backdoor subseven trojan horse virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ATRIRISH

Thread Starter
Joined
Feb 8, 2003
Messages
15
Backdoor subseven trojan horse virus was detected using NAV 2003 virus scan. The virus was located in the temporary internet folder. This virus was quarantined because NAV could not fix it. I deleted the quarantined .exe file because I don't need it. I understand now that NAV may not be able to detect the virus again since the quarantined file was deleted. The virus may still be active. As of right now I do not have any viruses detected on my computer. My firewall has been informing me that I have been attacked by the following IP address: 24.191.198.131. I have attached a notepad file that contains my startup list. I no longer load startup items when I start my computer or reboot. Is not loading startup items a good idea? My firewall NIS was disabled at the time the virus was detected. I believe I obtained the virus by downloading the Rapid Blaster software. In the startup list there is a hidden file named: c:\program files\rapidblaster\rb32xexe. Since I reactivated my firewall, this file has been trying to access the internet. I chose to block the access at all times. Since then I have uninstalled the Rapid Blaster software. Has the hidden file been deleted also as a result of the uninstallation? I used the Spybot Search and Destroy software, though I'm not sure if that would find all of the spyware on my machine. I hope you can help me in my quest to make sure that this virus has been removed from my machine. I believe that my firewall has been blocking the attacks.

Thanks for your help.
 
Joined
Dec 16, 2001
Messages
1,869
Let the Gurus here have a look, go here

http://www.lurkhere.com/~nicefiles/

and download StartupList 1.51, run the program and copy and paste the results as a reply to this thread. I am sure those who know will be able to detect anything unusual.

SeeYa and Welcome to TSG!!!
 

ATRIRISH

Thread Starter
Joined
Feb 8, 2003
Messages
15
I was advised to remove certain objects from internet explorer that might be a problem. This is the situation: I uninstalled rapid blaster, erased the offending objects from internet explorer. This virus is still attacking my computer. My firewall is default blocking these attempts. Do I have to worry if I am still being attacked? I have been scanning for viruses but NAV has not identified any since the one file that I deleted from quarantine. Is there a chance that my computer may still have this virus? If so, how can I find out?
 
Joined
Dec 16, 2001
Messages
1,869
Same advice, post the start up list. If you do have a virus running, it can usually be spotted. You can also go here,
http://housecall.trendmicro.com/

and run an online scan. Trojans are not always picked up by virus scanners.

Also see this thread,
http://forums.techguy.org/t110854/s830ad2c72cc9d22cbf6ec1d58cd42ff0.html

The start list is still the best first step.

SeeYa

EDIT, Just found the startup in your other post,

StartupList report, 2/8/2003, 9:00:40 PM
StartupList version: 1.51
Started from : C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RapidBlaster\rb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Desksite CMA = c:\program files\desksite\bin\cma.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
iamapp = C:\Program Files\Norton Internet Security\IAMAPP.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[DoMoreRunExe.DoMoreRun]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\DoMoreRunExe.ocx
CODEBASE = file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB

[Musicnotes Viewer]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\mnviewer.dll
CODEBASE = http://www.musicnotes.com/download/mnviewer.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\System32\macromed\Shockwave 8\Download.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[IEDial Class]
InProcServer32 = C:\WINDOWS\System32\IEAccess2.dll
CODEBASE = http://fr4-download.nocreditcard.com/download/Object/ieaccess2XP.cab

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yacscom.dll
CODEBASE = http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

[RunExeActiveX.RunExe]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RunExeActiveX.ocx
CODEBASE = hcp://system/RunExeActiveX.CAB

[StartFirstControl.CheckFirst]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StartFirstControl.ocx
CODEBASE = hcp://system/StartFirstControl.CAB

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37636.7953472222

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Yahoo! Companion]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_6.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_6.cab

[AInst Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACTIVE~1.DLL
CODEBASE = http://216.129.173.30/xxxnaughty/activeinstaller.dll

--------------------------------------------------
End of report, 6,197 bytes
Report generated in 0.219 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
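An added example, not part of this thread or of StartupList itself: a small Python triage script for the "Enumerating Download Program Files" section of a StartupList 1.51 report in the layout posted above. It parses the [Name] / InProcServer32 / CODEBASE blocks and flags the kind of entries a reviewer would look at first (a control served from a bare IP address, a CODEBASE that is a raw file rather than a .cab, or a name on a watchlist). The REPORT excerpt is constructed from three of the page's own entries and the WATCHLIST is an assumed list.

```python
from ipaddress import ip_address
from urllib.parse import urlparse
# Constructed excerpt in the StartupList 1.51 layout used in this thread (three of its entries).
REPORT = """Enumerating Download Program Files:
[QuickTime Object]
InProcServer32 = C:\\Program Files\\QuickTime\\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[IEDial Class]
InProcServer32 = C:\\WINDOWS\\System32\\IEAccess2.dll
CODEBASE = http://fr4-download.nocreditcard.com/download/Object/ieaccess2XP.cab
[AInst Class]
InProcServer32 = C:\\WINDOWS\\DOWNLO~1\\ACTIVE~1.DLL
CODEBASE = http://216.129.173.30/xxxnaughty/activeinstaller.dll
--------------------------------------------------
"""
WATCHLIST = ("rapidblaster", "ieaccess")  # assumed watchlist; names this thread itself identified

def parse_download_program_files(report):
    # Isolate the section between its header and the dashed separator, then collect [Name] blocks.
    section = report.split("Enumerating Download Program Files:", 1)[1].split("-----", 1)[0]
    entries, current = [], None
    for line in (l.strip() for l in section.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1]}
            entries.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return entries

def is_ip_literal_host(url):
    # True when the CODEBASE host is a bare IP address instead of a DNS name.
    try:
        return bool(ip_address(urlparse(url).hostname or ""))
    except ValueError:
        return False

def triage(entries):
    # Return (name, reason) pairs a reviewer should look at first; benign entries are skipped.
    flagged = []
    for e in entries:
        codebase = e.get("codebase", "")
        blob = " ".join(e.values()).lower()
        if is_ip_literal_host(codebase):
            flagged.append((e["name"], "CODEBASE served from a bare IP address"))
        elif codebase and not codebase.lower().endswith(".cab"):
            flagged.append((e["name"], "CODEBASE is a raw file, not a .cab package"))
        elif any(w in blob for w in WATCHLIST):
            flagged.append((e["name"], "matches watchlist name"))
    return flagged
```

Run it against a full report by reading the saved StartupList text file into REPORT; entries that are not flagged still deserve a look if their vendor is unfamiliar.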
 
Joined
Dec 16, 2001
Messages
1,869
Just saw that, hang around, I am sure some one who is better will have a look.
 
Joined
Oct 9, 2001
Messages
9,396
RapidBlaster is spyware........and you have a few nasties that want removing.
go here: http://beam.to/spybotsd

download "spybot", open the program, click the online tab and download any updates....next click on "settings"/"file sets" and uncheck "system internals" and "usage tracking"
then hit "check all"....everything checked in red let spybot "fix"
there may be some that can't be removed 1st run.......spybot will tell you this. re-boot and they will be removed.

run startuplist and post another list.

good luck ;)
 

ATRIRISH

Thread Starter
Joined
Feb 8, 2003
Messages
15
$teve

Thank you for your help regarding how to use the spy bot software. I had no clue how to use it. Spybot found 11 files and fixed them for me. I had to reboot to fix 1 particular file.
I attached the new startup list. Hopefully everything will be ok now.
 


Joined
Oct 9, 2001
Messages
9,396
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
Any idea what this could be? I did a search and I'm not quite sure about the result. Is this a shared or work computer?

the good news is rapidblaster and IEAccess(which is used to download and install a premium rate dialer usually for porn sites):rolleyes: are now gone.
keep spybot updated and run once per week and along with NAV and NIS you should be fine.
anything else just ask.
take care;)
 

ATRIRISH

Thread Starter
Joined
Feb 8, 2003
Messages
15
$Steve,

I just got this computer last October so I am not very computer literate. I looked up Lanovation PrismXL from the Google search engine and from what I understand, this file can be downloaded with any software. I also understand that it is geared for computer networks. My PC is not on a network; it is purely a PC for the home. This file cannot be opened on its own. It has to be run with a program. It opened when I ran the AOL program. I tried to delete the file but couldn't. I then used the msconfig utility to not load sys services and to not launch startup after the next re-boot. Once I did that I was able to get rid of the questionable file. Once PrismXL is in a target computer, tasks can be sent to the computer from anywhere.

I wonder if this file came from a potential hacker who was hoping to remotely control my computer. That does not seem likely but I wonder.
 
Joined
Oct 9, 2001
Messages
9,396
Well, I'm glad you got shut of it; it didn't ring true to me.....that's why I asked if you were on a company PC....it was late last night and I didn't have time to do an extensive search; I was just uncomfortable with the info I did find on it....it sounded like a "spy in the sky" sort of BOSS v worker program.
mental note made.
good luck
;)
 

ATRIRISH

Thread Starter
Joined
Feb 8, 2003
Messages
15
I am still getting attacked by the backdoor subseven trojan horse. My firewall is default blocking it so that is good. The protocol is TCP inbound with a remote address of 62.226.11.201. Can anything be done to stop these attacks? I attached my current startup list for review.
 


Joined
Dec 9, 2000
Messages
45,855
Those alerts are par for the course using any firewall. There are folks all over the internet scanning for vulnerable systems. Your firewall hears them knocking but doesn't let them know anyone's home.

You can just ignore it, only you and your firewall are seeing those probes. The "alerts" serve only an educational purpose, letting you know what a fine and upstanding job your firewall is doing keeping those intruders out. :)
 
Joined
Feb 16, 2003
Messages
8
Rapid Blaster somehow made its way onto my PC and man, it really screwed things up. I couldn't delete/uninstall it, or even get into my registry. I finally used spybot and then one of the on-line trojan horse scanners to fix it. The online scanner found "malware.WORM_YAHA.K". After 2 hours, I was able to successfully uninstall Rapid Blaster, then Norton found "[email protected]" on a screen saver file that someone had downloaded on the PC earlier that day. You guys pointed me in the right direction...THANKS!
 