
Thread: anyone here have sub7?

  1. #31
    Junior Member
    Join Date
    Oct 2001
    Posts
    5

    Post Ryan, read this..............

    If you want the trojans deleted automatically......... use one of these:

    MooSoft's THE CLEANER (YES, IT WORX, I HAVE IT, IT'S THE BEST AT DETECTING THOUSANDS OF DIFFERENT VARIANTS).

    Norton AntiVirus 2002

    Trojan Defence Suite (T.D.S.x)

    The author's alias is MobMan -of B.U.G. Mafia. One of his email addresses is Subseven@Flashmail.com

    BTW, DON'T EMAIL HIM ! Not only will you not get back a reply but you'll just waste your time and probably piss him off. He is working on 2 new versions of Sub7 including the soon to be released 2.3.

    Hey Ryan, after you read HOW TO MANUALLY REMOVE A TROJAN , (listed below), why don't you just use the trojan's client/remote to connect to your computer and just delete it ? If the server is pw protected run Sub7crack on it or use RatCracker. If those don't work, run Sub7Sniper or try and bruteforce it with something else. You might be able to just hit "enter" if the trojan installed on your computer is M.U.I.E............ or was it BONUS ? Yes, I've tried the Universal Master password and it doesn't work for any of the versions in the 2's......... The pass goes like 1980xxxxxxxxxx blah blah blah. Doesn't work, trust me. Anyways, here's a re-post that you obviously need to read ==>

    HOW TO MANUALLY REMOVE A TROJAN

    I actually think that the easiest way, (at least for me), is to manually detect and erase the trojan from your system. Over the years I have been infected numerous times and have always manually removed them. If you want to give it a try ----- do this:

    goto: "RUN" => type "DOSPRMPT" => @ the cmd line type "NETSTAT -a"

    Below it will list all of the ports that your computer is using to try and establish a connection remotely. If you are offline when you run this cmd, ignore the nb ports like 137 and 138 and only look for other open ports like :3000, 27374, 1243, 666, 5782, etc........... These ports will be in the "Listening" state as they are listening for a connection from the client remotely via the net. Running the "NETSTAT -a" cmd online may confuse you as you will see a lot of crap that looks like this:

    Proto Local Address Foreign Address State
    TCP default:26886 DEFAULT:0 LISTENING
    TCP default:1296 DEFAULT:0 LISTENING
    TCP default:1475 DEFAULT:0 LISTENING
    TCP default:1481 DEFAULT:0 LISTENING
    TCP default:1482 DEFAULT:0 LISTENING
    TCP default:1227 DEFAULT:0 LISTENING
    TCP default:1228 DEFAULT:0 LISTENING
    TCP default:1484 DEFAULT:0 LISTENING
    TCP default:1521 DEFAULT:0 LISTENING
    TCP default:1296 205.188.8.134:5190 ESTABLISHED
    TCP default:nbsession DEFAULT:0 LISTENING
    TCP default:1475 antionline.com:80 ESTABLISHED
    TCP default:1481 ads.antionline.com:80 CLOSE_WAIT
    TCP default:1482 ads.antionline.com:80 CLOSE_WAIT
    TCP default:1227 www.google.com:80 CLOSE_WAIT
    TCP default:1228 www.google.com:80 CLOSE_WAIT
    TCP default:1484 65.114.157.132:80 CLOSE_WAIT
    TCP default:1521 166.90.140.11:80 SYN_SENT
    UDP default:nbname *:*
    UDP default:nbdatagram *:*
    UDP default:1285 *:*
    UDP default:1210 *:*

    If someone has made a connection to the server (trojan) in your system, the state will read "established" with all of its appropriate info. If you would like to see who is in your system just find the port from which you believe he is connected to you on, make sure the connection reads "established", and look at the "foreign address" that corresponds to it. From there you can run a "tracert", "net view", dns, whois, or whatever you think you will need to catch the person --- and/or report him/her if necessary. I wouldn't advise getting online though until you are positive that you have NO trojan(s) in your system. If you're suspicious after running the Netstat -a cmd, do this..............

    goto: "RUN" => type "MSCONFIG"=> then browse your WIN.INI, SYSTEM.INI, STARTUP, and the AUTOEXEC.BAT tabs, if you have one. Under the System.INI tab, look under "boot" and look for any weird .exe, .dl, .scr, .com, or .bat files that are listed ----- DON'T MESS WITH EXPLORER.EXE, USER.EXE, OR GDI.EXE ! These are system files, core Windows components. If you see something like this => shell=Explorer.exe "server.exe" then the trojan or server has added itself alongside explorer to startup with it. For Explorer.exe, GDI.exe, and User.exe, THERE SHOULD BE NO SECONDARY FILES BEING LISTED TO THE RIGHT OF THEM. Next is your WIN.ini tab. Simply check the Windows folder and see whether or not anything suspicious is under the load= or run= cmd's. Again, look for double entries --- e.g.: explorer.exe "trojan.exe". Lastly is your STARTUP tab. Look for anything suspicious that is starting up as well as look again for double entries............. however, don't get them confused with parameters and/or switches like /autorun, SYSTEMBOOTHIDEPLAYER, or -r (read-only) -s (system) attributes. You can uncheck all of the startup boxes and your computer will still boot fine........ and of course most likely re-check the files that windows needed to force load -- meaning that mainly ScanRegistry, LoadPowerProfile, taskmonitor, etc......... should be alright. However, beware of the system tray file systray.exe as many trojans have been renamed and ran with this name. Check file sizes of the "suspicious" and when they were last accessed, created, and/or modified. Check the HKEY's under the registry editor for entries that the trojan could have made............ RUN=> "REGEDIT". Lastly, goto: RUN=> "MSINFO32"=> once loaded, go to SOFTWARE ENVIRONMENT and then to RUNNING TASKS. Under Running Tasks it will show you all of the programs that are currently being run by your system.
    Be very suspicious of files that are running with NO manufacturer listing, NO description, NO type, and NO Part of listing. It may or may not have the Version listing. In other words, reading from left to right, look for a lot of blank spaces and gaps in the information on a particular file or file(s) that is/are running. Blank spaces are easy to spot as many of these files are ms files and have all the necessary information. If you are using Win 95 or Win 98, you would get the fields that I listed. If you are using Win ME, look for a blank version or weird filename that is running and investigate it. Never used XP, but if you are, simply close the process through ctrl-alt-delete and you can go from there. You can't manually delete a trojan if it is running in your system. The goal is to stop it from running and then delete it. If you found the trojan and all that you need to do is manually delete it, goto: SHUTDOWN then "Restart in Dos Mode" for 98 users. For WIN ME users, hold ctrl, F8, or F6 to get into the boot prompt that allows you to go to the command prompt. Once you're at the command prompt in DOS, change to the file's directory and delete it. E.g.: C:\> "cd C:\Windows" --or whatever directory it is in. Then, once in the directory, type "dir /p" and look at all the files. Try to pick out the file from the list. The name might look like this "Trojan~1.exe" or something similar because of DOS's 8.3 format. Most likely though, the name of the trojan won't exceed 8 characters. If it does, expect the above name listing format. After you've found the file, type "erase trojan.exe". If done correctly the path at which you are currently at will repeat under the default path. If it says that the file is in use by WIN or the system and can't be deleted.......... try this ------> attrib -r -s -h C:\Windows\"trojan.exe". This ensures that now the file can be deleted. Simply just do an erase trojan.exe and it is gone permanently.
    Type WIN to go back to windows and check the NETSTAT -a listing again in the DOS Prompt. If you want to try and connect yourself to the suspected trojan, look at the "listening" ports from the Netstat -a listing and apply them to TELNET. E.g.:

    WHILE YOU'RE OFFLINE=>

    Proto Local Address Foreign Address State
    TCP default:26886 DEFAULT:0 LISTENING

    Port 26886 on your computer is listening for a connection. Goto: RUN=>TELNET=> goto the Connect tab and then to the REMOTE SYSTEM option. Under HOST NAME, type either LOCALHOST or 127.0.0.1 and under the PORT header type in the suspected port 26886. Hit Connect and if a connection is made, the trojan will read off information in your telnet window upon connection.............. e.g.: "Sub7 2.1.4 M.U.I.E. connected. Date"/blah blah blah. If you get this, goto disconnect and you've found your trojan........... now all that you need to do is match it with its filename as mentioned earlier in this article from checking the msconfig utility and the msinfo32 utility. If you connect to it and after a few seconds you get text that reads "PWD", a trojan is in your system and it is password protected ---set by the person that infected you so that no one else could connect to you or have access to your computer without knowing the password. If you get this, you can still delete it from DOS after you've found the trojan's filename, no sweat. Be aware that some trojans, such as SubSeven 2.2, only run when a connection to the internet is detected ------ which is really clever since running NETSTAT -a offline won't show you anything. Run the Netstat -a cmd online and again, look for "Listening" ports. Try ALL of the listening ports and if you see anything suspicious through telnet, you've found your trojan. All of this may sound quite confusing and/or out of order but this is how to do it, manually. Practice this once or twice and you'll never need trojan cleaners to do your work for you ! If you feel confident enough, infect yourself with a trojan that you yourself pwd protected and try and remove it manually offline. Keep repeating this under different circumstances like "LittleKnown", "NOTKNOWN", "REGRUNSERVICES", "MACHINERUNSERVICES" under EditServer if you're testing with SubSeven.
Remember, if you can't delete it manually or just don't want to keep trying you can always just connect to yourself through Sub7's client (remote) and goto: "Server Options" and remove the server from there.

    Some trojans, such as the ICQ Trojan, startup from the programs that they are named after. The AOL Trojan does this also. They use the load programs option upon connection to the internet through that particular program. ICQ is known the most for this as some trojans you will find in loading under the load with ICQ options. You may also want to go ahead and check AOL or ICQ if you use these particular services. And lastly, some trojans will use winstart.bat, config.sys, and even mess around with your filetypes and their registered extensions under the Folder Options - "File Types" tab. Some of them will set themselves (the trojan) to be used as the default program or resource to open executable files such as explorer.exe. Go to the file types area and check to make sure that no trojan has made itself the clone of explorer.exe when it comes to opening executable filetypes. The executable file types should only say "Executable" next to them and not "Opens with: tkswzquidsf.exe". Deleting the trojan manually could mess up your filesystem this way so I would recommend using a cleaner for this one........... especially if you're using Win ME ! It should be safe to do through Win 98 though as you can always revert back to the default executable file launcher -- explorer.exe.
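
The NETSTAT and MSCONFIG checks described in post #31, as an added example that is not part of the original thread: it sorts `netstat -a` rows into listeners on the ports the post names, other listeners, and established connections, and flags `shell=`, `load=` and `run=` entries that carry an extra program. The function names and both sample inputs are constructed for illustration; the port list is the one given in the post.

```python
import re

# Ports post #31 names as examples to look for in the LISTENING state.
PORTS_NAMED_IN_POST = {3000, 27374, 1243, 666, 5782}
# NetBIOS entries the post says to ignore (137/138 and their service names).
NETBIOS = {"137", "138", "nbname", "nbdatagram", "nbsession"}

def triage_netstat(text):
    """Split `netstat -a` TCP rows into (flagged, other_listeners, established)."""
    flagged, others, established = [], [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].upper() != "TCP":
            continue  # header, blank lines, UDP rows (no state column)
        local_port = parts[1].rsplit(":", 1)[-1]
        foreign, state = parts[2], parts[3].upper()
        if state == "LISTENING" and local_port.lower() not in NETBIOS:
            if local_port.isdigit() and int(local_port) in PORTS_NAMED_IN_POST:
                flagged.append(int(local_port))
            else:
                others.append(local_port)  # still worth reviewing by hand
        elif state == "ESTABLISHED":
            established.append((local_port, foreign))
    return flagged, others, established

def extra_startup_entries(ini_text):
    """Find shell= values with anything beside Explorer.exe, and non-empty load=/run=."""
    findings = []
    for line in ini_text.splitlines():
        m = re.match(r"\s*(shell|load|run)\s*=\s*(.*)", line, re.IGNORECASE)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "shell":
            value = re.sub(r"^explorer\.exe\b", "", value, flags=re.IGNORECASE).strip()
        if value:
            findings.append((key, value))
    return findings

# Constructed sample input, modelled on the listing format shown in the post.
SAMPLE_NETSTAT = """\
Proto Local Address Foreign Address State
TCP default:26886 DEFAULT:0 LISTENING
TCP default:27374 DEFAULT:0 LISTENING
TCP default:1296 192.0.2.10:5190 ESTABLISHED
TCP default:nbsession DEFAULT:0 LISTENING
UDP default:nbname *:*
"""
# Constructed SYSTEM.INI [boot] and WIN.INI [windows] lines in one string.
SAMPLE_INI = "[boot]\nshell=Explorer.exe server.exe\n[windows]\nload=\nrun=\n"

if __name__ == "__main__":
    print(triage_netstat(SAMPLE_NETSTAT))
    print(extra_startup_entries(SAMPLE_INI))
```

A listener that is not on the named list still lands in the second group, since the post's own example (port 26886) is checked by hand rather than by port number.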

  2. #32
    it is gone. thanks anyways. also valhallin, did you read the original post? I think you will find what I am talking about. there is no way of scanning something before you download it. yes maybe you can scan a setup file but obviously I didn't (yes, maybe I was stupid not to). people make mistakes, nobody's perfect. this is what I hate about antionline, some are nice (willing to help) and some are total dicks that just want to cause trouble. if you want to cause trouble, make your own forum and say whatever you want there.

  3. #33
    Senior Member
    Join Date
    May 2002
    Posts
    135
    y dont u go to black codes they have stuff on it cuz i was just searching and i found like a whole bunch of stuff that might help ya , or u can be super stupid and do what i did which is system restore HAHA! i learned my lesson

  4. #34
    this is what I hate about antionline, some are nice (willing to help) and some are total dicks that just want to cause trouble. if you want to cause trouble, make your own forum and say whatever you want there.
    well obviously you haven't read my other like 700 posts
    I don't start trouble - hence the greenies for helping peps....its just that when someone has been given help over & over & over again and they either
    1. don't listen
    2. choose to ignore it
    3. think they know better
    4. are too dumb to know what the advice means and in such cases shouldn't be allowed near a calculator never mind a computer


    right well that's my lil rant finished - please next time read the posts & then read them again - then try it for yourself & read them again and then give it another go & maybe read them some more...have a look on google as well - then read the posts again....try it again for yourself & have another look on google then have a final look on google - try it again for yourself....& if none of that works give your computer to the local charity shop!! Just don't bother AO again with your dumbass questions that have been answered over and over again and only serve to eat up server space and bandwidth

    now have a nice day

    v_Ln

  5. #35
    Banned
    Join Date
    Mar 2002
    Posts
    594
    Hey Ryan... you're a dumbass... "total dicks that want to cause trouble"... you're the dumbass that won't listen to twenty people telling you how to solve your problem and then you try to push it off on valhallen who is just trying to help you, one word for you: DUMBASS!

  6. #36
    Junior Member
    Join Date
    Apr 2002
    Posts
    28

    Thumbs up

    nice post btw BLitzKrieG0187

  7. #37
    I wouldn't have been so harsh if he hadn't have started the post off "you must be stupid" and stuff like "dumbass". That kind of stuff causes trouble. There you go again! jaguar291 trying to cause trouble. you won't get replies (like the ones on this thread) from me and I am sure other people if you don't say stuff like that. as a matter of fact, I am sorry valhallen for these replies. its just that when people say that **** it gets me mad. If you don't like the thread, ignore it rather than criticizing (and this does not only go for valhallen). works for me. when you criticize and give remarks it makes me mad which makes me post a bad remark then you post back and everyone else does then it repeats. I hope you all UNDERSTAND my meaning and as I posted in my last reply that the problem is under control. thank you

  8. #38
    I wouldn't have been so harsh if he hadn't have started the post off "you must be stupid" and stuff like "dumbass".
    Ok so my opening post wasn't the most flattering towards you - so sue me!

    That kind of stuff causes trouble
    No not listening to the advice given & then hurling insults at peps who are trying to help you causes trouble...

    you won't get replies (like the ones on this thread) from me
    right so what exactly do you call the posts you're making in REPLY to the other posts?

    its just that when people say that **** it gets me mad
    It's just when people don't listen it gets me mad

    If you don't like the thread, ignore it rather than criticizing (and this does not only go for valhallen). works for me. when you criticize and give remarks it makes me mad which makes me post a bad remark then you post back and everyone else does then it repeats
    And yet you just keep on posting
    /me thinks Ryan is a lil bit of a glutton for punishment

    I hope you all UNDERSTAND my meaning and as I posted in my last reply that the problem is under control. thank you
    Glad to hear it's under control but I would like you to understand that the people replying to your questions are in NO WAY getting paid to do so - they are giving of their own free time to help you out of the goodness of their heart!! The least you can do is heed their advice & read the posts making sure that you understand them....if you don't PM the person and ask for clarification....don't keep reposting a question that's been answered time & time again!
    And no Ryan thank you

    v_Ln

  9. #39
    "No not listening to the advice given & then hurling insults at peps who are trying to help you causes trouble..." hey like I said if you don't like it don't reply even if there is trouble started. its when you keep posting negative replies then the trouble gets deeper (or starts). I have tried to stop this conflict several times now but unfortunately some stubborn people won't stop posting their spam. Like I have said before the problem is under control, no need to worry and thank you to the people who donated help. I am stopping my replies to this post.

  10. #40
    Senior Member
    Join Date
    Apr 2002
    Posts
    380
    waaaaaaaaaah why don't you get over it and appreciate the site? Who cares who is starting trouble or not on a damn forum?
    Scorp666, the Infamous Orgasmatron
