
[Resolved] sub7 2.2a

Discussion in 'Virus & Other Malware Removal' started by miffed, Feb 1, 2003.

Thread Status:
Not open for further replies.
  1. miffed

    miffed Thread Starter

    Joined:
    Feb 1, 2003
    Messages:
    46
    I've been tagged. Nightmare. I need help removing it, as it has disabled Norton, TheCleaner and McAfee, and none of the online scanners catch it. I also had the Joke:RussianJep virus, which is, as it says, a joke advert for a game. I also had a worm (can't remember the name of it), but it has gone now, unless it's the worm I still have and not Sub7.

    Everything I tried failed to clean them, so I deleted my D: drive, disconnected it, then formatted my C: drive. The thing is, this Sub7 or worm jumped to my RAM memory, and when I tried an install of WinXP again it just re-infected. I tried to use Norton from DOS but it would not work; same with McAfee, oh, and Fix-It Utilities as well. None work.

    I have the Zone Labs firewall now between me and the net, and every time I log on Generic Host Process shows up blocked because it is listening. I also have the IP address of an outgoing connection, which is and has been named three different things: first it was realplayer.exe, then mediaplayer.exe, now it is called "WinDVD MFC Application", all going to the same IP. I used a program called Angry IP Scanner to check where it is from, and it's South America, using 15 jump points before getting to the UK.

    This person is annoying me now, as he has done a lot of damage to my PC setup. Anyone here who can help me get rid of this annoyance will be most welcome. Do you think I should Sub7 him back, as he has open ports, and from what I can tell Sub7 is quite lame in its setup, making it open to Joe Public to mess with? At this moment in time I would virus him back if I could, lol. Nah, I'm not like that, but any help to get rid of it, please.
     
  2. tpb

    tpb

    Joined:
    Feb 27, 2001
    Messages:
    573
  3. miffed

    miffed Thread Starter

    Joined:
    Feb 1, 2003
    Messages:
    46
    Here it is, hope you can help.


    StartupList report, 01/02/2003, 13:58:03
    StartupList version: 1.51
    Started from : C:\unzipped\startuplist151[1]\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\AOL 7.0\waol.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\imapi.exe
    C:\Program Files\Ahead\nero\nero.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\startuplist151[1]\StartupList.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    nwiz = nwiz.exe /install

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    [nView]
    NVIEW = rundll32.exe nview.dll,nViewLoadHook

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

    [AV Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PAV.dll
    CODEBASE = http://www.pcpitstop.com/antivirus/PCPAV.CAB

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    [CSS Web Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\cssweb.dll
    CODEBASE = http://www.freedom.net/onlineviruscheck/cabs/cssweb.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [RavOnline Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\RAVONL~1.OCX
    CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

    --------------------------------------------------
    End of report, 4,376 bytes
    Report generated in 0.190 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. miffed

    miffed Thread Starter

    Joined:
    Feb 1, 2003
    Messages:
    46
    This is the full report with the msconfig startup items enabled.

    StartupList report, 01/02/2003, 14:30:44
    StartupList version: 1.51
    Started from : C:\unzipped\startuplist151[1]\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AOL 7.0\aoltray.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\AOL 7.0\waol.exe
    C:\unzipped\startuplist151[1]\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    McAfee Guardian = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    Fix-It AV = C:\PROGRA~1\Ontrack\Fix-It\MemCheck.exe
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Alogserv = C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    [nView]
    NVIEW = rundll32.exe nview.dll,nViewLoadHook

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

    [AV Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PAV.dll
    CODEBASE = http://www.pcpitstop.com/antivirus/PCPAV.CAB

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    [CSS Web Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\cssweb.dll
    CODEBASE = http://www.freedom.net/onlineviruscheck/cabs/cssweb.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [RavOnline Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\RAVONL~1.OCX
    CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

    --------------------------------------------------
    End of report, 5,601 bytes
    Report generated in 0.181 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  5. tpb

    tpb

    Joined:
    Feb 27, 2001
    Messages:
    573
    I don't see any sign of a virus or trojan.


    'generic host process' is a Windows XP service, Svchost.exe. You can allow it to connect. (It doesn't need server rights)

    As far as Real Player, Mediaplayer and WinDVD. They are probably looking for updates. Open each program and browse through the options and disable the 'automatic update' feature.


    You also have both Norton and McAfee running. This could be creating problems. You should either disable or uninstall one.
     
  6. miffed

    miffed Thread Starter

    Joined:
    Feb 1, 2003
    Messages:
    46
    Well, RealPlayer has been completely uninstalled, and my firewall detected program changes. Maybe the HD dump got rid of it???
     
  7. tpb

    tpb

    Joined:
    Feb 27, 2001
    Messages:
    573
    What program change did the firewall detect?
     
  8. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    First off, formatting the drive would delete Sub7, and a program can't store itself in RAM.

    Second, don't be so sure you have the guy's IP. I highly doubt it actually, because, well, you said yourself it was from RealPlayer, Media Player and WinDVD connections. Why would those programs connecting to an IP have anything to do with Sub7?

    If you did have his IP, it would be useless anyway. These programs connecting to it show it's a server; it's supposed to have open ports. You can't drop a file through an open port; you have to send it to the computer. Besides, you wouldn't know if he was behind a firewall, proxy or ISP caching server.

    You sound like you have had many, many viruses. The only way you can get them is from opening files, regardless of whether you know what they are or who they are from.
    Run an antivirus, and if you don't know what a program is, don't run it.

    And there is nothing wrong with a program listening on a port.
     
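    The two replies above make the same point: the listening "Generic Host Process" is svchost.exe, and a socket in LISTENING state is not by itself a sign of compromise. The check that actually settles the question is which process image owns each socket. The script below is an added example for this thread, not code posted by any participant: it joins the PID column of `netstat -ano` to `tasklist` output and flags listeners owned by an image outside an allow-list. Both sample outputs are constructed (the port and the `server.exe` process are sample data, the name being one $teve lists later in the thread), and the allow-list of expected listeners is an assumption to adapt per machine.

```python
"""Map listening and outbound sockets to the process image that owns them.

Added example for this thread, not code posted by any participant. On a
live Windows XP (or later) box, run `netstat -ano` and `tasklist` and pass
their output to `socket_report`; the two samples below are constructed so
the script runs offline.
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local remote state pid")

# Constructed `netstat -ano` output (not taken from the original post).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1040       203.0.113.9:80         ESTABLISHED     1560
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       1712
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist` output; "server.exe" is one of the names given for
# the Sub7 server in this thread, used here purely as sample data.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         236 K
svchost.exe                  932 Console                 0       3,100 K
iexplore.exe                1560 Console                 0      18,200 K
server.exe                  1712 Console                 0       1,024 K
"""

# Assumption: images expected to hold listening sockets on this host.
# Tune per machine; this is not a Windows-supplied list.
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe"}


def parse_netstat(text):
    """Parse `netstat -ano` rows into Socket tuples (TCP rows carry a State, UDP rows do not)."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        sockets.append(Socket(proto, local, remote, state, int(pid)))
    return sockets


_TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    images = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            images[int(m.group(2))] = m.group(1)
    return images


def socket_report(netstat_text, tasklist_text):
    """Join every socket to its owning image; flag listeners owned by an unexpected image."""
    images = parse_tasklist(tasklist_text)
    rows = []
    for s in parse_netstat(netstat_text):
        image = images.get(s.pid, "<no such pid>")
        listening = s.state == "LISTENING" or s.proto == "UDP"
        rows.append({
            "proto": s.proto, "local": s.local, "remote": s.remote,
            "state": s.state or "-", "pid": s.pid, "image": image,
            "unexpected_listener": listening and image not in EXPECTED_LISTENERS,
        })
    return rows


def unexpected_listeners(netstat_text, tasklist_text):
    """Only the rows a first-pass triage needs to look at."""
    return [r for r in socket_report(netstat_text, tasklist_text)
            if r["unexpected_listener"]]


if __name__ == "__main__":
    for r in socket_report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        flag = "  <-- unexpected listener" if r["unexpected_listener"] else ""
        print(f"{r['proto']:<4} {r['local']:<22} {r['remote']:<22} "
              f"{r['state']:<12} {r['pid']:>5} {r['image']}{flag}")
```

    In the constructed sample the svchost.exe and System listeners pass, the outbound iexplore.exe connection is reported but not flagged (it is not listening), and the one listener owned by a non-allow-listed image is the line to investigate. On a real machine the image name is only a starting point; a trojan can take any name, so follow the PID to the file on disk and check that too.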
  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    miffed, where or what leads you to think you have a trojan?
    Your post mentioned SubSeven 2.2a. What program identified this?
    There is nothing in your StartupList that shows any infection.
    Media Player, WinDVD and RealPlayer will call home from time to time only to check for updates; this is normal, and you can deny access via your firewall.
    You also have Norton and McAfee running together, not such good bed partners. Norton is probably the better of the two, but choose one and ditch the other.
    Defrag, empty temp folders, do a general clean-up and come back with the result.
    ;)
     
  10. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    You wouldn't be able to see a Sub7 infection from a StartupList; the server program is just one file and can have any filename.
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    It's not impossible to spot SubSeven from a StartupList.

    But, as mentioned above, although the server portion can have any name, it's found in the WINDOWS directory with one of the following:
    "server.exe" (328 KB)
    "rundll16.exe" (328 KB)
    "systray.dl" (328 KB)
    "Task_bar.exe" (328 KB)

    The second file is found in the WINDOWS\SYSTEM directory with one of the following:
    "FAVPNMCFEE.dll" (35 KB)
    "MVOKH_32.dll" (35 KB)
    "nodll.exe" (35 KB)
    "watching.dll" (35 KB)

    If you find any of these, you have SubSeven.
    Let us know.
     
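    The post above gives a concrete check: eight file names, two directories, two rounded sizes. The script below is an added example, not code from the thread, that runs that check against a Windows folder. Its assumptions: a 2 KB tolerance because the post's sizes are rounded; a case-insensitive name match because Windows file names are; and a second look in System32 for the WINDOWS\SYSTEM indicators, since the poster's StartupList shows an XP install where System32 is the live system directory. `build_fixture` creates a constructed directory tree so the script runs offline; on a suspect machine, call `check_sub7_indicators` with the real Windows folder instead.

```python
"""Look for the Sub7 indicator files named in the post above.

Added example, not code from the thread. It checks the eight file names and
rounded sizes the post gives (328 KB in WINDOWS, 35 KB in WINDOWS\\SYSTEM).
Assumptions: a +/-2 KB size tolerance, case-insensitive name matching, and a
second look in System32 for the SYSTEM indicators.
"""
import os
import tempfile

KB = 1024
SIZE_TOLERANCE_KB = 2  # assumption: the post's sizes are rounded

# (subdirectory under the Windows folder, filename, size in KB), as given in the post
SUB7_INDICATORS = [
    ("", "server.exe", 328),
    ("", "rundll16.exe", 328),
    ("", "systray.dl", 328),
    ("", "Task_bar.exe", 328),
    ("SYSTEM", "FAVPNMCFEE.dll", 35),
    ("SYSTEM", "MVOKH_32.dll", 35),
    ("SYSTEM", "nodll.exe", 35),
    ("SYSTEM", "watching.dll", 35),
]

# Assumption: on NT-family Windows (the poster runs XP) the system directory
# is System32, so the SYSTEM indicators are checked there as well.
SYSTEM_DIR_ALIASES = {"SYSTEM": ["SYSTEM", "System32"]}


def find_file_ci(directory, name):
    """Case-insensitive lookup: Windows names are case-insensitive, so the
    post's capitalisation (e.g. Task_bar.exe) need not match what is on disk."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            path = os.path.join(directory, entry)
            if os.path.isfile(path):
                return path
    return None


def check_sub7_indicators(windir):
    """Return one dict per indicator file present under `windir`, recording
    whether its size is within tolerance of the value the post gives."""
    hits = []
    for subdir, name, size_kb in SUB7_INDICATORS:
        for alias in SYSTEM_DIR_ALIASES.get(subdir, [subdir]):
            path = find_file_ci(os.path.join(windir, alias), name)
            if path is None:
                continue
            size = os.path.getsize(path)
            hits.append({
                "indicator": name,
                "path": path,
                "size": size,
                "size_matches": abs(size - size_kb * KB) <= SIZE_TOLERANCE_KB * KB,
            })
    return hits


def build_fixture():
    """Constructed Windows-like tree: one name-and-size hit, one name-only hit."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    os.makedirs(os.path.join(root, "System32"))
    with open(os.path.join(root, "SERVER.EXE"), "wb") as f:   # case differs on purpose
        f.write(b"\0" * (328 * KB))
    with open(os.path.join(root, "System32", "watching.dll"), "wb") as f:
        f.write(b"\0" * (5 * KB))                              # right name, wrong size
    return root


if __name__ == "__main__":
    for hit in check_sub7_indicators(build_fixture()):
        verdict = "size matches post" if hit["size_matches"] else "size does NOT match post"
        print(f"{hit['path']}  ({hit['size']} bytes, {verdict})")
```

    A name-only hit is reported separately from a name-and-size hit so that a legitimate file which happens to share a name is not mistaken for the trojan; a file that matches both is worth submitting to a scanner rather than simply deleting.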
  12. miffed

    miffed Thread Starter

    Joined:
    Feb 1, 2003
    Messages:
    46
    In answer to Steve: I was connected to a LAN when someone was downloading off me. Their Norton discovered Joke:RussianJep, so when I got home I ran my Norton. It wouldn't work, so I used the RAV online scan, and it found SubSeven 2.2a in three files, a worm which I think was one like SQL but an older version, and I had Joke:RussianJep in two file locations. I proceeded to uninstall my Norton and tried to install McAfee, but I kept getting an I/O error terminating my install, so I tried Norton again. Same thing, I/O error. So I put on ZoneAlarm and, hey presto, over 100 attacks in one hour from the same IP address, so I dumped both my HDs, but forgot to pull the battery on my motherboard. After everything was reinstalled I put ZoneAlarm back on and kept getting what I thought was the trojan listening, but it is my Windows Generic Host Process, as I'm told that is normal. So I've come to the conclusion that when I dumped my drives I got rid of the pesky things :) So thank you to all who have helped me. I am satisfied now that it has gone.

    Cheers

    Steven Bennett
     


Short URL to this thread: https://techguy.org/116415
