
sub2_1C.exe Trojan virus

Discussion in 'Virus & Other Malware Removal' started by ree, Sep 11, 2003.

Thread Status:
Not open for further replies.
  1. ree

    ree Thread Starter

    Joined:
    Oct 18, 2002
    Messages:
    33
    I've been having trouble surfing the web using my address bar. I tried to reboot but kept getting "server can't be found"; I ran Spybot, adware, and my virus scan, and it found this {sub2_1C.exe trojan horse virus}. I quarantined the virus as recommended by Norton. So what should I do with it now? Also, eicar was submitted; does it need repairing too, so maybe if there's another problem it will alert me? I'm still not able to get online with that computer. It has Windows ME; any help would be appreciated.
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I would suggest you go to Symantec, read and follow the removal instructions. Your dat files must be pretty out of date since this is an older virus. Update them ASAP!
     
  3. ree

    ree Thread Starter

    Joined:
    Oct 18, 2002
    Messages:
    33
    Symantec suggested I go to safe mode and do a full scan, but my mouse doesn't work in safe mode, so I can't do anything there. Any more suggestions? Thank you
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Try the HouseCall online scan. That should assure you have removed the virus.

    Have you gotten the updates for Norton?

    Looks like eicar is just a tester so no need to worry about that.
     
  5. ree

    ree Thread Starter

    Joined:
    Oct 18, 2002
    Messages:
    33
    It was about a week ago the last time I updated my definitions. I can't access the web now; I keep getting "server can't be found".
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Go get HijackThis and post a log so we can try and see what's going on.
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    If you can't get web access you may have to use another machine to d/l HijackThis (stating the obvious, I know).
    ;)
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    My thinking is if you are posting you have access, somehow, to the web. That is always a question I have in this situation.

    :confused: ;)
     
  9. ree

    ree Thread Starter

    Joined:
    Oct 18, 2002
    Messages:
    33
    OK, yesterday I was surfing the web on the infected computer, then it froze up, so I restarted it and couldn't get back online; I kept getting "cannot find server". I have another computer I'm using to get online with, so how will I run HijackThis for the infected one?
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,330
    Go here http://www.tomcoyote.org/hjt/ and download HijackThis. Put the Zip file on a floppy, then put the floppy in the problem PC and unzip it to the folder of your choice. For example, unzip it to "My Documents".

    Click on HijackThis.exe.

    Click the "Scan" button. When the scan is finished, the "Scan" button will become "Save Log"; click that and save the log.

    Go to where you saved the log and click "Edit > Select All", then click "Edit > Copy".

    Paste the log to the floppy, take it back to the PC you are on now, and copy and paste it from there to here.
     
  11. ree

    ree Thread Starter

    Joined:
    Oct 18, 2002
    Messages:
    33
    Sorry to be a pain, but I don't have a file zipper on the infected computer. Is it possible to download WinZip on a CD and install it on it so I can run HijackThis then?
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,330
    Actually you can fit HijackThis.exe on a floppy. It is only 153 KB. That would eliminate the need for WinZip on the affected PC.
     
  13. ree

    ree Thread Starter

    Joined:
    Oct 18, 2002
    Messages:
    33
    StartupList report, 9/12/2003, 9:00:27 AM
    StartupList version: 1.52
    Started from : C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\MY DOCUMENTS\WINZIP\WINZIP32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
    CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NAV Agent = C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
    NPROTECT = C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    NPROTECT = C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    CSINJECT.EXE = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    SchedulingAgent = mstask.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Yahoo! Pager = C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=hpfsched

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 11/9/2003, 1:18:12)

    [Rename]
    NUL=c:\windows\cookies\[email protected][2].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][2].txt
    NUL=c:\windows\cookies\[email protected][2].txt
    NUL=c:\windows\cookies\[email protected][2].txt
    NUL=c:\windows\cookies\[email protected][2].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][2].txt
    NUL=c:\windows\cookies\[email protected][2].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][2].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][1].txt
    NUL=c:\windows\cookies\[email protected][1].txt

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Norton SystemWorks One Button Checkup.job
    Symantec NetDetect.job
    PCHealth Scheduler for Data Collection.job
    Norton AntiVirus 2002.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.5666319444

    [ExentInf Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EXENTCTL_0_0_0_1.OCX
    CODEBASE = http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab

    [sys Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
    CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL
    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 7,066 bytes
    Report generated in 0.082 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,330
    ree

    I don't see anything alarming in that startup list, but we need to see the default HJT scan, not a StartupList. When you open HJT, on the first window that opens click the "Scan" button there. That is the default HJT scan and this is the one we need to see.
     
  15. ree

    ree Thread Starter

    Joined:
    Oct 18, 2002
    Messages:
    33
    Logfile of HijackThis v1.91.2
    Scan saved at 10:13:05 PM, on 2/8/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.yahoo.com/search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.rr.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.rr.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=proxy-server:8080;https=proxy-server:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=ams-server*
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {4C4871FD-30F6-4430-8834-BC75D58F1529} - C:\WINDOWS\SYSTEM\SBSRCH_V2.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /scheduler
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: Yahoo! Spades (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: Yahoo! Literati (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: Yahoo! Gin (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
    O16 - DPF: Yahoo! Pool 2 (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.5666319444
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/297a8f782d795cf4fe19/netzip/RdxIE601.cab
    O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} - http://207.44.176.11/auth/IE_InstllC.exe
     
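As an added example (not from this thread, and not HijackThis's own code): a small Python triage script that parses log lines in the HijackThis format posted above and flags the entries a helper would ask about first, the R1 ProxyServer setting (a proxy the user never mentioned configuring, which fits the "server cannot be found" errors), the unnamed O2 BHO loading from the Windows system directory, and the O16 ActiveX downloads served from bare IP addresses or as a direct .exe. The flagging heuristics are the example's own, not HijackThis rules.

```python
import re

# Sample input for this example (copied from the HijackThis log posted above;
# the Flash entry is kept as a benign control). Not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=proxy-server:8080;https=proxy-server:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {4C4871FD-30F6-4430-8834-BC75D58F1529} - C:\WINDOWS\SYSTEM\SBSRCH_V2.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/297a8f782d795cf4fe19/netzip/RdxIE601.cab
O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} - http://207.44.176.11/auth/IE_InstllC.exe
"""

# Every HijackThis line is "<section code> - <body>", e.g. "O16 - DPF: ...".
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Matches a URL whose host is a bare dotted-quad IP address rather than a name.
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)

def parse_line(line):
    """Split one log line into section code and body; None if not a log entry."""
    m = LINE_RE.match(line.strip())
    return None if m is None else {"code": m.group("code"), "body": m.group("body")}

def flag_entry(entry):
    """Return a short reason if the entry deserves a closer look, else None."""
    code, body = entry["code"], entry["body"]
    if code == "R1" and "ProxyServer=" in body:
        # A proxy the user never set up would explain "server cannot be found".
        value = body.split("ProxyServer=", 1)[1]
        if value:
            return "browser proxy configured: " + value
    if code == "O2":
        # An unnamed BHO loading from the Windows system directory, not a vendor folder.
        path = body.rsplit(" - ", 1)[-1]
        if "(no name)" in body and path.lower().startswith(r"c:\windows\system"):
            return "unnamed BHO in system directory: " + path
    if code == "O16":
        # ActiveX download whose CODEBASE is a raw IP address or a bare .exe file.
        url = body.rsplit(" - ", 1)[-1]
        if IP_HOST_RE.match(url):
            return "ActiveX download from bare IP address: " + url
        if url.lower().endswith(".exe"):
            return "ActiveX download of a bare executable: " + url
    return None

def triage(log_text):
    """Return [(code, reason)] for every flagged entry, in log order."""
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return [(e["code"], r) for e in entries if (r := flag_entry(e))]
```

Running `triage(SAMPLE_LOG)` on the sample returns four findings: the proxy line, the SBSRCH_V2.DLL BHO and the two IP-hosted O16 downloads, while the Norton BHO and the Macromedia Flash entry pass.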
Short URL to this thread: https://techguy.org/163993