Solved: I don't understand

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

JessNElvis

Thread Starter
Joined
Sep 8, 2003
Messages
117
I run Symantec every week to check for viruses and stuff. Today, for the first time, I got a message saying that I have the "Backdoor.SubSeven" something or other. I went to the following page provided by Symantec (Backdoor.SubSeven) and it tells me how to get rid of the thing.

Here's the problem.... I am computer retarded, like I've mentioned before, and the directions provided here don't make any sense to me whatsoever. I'm sure that if I even tried to follow what the page says, my computer will blow up.....

Can anyone here give me a really good easy to follow definition of what this Backdoor.SubSeven thing is, and WHY it's bad?

Also, can anyone help me by making the directions to get rid of it easy to understand?!

THANKS!
JessNElvis
 
Joined
Jul 3, 2003
Messages
489
It's not that simple I'm afraid. There are several strains of Backdoor SubSeven.

Think of it as oranges. There are seedless oranges, tangelos, California oranges, Florida oranges, etc. See?

Does NAV (Norton Anti-Virus) quarantine it? This one can be a bit persistent, and may allow one to take control of your computer. I think I'd move this up on my priority list :)

Tell us more please so we can help.
 
Joined
Feb 23, 2003
Messages
16,274
Hey wait you forgot clementines, navel, mandarin, jaffa, and a few others :D :D
 
Joined
Feb 23, 2003
Messages
16,274
17 years in the food retail industry did that to me....:rolleyes:


And an old favorite..."Kumquats"
 

JessNElvis

Thread Starter
Joined
Sep 8, 2003
Messages
117
OK..... let me see

You can go to Tech24 and run either Symantec or McAfee virus scan. I run Symantec every Sunday. I've never had problems. However, today I ran Symantec and it told me that it had detected 1 infected file. The program says that "c:\WINDOWS\kerne1.exe is infected with Backdoor.SubSeven".

I go to the Symantec Security Response site for removal information. I found the "Backdoor.SubSeven" file in the glossary and read what it said about the virus. This is the link to that page:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven.html

This tells me what I'm supposed to do to get rid of the supposed virus. The only problem is, I read what it told me to do, and I don't understand.
It's telling me to copy regedit files and a bunch of .exe and do stuff in DOS and so on and so forth.
All I can manage is a point and double click every now and then.... a lot of what the instructions are telling me to do makes no sense to me......
THIS is my problem......

I think my computer is going to die.
 
Joined
Mar 9, 2003
Messages
4,699
OK, now that we have learned about oranges, back to how to get rid of the SubSeven trojan. :)

Removal of the Sub-Seven Trojan can be an involved process and also depends on your version of windows.

There are a number of people here that can help you remove it step by step. Lets start with a HiJack This log file.

Go to http://tomcoyote.org/hjt/ and download HiJackThis. Use Winzip to unzip it, then install and run it. To run, click the “Scan” button. When it's done the "Scan" button changes to "Save Log". Save the log file it creates (it should open in Notepad at that point). Copy and paste the results in your next post. IF you happen to be using a proxy server, please mention it in your post. Most of what it finds is harmless, so do not do anything yet.
 

JessNElvis

Thread Starter
Joined
Sep 8, 2003
Messages
117
Would I sound stupid if I said "What the heck is a proxy server?"

OK- LOG!

Logfile of HijackThis v1.96.4
Scan saved at 12:37:48 AM, on 9/29/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\KERNE1.EXE
C:\WINDOWS\CDI.EXE
C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\HOOKTOOL.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 98\DMHKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\ICQ\ICQ.EXE
C:\PROGRAM FILES\KAZAA LITE\KAZAALITE.KPP
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe kerne1.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CDInterceptor] cdi.exe
O4 - HKLM\..\Run: [TBTray] tbtray.exe
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE" -minimized
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 98\DMHKEY.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.6795138889
 
Joined
Mar 9, 2003
Messages
4,699
In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser windows, and have HJT fix all checked.

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe kerne1.exe

O4 - HKLM\..\Run: [CDInterceptor] cdi.exe



Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\WINDOWS\KERNE1.EXE

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Reboot into normal mode


Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks
 
Joined
Mar 9, 2003
Messages
4,699
Once you have done all the above steps, rescan with NAV and let's see what the results are.
 

JessNElvis

Thread Starter
Joined
Sep 8, 2003
Messages
117
I did what ya told me-
I ran my virus scan again and it didn't detect any viruses.... woohoo!
I do have another problem tho....
Since I did this, every time I turn on my computer I get a message:
"Cannot find the file 'kerne1.exe' (or one of its components). Makes sure the path and filename are correct...... yadda yadda yadda"

How do I now fix this?

Oh- and btw- here's the log:

Logfile of HijackThis v1.96.4
Scan saved at 10:34:16 PM, on 9/30/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\CDI.EXE
C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE
C:\WINDOWS\HOOKTOOL.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 98\DMHKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe kerne1.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CDInterceptor] cdi.exe
O4 - HKLM\..\Run: [TBTray] tbtray.exe
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE" -minimized
O4 - HKLM\..\Run: [AT-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 98\DMHKEY.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.6795138889
 
Joined
Mar 9, 2003
Messages
4,699
Have HJT fix this item.

F0 - system.ini: Shell=Explorer.exe kerne1.exe

Then reboot.

Once back up, use Notepad to open system.ini.

The Shell line should look like this:

F0 - system.ini: Shell=Explorer.exe
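The two fixes above (clearing the extra executable from the system.ini Shell= line, and spotting the look-alike kerne1.exe among the running processes) can be checked mechanically. This is an added example, not something from the thread or from HijackThis itself: it runs over a constructed log excerpt modelled on the one posted, and the list of "familiar" file names it uses for the look-alike check is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis-style log excerpt, modelled on the one posted in the thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\EXPLORER.EXE
C:\\WINDOWS\\KERNE1.EXE
C:\\WINDOWS\\CDI.EXE

F0 - system.ini: Shell=Explorer.exe kerne1.exe
O4 - HKLM\\..\\Run: [CDInterceptor] cdi.exe
"""

# File-name stems that a dropper likes to imitate (assumption: a short illustrative list).
FAMILIAR_STEMS = {"kernel", "kernel32", "explorer", "rundll32", "svchost"}
# Digit-for-letter swaps used to make a fake name look real ("kerne1" vs "kernel").
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def shell_extras(log: str) -> list[str]:
    """Everything besides Explorer.exe on the system.ini Shell= line (the F0 entry)."""
    extras = []
    for m in re.finditer(r"^F0 - system\.ini: Shell=(.+)$", log, re.M):
        extras += [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
    return extras


def lookalike_processes(log: str) -> list[str]:
    """Running processes whose name only becomes a familiar one after undoing the swaps."""
    hits = []
    for line in log.splitlines():
        if not re.match(r"^[A-Za-z]:\\", line):   # only the process path lines
            continue
        stem = PureWindowsPath(line).stem.lower()
        fixed = stem.translate(HOMOGLYPHS)
        if fixed != stem and fixed in FAMILIAR_STEMS:
            hits.append(line)
    return hits


def clean_shell_line(system_ini: str) -> str:
    """Return system.ini text with the Shell= line reset to Explorer.exe only."""
    return re.sub(r"(?im)^(shell=)\S+.*$", r"\1Explorer.exe", system_ini)
```

After the HJT fix, `clean_shell_line` shows what the Shell= line in system.ini is expected to read; `shell_extras` on a fresh log should then return an empty list.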
 

JessNElvis

Thread Starter
Joined
Sep 8, 2003
Messages
117
so- make sure I got this right....

to fix the error msg, I...
1- run hijackthis
2- click in the F0 file thingy and tell it to fix
3- Reboot and it should be gone?
 
Joined
Mar 9, 2003
Messages
4,699
That is correct. The "quick look see" of system.ini using Notepad is just a double check.
 