71 Posts

April 16th, 2004 23:00

system32.exe virus that I can't remove

Hi, I've had a virus on my computer that infected the file 'System32.exe'. I believe that this is an important file and that it is a running process. My friend's computers don't have system32.exe, so I am wondering if I need that file. When my virus scan software detected it, it was not able to delete it because it was running, but when I ended the process and deleted the file, I got an error message when I restarted my computer. I get a message saying System32.exe cannot be found. Is there a way to clean the virus or get rid of it without messing anything up? Thank you.

76 Posts

April 17th, 2004 00:00

Definitely a virus: added as a result of the MARI, SYSXXX and other viruses. Mari is an Internet worm spreading with emails as an attached .exe file, whereas SysXXX is a backdoor Trojan program that was written in the Delphi language. Backdoor.SysXXX gives a hacker complete access to your computer. By default, the Trojan opens two TCP ports, 31556 and 6051, that it uses to communicate with the hacker. The application notifies the hacker through email or ICQ. Also, Backdoor.SysXXX attempts to terminate various security products and system monitoring tools.

If you do not have anti-virus software, perform the following:

  • Click Start, and click Run. The Run dialog box appears. Type regedit and then click OK. The Registry Editor opens.
  • Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    In the right pane, delete the value System32 C:\Windows\System32.exe or System32 C:\Winnt\System32.exe
  • Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    In the right pane, double-click each of the following values and change them to the preferred settings:
    RegisteredOwner
    RegisteredOrganization
  • Click Registry, and then click Exit to save the changes.

Be very careful in the registry, as you can cause problems if you delete the wrong values. If you have antivirus software, update it and run a scan, as it will catch this virus.

After that is clean, go to: http://www.bleepingcomputer.com/forums/index.php?showtutorial=48 and run Ad-Aware on your computer.

71 Posts

April 17th, 2004 01:00

Yes, it is 'Backdoor.Sdbot', but is the file system32 required? And if not, is it possible to stop it from loading up every time I restart? Thanks.

3.4K Posts

April 17th, 2004 03:00

Hmm...my post disappeared...let me see if I can reconstruct. *;-)

Does this sound like it? Symantec post on W32.Kwbot.F.Worm

Farther down on that page:

********************************************************

Backdoor.Sdbot actions

When Backdoor.Sdbot, which is the Backdoor Trojan that the worm dropped, is executed, it does the following:

Copies itself as %System%\System32.exe.

Creates the value:

"Shell"="Explorer.exe %system%\System32.exe"

in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

*******************************************************

And to answer your question...system32.exe is not a valid Windows file.

If you want a more professional analysis...download and install an analysis and repair tool called Hijackthis.

Go here and download the file: http://tomcoyote.com/hjt

Please unzip Hijackthis.zip into a new folder you create in the root level of the C: drive. Name this folder C:\HJT for best and safest results. (don't put in a temp folder, or the desktop, etc...as it needs a safe folder to keep backup logs). Also when people post here and place it on the Desktop the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/spywareinfo/createhjtfolder.htm


Run Hijackthis, click on the 'scan' button and then 'save log' button. Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt


Stay in this thread for continuity. Reply to this message.


HTH (Hope that Helps)

Texruss

 

Message Edited by Texruss on 04-16-2004 11:56 PM
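An added read-only audit script, written for this page and not code from the thread or any of its posters, that checks the persistence points the posts above name: the Run key from the regedit steps, the Winlogon Shell value from the Symantec excerpt, and the dropped file itself. It assumes an elevated PowerShell session with rights to read HKLM; the System32.exe match pattern is constructed from the file name given in the thread. It reports findings and deletes nothing.

```powershell
# Added example, not code from the thread. Read-only audit of the persistence
# points the posts name; it reports and changes nothing.
# Run in an elevated PowerShell session on the machine being checked.

# Constructed pattern: the thread reports the dropped file as System32.exe,
# so match that name when it appears as a standalone executable.
$SuspectPattern = '(?i)(^|[\\\s"])System32\.exe\b'

function Get-RunKeyFindings {
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        # PS* properties are PowerShell metadata, not registry values.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $SuspectPattern) {
            [pscustomobject]@{ Location = $runKey; Name = $p.Name; Value = $p.Value }
        }
    }
}

function Get-WinlogonShellFinding {
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $wlKey -Name Shell -ErrorAction SilentlyContinue).Shell
    # The stock value is exactly "explorer.exe" (-ne compares case-insensitively).
    # The Symantec excerpt shows the backdoor appending its own path after it.
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        [pscustomobject]@{ Location = $wlKey; Name = 'Shell'; Value = $shell }
    }
}

function Get-DroppedFileFinding {
    # %System% in the excerpt is the System32 directory; check both locations the
    # posts mention: <SystemRoot>\System32.exe and <SystemRoot>\System32\System32.exe.
    foreach ($path in @((Join-Path $env:SystemRoot 'System32.exe'),
                        (Join-Path $env:SystemRoot 'System32\System32.exe'))) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            [pscustomobject]@{ Location = 'FileSystem'; Name = 'Dropped file'; Value = $path }
        }
    }
}

$findings = @(Get-RunKeyFindings) + @(Get-WinlogonShellFinding) + @(Get-DroppedFileFinding)
if ($findings.Count -eq 0) {
    Write-Output 'No System32.exe persistence entries or dropped file found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Shell value means the machine will fail to start its desktop normally if the referenced file is deleted before the value is restored to explorer.exe, which is the error the original poster describes.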
