
backdoor subseven trojan horse virus

Discussion in 'Virus & Other Malware Removal' started by ATRIRISH, Feb 8, 2003.

Thread Status:
Not open for further replies.
  1. ATRIRISH

    ATRIRISH Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    15
    Backdoor subseven trojan horse virus was detected using NAV 2003 virus scan. The virus was located in the temporary internet folder. This virus was quarantined because NAV could not fix it. I deleted the quarantined .exe file because I don't need it. I understand now that NAV may not be able to detect the virus again since the quarantined file was deleted. The virus may still be active. As of right now I do not have any viruses detected on my computer. My firewall has been informing me that I have been attacked by the following IP address: 24.191.198.131. I have attached a notepad file that contains my startup list. I no longer load start up items when I start my computer or reboot. Is not loading start up items a good idea? My firewall NIS was disabled at the time the virus was detected. I believe I obtained the virus by downloading the rapid blaster software. In the startup list there is a hidden file named: c:\program files\rapidblaster\rb32.exe. Since I reactivated my firewall, this file has been trying to access the internet. I chose to block the access at all times. Since then I have uninstalled the Rapid Blaster software. Has the hidden file been deleted also as a result of the uninstallation? I used the spybot software search and destroy, though I'm not sure if that would find all of the spyware on my machine. I hope you can help me in my quest to make sure that this virus has been removed from my machine. I believe that my firewall has been blocking the attacks.

    Thanks for your help.
     
  2. rugrat

    rugrat

    Joined:
    Dec 16, 2001
    Messages:
    1,869
    Let the Gurus here have a look, go here

    http://www.lurkhere.com/~nicefiles/

    and download start up list 1.51, run the program and copy and paste the results as a reply to this thread. I am sure those who know will be able to detect anything unusual.

    SeeYa and Welcome to TSG!!!
     
  3. ATRIRISH

    ATRIRISH Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    15
    I was advised to remove certain objects from internet explorer that might be a problem. This is the situation: I uninstalled rapid blaster, erased the offending objects from internet explorer. This virus is still attacking my computer. My firewall is default blocking these attempts. Do I have to worry if I am still being attacked? I have been scanning for viruses but NAV has not identified any since the one file that I deleted from quarantine. Is there a chance that my computer may still have this virus? If so, how can I find out?
     
  4. rugrat

    rugrat

    Joined:
    Dec 16, 2001
    Messages:
    1,869
    Same advice, post the start up list. If you do have a virus running, it can usually be spotted. You can also go here,
    http://housecall.trendmicro.com/

    and run an online scan. Trojans are not always picked up by virus scanners.

    Also see this thread,
    http://forums.techguy.org/t110854/s830ad2c72cc9d22cbf6ec1d58cd42ff0.html

    The start list is still the best first step.

    SeeYa

    EDIT, Just found the startup in your other post,

    StartupList report, 2/8/2003, 9:00:40 PM
    StartupList version: 1.51
    Started from : C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\RapidBlaster\rb32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Desksite CMA = c:\program files\desksite\bin\cma.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    iamapp = C:\Program Files\Norton Internet Security\IAMAPP.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [DoMoreRunExe.DoMoreRun]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\DoMoreRunExe.ocx
    CODEBASE = file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB

    [Musicnotes Viewer]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\mnviewer.dll
    CODEBASE = http://www.musicnotes.com/download/mnviewer.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\System32\macromed\Shockwave 8\Download.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [IEDial Class]
    InProcServer32 = C:\WINDOWS\System32\IEAccess2.dll
    CODEBASE = http://fr4-download.nocreditcard.com/download/Object/ieaccess2XP.cab

    [Yahoo! Audio Conferencing]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yacscom.dll
    CODEBASE = http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

    [RunExeActiveX.RunExe]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RunExeActiveX.ocx
    CODEBASE = hcp://system/RunExeActiveX.CAB

    [StartFirstControl.CheckFirst]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\StartFirstControl.ocx
    CODEBASE = hcp://system/StartFirstControl.CAB

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37636.7953472222

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Yahoo! Companion]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_6.dll
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_6.cab

    [AInst Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACTIVE~1.DLL
    CODEBASE = http://216.129.173.30/xxxnaughty/activeinstaller.dll

    --------------------------------------------------
    End of report, 6,197 bytes
    Report generated in 0.219 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
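The StartupList report above is plain text with dash-delimited sections, so it can be parsed and checked mechanically rather than read line by line. The following is an added example written for this thread; it is not StartupList's own code nor anything posted by the participants. It embeds a constructed excerpt of the report posted above, and its watch list of path fragments (`rapidblaster`, `ieaccess`) is taken from the two items later identified in this thread as spyware and a premium-rate dialer control. The second check, a CODEBASE whose host is a bare IP address rather than a hostname, is a generic heuristic added here, not something the thread states.

```python
"""Parse a StartupList 1.51 report and flag entries worth a second look.

Added example for this thread (not StartupList's code). SAMPLE_REPORT is a
constructed excerpt of the report posted in the thread; WATCHLIST holds path
fragments the thread identified as unwanted (assumption: treat them as IoCs).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt of the report posted above (raw string, so the
# backslashes in Windows paths are literal).
SAMPLE_REPORT = r"""
StartupList report, 2/8/2003, 9:00:40 PM
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\RapidBlaster\rb32.exe
C:\Program Files\Internet Explorer\iexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Desksite CMA = c:\program files\desksite\bin\cma.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[IEDial Class]
InProcServer32 = C:\WINDOWS\System32\IEAccess2.dll
CODEBASE = http://fr4-download.nocreditcard.com/download/Object/ieaccess2XP.cab

[AInst Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACTIVE~1.DLL
CODEBASE = http://216.129.173.30/xxxnaughty/activeinstaller.dll

--------------------------------------------------
End of report, 6,197 bytes
"""

# Path fragments the thread identified as unwanted (lower-case substring match).
WATCHLIST = ("rapidblaster", "ieaccess")


def split_sections(text):
    """Return [(header, lines)] for each section delimited by a ---- or ==== line."""
    sections = []
    for chunk in re.split(r"^[-=]{10,}\s*$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            sections.append((lines[0].rstrip(":"), lines[1:]))
    return sections


def exe_path(value):
    """Recover the executable path from a Run value, dropping quotes and arguments."""
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" /")[0].split(" -")[0]


def parse_report(text):
    """Turn the report into dicts: running processes, Run-key autoruns, Download Program Files."""
    report = {"processes": [], "autoruns": [], "dpf": []}
    for header, lines in split_sections(text):
        if header == "Running processes":
            report["processes"] = lines
        elif header == "Autorun entries from Registry":
            key, entries = lines[0], lines[1:]
            for e in entries:
                name, _, value = e.partition(" = ")
                report["autoruns"].append({"key": key, "name": name, "value": value})
        elif header == "Enumerating Download Program Files":
            entry = None
            for l in lines:
                if l.startswith("[") and l.endswith("]"):
                    entry = {"name": l[1:-1]}
                    report["dpf"].append(entry)
                elif entry is not None and " = " in l:
                    k, _, v = l.partition(" = ")
                    entry[k] = v
    return report


def host_is_ip(url):
    """True when the URL's host is a literal IP address instead of a hostname."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def flag_entries(report):
    """Return (section, item, reason) for every entry matching a check."""
    findings = []
    for p in report["processes"]:
        if any(w in p.lower() for w in WATCHLIST):
            findings.append(("process", p, "matches watch list"))
    for a in report["autoruns"]:
        if any(w in exe_path(a["value"]).lower() for w in WATCHLIST):
            findings.append(("autorun", a["name"], "matches watch list"))
    for d in report["dpf"]:
        code, inproc = d.get("CODEBASE", ""), d.get("InProcServer32", "")
        if code and host_is_ip(code):
            findings.append(("dpf", d["name"], "CODEBASE host is a bare IP address"))
        if any(w in (inproc + code).lower() for w in WATCHLIST):
            findings.append(("dpf", d["name"], "matches watch list"))
    return findings


if __name__ == "__main__":
    for section, item, reason in flag_entries(parse_report(SAMPLE_REPORT)):
        print(f"{section:8} {reason:36} {item}")
```

Run against the excerpt, it reports the rb32.exe process, the IEDial Class control (IEAccess2.dll) and the AInst Class control whose CODEBASE is served from a bare IP; the Symantec, QuickTime and Microsoft entries pass. Substring watch lists are only as good as what is on them, so the parser output (the structured dicts) is the reusable part: it lets a helper in a thread like this diff two successive reports and see exactly which entries disappeared after a cleanup.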
     
  5. ATRIRISH

    ATRIRISH Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    15
    I posted the startup list and you will find it in the attached file. Let me know if you got it.
     

    Attached Files:

  6. rugrat

    rugrat

    Joined:
    Dec 16, 2001
    Messages:
    1,869
    Just saw that, hang around, I am sure some one who is better will have a look.
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    rapidblaster is spyware........and you have a few nasties that want removing.
    go here:http://beam.to/spybotsd

    download "spybot" open the program,click the online tab and download any updates....next click on "settings"/"file sets" and uncheck "system internals" and "usage tracking"
    then hit "check all"....everything checked in red let spybot "fix"
    there may be some that can't be removed 1st run.......spybot will tell you this. re-boot and they will be removed.

    run startuplist and post another list.

    good luck ;)
     
  8. ATRIRISH

    ATRIRISH Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    15
    $teve

    Thank you for your help regarding how to use the spy bot software. I had no clue how to use it. Spybot found 11 files and fixed them for me. I had to reboot to fix 1 particular file.
    I attached the new startup list. Hopefully everything will be ok now.
     

    Attached Files:

  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    any idea what this could be? i did a search and i'm not quite sure about the result. is this a shared or work computer?

    the good news is rapidblaster and IEAccess(which is used to download and install a premium rate dialer usually for porn sites):rolleyes: are now gone.
    keep spybot updated and run once per week and along with NAV and NIS you should be fine.
    anything else just ask.
    take care;)
     
  10. ATRIRISH

    ATRIRISH Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    15
    $Steve,

    I just got this computer last October so I am not very computer literate. I looked up Lanovation Prismxl from the google search engine and from what I understand, this file can be downloaded with any software. I also understand that it is geared for computer networks. My pc is not on a network it is purely a pc for the home. This file cannot be opened on its own. It has to be run with a program. It opened when I ran the AOL program. I tried to delete the file but couldn't. I then used the msconfig utility to not load sys services and to not launch startup after the next re-boot. Once I did that I was able to get rid of the questionable file. Once Prismxl is in a target computer, tasks can be sent to the computer from anywhere.

    I wonder if this file came from a potential hacker who was hoping to remotely control my computer. That does not seem likely but I wonder.
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    well i'm glad you got shut of it, it didn't ring true to me.....that's why i asked if you were on a company pc....it was late last night and i didn't have time to do an extensive search, i was just uncomfortable with the info i did find on it....it sounded like a "spy in the sky" sort of BOSS v worker program.
    mental note made.
    good luck
    ;)
     
  12. ATRIRISH

    ATRIRISH Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    15
    I am still getting attacked by the backdoor subseven trojan horse. My firewall is default blocking it so that is good. The protocol is TCP inbound with a Remote address of 62.226.11.201. Can anything be done to stop these attacks? I attached my current startup list for review.
     

    Attached Files:

  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Those alerts are par for the course using any firewall. There are folks all over the internet scanning for vulnerable systems. Your firewall hears them knocking but doesn't let them know anyone's home.

    You can just ignore it, only you and your firewall are seeing those probes. The "alerts" serve only an educational purpose, letting you know what a fine and upstanding job your firewall is doing keeping those intruders out. :)
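The distinction Rollin' Rog draws, a blocked inbound probe is noise while an outbound connection from a program you did not expect is the thing to look at, is easy to automate once alerts are in a machine-readable form. The following is an added example for this thread; it is not Norton Internet Security's log format or code, and none of the participants posted it. The alert lines are constructed in a simple comma-separated layout (timestamp, direction, protocol, remote IP, remote port, action, signature name, local program), the remote addresses are RFC 5737 documentation addresses rather than the ones reported in the thread, and the port numbers and the `KNOWN_GOOD` program list are assumptions made for the example.

```python
"""Triage personal-firewall alerts: blocked inbound probes vs. outbound connections.

Added example for this thread (not NIS's own log format or code). SAMPLE_ALERTS
is constructed; KNOWN_GOOD is an assumed allow-list of local programs.
"""
from collections import Counter, defaultdict

# Constructed alert lines: time,direction,proto,remote_ip,remote_port,action,signature,program
SAMPLE_ALERTS = r"""
2003-02-16 21:03:11,inbound,tcp,192.0.2.44,27374,blocked,Backdoor SubSeven,
2003-02-16 21:03:12,inbound,tcp,192.0.2.44,27374,blocked,Backdoor SubSeven,
2003-02-16 21:05:40,inbound,tcp,198.51.100.9,1243,blocked,Backdoor SubSeven,
2003-02-16 21:09:02,outbound,tcp,203.0.113.7,80,blocked,,C:\Program Files\RapidBlaster\rb32.exe
2003-02-16 21:09:30,outbound,tcp,203.0.113.20,443,allowed,,C:\Program Files\Internet Explorer\iexplore.exe
"""

# Assumed allow-list of programs expected to talk to the internet (lower-case paths).
KNOWN_GOOD = {r"c:\program files\internet explorer\iexplore.exe"}


def parse_alert(line):
    """Split one constructed alert line into a dict (the program field may be empty)."""
    f = line.split(",", 7)
    return {"time": f[0], "direction": f[1], "proto": f[2], "remote_ip": f[3],
            "remote_port": int(f[4]), "action": f[5], "alert": f[6], "program": f[7]}


def triage(lines):
    """Count blocked inbound probes per (source, port, signature); group outbound attempts by program."""
    probes = Counter()
    outbound = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        a = parse_alert(raw)
        if a["direction"] == "inbound" and a["action"] == "blocked":
            probes[(a["remote_ip"], a["remote_port"], a["alert"])] += 1
        elif a["direction"] == "outbound":
            outbound[a["program"]].append((a["remote_ip"], a["remote_port"], a["action"]))
    return probes, outbound


def verdict(probes, outbound, known_good):
    """Blocked inbound probes are informational; outbound from an unlisted program needs review."""
    findings = []
    for (ip, port, alert), n in sorted(probes.items()):
        findings.append(f"INFO blocked {n} inbound probe(s) from {ip} to port {port} "
                        f"({alert or 'no signature'})")
    for program, conns in outbound.items():
        level = "INFO" if program.lower() in known_good else "REVIEW"
        findings.append(f"{level} {program} attempted {len(conns)} outbound connection(s)")
    return findings


if __name__ == "__main__":
    probes, outbound = triage(SAMPLE_ALERTS.splitlines())
    for line in verdict(probes, outbound, KNOWN_GOOD):
        print(line)
```

On the constructed sample the three inbound hits collapse into two informational lines (the same signature name from two sources, exactly the "folks scanning for vulnerable systems" pattern), while the rb32.exe outbound attempt is the only REVIEW item: a local program reaching out is evidence about this machine, whereas a blocked inbound probe only says the firewall did its job.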
     
  14. honch_runner

    honch_runner

    Joined:
    Feb 16, 2003
    Messages:
    8
    Rapid Blaster somehow made its way onto my PC and man, it really screwed things up. I couldn't delete/uninstall it, or even get into my registry. I finally used spybot and then one of the on-line trojan horse scanners to fix it. The online scanner found "malware.WORM_YAHA.K". After 2 hours, I was able to successfully uninstall Rapid Blaster, then Norton found "[email protected]" on a screen saver file that someone had downloaded on the PC earlier that day. You guys pointed me in the right direction...THANKS!
     
  15. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    your [attached image]
     

    Attached Files:

Short URL to this thread: https://techguy.org/117811