Error on startup

  1. #1
    Registered User
    Join Date
    Jul 2000
    Location
    Tampa, Florida
    Posts
    140

    Post Error on startup

    Every time I boot up my customer's system I get a WIN32VXD.EXE error. It also gives the error in Safe Mode and even when I disable everything in Win.ini, sys.ini and startup. I can't run a virus check in Windows (CD doesn't work) or in DOS (because Norton says it's out of space). The system is a PII 300, 40 GB hard drive, 128 MB RAM, Win98 S.E.
    Milkstache, what's that ?

  2. #2
    Registered User
    Join Date
    Oct 1999
    Location
    Clackamas, OR USA
    Posts
    5,422

    Post

    You could hook up the drive as a secondary on another system (with AV software running), boot into windows and scan this drive for viruses.
    "Badges? We don't need no stinking badges."

  3. #3
    Registered User Gabriel's Avatar
    Join Date
    Aug 2000
    Location
    Tel Aviv Israel
    Posts
    2,161

    Post

    I'm almost absolutely sure the file you mentioned is part of a virus.
    I've seen it before but I can't say exactly what virus it is.
    McAfee VirusScan will remove it for sure.
    Real stupidity beats Artificial Intelligence
    Avatar courtesy of A D E P T

  4. #4
    Charon
    Guest

    Post

    Sounds like the SubSeven virus.

    This is most commonly downloaded if you access the "fake" Microsoft download
    site at:

    http://www.microsoftdownloads.fsnet.co.uk/viprotct.htm

    This Trojan virus is the result of further development of the BackDoor-G Trojan
    (v1.0 - v1.9) and offers the usual access to the user's files and data on his
    system via the Internet.

    By default, the Trojan uses TCP port 27374, but this is configurable by the
    configuration program.

    It is normally distributed as a Win32 PE .exe dropper that may be disguised as a
    .jpg or .bmp picture. When run, this dropper installs two files in the Windows
    folder. These two files are the main server .exe files, normally called
    Msrexe.exe, and a loader program normally called Run.exe, Windos.exe, or
    Mueexe.exe.

    These file names are only the default names and can be changed by the Trojan's
    configuration program. The main server .exe file is identified as
    "BackDoor-G2.svr" or "BackDoor-G2.svr.gen." The loader program is identified as
    "BackDoor-G2.ldr."

    Two other files are associated with this Trojan: the configuration program and
    the client program. These are used to communicate with the main server program.
    These are identified as BackDoor-G2.cfg and BackDoor-G2.cli respectively. These
    files do not hook the operating system and may be safely deleted if detected on
    the system.

    Method of Infection
    -------------------

    This Trojan virus hooks into the host operating system in one or more of four
    different ways:

    - Adds the name of the main server .exe file to the run= line in the [Windows]
    section of the Win.ini file.

    - Adds the name of the main server .exe file to the end of the shell= line in
    the [boot] section of the System.ini file.

    - Adds the main server .exe file to the registry under the

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    keys.

    - Changes the way in which the operating system runs .exe files by changing the
    registry value at

    HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)

    from ""%1" %*" to "mueexe.exe "%1" %*".
    This causes the operating system to run the loader program every time a program
    file is started. The main server .exe is then run (if it is not already
    running), and then runs the program file requested by the operating system.

    The Trojan also registers the .dl file extension as a program file type that can
    be run by the operating system just like any .exe file. This allows the attacker
    to download files onto the victim's system and run them. Because the extension
    is not usually associated with executable files, some virus scanners do not scan
    these files and the victim does not suspect them.

    Removal Instructions
    --------------------

    One way is to rename the registry editing programs from their original .exe
    extensions to a .com extension. This bypasses the limitations created by
    removing the Trojan before editing the registry. For example, in Windows 95/98,
    the registry can be loaded and edited by using Regedit.exe. In Windows NT, you
    use Regedt32.exe. Rename these to a .com extension. They will still run and
    allow you to remove references to Trojans and Internet worms.

    1. Identify and note the files associated with this Trojan as detected by the
    antivirus program. Do not remove the Trojan at this time. If you have already
    removed the Trojan, you will not be able to run the Regedit steps below on
    the system. Proceed instead to step 11.

    2. Start Registry Editor in Windows 95/98 by typing "regedit" (without the
    quotation marks) or in Windows NT by typing "regedt32" (without the quotation
    marks), and then press ENTER.

    3. Remove references to the Trojan from these keys:

    HKEY_CLASSES_ROOT\exefile\shell\open\command\

    HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

    They should contain only the value, not including brackets, ["%1" %*].

    4. If applicable, remove any keys that run the main Trojan under the following
    keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

    5. If applicable, delete the registry key if it exists for:

    HKEY_CLASSES_ROOT\.dl

    6. Quit Registry Editor.

    7. If applicable, edit the Win.ini file and remove the reference to the Trojan
    from the run= line in the [windows] section.

    8. If applicable, edit the System.ini file and remove the reference to the
    Trojan from the shell= line in the [boot] section. It should contain only the
    Explorer.exe file.

    9. Restart the computer.

    10. Delete the Trojan program(s). If you receive an error message saying that
    Windows is unable to delete the file because it is in use, you have made a
    mistake in the above process. Repeat steps 1 through 10, and then try again.

    11. If the Trojan was deleted before making the registry changes, it is still
    possible to repair the registry. You need access to another computer, or at
    a minimum, access to MS-DOS on the infected system. Using the MS-DOS Edit
    tool, create a file named Undo.reg with the following contents:

    REGEDIT4

    [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"

    Save this file in the Windows folder on the infected computer as a file named
    Undo.reg.

    12. Click Start, click Run, type "undo.reg" (without the quotation marks), and
    then click OK.

    Hope this helps!
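    The persistence checks and the Undo.reg content Charon describes, as an added Python example; this is not code from the original post or from any antivirus vendor. It parses win.ini, system.ini and the exefile\shell\open\command value as plain text so it runs anywhere, and it assumes the clean values given in the post (shell= holding only Explorer.exe, the .exe open command being exactly "%1" %*). The file names in the sample inputs are constructed to mirror the default names listed above; on a real Windows 9x box you would feed it the actual .ini files and a regedit export instead.

```python
"""Audit the Win9x persistence points described in the post above.

Checks: win.ini [windows] run=, system.ini [boot] shell=, and the
exefile\shell\open\command default value. Also emits the REGEDIT4 text
from step 11 that restores the two exefile command keys.
"""
import re

# Clean values as given in the post (assumption: these are the only valid ones).
CLEAN_EXEFILE_COMMAND = '"%1" %*'
CLEAN_SHELL = "explorer.exe"


def parse_ini(text):
    """Minimal INI parser: returns {section_lower: {key_lower: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def win_ini_run_entries(text):
    """Programs listed on the run= line of [windows]; a clean box has none."""
    run = parse_ini(text).get("windows", {}).get("run", "")
    return [p for p in re.split(r"[,\s]+", run) if p]


def system_ini_shell_extras(text):
    """Anything on the [boot] shell= line beyond Explorer.exe."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    return [p for p in shell.split() if p.lower() != CLEAN_SHELL]


def exefile_command_is_clean(value):
    """True only if the .exe open command has not been wrapped by a loader."""
    return value.strip() == CLEAN_EXEFILE_COMMAND


def build_undo_reg():
    """REGEDIT4 text restoring both exefile command keys (step 11 of the post)."""
    restore = '@="\\"%1\\" %*"'
    return "\n".join([
        "REGEDIT4",
        "",
        "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]",
        restore,
        "",
        "[HKEY_LOCAL_MACHINE\\Software\\CLASSES\\exefile\\shell\\open\\command]",
        restore,
        "",
    ])


def audit(win_ini, system_ini, exefile_command):
    """Return a list of human-readable findings; empty means all three points are clean."""
    findings = []
    for p in win_ini_run_entries(win_ini):
        findings.append(f"win.ini [windows] run= starts {p}")
    for p in system_ini_shell_extras(system_ini):
        findings.append(f"system.ini [boot] shell= also loads {p}")
    if not exefile_command_is_clean(exefile_command):
        findings.append(f"exefile open command wrapped by a loader: {exefile_command}")
    return findings


# Constructed sample inputs modelled on the infection description above.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=msrexe.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe windos.exe\n[386Enh]\n"
SAMPLE_EXEFILE_CMD = 'mueexe.exe "%1" %*'

if __name__ == "__main__":
    for finding in audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_EXEFILE_CMD):
        print("FINDING:", finding)
    print(build_undo_reg())
```

    Running it against the samples reports all three hooks; against clean inputs audit() returns an empty list, which is the state you want to see before deleting the Trojan files in step 10.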

  5. #5
    Registered User
    Join Date
    Jul 2000
    Location
    Tampa, Florida
    Posts
    140

    Post

    Charon, it worked like a charm. I just did the removal procedure you posted, and it went away. The computer is back to life. Thanks for posting that, it helped a lot.
    Milkstache, what's that ?

  6. #6
    Registered User Gabriel's Avatar
    Join Date
    Aug 2000
    Location
    Tel Aviv Israel
    Posts
    2,161

    Post

    Originally posted by Charon:
    Sounds like the SubSeven virus.

    This is most commonly downloaded if you access the "fake" Microsoft download
    site at:

    http://www.microsoftdownloads.fsnet.co.uk/viprotct.htm

    This Trojan virus is the result of further development of the BackDoor-G Trojan
    (v1.0 - v1.9) and offers the usual access to the user's files and data on his
    system via the Internet.

    By default, the Trojan uses TCP port 27374, but this is configurable by the
    configuration program.

    It is normally distributed as a Win32 PE .exe dropper that may be disguised as a
    .jpg or .bmp picture. When run, this dropper installs two files in the Windows
    folder. These two files are the main server .exe files, normally called
    Msrexe.exe, and a loader program normally called Run.exe, Windos.exe, or
    Mueexe.exe.

    These file names are only the default names and can be changed by the Trojan's
    configuration program. The main server .exe file is identified as
    "BackDoor-G2.svr" or "BackDoor-G2.svr.gen." The loader program is identified as
    "BackDoor-G2.ldr."

    Two other files are associated with this Trojan: the configuration program and
    the client program. These are used to communicate with the main server program.
    These are identified as BackDoor-G2.cfg and BackDoor-G2.cli respectively. These
    files do not hook the operating system and may be safely deleted if detected on
    the system.

    Method of Infection
    Thank you for completing my information
    P.S. Next time give the http://vil.nai.com address (URL) and we all can enter easily...
    Real stupidity beats Artificial Intelligence
    Avatar courtesy of A D E P T
