Computing.Net > Forums > Security and Virus > SubSeven ICQ pager won't go away


SubSeven ICQ pager won't go away


Name: Loren Hutchinson
Date: January 26, 2003 at 12:21:56 Pacific
OS: Windows ME 4.90.3000
CPU/Ram: Pentium III/512Mb
Comment:

I recently removed a version of the SubSeven trojan from my computer, but every time I boot up my firewall (BlackIce) reports an ICQ pager signal coming from my IP address. It seems that there is a remnant of the trojan left that is trying to signal others that my machine is available. I cleared all of the pertinent entries from win.ini, system.ini and the registry, and my virus software no longer reports any problems. I don't even have ICQ on my machine. Does anyone know how to prevent this pager signal?




Response Number 1
Name: Tom41
Date: January 26, 2003 at 13:26:46 Pacific
Reply:

Hi Loren, That 'pager signal' is probably a non viral server program that has been modified by the trojan author. Go here and download, unzip and run StartupList. Copy and paste the results in a reply.

StartupList



Response Number 2
Name: Loren Hutchinson
Date: January 27, 2003 at 06:53:48 Pacific
Reply:

This is a persistent little bug. I ran StartupList and it showed a file in Windows/System called tomb.exe. This was the first occurrence of the server that I had observed. I deleted it and the registry entries (also win.ini and system.ini entries), and when I rebooted, it was replaced by a file called tjev.exe. Deleted it and the registry and ini entries, rebooted and now it shows up as lmrinf.exe.

Here is the report from StartupList:
StartupList report, 1/27/2003, 8:49:09 AM
StartupList version: 1.51
Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.exe
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\SSDPSRV.exe
C:\PROGRAM FILES\ISS\BLACKICE\BLACKD.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\LMRINF.exe
C:\WINDOWS\SYSTEM\LMRINF.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\HIDSERV.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.exe
C:\WINDOWS\SYSTEM\HPSYSDRV.exe
C:\WINDOWS\DELAYRUN.exe
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.exe
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.exe
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.exe
C:\PROGRAM FILES\INTUIT\QAGENT\QAGENT.exe
C:\PROGRAM FILES\DAP\DAP.exe
C:\WINDOWS\SYSTEM\VETMSG9X.exe
C:\PROGRAM FILES\ETRUST EZ ANTIVIRUS\VETTRAY.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\ISS\BLACKICE\BLACKICE.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\DESKTOP\STARTUPLIST.exe

---------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
HPScanPatch = C:\WINDOWS\SYSTEM\HPScanFix.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
Delay = C:\WINDOWS\delayrun.exe
Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.exe
POINTER = point32.exe
QAGENT = C:\Program Files\Intuit\QAgent\QAGENT.exe
DownloadAccelerator = C:\PROGRA~1\DAP\DAP.exe /STARTUP
IgfxTray = C:\WINDOWS\SYSTEM\igfxtray.exe
HotKeysCmds = C:\WINDOWS\SYSTEM\hkcmd.exe
Vet Alert = C:\WINDOWS\System\VetMsg9x.exe
VetTray = C:\PROGRA~1\ETRUST~1\VETTRAY.exe
RunDLL25 = C:\WINDOWS\SYSTEM\lmrinf.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
LoadBlackD = "C:\PROGRAM FILES\ISS\BLACKICE\BLACKD.exe"
RunDLL25 = C:\WINDOWS\SYSTEM\lmrinf.exe

---------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 26/1/2003, 22:13:28)


---------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\;
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

---------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

---------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}
(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP4,0,2,4.DLL - {EF99BD32-C1FB-11D2-892F-0090271D4F88}

---------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job

---------------------

Enumerating Download Program Files:

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R932/V31Controls/x86/mil/en/actsetup.cab

[TSCCInstall Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TSCCINST.DLL
CODEBASE = http://www.techsmith.com/codec/tsccinst.cab

[DFRun Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IEGATOR.DLL
CODEBASE = http://webpdp.gator.com/v3/download/iegator_3124_hd3ptdm.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

---------------------
End of report, 5,689 bytes
Report generated in 0.929 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


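A report like the one above is normally read by eye; as an added example (not code from the thread, and not part of StartupList itself), here is a small Python triage script that parses a report in that layout and flags the things that stand out in Loren's: the same executable registered under both Run and RunServices, a value named like a rundll32 loader (RunDLL25) that actually launches a plain .exe, an autorun pointing at an executable sitting in the drive root, and a process that appears twice in the running-process list. The four heuristics are my own, and the shortened SAMPLE_REPORT embedded in the script is a constructed excerpt modelled on the posted report.

```python
"""Triage helper for a StartupList-style report.

Added example: the parsing and the four heuristics are mine, not StartupList's
or the thread's. SAMPLE_REPORT is a constructed excerpt modelled on the report
posted in the thread.
"""
import re
from collections import Counter

SAMPLE_REPORT = r"""
Running processes:

C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\LMRINF.exe
C:\WINDOWS\SYSTEM\LMRINF.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.exe
RunDLL25 = C:\WINDOWS\SYSTEM\lmrinf.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
RunDLL25 = C:\WINDOWS\SYSTEM\lmrinf.exe
"""


def parse_report(text):
    """Split a StartupList report into the running-process list and the
    autorun entries per registry key. Sections are separated by dashed lines.
    Returns {"processes": [path, ...], "autoruns": {regkey: [(name, command), ...]}}."""
    report = {"processes": [], "autoruns": {}}
    for section in re.split(r"(?m)^-{5,}\s*$", text):
        lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
        mode, key = None, None
        for ln in lines:
            if ln.startswith("Running processes:"):
                mode = "proc"
            elif ln.startswith("Autorun entries from Registry:"):
                mode, key = "key", None          # next line names the registry key
            elif mode == "proc":
                report["processes"].append(ln)
            elif mode == "key" and key is None:
                key = ln
                report["autoruns"].setdefault(key, [])
            elif mode == "key":
                name, sep, cmd = ln.partition(" = ")
                if sep:
                    report["autoruns"][key].append((name.strip(), cmd.strip()))
    return report


def exe_path(command):
    """Executable part of an autorun command, lower-cased. Paths in this report
    may contain spaces and are usually unquoted, so cut at the first '.exe'."""
    m = re.match(r'"?([^"]*?\.exe)"?', command, re.IGNORECASE)
    return (m.group(1) if m else command.split()[0]).lower()


def triage(report):
    """Return a list of (category, detail) findings worth a closer look."""
    findings = []
    autoruns = report["autoruns"]
    # 1. Same executable registered under both ...\Run and ...\RunServices.
    by_key = {k: {exe_path(cmd) for _, cmd in v} for k, v in autoruns.items()}
    run_keys = [k for k in by_key if k.lower().endswith("\\run")]
    svc_keys = [k for k in by_key if k.lower().endswith("\\runservices")]
    for rk in run_keys:
        for sk in svc_keys:
            for exe in sorted(by_key[rk] & by_key[sk]):
                findings.append(("run+runservices", exe))
    for key, entries in autoruns.items():
        for name, cmd in entries:
            exe = exe_path(cmd)
            base = exe.rsplit("\\", 1)[-1]
            # 2. Value named like a rundll32 loader but launching a plain .exe.
            if name.lower().startswith("rundll") and base != "rundll32.exe":
                findings.append(("rundll-name-mismatch", f"{key}\\{name} -> {cmd}"))
            # 3. Executable sitting directly in a drive root (e.g. C:\something.exe).
            if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", exe):
                findings.append(("root-dir-exe", f"{key}\\{name} -> {cmd}"))
    # 4. A process path listed more than once.
    for path, n in Counter(p.lower() for p in report["processes"]).items():
        if n > 1:
            findings.append(("duplicate-process", f"{path} x{n}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{category}] {detail}")
```

To run it over real output, read a saved report into a string and pass it to parse_report instead of SAMPLE_REPORT. The findings are prompts for a closer look rather than verdicts: Win9x legitimately lists some loaders under both keys (LoadPowerProfile appears under both Run and RunServices in the full report above), so each hit still needs a human judgement.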

Response Number 3
Name: Megan O'Leary
Date: January 27, 2003 at 08:44:34 Pacific
Reply:

Hello Loren, try this site, it's very good. Also visit their home page.

http://www.anti-trojan.net/en/download.aspxere



Response Number 4
Name: Tom41
Date: January 27, 2003 at 11:12:52 Pacific
Reply:

Hi Loren, I see this is being a persistent bugger. I can't believe your ETrust isn't picking this up.
The only thing I see loading is lmrinf.exe, which you already know about.
Go here and run an online scan and let me know what housecall lists for the virus.

Housecall

Make sure you disable your ETrust auto protect when running housecall.

Another thing that you need to disable is:
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
This is Microsoft's UPnP server. You do not need this running (basically, you have a wide open port).
The easiest way to disable it is to download and run GRC's Unplug n' Pray from here.

Unplug n' Pray




Response Number 5
Name: Loren Hutchinson
Date: January 27, 2003 at 22:55:16 Pacific
Reply:

I think it's gone! Housecall found four files identified as subseven backdoors that eTrust AV and AntiTrojan v5.5 missed. Deleting those still didn't eliminate the ICQ Pager signal, so I poked around in the Windows/System folder some more. I found several files with random letter sequences for names (djfkls.fsd, eiowwof.vnd, aoskewl.wnj, etc.). All of them were 1Kb in size and were dated as last modified since December 17, 2002. The files that were showing up in the win.ini and system.ini settings also had a 12/17 date, so I did a search of the whole computer for files with that date.

I found a file in the root directory of C: named explorer.exe dated 12/17/02 that was the same size as all of the subseven servers I was finding, 59Kb. This file was listed in the shell= line of the system.ini file. I changed that line to shell=c:\windows\explorer.exe, rebooted and deleted the file in the root directory. I then deleted all of the files in the Windows\System folder with random letter names that were 1Kb in size and dated since 12/17/02.

Everything seems to be running ok with no pager warnings. I did unload and reinstall a fresh copy of BlackIce just to make sure it wasn't tampered with. I'll do the same to eTrust AV.

Thanks for all your help. The resources you pointed me to were a big help.

Loren


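The two checks Loren did by hand in the reply above (small files in Windows\System with a recent modification date, and the shell= line in system.ini) can be scripted so they are repeatable. This is an added example, not code from the thread: both checks are mine, and the folder contents and ini text it runs against are constructed in a temporary directory so the script runs anywhere; on the affected machine you would point sweep_small_recent_files at C:\WINDOWS\SYSTEM and check_shell_line at the contents of C:\WINDOWS\system.ini.

```python
"""Added example (not from the thread): script the two manual checks from the
reply above. The demo folder, file dates and ini text are constructed here;
none of them are real artefacts from the affected machine."""
import os
import tempfile
from datetime import datetime

# Loren's cutoff: the trojan's files all carried a 17 December 2002 date.
CUTOFF = datetime(2002, 12, 17)


def sweep_small_recent_files(folder, cutoff, max_size=1024):
    """Names of regular files in `folder` that are at most `max_size` bytes
    and were last modified on or after `cutoff` (a datetime), sorted."""
    hits = []
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        modified = datetime.fromtimestamp(st.st_mtime)
        if st.st_size <= max_size and modified >= cutoff:
            hits.append(name)
    return sorted(hits)


def check_shell_line(ini_text, expected=("explorer.exe", r"c:\windows\explorer.exe")):
    """Find shell= in the [boot] section of a Win9x system.ini and return
    (value, is_expected). A bare 'Explorer.exe' or the full Windows path are
    both normal; anything else (such as a copy in the drive root) is flagged.
    Returns (None, False) when the line is absent."""
    in_boot = False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_boot = s.lower() == "[boot]"
            continue
        if in_boot and s.lower().startswith("shell="):
            value = s.split("=", 1)[1].strip()
            return value, value.lower() in expected
    return None, False


# Constructed demo data: names and dates chosen to mirror the reply above.
NORMAL_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\n"
SUSPECT_INI = "[boot]\nshell=C:\\Explorer.exe\n[386Enh]\n"

DEMO_FILES = [
    # (name, size in bytes, last-modified date)
    ("djfkls.fsd", 900, datetime(2002, 12, 20)),        # small, after cutoff -> hit
    ("aoskewl.wnj", 1024, datetime(2003, 1, 10)),       # exactly 1 KB, after cutoff -> hit
    ("old.dll", 500, datetime(2002, 11, 1)),            # small but predates cutoff -> ignored
    ("bigfile.exe", 59 * 1024, datetime(2002, 12, 17)), # right date, too large -> ignored
]


def build_demo_folder():
    """Create a temp folder holding DEMO_FILES with their sizes and mtimes set."""
    folder = tempfile.mkdtemp(prefix="sweepdemo_")
    for name, size, when in DEMO_FILES:
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        ts = when.timestamp()
        os.utime(path, (ts, ts))   # backdate both access and modification time
    return folder


if __name__ == "__main__":
    folder = build_demo_folder()
    print("small recent files:", sweep_small_recent_files(folder, CUTOFF))
    print("system.ini shell= check:", check_shell_line(SUSPECT_INI))
```

The size and date filter is deliberately loose: it lists candidates for a human to review against what is known to be installed, and the shell= check only reports the value and whether it matches one of the two normal forms, leaving the decision about what to delete to the person at the keyboard.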




Response Number 6
Name: Tom41
Date: January 28, 2003 at 01:36:38 Pacific
Reply:

Hi Loren, Glad you got it sorted out.
What you may want to do is open regedit and do a search for C:\Explorer.exe.
I don't think it was loading from the system.ini.
Your startuplist is showing the normal C:\Windows\Explorer.exe loading.
A normal system.ini entry will read:
Shell=Explorer.exe

C:\Explorer.exe may be loading from here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Be careful of what you delete. Be sure to back up the registry first.




Response Number 7
Name: Loren Hutchinson
Date: January 28, 2003 at 12:23:33 Pacific
Reply:

Thanks,

Everything checked out ok in the registry.

No pager signal now in over 5 startups.

Loren

