
By carrport46 ·
I was away for a couple of months and when I booted my DC (Windows 2000 Server) I got the following error message: winnt\system32\surte.exe
NTVDM CPU encountered an illegal instruction
CS:0da8 IP:0182 OP:63 75 73 28 29. Does anyone know what all this is? I don't even have surte.exe on my other DC. I've worked on autoexec.nt and config.nt, but that didn't help. Does anyone know what starts surte.exe?


All Comments

by brian.filipovitz In reply to NTVDM

You have a trojan on your system. I have listed the details of it below. You need to delete it and download a bunch of patches/the fix from Windows Update. It is a 16 bit app. Hence, the NTVDM error.

TrojanSpy.Win32.Tofger.j, Spy-Tofger

Troj/Tofger-C is used to start a proxy server, enabling a remote attacker to relay network traffic through the compromised computer and thereby hiding its real IP address when accessing internet sites.

The Trojan drops the files svchost.exe, msto32.dll and sysini.ini into the Windows folder and the files svchostc.exe and svchosts.exe into the Windows system folder.

In order to be executed automatically when Windows starts up Troj/Tofger-C creates the following registry entry pointing to the file svchost.exe: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Online Service

The Trojan may log the content of various windows to the file sysini.txt in the Windows folder and may also open a backdoor that allows a malicious user remote access to the infected computer.

The Trojan sets the registry entry HKLM\Software\Microsoft\Mserv\Idwin and attempts to start the two processes svchosts.exe -p <port1> and svchosts.exe -p <port2>, where port1 is a random port number between 1200 and 10000 and port2 = port1 + 2.

Troj/Tofger-C registers itself as a service process. The Trojan creates internet shortcuts in the user's Favorites folder pointing to adult web sites and attempts to download and run the file surte.exe from an internet address.
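The indicators in the reply above (dropped files, the Run value, the Mserv\Idwin key, the svchosts.exe -p processes, the service registration) are easy to sweep for before cleaning a box. The script below is an added example written for this page, not something posted in the thread or shipped by any vendor: it is a read-only check that reports which of those indicators are present on the host. It assumes PowerShell 3.0 or later on a current Windows version (a Windows 2000 machine like the original poster's would need the same checks done by hand with regedit, dir and tasklist); the file, key and value names are taken from the post, and sysini.txt is the keylog file the post mentions. One caveat worth keeping in mind regardless of this particular trojan: the legitimate svchost.exe lives only in %SystemRoot%\System32, so a file of that name directly in the Windows folder, or a running svchost.exe whose image path is elsewhere, is suspicious on its own. Incidentally, the opcode bytes in the original poster's NTVDM message, 63 75 73 28 29, are printable ASCII ("cus()"), i.e. NTVDM was executing text rather than valid 16-bit code when it raised the illegal-instruction fault.

```powershell
# Added example (not from the original thread): read-only sweep of a Windows host for the
# Tofger-C indicators named in the reply above. Run from an elevated PowerShell prompt.
# Assumes PowerShell 3.0+ (Get-CimInstance, -in). Names below are taken from the post.

$SystemRoot = $env:SystemRoot
$System32   = Join-Path $SystemRoot 'System32'
$findings   = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. The real svchost.exe lives only in System32, so a copy directly in the
#    Windows folder is suspicious by itself. surte.exe is the 16-bit file that crashed NTVDM.
$windowsDrops  = 'svchost.exe', 'msto32.dll', 'sysini.ini', 'sysini.txt'
$system32Drops = 'svchostc.exe', 'svchosts.exe', 'surte.exe'
foreach ($name in $windowsDrops) {
    $p = Join-Path $SystemRoot $name
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}
foreach ($name in $system32Drops) {
    $p = Join-Path $System32 $name
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}

# 2. Autostart. The post names HKLM\...\Run\Online Service; additionally flag any Run value
#    that launches a file called svchost.exe from anywhere other than System32.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -in $meta) { continue }               # provider metadata, not Run values
        $cmd = [string]$prop.Value
        if ($prop.Name -eq 'Online Service') {
            $findings.Add("run value: $runKey\$($prop.Name) = $cmd")
        } elseif ($cmd -match '(?i)svchost\.exe' -and $cmd -notmatch '(?i)\\System32\\svchost\.exe') {
            $findings.Add("run value launching svchost.exe outside System32: $($prop.Name) = $cmd")
        }
    }
}

# 3. Marker key written by the Trojan (value Idwin under HKLM\Software\Microsoft\Mserv).
$mserv = 'HKLM:\Software\Microsoft\Mserv'
if (Test-Path -LiteralPath $mserv) {
    $idwin = (Get-ItemProperty -Path $mserv -ErrorAction SilentlyContinue).Idwin
    $findings.Add("registry key: $mserv (Idwin = $idwin)")
}

# 4. Running processes. svchosts.exe is started as 'svchosts.exe -p <port>', so its command
#    line exposes the proxy port. A svchost.exe whose image is outside System32 is flagged too.
foreach ($proc in Get-CimInstance Win32_Process) {
    $name = $proc.Name
    $path = $proc.ExecutablePath                           # may be null for protected processes
    if ($name -in 'svchosts.exe', 'svchostc.exe') {
        $findings.Add("process: $name (PID $($proc.ProcessId)) cmdline: $($proc.CommandLine)")
    } elseif ($name -eq 'svchost.exe' -and $path -and
              -not $path.StartsWith($System32, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings.Add("svchost.exe running from unexpected path: $path (PID $($proc.ProcessId))")
    }
}

# 5. Services. The post says Tofger-C registers itself as a service process, so look for
#    services whose binary path is one of the dropped names.
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.PathName -match '(?i)svchost[cs]\.exe|msto32\.dll') {
        $findings.Add("service: $($svc.Name) -> $($svc.PathName)")
    }
}

if ($findings.Count -eq 0) { 'No Tofger-C indicators found.' } else { $findings }
```

The script only reports; removal (deleting the files, the Run value, the Mserv key and the service, then patching) is a separate step, and a hit on any of the file or registry checks is worth confirming with an up-to-date scanner before trusting the machine again, since a domain controller that has been proxying traffic for an attacker should be treated as compromised rather than merely infected.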

by carrport46 In reply to

Poster rated this answer.

by carrport46 In reply to NTVDM

This question was closed by the author