# backdoor subseven trojan horse virus



## ATRIRISH (Feb 9, 2003)

Backdoor subseven trojan horse virus was detected using NAV 2003 virus scan. The virus was located in the temporary internet folder. This virus was quarantined because NAV could not fix it. I deleted the quarantined .exe file because I don't need it. I understand now that NAV may not be able to detect the virus again since the quarantined file was deleted. The virus may still be active. As of right now I do not have any viruses detected on my computer. My firewall has been informing me that I have been attacked by the following IP address: 24.191.198.131. I have attached a notepad file that contains my startup list. I no longer load startup items when I start my computer or reboot. Is not loading startup items a good idea? My firewall NIS was disabled at the time the virus was detected. I believe I obtained the virus by downloading the rapid blaster software. In the startup list there is a hidden file named: c:\program files\rapidblaster\rb32xexe. Since I reactivated my firewall, this file has been trying to access the internet. I chose to block the access at all times. Since then I have uninstalled the Rapid Blaster software. Has the hidden file been deleted also as a result of the uninstallation? I used the spybot software search and destroy though I'm not sure if that would find all of the spyware on my machine. I hope you can help me in my quest to make sure that this virus has been removed from my machine. I believe that my firewall has been blocking the attacks.

Thanks for your help.


----------



## rugrat (Dec 17, 2001)

Let the Gurus here have a look, go here

http://www.lurkhere.com/~nicefiles/

and download start up list 1.51, run the program and copy and paste the results as a reply to this thread. I am sure those who know will be able to detect anything unusual.

SeeYa and Welcome to TSG!!!


----------



## ATRIRISH (Feb 9, 2003)

I was advised to remove certain objects from internet explorer that might be a problem. This is the situation: I uninstalled rapid blaster, erased the offending objects from internet explorer. This virus is still attacking my computer. My firewall is default blocking these attempts. Do I have to worry if I am still being attacked? I have been scanning for viruses but NAV has not identified any since the one file that I deleted from quarantine. Is there a chance that my computer may still have this virus? If so, how can I find out?


----------



## rugrat (Dec 17, 2001)

Same advice, post the start up list. If you do have a virus running, it can usually be spotted. You can also go here,
http://housecall.trendmicro.com/

and run an online scan. Trojans are not always picked up by virus scanners.

Also see this thread,
http://forums.techguy.org/t110854/s830ad2c72cc9d22cbf6ec1d58cd42ff0.html

The start list is still the best first step.

SeeYa

EDIT, Just found the startup in your other post,

StartupList report, 2/8/2003, 9:00:40 PM
StartupList version: 1.51
Started from : C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RapidBlaster\rb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Desksite CMA = c:\program files\desksite\bin\cma.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
iamapp = C:\Program Files\Norton Internet Security\IAMAPP.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[DoMoreRunExe.DoMoreRun]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\DoMoreRunExe.ocx
CODEBASE = file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB

[Musicnotes Viewer]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\mnviewer.dll
CODEBASE = http://www.musicnotes.com/download/mnviewer.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\System32\macromed\Shockwave 8\Download.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[IEDial Class]
InProcServer32 = C:\WINDOWS\System32\IEAccess2.dll
CODEBASE = http://fr4-download.nocreditcard.com/download/Object/ieaccess2XP.cab

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yacscom.dll
CODEBASE = http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

[RunExeActiveX.RunExe]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RunExeActiveX.ocx
CODEBASE = hcp://system/RunExeActiveX.CAB

[StartFirstControl.CheckFirst]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StartFirstControl.ocx
CODEBASE = hcp://system/StartFirstControl.CAB

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37636.7953472222

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Yahoo! Companion]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_6.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_6.cab

[AInst Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACTIVE~1.DLL
CODEBASE = http://216.129.173.30/xxxnaughty/activeinstaller.dll

--------------------------------------------------
End of report, 6,197 bytes
Report generated in 0.219 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
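
As an added example (not part of the thread, and not code from the StartupList author), here is a small triage script for a report in the format pasted above. It runs over a constructed excerpt of that report, splits it into its dashed sections, flags the two files this thread identified as unwanted (rb32.exe and IEAccess2.dll) and flags any ActiveX CODEBASE fetched from a bare IP address, as the activeinstaller.dll entry is. The excerpt and the watchlist are constructed for illustration.

```python
import re

# Constructed excerpt modelled on the StartupList 1.51 report posted above; not the full file.
SAMPLE_REPORT = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\RapidBlaster\rb32.exe

--------------------------------------------------

Autorun entries from Registry:
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

--------------------------------------------------

Enumerating Download Program Files:
[IEDial Class]
InProcServer32 = C:\WINDOWS\System32\IEAccess2.dll
CODEBASE = http://fr4-download.nocreditcard.com/download/Object/ieaccess2XP.cab
[AInst Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACTIVE~1.DLL
CODEBASE = http://216.129.173.30/xxxnaughty/activeinstaller.dll
"""

# Constructed watchlist: the file names this thread identified as unwanted (lower-cased).
WATCHLIST = {"rb32.exe", "ieaccess2.dll"}
SEPARATOR = "-" * 50
RAW_IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/", re.I)

def parse_sections(text):
    """Split the report on its dashed separators; each chunk's first line is the section title."""
    sections = {}
    for chunk in text.split(SEPARATOR):
        lines = [ln.strip() for ln in chunk.strip().splitlines() if ln.strip()]
        if lines:
            sections[lines[0].rstrip(":")] = lines[1:]
    return sections

def split_entry(line):
    """Return (value, file_name): the value of 'key = value' (or a bare path) and its last path component."""
    value = line.split("=", 1)[-1].strip().strip('"')
    tail = re.split(r"[\\/]", value)[-1].split()
    return value, (tail[0].strip('"').lower() if tail else "")

def triage(text):
    """Findings: watchlisted file names in any section, and CODEBASE URLs served from a bare IPv4 host."""
    findings = []
    for title, lines in parse_sections(text).items():
        for line in lines:
            value, name = split_entry(line)
            if name in WATCHLIST:
                findings.append(f"{title}: watchlisted file {name} -> {value}")
            match = RAW_IP_URL.match(value)
            if line.upper().startswith("CODEBASE") and match:
                findings.append(f"{title}: CODEBASE fetched from raw IP {match.group(1)} -> {value}")
    return findings
```

Vendor-signed entries such as the Symantec and QuickTime lines produce no finding; only the watchlist hits and the raw-IP CODEBASE are reported.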


----------



## ATRIRISH (Feb 9, 2003)

I posted the startup list and you will find it in the attached file. Let me know if you got it.


----------



## rugrat (Dec 17, 2001)

Just saw that, hang around, I am sure someone who is better will have a look.


----------



## $teve (Oct 9, 2001)

rapidblaster is spyware........and you have a few nasties that want removing.
go here: http://beam.to/spybotsd

download "spybot", open the program, click the online tab and download any updates....next click on "settings"/"file sets" and uncheck "system internals" and "usage tracking"
then hit "check all"....everything checked in red let spybot "fix"
there may be some that can't be removed 1st run.......spybot will tell you this. re-boot and they will be removed.

run startuplist and post another list.

good luck


----------



## ATRIRISH (Feb 9, 2003)

$teve 

Thank you for your help regarding how to use the spy bot software. I had no clue how to use it. Spybot found 11 files and fixed them for me. I had to reboot to fix 1 particular file.
I attached the new startup list. Hopefully everything will be ok now.


----------



## $teve (Oct 9, 2001)

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
any idea what this could be? i did a search and i'm not quite sure about the result. is this a shared or work computer?

the good news is rapidblaster and IEAccess(which is used to download and install a premium rate dialer usually for porn sites) are now gone.
keep spybot updated and run once per week and along with NAV and NIS you should be fine.
anything else just ask.
take care


----------



## ATRIRISH (Feb 9, 2003)

$Steve,

I just got this computer last October so I am not very computer literate. I looked up Lanovation Prismxl from the google search engine and from what I understand, this file can be downloaded with any software. I also understand that it is geared for computer networks. My pc is not on a network it is purely a pc for the home. This file cannot be opened on its own. It has to be run with a program. It opened when I ran the AOL program. I tried to delete the file but couldn't. I then used the msconfig utility to not load sys services and to not launch startup after the next re-boot. Once I did that I was able to get rid of the questionable file. Once Prismxl is in a target computer, tasks can be sent to the computer from anywhere.

I wonder if this file came from a potential hacker who was hoping to remotely control my computer. That does not seem likely but I wonder.


----------



## $teve (Oct 9, 2001)

well i'm glad you got shut of it, it didn't ring true to me.....that's why i asked if you were on a company pc....it was late last night and i didn't have time to do an extensive search, i was just uncomfortable with the info i did find on it....it sounded like a "spy in the sky" sort of BOSS v worker program.
mental note made.
good luck


----------



## ATRIRISH (Feb 9, 2003)

I am still getting attacked by the backdoor subseven trojan horse. My firewall is default blocking it so that is good. The protocol is TCP inbound with a Remote address of 62.226.11.201. Can anything be done to stop these attacks? I attached my current startup list for review.


----------



## Rollin' Rog (Dec 9, 2000)

Those alerts are par for the course using any firewall. There are folks all over the internet scanning for vulnerable systems. Your firewall hears them knocking but doesn't let them know anyone's home.

You can just ignore it, only you and your firewall are seeing those probes. The "alerts" serve only an educational purpose, letting you know what a fine and upstanding job your firewall is doing keeping those intruders out.


----------



## honch_runner (Feb 16, 2003)

Rapid Blaster somehow made its way onto my PC and man, it really screwed things up. I couldn't delete/uninstall it, or even get into my registry. I finally used spybot and then one of the on-line trojan horse scanners to fix it. The online scanner found "malware.WORM_YAHA.K". After 2 hours, I was able to successfully uninstall Rapid Blaster, then Norton found "[email protected]" on a screen saver file that someone had downloaded on the PC earlier that day. You guys pointed me in the right direction...THANKS!


----------



## $teve (Oct 9, 2001)

your (attached image)


----------



## ATRIRISH (Feb 9, 2003)

Should I change my IP address so that I don't get attacked at all? Or should I get a router? Frankly it drives me bonkers that my computer is being attacked by this Backdoor subseven virus even though my firewall is blocking it.


----------



## Rollin' Rog (Dec 9, 2000)

No, changing your IP (and your ISP would probably have to do that for you since you appear to be on cable) will not help unless you have reason to believe that it is known by a specific hacker. In any case you cannot really hide your IP.

In all likelihood, what you are seeing are simply blind probes. They don't really even see you or know you are there. Your IP exists among a block of IPs that are being systematically probed to see if there is an "answer". Your firewall prevents any answer from going out, so for all intents and purposes the probing scanner knows nothing of you. It's the same as if telephone numbers were being randomly dialed only the dialer never hears even a ring or a busy signal, but your phone knows they tried and tells you.

You have the option of ignoring or even turning off the alerts if they bother you.


----------



## ATRIRISH (Feb 9, 2003)

Will downloading and using more than one type of internet security software damage my computer? For example using Ad-Aware in conjunction with NIS, spybot, and hacker eliminator. I don't think it would but I'm not sure.


----------



## Rollin' Rog (Dec 9, 2000)

There is nothing wrong with installing both Ad-Aware and Spybot and running periodic scans. I would not have either loading and running automatically at startup however. I'm not familiar with 'hacker eliminator' so I don't know if it will present any conflicts with NIS. Probably not, but frankly most of those type programs are unnecessary if you have both a trusted firewall and antivirus program installed.


----------



## peter77 (Feb 19, 2003)

norton antivirus doesn't defend against netbus (any version). I infected my own computer, all it did was moan and groan about it but it couldn't do anything, so I just removed the server using netbus so you could try looking for server.exe and delete it in safe mode, or go to http://sub7.net and download the trojan, type localhost where the ip goes and there should be remove server in server setup.


----------



## ATRIRISH (Feb 9, 2003)

Does everything look ok with my startup list?


----------



## $teve (Oct 9, 2001)

looks fine............flush your downloaded prog files folder.....


----------



## ATRIRISH (Feb 9, 2003)

Steve,

What do you mean by Flush my download file folder? I don't know what flush means.


----------



## $teve (Oct 9, 2001)

like this.
tools/internet options/temp internet files......delete files.
or this.....

C:\windows.....
Scroll down until you find the Downloaded Program Files folder. Double-click to open this folder. 
On the menu bar (which is the toolbar with the words on it: File, Edit, etc.), choose Edit, then Select All. This will select all of the files in your temporary Internet files folder. 
On the menu bar again, choose File, then Delete. 
A dialog box will appear asking you if you are sure that you want to delete these files, and you click the Yes button. Now all of your downloaded program files have been sent to the Recycle Bin. Once you empty the Recycle Bin, you will have cleaned up a significant amount of your disk space.


----------



## taluson (Apr 19, 2003)

I got the rb32.exe from ie_plugin.exe. It was simple enough to delete. Just hit ctrl-alt-delete and stop it from running, then delete it. Other than that everyone else is right on. I got it trying to download cracks for software. Would not let you download the crack without this plugin. Saved as instead of installing once though.


----------



## kimsubong (May 15, 2003)

OK, I think I figured out an easy way to get rid of rb32.exe. First, go to its location. (C:\program files\rb32\) You can't delete it, but you can cut and paste it. I cut and pasted it to my desktop just for ease. Then reboot your computer. I think it won't start up because the file can't be found. Go and delete both the file and the folder.

This was an annoying one, and I hope this is actually a cure.


----------



## mender (Sep 5, 2003)

Hi from mender

Not sure how all this works since I'm a fairly new net surfer. 
I have recently contracted a virus that I can't seem to get rid of. What I have is: downloader.dyfica.b. I've tried several different anti virus programs and sweepers and to no avail can I get rid of this. Can you shed any light on this prob for me?????

thank you 
mender


----------



## Rollin' Rog (Dec 9, 2000)

Welcome to TSG, but please start a NEW topic for your problem, describe it as fully as you can and post a HijackThis Scanlog to go with it:

http://www.tomcoyote.org/hjt/


----------

