computer.
10. Delete the Trojan program(s). If you receive an error message saying that
Windows is unable to delete the file because it is in use, you have made a
mistake in the above process. Repeat steps 1 through 10, and then try again.
11. If the Trojan was deleted before making the registry changes, it is still
possible to repair the registry. You need access to another computer, or at
a minimum, access to MS-DOS on the infected system. Using the MS-DOS Edit
tool, create a file named Undo.reg with the following contents:
REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
Save this file in the Windows folder on the infected computer as a file named
Undo.reg.
12. Click Start, click Run, type "undo.reg" (without the quotation marks), and
then click OK.
Hope this helps!
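A defender's check for the four persistence points Charon lists, added here as an example (not code from the post or from any antivirus vendor): it parses Win.ini/System.ini text and a REGEDIT4 export of the relevant keys and reports each one that deviates from the clean values given in the removal steps. The file contents, the loader name in the sample export and the "Windos" autostart entry are constructed for illustration.

```python
import re
# Constructed sample inputs (assumed file contents modelled on the post, not real captures).
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\MSREXE.EXE\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe msrexe.exe\n"
REG_EXPORT = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="mueexe.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\.dl]
@="exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windos"="C:\\WINDOWS\\WINDOS.EXE"
'''
CLEAN_EXE_COMMAND = '"%1" %*'  # the default the post says the exefile command keys must hold
EXEFILE_KEYS = (r'HKEY_CLASSES_ROOT\exefile\shell\open\command',
                r'HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command')
def unquote(s):
    # Strip REGEDIT4 quotes and unescape \" and \\; bare .ini values pass through unchanged.
    s = s.strip()
    return re.sub(r'\\(.)', r'\1', s[1:-1]) if len(s) > 1 and s[0] == s[-1] == '"' else s
def parse_sections(text):
    """Parse [section]/name=value text (.ini file or REGEDIT4 export) into nested dicts."""
    out, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith('[') and s.endswith(']'):
            cur = out.setdefault(s[1:-1].lower(), {})  # names compared case-insensitively
        elif cur is not None and '=' in s:
            name, val = (unquote(p) for p in s.split('=', 1))
            cur[name.lower()] = val
    return out
def audit(win_ini, system_ini, reg_export):
    """Return one finding per persistence point from the post that deviates from clean."""
    ini, reg = {**parse_sections(win_ini), **parse_sections(system_ini)}, parse_sections(reg_export)
    run = ini.get('windows', {}).get('run', '')
    shell = ini.get('boot', {}).get('shell', '')
    findings = ['win.ini run= is not empty: ' + run] if run else []
    if shell.lower() != 'explorer.exe':
        findings.append('system.ini shell= is not Explorer.exe alone: ' + shell)
    for k in EXEFILE_KEYS:  # a loader name in front of "%1" %* means every .exe launch is hooked
        cmd = reg.get(k.lower(), {}).get('@', CLEAN_EXE_COMMAND)
        if cmd != CLEAN_EXE_COMMAND:
            findings.append(k + ' hijacked: ' + cmd)
    if r'hkey_classes_root\.dl' in reg:
        findings.append('.dl registered as a runnable file type')
    for sub in ('RunServices', 'Run'):
        k = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\' + sub
        for name, val in reg.get(k.lower(), {}).items():
            findings.append(k + ' autostart entry ' + name + ' = ' + val)
    return findings
```

Running `audit(WIN_INI, SYSTEM_INI, REG_EXPORT)` on the constructed samples yields five findings; a clean machine yields an empty list, which is the state steps 3 through 8 of the post aim to restore.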
-
October 11th, 2000, 05:24 PM
#5
Charon, it worked like a charm. I just did the removal procedure you posted, and it went away. The computer is back to life. Thanks for posting that, it helped a lot.
Milkstache, what's that ?
-
October 12th, 2000, 08:34 AM
#6
Registered User
Originally posted by Charon:
Sounds like the SubSeven virus.
This is most commonly downloaded if you access the "fake" Microsoft download
site at:
http://www.microsoftdownloads.fsnet.co.uk/viprotct.htm
This Trojan virus is the result of further development of the BackDoor-G Trojan
(v1.0 - v1.9) and offers the usual access to the user's files and data on his
system via the Internet.
By default, the Trojan uses TCP port 27374, but this is configurable by the
configuration program.
It is normally distributed as a Win32 PE .exe dropper that may be disguised as a
.jpg or .bmp picture. When run, this dropper installs two files in the Windows
folder. These two files are the main server .exe files, normally called
Msrexe.exe, and a loader program normally called Run.exe, Windos.exe, or
Mueexe.exe.
These file names are only the default names and can be changed by the Trojan's
configuration program. The main server .exe file is identified as
"BackDoor-G2.svr" or "BackDoor-G2.svr.gen." The loader program is identified as
"BackDoor-G2.ldr."
Two other files are associated with this Trojan: the configuration program and
the client program. These are used to communicate with the main server program.
These are identified as BackDoor-G2.cfg and BackDoor-G2.cli respectively. These
files do not hook the operating system and may be safely deleted if detected on
the system.
Method of Infection
Thank you for completing my information
P.S. Next time give the http://vil.nai.com address (URL) and we all can enter easily...
Real stupidity beats Artificial Intelligence
Avatar courtesy of A D E P T