Better a bottle in front of me than a frontal lobotomy.
HackFix - SubSeven - Fix v2.1 - 2.1 Gold + SubStealth - 2.1.3 MUIE + 2.1
Bonus
NOTE: You should print this page for reference before starting.
Sub7 has many flavors of v2.1. Most simply have added features, however the
removal for the 2.1 family basically uses the same guidelines.
Please note that any/all filenames in this document are simply Default
names. The trojan can be configured to use Any filename, or even to
randomly pick a filename each time it infects a computer.
For this reason, you should always use the filenames provided by your
antivirus software.
While the default filename is msrexe.exe, there are many reports of the
filename mueexe.exe being found as well, for 2.1 Gold.
windos.exe is the name used by the MUIE versions, and win32.exe is used by
SubStealth.
Also newer releases of this trojan default to pick random names.
The trojan can use 4 main methods to load itself.
Each and every trojan can be changed to use any combination of the below
methods, so your infection may use only one, or it may use all of them, or
anything in between.
You should check each location for the filename(s) reported by your
antivirus software.
1. C:\Windows\Win.ini
At the top, look for two lines reading:
run=msrexe.exe
load=msrexe.exe
If you see either file above (or the file reported by your antivirus
software) then you will want to delete the lines in question.
2. Registry (You will need to run regedit to edit the registry.)
Follow the paths using regedit and find:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
each containing (default key name) WinLoader = MSREXE.EXE
Both of these should be deleted (Right click and choose Delete.)
3. C:\Windows\System.ini
In the System.ini file, the line containing:
shell=explore.exe msrexe.exe
should be changed to
shell=explore.exe
(I.e. simply removing msrexe.exe from the end of the line.)
4. Registry (.exe filetype handler)
The last, and most cleverly hidden method, is now known.
Using this method, any time you run an .exe file, windows will also
reload the trojan into memory.
An additional side effect of this is, if you delete the trojan,
windows will not know how to run Any .exe file.
Below is steps to remove the trojan safely, and to repair the damage
to windows so the system can run .exe files.
Restart your computer in MS-DOS mode. All of the steps below will be
carried out in DOS.
You should be at a C:\windows\> prompt.
Any text in Bold below means you should type it on the DOS line.
Make sure you are at the C:\Windows\> prompt now.
o rename windos.exe windos.___
This is the trojan, and renaming it keeps windows from loading it
again.
From this point on, windows cannot run .exe files.
o cd ..
Simply to move back one dir into C:\
o regedit /e file.reg hkey_classes_root\exefile\shell\open\command
This will export the registry key that needs to be edited, and
place it in a file.
o edit file.reg
Opens the file in your text editor.
In this file, look for the line that reads:
@="WINDOS \"%1\" %*"
And edit so it reads: (Take out WINDOS and the space after)
@="\"%1\" %*"
Save the file and exit edit.
o regedit file.reg
This imports the edit you just made Back into the registry.
o exit
You will now be taken back to windows.
Verify that you can indeed run an .exe program, without windows asking
to find windos.
If windows asks to find windos, you will need to attempt these
directions again.
Be sure to delete the c:\windows\windos.___ file once removal is
successful.
----------------------------------------------------------------------
After a reboot, you will find two files in c:\windows\, one named
MSREXE.EXE, the other WINDOS.EXE.
You should delete both.
Also, new with 2.1 gold, there is a DLL left (used for key logging)
which should be deleted as well, located in
C:\windows\system\systray.dll
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2013 AOH
