
Solved: I don't understand

Discussion in 'Virus & Other Malware Removal' started by JessNElvis, Sep 28, 2003.

Thread Status:
Not open for further replies.
  1. JessNElvis

    JessNElvis Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    117
    I run Symantec every week to check for viruses and stuff. Today, for the first time, I got a message saying that I have the "Backdoor.SubSeven" something or other. I went to the following page provided by Symantec (Backdoor.SubSeven) and it tells me how to get rid of the thing.

    Here's the problem.... I am computer retarded, like I've mentioned before, and the directions provided here don't make any sense to me whatsoever. I'm sure that if I even tried to follow what the page says, my computer will blow up.....

    Can anyone here give me a really good easy to follow definition of what this Backdoor.SubSeven thing is, and WHY it's bad?

    Also, can anyone help me by making the directions to get rid of it easy to understand?!

    THANKS!
    JessNElvis
     
  2. Cookies

    Cookies

    Joined:
    Jul 3, 2003
    Messages:
    489
    It's not that simple I'm afraid. There are several strains of Backdoor SubSeven.

    Think of it as oranges. There are seedless oranges, tangelos, California oranges, Florida oranges, etc. See?

    Does NAV (Norton Anti-Virus) quarantine it? This one can be a bit persistent, and may allow one to take control of your computer. I think I'd move this up on my priority list :)

    Tell us more please so we can help.
     
  3. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Hey wait you forgot clementines, navel, mandarin, jaffa, and a few others :D :D
     
  4. Cookies

    Cookies

    Joined:
    Jul 3, 2003
    Messages:
    489
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    17 years in the food retail industry did that to me....:rolleyes:


    And an old favorite..."Kumquats"
     
  6. JessNElvis

    JessNElvis Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    117
    OK..... let me see

    You can go to Tech24 and run either Symantec or McAfee virus scan. I run Symantec every Sunday. I've never had problems. However, today I ran Symantec and it told me that it had detected 1 infected file. The program says that "c:\WINDOWS\kerne1.exe is infected with Backdoor.SubSeven".

    I go to the Symantec Security Response site for removal information. I found the "Backdoor.SubSeven" file in the glossary and read what it said about the virus. This is the link to that page:
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven.html

    This tells me what I'm supposed to do to get rid of the supposed virus. The only problem is, I read what it told me to do, and I don't understand.
    It's telling me to copy regedit files and a bunch of .exe and do stuff in DOS and so on and so forth.
    All I can manage is a point and double click every now and then.... a lot of what the instructions are telling me to do makes no sense to me......
    THIS is my problem......

    I think my computer is going to die.
     
  7. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    OK, now that we have learned about oranges, back to how to get rid of the SubSeven trojan. :)

    Removal of the Sub-Seven Trojan can be an involved process and also depends on your version of windows.

    There are a number of people here that can help you remove it step by step. Let's start with a HiJack This log file.

    Go to http://tomcoyote.org/hjt/ and download HiJackThis. Use Winzip to unzip it, then install and run it. To run, click the “Scan” button. When it's done the "Scan" button changes to "Save Log". Save the log file it creates (it should open in Notepad at that point). Copy and paste the results in your next post. IF you happen to be using a proxy server, please mention it in your post. Most of what it finds is harmless, so do not do anything yet.
     
  8. JessNElvis

    JessNElvis Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    117
    Would I sound stupid if I said "What the heck is a proxy server?"

    OK- LOG!

    Logfile of HijackThis v1.96.4
    Scan saved at 12:37:48 AM, on 9/29/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\KERNE1.EXE
    C:\WINDOWS\CDI.EXE
    C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\HOOKTOOL.EXE
    C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 98\DMHKEY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\PROGRAM FILES\ICQ\ICQ.EXE
    C:\PROGRAM FILES\KAZAA LITE\KAZAALITE.KPP
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=Explorer.exe kerne1.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CDInterceptor] cdi.exe
    O4 - HKLM\..\Run: [TBTray] tbtray.exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE" -minimized
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [VidSvr]
    O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 98\DMHKEY.EXE
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.6795138889
     
  9. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
    Next, close all browser Windows, and have HT fix all checked.

    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=Explorer.exe kerne1.exe

    O4 - HKLM\..\Run: [CDInterceptor] cdi.exe



    Next reboot into Safe Mode and remove the following files and folders that are bolded

    C:\WINDOWS\KERNE1.EXE

    See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

    Reboot into normal mode


    Now download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
     
  10. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Once you have done all the above steps, rescan with NAV and let's see what the results are.
     
  11. JessNElvis

    JessNElvis Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    117
    I did what ya told me-
    I ran my virus scan again and it didn't detect any viruses.... woohoo!
    I do have another problem tho....
    Since I did this, every time I turn on my computer I get a message:
    "Cannot find the file 'kerne1.exe' (or one of its components). Makes sure the path and filename are correct...... yadda yadda yadda"

    How do I now fix this?

    Oh- and btw- here's the log:

    Logfile of HijackThis v1.96.4
    Scan saved at 10:34:16 PM, on 9/30/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\CDI.EXE
    C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE
    C:\WINDOWS\HOOKTOOL.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 98\DMHKEY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=Explorer.exe kerne1.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CDInterceptor] cdi.exe
    O4 - HKLM\..\Run: [TBTray] tbtray.exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE" -minimized
    O4 - HKLM\..\Run: [AT-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [VidSvr]
    O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 98\DMHKEY.EXE
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.6795138889
     
  12. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Have HJT fix this item.

    F0 - system.ini: Shell=Explorer.exe kerne1.exe

    Then reboot.

    Once back up, use Notepad to open system.ini.

    The Shell line should look like this:

    F0 - system.ini: Shell=Explorer.exe
     
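    As an added example (not code from this thread or from HijackThis), here is a small Python triage script for the two checks NiteHawk's replies turn on: whether the F0 "Shell=" line in system.ini carries anything beyond Explorer.exe, and whether the running-process list contains a file whose name only matches a well-known system file after undoing a digit-for-letter swap, as KERNE1.EXE imitates KERNEL32. The sample log is constructed from a few of the lines quoted above; the KNOWN_STEMS and HOMOGLYPHS lists are assumptions for illustration, not a complete reference.

```python
import os
import re

# Constructed sample log, modelled on the HijackThis v1.96 output quoted in this
# thread (a handful of lines only; not the poster's full log).
SAMPLE_LOG = """\
Logfile of HijackThis v1.96.4
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\EXPLORER.EXE
C:\\WINDOWS\\KERNE1.EXE
C:\\WINDOWS\\CDI.EXE

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe kerne1.exe
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [CDInterceptor] cdi.exe
"""

# On Win9x the [boot] Shell= line of system.ini should name only Explorer.exe;
# anything chained after it is launched at every boot, which is why the
# thread has HijackThis fix this line.
F0_RE = re.compile(r"^F0 - system\.ini: Shell=(.*)$", re.IGNORECASE)

# Digit-for-letter substitutions used to make a dropped file blend in with a
# real system file name (assumed list; extend as needed).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})

# Well-known Windows file stems a lookalike would try to imitate (assumed list).
KNOWN_STEMS = ("kernel32", "explorer", "rundll32", "systray", "taskmon")


def shell_extras(log_text):
    """Executables chained after Explorer.exe on the F0 Shell= line (lower-cased)."""
    extras = []
    for line in log_text.splitlines():
        m = F0_RE.match(line.strip())
        if m:
            for tok in m.group(1).split():
                if tok.lower() != "explorer.exe":
                    extras.append(tok.lower())
    return extras


def running_processes(log_text):
    """Paths listed under 'Running processes:' up to the next blank line."""
    paths, in_block = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            paths.append(line)
    return paths


def lookalike_processes(log_text):
    """Process paths whose file stem matches a well-known name only after the
    digit-for-letter swaps are undone (KERNE1 -> kernel, a prefix of kernel32)."""
    hits = []
    for path in running_processes(log_text):
        stem = os.path.basename(path.replace("\\", "/")).rsplit(".", 1)[0].lower()
        normalized = stem.translate(HOMOGLYPHS)
        if normalized != stem and any(k.startswith(normalized) for k in KNOWN_STEMS):
            hits.append(path)
    return hits


def triage(log_text):
    """Summarise what a helper would ask to have fixed and what to verify after
    the reboot: the F0 extras, any lookalike-named process, and the Shell=
    line system.ini should end up with."""
    extras = shell_extras(log_text)
    lookalikes = lookalike_processes(log_text)
    return {
        "shell_extras": extras,
        "lookalike_processes": lookalikes,
        "expected_shell_line": "Shell=Explorer.exe",
        "clean": not extras and not lookalikes,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Running it on the sample reports kerne1.exe as the F0 extra and C:\WINDOWS\KERNE1.EXE as the lookalike; feeding it the post-fix log, where the F0 line reads "Shell=Explorer.exe" and the process is gone, reports clean. The "file not found" message at boot in post 11 is exactly what a stale Shell= entry produces once the file has been deleted, which is why the fix is to clean the line rather than restore the file.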
  13. JessNElvis

    JessNElvis Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    117
    so- make sure I got this right....

    to fix the error msg, I...
    1- run hijackthis
    2- click in the F0 file thingy and tell it to fix
    3- Reboot and it should be gone?
     
  14. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    That is correct. The "quick look see" of system.ini using Notepad is just a double check.
     


Short URL to this thread: https://techguy.org/168162
