Backdoor Trojan, Backdoor SubSeven2 and IRC Worm Generic

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Ginnis12

Thread Starter
Joined
Nov 30, 2001
Messages
97
Ok I spent the evening trying to fix my cousin's computer. I was removing spyware and she said she had a problem with available memory. I checked it out and she has an 8 gig HD with only 61 MB available. So I scanned with her un-updated Norton and it detected a trojan virus. So I updated her Norton first then scanned the HD and it found the following viruses.

Pic.exe Backdoor.SubSeven2
Shawn1.jpg Backdoor Trojan
winsys98.bat IRC Worm Generic

Norton found them but was unable to remove and fix the problem...all it could do was quarrentine the files. Anyone have any advice?
 
Joined
Dec 9, 2000
Messages
45,855
The problem with available memory would seem to be from lack of hard drive space for the swap file and virtual memory use. A disk cleanup would be in order. For starters I would go to start>shutdown>restart in MS-DOS mode and at the c:\windows\> prompt enter each line:

smartdrv
deltree temp
deltree history
deltree tempor~1
exit


smartdrv is needed to speed the process. For each deltree there should be a prompt to confirm. If the target directory is correct, press 'y', otherwise reenter.

Unnecessary programs should be uninstalled.

To finish the cleaning of the infections it would help to know what specific files remain infected so we can determine whether they are system files which need to be replaced or simply virus installed files which can be deleted.

To determine whether any registry editing or patching needs to done, a post of the Startuplog.txt file which is created when startuplog.com is run will help. Just copy/paste the contents to a reply (stubbpaths.txt is not needed)

Also download the exefix08 file and run that if any problems with running exe files occur.

http://home.earthlink.net/~rmbox/Reticulated/Toys.html
 
Joined
Dec 9, 2000
Messages
45,855
The Reticulated Toys link contains a StartupLog.zip file. In that is the program Startuplog.com. When that is run it creates both a startuplog.txt file and a stubbpaths.txt file on the desktop. Just copy/paste the full contents of the Startuplog.txt file

If you need an unzipped version, use the Only IE link at the bottom of that page.

The Rx-Pack contains both startuplog.com and exefix08.com should you need that.
 

Ginnis12

Thread Starter
Joined
Nov 30, 2001
Messages
97
---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 12-06-2001 1:36:28.76p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.54) - Release Date 12/12/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Systemtray"="c:\\windows\\systray.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"Adaptec DirectCD"="C:\\PROGRA~1\\HPCD-W~1\\DIRECTCD\\DIRECTCD.EXE"
"HP CD-Writer"="C:\\Program Files\\HP CD-Writer\\Mmenu\\hpcdtray.exe"
"EnsoniqMixer"="starter.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

;rem TShoot: run=hpfsched
run=fblqlge.exe

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

SET BLASTER=A220 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS
@ECHO OFF
rem
rem *** DO NOT EDIT THIS FILE! ***
rem
rem This file was created by the System Configuration Utility as
rem a placeholder for your AUTOEXEC.BAT file. Your actual
rem AUTOEXEC.BAT file has been saved under the name AUTOEXEC.TSH.
rem


==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@= Open Command Not Found...
(.hta file - NoRegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"=""

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

REM DOS MOUSE DRIVER ADDED BY MICROSOFT INTELLIPOINT MOUSE SETUP
LH C:\PROGRA~1\MICROS~1\MOUSE\mouse.exe
C:\SBPCI\APINIT




-=========================-
ICQ Inet Registry StartUp
-=========================-

Shows applications that start when connected to Inet


[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
"Launch Browser"="Yes"
"TempFile"="C:\\WINDOWS\\TEMP\\s3vu5jqn..html"


-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS


==========================================================================
__________________________________________________________________________

- End -
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Okay

Had a look and have some things to ask.

For the following trojans:

Pic.exe Backdoor.SubSeven2
Shawn1.jpg Backdoor Trojan
winsys98.bat IRC Worm Generic

Did it say the location of them, and is this all the files that it found? It looks like, from the above, that these are in your Tempory Internet Files,

However, you have this in your win.ini

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

;rem TShoot: run=hpfsched
run=fblqlge.exe

load=
Now, the hpfsched is nothing to worry about, but what catches my eye is run=fblqlge.exe
Now, this looks like a program starting up from bootup. Just remember the name just in case. Jot it down somewhere.

Go to Find Files and type in win.ini

Go to the right of the = and delete the rest, so that it looks like

run=

Then, just close the Window, and save when prompted.

I was also going to say something about

TempFile"="C:\\WINDOWS\\TEMP\\s3vu5jqn..html

but we can clean your temp folder out later. Don't know what that is, but its in your ICQ registry entry, so I assume its for that.

Anyway, remove the win.ini entry as I suggested, doublecheck those files and if there are any more, and their locations.

Have you also done what Rollin' suggested for DOS?

Regards

eddie
 

Ginnis12

Thread Starter
Joined
Nov 30, 2001
Messages
97
yes I deleted the files in the smartdrv deltree in the DOS like Rollin' Rog suggested. What do we do next?
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Well, I have a feeling, like Rollin' may have had, that they were in your tempory files. However, can you run another scan, and tell me of all infected files, and their locations? It may take a while, but I'll be here all night.

eddie
 

Ginnis12

Thread Starter
Joined
Nov 30, 2001
Messages
97
I just pulled up the results from my last scan (instead of waiting another hour for it to scan), is this ok?

The Shawn1.jpg which is the Backdoor Trojan is located in
C:\Program Files\ICQ\Received Files\Slacker

Pic.exe the Backdoor.SubSeven2 Trojan is a Temp file and doesnt list a location.

Winsys98.bat the IRC Worm Generic is on the C:\ but doesn't list a specific location. When I viewed properties it said it's an
MS-DOS Batch File
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Thats okay.

I'll keep checking back every so often.

eddie
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Okay, you posted as I was. :p

Lets have a look.

I take it that you don't have show all extensions. Okay, go to


C:\Program Files\ICQ\Received Files\Slacker

and see if you can see the Shawn1.jpg. If you can, can you delete it? I am hoping that you haven't clicked it yet, as it may be a .js or .exe file.

If you cannot, we'll do that from DOS.

Now, the others:

Pic.exe the Backdoor.SubSeven2 Trojan is a Temp file.

This may be either in your Tempory Internet Files, in which case, you will have removed it thanks to Rollin'
If its not in there, it will be in your Temp Files. I think you can do that from Explorer as well. Just go to c:\windows\temp
and look for it and delete it.

Now, this little bugger:

Winsys98.bat the IRC Worm Generic is on the C:\

This will probably be in your actual C Drive. Rightclick in Explorer, choose Arrange Icons by Type
Now, look for Winsys98.bat
You may be able to delete this, but this one may be from DOS.


Ah, have a read of this:

http://www.ntsecurity.net/Panda/Index.cfm?FuseAction=Virus&VirusID=968

Its says:

If the equipment is not yet infected, it creates a file called TEMP.JPG. This file will be displayed through Microsoft Internet Explorer

So, you may not be infected yet.

I have also found this:

http://homepages.ihug.com.au/~lynnh/AVA1/htmls/models.html

Step 1: Hold ALT and hit R. Click VIEW - Script.ini. Then delete EVERYTHING you see in that window. Then click OK.
Step 2: type /unload -rs script.ini
Step 3: type /remove script.ini
Step 4: type //say $findfile(c:\,*.jpg.*,0) (Find all and /remove)
Step 5: type /remove c:\temp.jpg
Step 6: type /remove c:\WINSYS98.BAT
Step 7: type /play c:\autoexec.bat (You should see one or more lines saying @C:\WINSYS98.BAT... Delete ALL of these through notepad.)
Step 8: type /sreq ask
Lets leave the last bit for now, and see if you can remove the files.

Back in a tick

eddie
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Rephrase that. I think you're infected.

"Next, it copies itself as a file called WINSYS98.BAT"

Now, you have that, so its running. Is your Norton fully up to date? If not, do so, then run it and see if it can remove the files

We may need to do the last thing that I posted. I'll walk you through it

eddie
 

Ginnis12

Thread Starter
Joined
Nov 30, 2001
Messages
97
The only one I could find was the Shawn1.jpg
It looked to be in actual JPG form in the Received files of ICQ. So I just right clicked on the folder it was in (Shawn) and deleted the entire folder. As for the other two...I was unable to locate them on the C drive.

PS- I'm sure my cousin has already viewed the one in JPG format...so that means the virus has infected the computer right?
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Hang on, don't empty your recycle bin just yet. Have you read my last comment?

We may have to remove this thing manually

eddie
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top