Tutorials | Dealing with trojan-paralyzed systems

Publish date: 18:46 Thursday, 28th July 2005
Written by: HKED
Audience intended for: Windows ME Users, Windows 98 Users, Windows 95 Users
Category: Windows


Hi all!

One of these days, either here or at other boards, you will encounter a situation similar to this:

[Image: TrojanPic]

That's the message you get when your AV program has quarantined or deleted a trojan horse (in this case one named mueexe.exe). What has happened is that the trojan took over the registry association for .exe files, so Windows now tries to launch the (missing) trojan whenever you open most .exe files (there are a few exceptions).

The first step is obviously to restore the association. The problem is that regedit.exe won't open either, since it is itself an .exe, so it needs to be renamed to regedit.com in DOS (renaming it to a screensaver extension, .scr, also works). However, editing the registry is something the average user has little or no experience of, and in many cases has a real fear of.

The most comprehensive fix for this type of problem can be found here; it repairs the registry association (there are other exefix-type programs out there, but none that covers the bases more thoroughly than this one). Edit-SI and Edit-WI simplify the process of editing out any trojan reference after shell=explorer.exe in system.ini, or after the load= or run= lines in win.ini. Startup Log generates a text file on the desktop listing all trojan startup locations, which is useful for establishing whether anything else is on the system once the initial problem has been sorted out. Startup Log is also recommended if you think a system has been compromised in any way, or if your firewall is reporting excessive activity. It's as much a way of eliminating a possible cause as it is a way of identifying a lurker.

With the early versions of SubSeven, the trojan file was non-configurable, so it was easy to spot files such as windos.exe, msrexe.exe, rundll16.exe etc.

The latest versions are configurable, so pretty much any strangely-named .exe is 99% (give or take) likely to be a trojan. Examples: wixudcmxswuv.exe, reported on the NoWonder Win95 forum, and hmgsixqrhbt.exe, which I dealt with via email. The simple fact is that few of the current AV programs are effective in dealing with these buggers, and in many cases they actually exacerbate the problem.

Until they get their act together, it's better NOT to recommend using an AV program to get rid of trojans. If a trojan can be identified using the Startup Log, it's much better to prevent it from loading by deleting the startup string in the registry, or the calls from win.ini, system.ini, autoexec.bat or the Startup group, and then deleting the trojan file itself. This can be done either via a manual edit, or by using MSCONFIG in Win98 or Startup Cop in Win95. These methods are not limited to SubSeven trojans; I just used that particular breed of nasties because its variants seem to be the most "popular", for want of a better term (OK, widespread is better).

PrettyPark, for example, takes over the registry association in the same way, with the computer looking for files32.vxd to open .exe files.
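The checks the tutorial describes (is the exefile association still the stock "%1" %*, and what is being loaded from the registry Run keys, the load=/run= lines in win.ini and the shell= line in system.ini) can be scripted. The example below is an added illustration written for this page; it is not the Startup Log program, nor code from the tutorial's author. It assumes the inputs are plain text: a REGEDIT4-style export of the relevant keys (as regedit.com can produce) and the contents of win.ini and system.ini. The sample inputs are constructed, using the file names the tutorial mentions (files32.vxd, mueexe.exe, wixudcmxswuv.exe, msrexe.exe) as stand-ins for a hijacked machine.

```python
import re
from typing import Dict, List, Optional

# On Windows 9x the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command
# is "%1" %*; anything else means .exe launches are being redirected.
EXPECTED_EXE_COMMAND = '"%1" %*'
EXEFILE_COMMAND_KEY = r'hkey_classes_root\exefile\shell\open\command'

# --- Constructed sample inputs (not taken from a real machine) ---------------
# A REGEDIT4-style export after a hijack of the kind the tutorial describes:
# the exefile command points at files32.vxd (the PrettyPark file name) and a
# Run entry loads mueexe.exe (the file name from the tutorial's screenshot).
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\files32.vxd \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Loader"="C:\\WINDOWS\\mueexe.exe"
'''

# win.ini with a trojan appended to the run= line
SAMPLE_WIN_INI = '''[windows]
load=
run=C:\\WINDOWS\\wixudcmxswuv.exe
NullPort=None
'''

# system.ini with a second program appended after shell=Explorer.exe
SAMPLE_SYSTEM_INI = '''[boot]
shell=Explorer.exe msrexe.exe
system.drv=system.drv
'''


def _unescape_reg_string(s: str) -> str:
    # Undo REGEDIT4 string escaping: a backslash escapes the next character
    # (backslash-backslash and backslash-quote are the two that occur).
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key path: {value name: string value}}.
    Only string (REG_SZ) values are kept; '' is the key's default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    value_re = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith('REGEDIT'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = value_re.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape_reg_string(m.group(1)[1:-1])
            keys[current][name] = _unescape_reg_string(m.group(2)[1:-1])
    return keys


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal win.ini/system.ini parser: {section: {key: value}}, names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            sections[current] = {}
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_exe_association(reg: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the exefile open command if it is not the stock "%1" %*, else None
    (also None when the key is absent from the export)."""
    for key, values in reg.items():
        if key.lower() == EXEFILE_COMMAND_KEY:
            command = values.get('', '')
            return None if command == EXPECTED_EXE_COMMAND else command
    return None


def startup_log(reg_export: str, win_ini: str, system_ini: str) -> List[str]:
    """Build a Startup-Log-style list of every place something is told to run."""
    findings: List[str] = []
    reg = parse_reg_export(reg_export)

    hijack = check_exe_association(reg)
    if hijack is not None:
        findings.append(f'exefile association hijacked: {hijack}')

    # Every Run/RunOnce/RunServices value is listed, not judged: the reader
    # decides which entries are legitimate (SysTray.Exe) and which are not.
    for key, values in reg.items():
        tail = key.lower().rsplit('\\', 1)[-1]
        if '\\currentversion\\' in key.lower() and tail in ('run', 'runonce', 'runservices'):
            for name, command in values.items():
                findings.append(f'registry {tail} entry {name}: {command}')

    windows = parse_ini(win_ini).get('windows', {})
    for field in ('load', 'run'):
        if windows.get(field):  # a non-empty load= or run= is worth a look
            findings.append(f'win.ini {field}={windows[field]}')

    shell = parse_ini(system_ini).get('boot', {}).get('shell', '')
    if shell.lower() != 'explorer.exe':  # anything after Explorer.exe is a tag-along
        findings.append(f'system.ini shell={shell}')
    return findings


if __name__ == '__main__':
    for line in startup_log(SAMPLE_REG_EXPORT, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(line)
```

Run against the constructed samples, the log lists the redirected exefile command, both Run entries, the non-empty run= line and the extra program riding on shell=, which is exactly the set of places the tutorial says to clean before deleting the trojan file itself. The parsers are deliberately small: REGEDIT4 exports also carry hex and dword values, which this reader skips, and only the [windows] and [boot] sections matter here.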

I hope all this typing will prove to be useful in the future.
