Dealing with trojan-paralyzed systems
One of these days, either here or at other boards, you will encounter a situation similar to this:
That's the message you get when your AV program has quarantined or deleted a trojan horse (in this case one called mueexe.exe). What has happened is that the trojan rewrote the registry association for .exe files (the HKEY_CLASSES_ROOT\exefile\shell\open\command value) so that Windows ran the trojan first and let it launch the program you actually asked for. Once the AV removes the trojan file, that command points at something that no longer exists, and Windows can no longer open most .exe files (a few file types, such as .com, have their own associations and are unaffected).
The first step is obviously to restore the association. The problem is that regedit.exe is itself an .exe and won't open, so it has to be renamed (or copied) to regedit.com at a DOS prompt; .com files use a separate association that the trojan leaves alone, and a screensaver extension (.scr) works for the same reason. However, editing the registry is something the average user has little or no experience of, and in many cases a real fear of.
The most comprehensive fix for this type of problem can be found here. It repairs the registry association (there are other exefix-type programs out there, but none that covers the bases better than this one). Edit-SI and Edit-WI simplify the process of editing out any trojan reference after shell=explorer.exe in system.ini, or after the load= or run= lines in win.ini. Startup Log generates a text file on the desktop listing every startup location a trojan can use; this is useful for establishing whether anything else is on the system once the initial problem has been sorted out. Startup Log is also recommended if you think a system has been compromised in any way, or if your firewall is logging excessive activity. It's as much a way of eliminating a possible cause as it is a way of identifying a lurker.
With the early versions of SubSeven, the trojan's file name was fixed, so it was easy to spot files such as windos.exe, msrexe.exe, rundll16.exe etc.
The latest versions are configurable, so pretty much any strangely-named .exe is 99% (give or take) likely to be a trojan. Examples: wixudcmxswuv.exe, reported on the NoWonder Win95 forum, and hmgsixqrhbt.exe, which I dealt with via email. The simple fact is that few of the current AV programs are effective in dealing with these buggers, and in many cases they actually exacerbate the problem by deleting the trojan file while leaving the hijacked .exe association behind.
Until they get their act together, it's better NOT to recommend using an AV program to get rid of trojans. If a trojan can be identified using the Startup Log, it's much better to first stop it loading by deleting its startup string in the registry, or the call to it in win.ini, system.ini, autoexec.bat or the Startup group, and only then delete the trojan file itself. This can be done either via a manual edit, or by using MSCONFIG in Win98 or Startup Cop in Win95. These methods are not limited to SubSeven trojans; I just used that particular breed of nasties as the variants seem to be the most "popular", for want of a better term (OK, widespread is better).
PrettyPark, for example, takes over the same registry association: the computer then looks for files32.vxd to open every .exe.
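As an added example (not the tutorial's Startup Log, Edit-SI/Edit-WI, or the exefix program linked above), the Python script below does both halves of the job described above on copies of the files taken off the affected machine: it parses win.ini, system.ini and a REGEDIT4 export of the Run/RunServices keys and the exefile key into a Startup Log style list of entries to review, and it produces the REGEDIT4 file that puts the stock "%1" %* command back. The win.ini, system.ini and .reg fragments inside it are constructed for illustration; the key paths are the standard Win9x ones, and the flagging rules (anything chained after shell=explorer.exe, any non-empty load= or run=, every Run key entry, any exefile command other than the stock one) are this example's own, not a description of how the tools named above work.

```python
"""Added example: Win9x startup audit plus exefile repair (constructed input)."""
import re
from typing import Dict, List, Tuple

# --- Constructed sample input, not taken from a real machine ---------------
# win.ini fragment: a trojan appended to the run= line (load= is clean).
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\wixudcmxswuv.exe
NullPort=None
"""
# system.ini fragment: a trojan chained after shell=explorer.exe.
SYSTEM_INI = """[boot]
shell=explorer.exe hmgsixqrhbt.exe
system.drv=system.drv
"""
# REGEDIT4 export (regedit /e style) of startup keys and a hijacked exefile key.
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinDos"="C:\\WINDOWS\\windos.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\files32.vxd \"%1\" %*"
"""

RUN_KEYS = (  # the standard Win9x autostart keys
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
STOCK_EXEFILE = '"%1" %*'  # what a clean Win9x install has in that value


def ini_values(text: str) -> Dict[Tuple[str, str], str]:
    """Map (section, key) -> value for a win.ini / system.ini style file."""
    out: Dict[Tuple[str, str], str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            k, v = line.split("=", 1)
            out[(section, k.strip().lower())] = v.strip()
    return out


_REG_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(val: str) -> str:
    """Decode a REGEDIT4 string value; dword:/hex: values are left verbatim."""
    if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
        return re.sub(r"\\(.)", r"\1", val[1:-1])  # \\ -> \ and \" -> "
    return val


def reg_values(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased key path -> {value name: value} for a REGEDIT4 export."""
    out: Dict[str, Dict[str, str]] = {}
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            out.setdefault(key, {})
            continue
        m = _REG_VALUE.match(line)
        if key and m:
            name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
            out[key][name] = _unquote(m.group(2))
    return out


def startup_log(win_ini: str, system_ini: str, reg_export: str) -> List[str]:
    """One line per startup entry a human should review (Startup Log style)."""
    findings: List[str] = []
    wi = ini_values(win_ini)
    for key in ("load", "run"):           # both are normally empty
        if wi.get(("windows", key), ""):
            findings.append(f"win.ini [windows] {key}={wi[('windows', key)]}")
    shell = ini_values(system_ini).get(("boot", "shell"), "")
    parts = shell.lower().split()         # anything after explorer.exe is suspect
    if parts[:1] != ["explorer.exe"] or len(parts) > 1:
        findings.append(f"system.ini [boot] shell={shell}")
    reg = reg_values(reg_export)
    for key in RUN_KEYS:
        short = key.rsplit("\\", 1)[-1]
        for name, cmd in reg.get(key.lower(), {}).items():
            findings.append(f"{short} {name}={cmd}")
    cmd = reg.get(EXEFILE_KEY.lower(), {}).get("(Default)", "")
    if cmd and cmd != STOCK_EXEFILE:
        findings.append(f"exefile hijacked: {cmd}")
    return findings


def exefile_fix_reg() -> str:
    """REGEDIT4 text (CRLF) that restores the stock .exe association."""
    return "\r\n".join(["REGEDIT4", "", f"[{EXEFILE_KEY}]", '@="\\"%1\\" %*"', ""])


def audit_sample() -> List[str]:
    """Run the audit over the constructed input above."""
    return startup_log(WIN_INI, SYSTEM_INI, REG_EXPORT)


if __name__ == "__main__":
    for entry in audit_sample():
        print(entry)
    print(exefile_fix_reg())
```

On the affected machine, export each startup key with regedit /e <file>.reg <key> (after renaming regedit to regedit.com as described above), feed the exports and the two .ini files to the script, and save the output of exefile_fix_reg() as exefix.reg; regedit.com /s exefix.reg then imports it silently. The script only lists candidates: deciding which entry is the trojan, removing that entry, and only then deleting the file is still the manual sequence the tutorial recommends.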
I hope all this typing will prove to be useful in the future.
If you have written a tutorial of your own and would like to have it here on Cyber Tech Help all you have to do is Submit your tutorial and it will be reviewed by the Administrator.