sub2_1C.exe Trojan virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ree

Thread Starter
Joined
Oct 18, 2002
Messages
33
I've been having trouble surfing the web using my address bar. I tried to reboot but kept getting "server can't be found"; I ran Spybot, Ad-Aware, and my virus scan, and it found this {sub2_1C.exe trojan horse virus}. I quarantined the virus as recommended by Norton. So what should I do with it now? Also, eicar was submitted; does it need repairing too, so maybe if there's another problem it will alert me? I'm still not able to get online with that computer. It has Windows ME; any help would be appreciated.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
I would suggest you go to Symantec, read and follow the removal instructions. Your dat files must be pretty out of date since this is an older virus. Update them ASAP!
 

ree

Thread Starter
Joined
Oct 18, 2002
Messages
33
Symantec suggested I go to Safe Mode and do a full scan, but my mouse doesn't work in Safe Mode, so I can't do anything there. Any more suggestions? Thank you
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Try the HouseCall online scan. That should assure you have removed the virus.

Have you gotten the updates for Norton?

Looks like eicar is just a tester so no need to worry about that.
 

ree

Thread Starter
Joined
Oct 18, 2002
Messages
33
It was about a week ago the last time I updated my definitions. I can't access the web now; I keep getting "server can't be found".
 
Joined
Oct 9, 2001
Messages
9,396
If you can't get web access you may have to use another machine to d/l HijackThis (stating the obvious, I know)
;)
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
My thinking is if you are posting you have access, somehow, to the web. That is always a question I have in this situation.

:confused: ;)
 

ree

Thread Starter
Joined
Oct 18, 2002
Messages
33
Ok, yesterday I was surfing the web on the infected computer, then it froze up, so I restarted it and couldn't get back online; I kept getting "cannot find server". I have another computer I'm using to get online with, so how will I run HijackThis for the infected one?
 
Joined
Jul 26, 2002
Messages
46,349
Go here http://www.tomcoyote.org/hjt/ and download HijackThis. Put the Zip file on a floppy, then put the floppy in the problem PC and unzip it to the folder of your choice. For example, unzip it to "My Documents".

Click on HijackThis.exe.

Click the "Scan" button. When the scan is finished the Scan button will become "Save Log"; click that and save the log.

Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy".

Paste the log to the floppy, take it back to the PC you are on now, and Copy and Paste it from there to here.
 

ree

Thread Starter
Joined
Oct 18, 2002
Messages
33
Sorry to be a pain, but I don't have a file zipper on the infected computer. Is it possible to download WinZip on a CD and install it on it so I can run HijackThis then?
 
Joined
Jul 26, 2002
Messages
46,349
Actually, you can fit HijackThis.exe on a floppy. It is only 153 KB. That would eliminate the need for WinZip on the affected PC.
 

ree

Thread Starter
Joined
Oct 18, 2002
Messages
33
StartupList report, 9/12/2003, 9:00:27 AM
StartupList version: 1.52
Started from : C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\MY DOCUMENTS\WINZIP\WINZIP32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NAV Agent = C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
NPROTECT = C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

NPROTECT = C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
CSINJECT.EXE = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=hpfsched

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 11/9/2003, 1:18:12)

[Rename]
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\[email protected][1].txt

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job
PCHealth Scheduler for Data Collection.job
Norton AntiVirus 2002.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.5666319444

[ExentInf Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EXENTCTL_0_0_0_1.OCX
CODEBASE = http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab

[sys Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,066 bytes
Report generated in 0.082 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Jul 26, 2002
Messages
46,349
ree

I don't see anything alarming in that startup list, but we need to see the default HJT scan, not a StartupList. When you open HJT, on the first window that opens click the "Scan" button. That is the default HJT scan and this is the one we need to see.
 

ree

Thread Starter
Joined
Oct 18, 2002
Messages
33
Logfile of HijackThis v1.91.2
Scan saved at 10:13:05 PM, on 2/8/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.rr.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=ams-server*
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4C4871FD-30F6-4430-8834-BC75D58F1529} - C:\WINDOWS\SYSTEM\SBSRCH_V2.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: Yahoo! Spades (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Literati (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Gin (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
O16 - DPF: Yahoo! Pool 2 (YInstStarter Class) - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37614.5666319444
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/297a8f782d795cf4fe19/netzip/RdxIE601.cab
O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} - http://207.44.176.11/auth/IE_InstllC.exe
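As an added example (not HijackThis's own code and not posted by anyone in this thread), a small Python triage helper that parses HJT log lines in the format shown above and flags the entries a reviewer looks at first: the R1 proxy setting, which could explain the "server can't be found" symptom if that proxy is no longer reachable, an O2 BHO with no name, and O16 DPF entries fetched from a bare IP host or pointing at a raw .exe instead of the usual .cab. The sample lines are copied from the log above; the heuristics are the example's own, not HJT's.

```python
"""Triage helper for HijackThis v1.9x log lines (added example, not HJT's own code)."""
import re
from urllib.parse import urlparse

# HJT line shape: "<SECTION> - <rest>", e.g. "O16 - DPF: {CLSID} (Name) - http://..."
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://[^\s]+")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Sample input: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=proxy-server:8080;https=proxy-server:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {4C4871FD-30F6-4430-8834-BC75D58F1529} - C:\WINDOWS\SYSTEM\SBSRCH_V2.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/297a8f782d795cf4fe19/netzip/RdxIE601.cab
O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} - http://207.44.176.11/auth/IE_InstllC.exe
"""

def parse_line(line):
    """Split one HJT line into its section code (R1, O2, O16, ...) and body."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("sec"), "body": m.group("body")}

def flag(entry):
    """Return the reasons (possibly none) an entry deserves a second look."""
    sec, body = entry["section"], entry["body"]
    reasons = []
    if sec == "R1" and "ProxyServer=" in body:
        reasons.append("proxy set in Internet Settings; unreachable proxy gives 'server not found'")
    if sec == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO with no name; identify the DLL before trusting it")
    if sec == "O16":
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if IP_HOST_RE.match(host):
                reasons.append(f"DPF download from bare IP host {host}")
            if url.lower().endswith(".exe"):
                reasons.append("DPF points at a raw .exe rather than the usual .cab")
    return reasons

def triage(log_text):
    """Return [(section, [reasons...])] for every flagged line, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (reasons := flag(entry)):
            flagged.append((entry["section"], reasons))
    return flagged

if __name__ == "__main__":
    for section, reasons in triage(SAMPLE_LOG):
        print(section, "->", "; ".join(reasons))
```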
 