
Backdoor Trojan, Backdoor SubSeven2 and IRC Worm Generic

Discussion in 'Virus & Other Malware Removal' started by Ginnis12, Dec 6, 2001.

Thread Status:
Not open for further replies.
  1. Ginnis12

    Ginnis12 Thread Starter

    Joined:
    Nov 30, 2001
    Messages:
    97
    Ok I spent the evening trying to fix my cousin's computer. I was removing spyware and she said she had a problem with available memory. I checked it out and she has an 8 gig HD with only 61 MB available. So I scanned with her un-updated Norton and it detected a trojan virus. So I updated her Norton first then scanned the HD and it found the following viruses.

    Pic.exe Backdoor.SubSeven2
    Shawn1.jpg Backdoor Trojan
    winsys98.bat IRC Worm Generic

    Norton found them but was unable to remove and fix the problem...all it could do was quarantine the files. Anyone have any advice?
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The problem with available memory would seem to be from lack of hard drive space for the swap file and virtual memory use. A disk cleanup would be in order. For starters I would go to start>shutdown>restart in MS-DOS mode and at the c:\windows\> prompt enter each line:

    smartdrv
    deltree temp
    deltree history
    deltree tempor~1
    exit


    smartdrv is needed to speed the process. For each deltree there should be a prompt to confirm. If the target directory is correct, press 'y', otherwise reenter.

    Unnecessary programs should be uninstalled.

    To finish the cleaning of the infections it would help to know what specific files remain infected so we can determine whether they are system files which need to be replaced or simply virus installed files which can be deleted.

    To determine whether any registry editing or patching needs to be done, a post of the Startuplog.txt file which is created when startuplog.com is run will help. Just copy/paste the contents to a reply (stubbpaths.txt is not needed).

    Also download the exefix08 file and run that if any problems with running exe files occur.

    http://home.earthlink.net/~rmbox/Reticulated/Toys.html
     
  3. Ginnis12

    Ginnis12 Thread Starter

    Joined:
    Nov 30, 2001
    Messages:
    97
    Where can I get the Startup.txt list at?
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The Reticulated Toys link contains a StartupLog.zip file. In that is the program Startuplog.com. When that is run it creates both a startuplog.txt file and a stubbpaths.txt file on the desktop. Just copy/paste the full contents of the Startuplog.txt file

    If you need an unzipped version, use the Only IE link at the bottom of that page.

    The Rx-Pack contains both startuplog.com and exefix08.com should you need that.
     
  5. Ginnis12

    Ginnis12 Thread Starter

    Joined:
    Nov 30, 2001
    Messages:
    97
    ---------- C:\WINDOWS\desktop\StartUp.Log

    Start-Ups checked at 12-06-2001 1:36:28.76p
    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log for Windows 95/98 - Freeware by rmbox
    __________________________________________________________________________
    __________________________________________________________________________

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.54) - Release Date 12/12/2001

    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "Systemtray"="c:\\windows\\systray.exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
    "Adaptec DirectCD"="C:\\PROGRA~1\\HPCD-W~1\\DIRECTCD\\DIRECTCD.EXE"
    "HP CD-Writer"="C:\\Program Files\\HP CD-Writer\\Mmenu\\hpcdtray.exe"
    "EnsoniqMixer"="starter.exe"
    "NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"
    "ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    ;rem TShoot: run=hpfsched
    run=fblqlge.exe

    load=

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    SET BLASTER=A220 I7 D1 T2
    SET SNDSCAPE=C:\WINDOWS
    @ECHO OFF
    rem
    rem *** DO NOT EDIT THIS FILE! ***
    rem
    rem This file was created by the System Configuration Utility as
    rem a placeholder for your AUTOEXEC.BAT file. Your actual
    rem AUTOEXEC.BAT file has been saved under the name AUTOEXEC.TSH.
    rem


    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @= Open Command Not Found...
    (.hta file - NoRegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -=========================-
    HKU (.Default) Run - Registry
    -=========================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


    -==============================-
    HKU (.Default) RunOnce - Registry
    -==============================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    -================================-
    StubPaths - Registry (Partial Listing)
    -================================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
    "StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
    "StubPath"=""

    -=================-
    DOSSTART.BAT File - (c:\windows\dosstart.bat)
    -=================-

    REM DOS MOUSE DRIVER ADDED BY MICROSOFT INTELLIPOINT MOUSE SETUP
    LH C:\PROGRA~1\MICROS~1\MOUSE\mouse.exe
    C:\SBPCI\APINIT




    -=========================-
    ICQ Inet Registry StartUp
    -=========================-

    Shows applications that start when connected to Inet


    [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
    "Launch Browser"="Yes"
    "TempFile"="C:\\WINDOWS\\TEMP\\s3vu5jqn..html"


    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-

    SCRNSAVE.EXE=

    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=C:\WINDOWS\TEMP
    TEMP=C:\WINDOWS\TEMP
    winbootdir=C:\WINDOWS
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    COMSPEC=C:\WINDOWS\COMMAND.COM
    windir=C:\WINDOWS


    ==========================================================================
    __________________________________________________________________________

    - End -
     
  6. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,144
    Okay

    Had a look and have some things to ask.

    For the following trojans:

    Pic.exe Backdoor.SubSeven2
    Shawn1.jpg Backdoor Trojan
    winsys98.bat IRC Worm Generic

    Did it say the location of them, and is this all the files that it found? It looks like, from the above, that these are in your Temporary Internet Files.

    However, you have this in your win.ini

    Now, the hpfsched is nothing to worry about, but what catches my eye is run=fblqlge.exe
    Now, this looks like a program starting up from bootup. Just remember the name just in case. Jot it down somewhere.

    Go to Find Files and type in win.ini

    Go to the right of the = and delete the rest, so that it looks like

    run=

    Then, just close the Window, and save when prompted.

    I was also going to say something about

    "TempFile"="C:\\WINDOWS\\TEMP\\s3vu5jqn..html"

    but we can clean your temp folder out later. Don't know what that is, but it's in your ICQ registry entry, so I assume it's for that.

    Anyway, remove the win.ini entry as I suggested, double-check those files and if there are any more, and their locations.

    Have you also done what Rollin' suggested for DOS?

    Regards

    eddie
     
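The checks eddie applies by hand to the posted StartUp Log (win.ini run= and load= should be empty, system.ini shell= should be Explorer.exe, and anything under the Run keys deserves a look) can be scripted. The Python below is an added example, not code from this thread or from the StartupLog tool; it parses a constructed excerpt modelled on the log above (the `SAMPLE_LOG` text and the path-less-command heuristic are this example's own assumptions) and returns a list of findings for a human to review.

```python
import re

# Constructed excerpt in the rmbox StartupLog.com text format, modelled on
# the log posted in the thread. It is NOT the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"EnsoniqMixer"="starter.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

7. WIN.INI File - (c:\windows\win.ini)

;rem TShoot: run=hpfsched
run=fblqlge.exe

load=

8. SYSTEM.INI File - (c:\windows\system.ini)

shell=Explorer.exe
"""

INI_LINE = re.compile(r"^(run|load|shell)=(.*)$", re.IGNORECASE)
REG_HEADER = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_ini_lines(log):
    """Return the effective run=/load=/shell= values.

    Lines beginning with ';' are comments (the log shows a
    ';rem TShoot: run=hpfsched' line that Windows ignores).
    """
    found = {}
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            continue
        m = INI_LINE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
    return found


def parse_registry_run(log):
    """Return (key, value name, command) for each entry under a [HKEY_...] header.

    A blank line ends the block. The log writes backslashes doubled, as
    regedit exports do, so they are collapsed back to single ones here.
    """
    entries, key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        h = REG_HEADER.match(line)
        if h:
            key = h.group(1)
            continue
        if not line:
            key = None
            continue
        v = REG_VALUE.match(line)
        if key and v:
            entries.append((key, v.group(1), v.group(2).replace("\\\\", "\\")))
    return entries


def triage(log):
    """Apply the thread's manual checks and return human-readable findings."""
    findings = []
    ini = parse_ini_lines(log)
    for k in ("run", "load"):
        if ini.get(k, ""):
            findings.append(f"win.ini {k}= is not empty: {ini[k]!r}")
    shell = ini.get("shell", "")
    if shell.lower() != "explorer.exe":
        findings.append(f"system.ini shell= is not Explorer.exe: {shell!r}")
    # Heuristic (this example's assumption): a Run entry that names a bare
    # executable with no drive-letter path resolves via PATH and should be
    # verified by hand, since you cannot tell from the log which file it is.
    for key, name, cmd in parse_registry_run(log):
        parts = cmd.split()
        exe = parts[0].strip('"') if parts else ""
        if not re.match(r"^[A-Za-z]:\\", exe):
            findings.append(f"{name!r} under {key} has no absolute path: {cmd!r}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

On the constructed excerpt this reports the non-empty `run=fblqlge.exe` line that eddie spotted and the path-less `starter.exe` entry; the NAV and scanregw entries, which carry full paths, are left alone. Run it against a real Startuplog.txt by reading the file into `triage()` in place of `SAMPLE_LOG`.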
  7. Ginnis12

    Ginnis12 Thread Starter

    Joined:
    Nov 30, 2001
    Messages:
    97
    Yes, I deleted the files in the smartdrv deltree in the DOS like Rollin' Rog suggested. What do we do next?
     
  8. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,144
    Well, I have a feeling, like Rollin' may have had, that they were in your temporary files. However, can you run another scan, and tell me of all infected files, and their locations? It may take a while, but I'll be here all night.

    eddie
     
  9. Ginnis12

    Ginnis12 Thread Starter

    Joined:
    Nov 30, 2001
    Messages:
    97
    I'll scan right now and post it asap. Thanks for your help!!
     
  10. Ginnis12

    Ginnis12 Thread Starter

    Joined:
    Nov 30, 2001
    Messages:
    97
    I just pulled up the results from my last scan (instead of waiting another hour for it to scan), is this ok?

    The Shawn1.jpg which is the Backdoor Trojan is located in
    C:\Program Files\ICQ\Received Files\Slacker

    Pic.exe the Backdoor.SubSeven2 Trojan is a Temp file and doesn't list a location.

    Winsys98.bat the IRC Worm Generic is on the C:\ but doesn't list a specific location. When I viewed properties it said it's an
    MS-DOS Batch File
     
  11. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,144
    That's okay.

    I'll keep checking back every so often.

    eddie
     
  12. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,144
    Okay, you posted as I was. :p

    Let's have a look.

    I take it that you don't have show all extensions. Okay, go to


    C:\Program Files\ICQ\Received Files\Slacker

    and see if you can see the Shawn1.jpg. If you can, can you delete it? I am hoping that you haven't clicked it yet, as it may be a .js or .exe file.

    If you cannot, we'll do that from DOS.

    Now, the others:

    Pic.exe the Backdoor.SubSeven2 Trojan is a Temp file.

    This may be either in your Temporary Internet Files, in which case, you will have removed it thanks to Rollin'.
    If its not in there, it will be in your Temp Files. I think you can do that from Explorer as well. Just go to c:\windows\temp
    and look for it and delete it.

    Now, this little bugger:

    Winsys98.bat the IRC Worm Generic is on the C:\

    This will probably be in your actual C Drive. Rightclick in Explorer, choose Arrange Icons by Type
    Now, look for Winsys98.bat
    You may be able to delete this, but this one may be from DOS.


    Ah, have a read of this:

    http://www.ntsecurity.net/Panda/Index.cfm?FuseAction=Virus&VirusID=968

    It says:

    If the equipment is not yet infected, it creates a file called TEMP.JPG. This file will be displayed through Microsoft Internet Explorer

    So, you may not be infected yet.

    I have also found this:

    http://homepages.ihug.com.au/~lynnh/AVA1/htmls/models.html

    Let's leave the last bit for now, and see if you can remove the files.

    Back in a tick

    eddie
     
  13. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,144
    Rephrase that. I think you're infected.

    "Next, it copies itself as a file called WINSYS98.BAT"

    Now, you have that, so it's running. Is your Norton fully up to date? If not, do so, then run it and see if it can remove the files.

    We may need to do the last thing that I posted. I'll walk you through it

    eddie
     
  14. Ginnis12

    Ginnis12 Thread Starter

    Joined:
    Nov 30, 2001
    Messages:
    97
    The only one I could find was the Shawn1.jpg
    It looked to be in actual JPG form in the Received files of ICQ. So I just right clicked on the folder it was in (Shawn) and deleted the entire folder. As for the other two...I was unable to locate them on the C drive.

    PS- I'm sure my cousin has already viewed the one in JPG format...so that means the virus has infected the computer right?
     
  15. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,144
    Hang on, don't empty your recycle bin just yet. Have you read my last comment?

    We may have to remove this thing manually

    eddie
     

Short URL to this thread: https://techguy.org/60872
