Tech Support Forum banner
Status
Not open for further replies.
1 - 5 of 5 Posts

·
Registered
Joined
·
1 Posts
Discussion Starter · #1 ·
someone on aol instant messenger sent me the a link and some time after clicking on it norton security came up and said there was a backdoor subseven trojan on my computer. is there a way someone can tell me without harming their computer?
this is the link: http://205.180.85.40/w/pc.cgi?mid=12844&sid=3564

i have no idea where it installed and i did read instructions at mcafee's site on how to remove it here but they were very confusing
this is mcafee's site: http://vil.nai.com/VIL/content/v_10566.htm

also i ran norton antivirus and 2 other trojan scan/removal programs and they didn't detect anything.
i, of course, chose the option to block the trojan..
but throughout the night i got messages from norton security
saying high risk, inbound applications were trying to access my computer. i blocked those, but i still would like to remove it but have no idea how.
 

·
Registered
Joined
·
1,691 Posts
The link you have above is clean. The method of infection must have been somthing else, normaly one cannot be infected by visiting a weblink, unless you agree download whatever its offering...

As far as removal as long as you used McAfee's "clean" option when it first poped up its should be gone. Which would be why no other programs would detect it. If you want to make absolutely (s/p?) sure use TDS.

http://tds.diamondcs.com.au/

if it that program does not find it, its not there. ;)
 

·
Global Moderator
Joined
·
51,325 Posts
As far as removal as long as you used McAfee's "clean" option when it first poped up its should be gone.
Since he said he had Norton AV, that might be difficult for him. :)
 

·
Premium Member
Joined
·
1,611 Posts
hey fonzbear , whats goin on?
hopefully following explanation might clear things up for ya..

subseven is a trojan that comes in two parts. Server and a remote. Server is the part that is sent to unfortunate victim via email or lets say ICQ. Once the victim opens up fake email or downloads fake file, server.exe is installed and the person on the other side can use remote to connect to server and manipulate victims machine. Third part of the trojan, EditServer.exe is used to setup server.exe before its sent out.

Here are some files to look for on an infected machine :

server.exe
rundll1.exe
systray.dl
Task_bar.exe
FAVPNMCFEE.dll
MVOKH_32.dll
nodll.exe
watching.dll

Now I think what happened to you is that norton on your machine removed Server.exe, otherwords, cleaned up your PC of the server part. When norton is saying that high risk inbound apps are trying to access your machine, its probably that same person trying to connect to the server they sent you....
Any of this makes sense ? Dont be afraid to ask...

hope this helps... :D
 
1 - 5 of 5 Posts
Status
Not open for further replies.
Top