Solved: I don't understand

1223 Views 13 Replies 4 Participants Last post by NiteHawk
I run Symantec every week to check for viruses and stuff. Today, for the first time, I got a message saying that I have the "Backdoor.SubSeven" something or other. I went to the following page provided by Symantec (Backdoor.SubSeven ) and it tells me how to get rid of the thing.

Here's the problem.... I am computer retarded, like I've mentioned before, and the directions provided here don't make any sense to me whatsoever. I'm sure that if I even tried to follow what the page says, my computer will blow up.....

Can anyone here give me a really good easy to follow definition of what this Backdoor.SubSeven thing is, and WHY it's bad?

Also, can anyone help me by making the directions to get rid of it easy to understand?!

THANKS!
JessNElvis
It's not that simple I'm afraid. There are several strains of Backdoor SubSeven.

Think of it as oranges. There are seedless oranges, tangelos, California oranges, Florida oranges, etc. See?

Does NAV (Norton Anti-Virus) quarantine it? This one can be a bit persistent, and may allow one to take control of your computer. I think I'd move this up on my priority list :)

Tell us more please so we can help.
Hey wait you forgot clementines, navel, mandarin, jaffa, and a few others :D :D
lol! :)
17 years in the food retail industry did that to me....:rolleyes:


And an old favorite..."Kumquats"
OK..... let me see

You can go to Tech24 and run either the Symantec or McAfee virus scan. I run Symantec every Sunday. I've never had problems. However, today I ran Symantec and it told me that it had detected 1 infected file. The program says that "c:\WINDOWS\kerne1.exe is infected with Backdoor.SubSeven".

I go to the Symantec Security Response site for removal information. I found the "Backdoor.SubSeven" file in the glossary and read what it said about the virus. This is the link to that page:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven.html

This tells me what I'm supposed to do to get rid of the supposed virus. The only problem is, I read what it told me to do, and I don't understand.
It's telling me to copy regedit files and a bunch of .exe and do stuff in DOS and so on and so forth.
All I can manage is a point and double click every now and then.... a lot of what the instructions are telling me to do makes no sense to me......
THIS is my problem......

I think my computer is going to die.
OK, now that we have learned about oranges, back to how to get rid of the SubSeven trojan. :)

Removal of the Sub-Seven Trojan can be an involved process and also depends on your version of Windows.

There are a number of people here that can help you remove it step by step. Let's start with a HiJack This log file.

Go to http://tomcoyote.org/hjt/ and download HiJackThis. Use Winzip to unzip it, then install and run it. To run, click the “Scan” button. When it's done the "Scan" button changes to "Save Log". Save the log file it creates (it should open in Notepad at that point). Copy and paste the results in your next post. IF you happen to be using a proxy server, please mention it in your post. Most of what it finds is harmless, so do not do anything yet.
Would I sound stupid if I said "What the heck is a proxy server?"

OK- LOG!

Logfile of HijackThis v1.96.4
Scan saved at 12:37:48 AM, on 9/29/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\KERNE1.EXE
C:\WINDOWS\CDI.EXE
C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\HOOKTOOL.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 98\DMHKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\ICQ\ICQ.EXE
C:\PROGRAM FILES\KAZAA LITE\KAZAALITE.KPP
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe kerne1.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CDInterceptor] cdi.exe
O4 - HKLM\..\Run: [TBTray] tbtray.exe
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE" -minimized
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 98\DMHKEY.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.6795138889
In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe kerne1.exe

O4 - HKLM\..\Run: [CDInterceptor] cdi.exe


Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\WINDOWS\KERNE1.EXE

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Reboot into normal mode

Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks
Once you have done all the above steps, rescan with NAV and let's see what the results are.
I did what ya told me-
I ran my virus scan again and it didn't detect any viruses.... woohoo!
I do have another problem tho....
Since I did this, every time I turn on my computer I get a message:
"Cannot find the file 'kerne1.exe' (or one of its components). Makes sure the path and filename are correct...... yadda yadda yadda"

How do I now fix this?

Oh- and btw- here's the log:

Logfile of HijackThis v1.96.4
Scan saved at 10:34:16 PM, on 9/30/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\CDI.EXE
C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE
C:\WINDOWS\HOOKTOOL.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 98\DMHKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe kerne1.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CDInterceptor] cdi.exe
O4 - HKLM\..\Run: [TBTray] tbtray.exe
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\PROGRAM FILES\STOP-THE-POP-UP\STOPTHEPOP.EXE" -minimized
O4 - HKLM\..\Run: [AT-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 98\DMHKEY.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.6795138889
Have HJT fix this item.

F0 - system.ini: Shell=Explorer.exe kerne1.exe

Then reboot.

Once back up, use Notepad to open system.ini.

The Shell line should look like this

F0 - system.ini: Shell=Explorer.exe
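As an added example (not part of the thread, and not HijackThis code), a small Python check that reads the Shell= line from either a HijackThis F0 entry or a raw system.ini, lists anything loaded alongside Explorer.exe, and writes out the cleaned Shell= line shown above. It assumes Explorer.exe is the only legitimate shell, as on this machine; the sample lines are constructed to mirror the log in this thread.

```python
import re

# Constructed samples: one in HijackThis "F0" log format, one as a raw
# system.ini fragment. Neither is copied from a real machine.
SAMPLE_HJT_LOG = """\
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe kerne1.exe
O4 - HKLM\\..\\Run: [CDInterceptor] cdi.exe
"""

SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe kerne1.exe
[386Enh]
"""

# Assumption: Explorer.exe is the only program that belongs on the Shell= line.
LEGIT_SHELL = "explorer.exe"


def shell_entries(line):
    """Return the executables named on a Shell= line, or None if the line is not one."""
    m = re.search(r"shell\s*=\s*(.*)$", line, re.IGNORECASE)
    if not m:
        return None
    return m.group(1).split()


def find_extra_shell_programs(text):
    """List programs Win9x would launch at login in addition to Explorer.exe.

    Works on raw system.ini content and on HijackThis F0 lines alike,
    because both carry the literal 'Shell=' token."""
    extras = []
    for line in text.splitlines():
        entries = shell_entries(line)
        if entries is None:
            continue
        extras.extend(exe for exe in entries if exe.lower() != LEGIT_SHELL)
    return extras


def clean_system_ini(text):
    """Rewrite every Shell= line so that only Explorer.exe is loaded (the fix HJT applies)."""
    out = []
    for line in text.splitlines():
        if shell_entries(line) is not None:
            key = line.split("=", 1)[0]   # keep 'shell' or 'F0 - system.ini: Shell' as-is
            line = f"{key}=Explorer.exe"
        out.append(line)
    return "\n".join(out) + "\n"
```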
so- make sure I got this right....

to fix the error msg, I...
1- run hijackthis
2- click in the F0 file thingy and tell it to fix
3- Reboot and it should be gone?
That is correct. The "quick look see" of system.ini using Notepad is just a double check.