HackFix - SubSeven - Fix v2.1 - 2.1 Gold + SubStealth - 2.1.3 MUIE + 2.1 Bonus

	Introduction
	About SubSeven
	Which Version?
	AntiVirus
Fixes
	v1.0 - 1.1
	v1.3 - 1.4 - 1.5
	v1.6
	v1.7
	v1.8
	v1.9 - 1.9b
	v2.0
	v2.1 - 2.1 Gold + SubStealth - 2.1.3 Mod + 2.1.3 MUIE + 2.1 Bonus
	v2.2b1
	Feedback
	Back to Main page

NOTE: You should print this page for reference before starting.

Sub7 has many flavors of v2.1. Most simply have added features, however the removal for the 2.1 family basically uses the same guidelines.

Please note that any/all filenames in this document are simply Default names. The trojan can be configured to use Any filename, or even to randomly pick a filename each time it infects a computer.
For this reason, you should always use the filenames provided by your antivirus software.

While the default filename is msrexe.exe, there are many reports of the filename mueexe.exe being found as well, for 2.1 Gold.
windos.exe is the name used by the MUIE versions, and win32.exe is used by SubStealth.
Also newer releases of this trojan default to pick random names.

The trojan can use 4 main methods to load itself.
Each and every trojan can be changed to use any combination of the below methods, so your infection may use only one, or it may use all of them, or anything in between.
You should check each location for the filename(s) reported by your antivirus software.

C:\Windows\Win.ini
At the top, look for two lines reading:
run=msrexe.exe load=msrexe.exe
If you see either file above (or the file reported by your antivirus software) then you will want to delete the lines in question.
Registry (You will need to run regedit to edit the registry.)
Follow the paths using regedit and find:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
each containing (default key name) WinLoader = MSREXE.EXE
Both of these should be deleted (Right click and choose Delete.)
C:\Windows\System.ini
In the System.ini file, the line containing:
shell=explore.exe msrexe.exe
should be changed to
shell=explore.exe
(I.e. simply removing msrexe.exe from the end of the line.)
Registry (.exe filetype handler)
The last, and most cleverly hidden method, is now known.
Using this method, any time you run an .exe file, windows will also reload the trojan into memory.
An additional side effect of this is, if you delete the trojan, windows will not know how to run Any .exe file.

Below is steps to remove the trojan safely, and to repair the damage to windows so the system can run .exe files.

Restart your computer in MS-DOS mode. All of the steps below will be carried out in DOS.

You should be at a C:\windows\> prompt.

Any text in Bold below means you should type it on the DOS line.
Make sure you are at the C:\Windows\> prompt now.
- rename windos.exe windos.___
  This is the trojan, and renaming it keeps windows from loading it again.
  From this point on, windows cannot run .exe files.
- cd ..
  Simply to move back one dir into C:\
- regedit /e file.reg hkey_classes_root\exefile\shell\open\command
  This will export the registry key that needs to be edited, and place it in a file.
- edit file.reg
  Opens the file in your text editor.
  
  In this file, look for the line that reads:
  @="WINDOS \"%1\" %*"
  And edit so it reads: (Take out WINDOS and the space after)
  @="\"%1\" %*"
  
  Save the file and exit edit.
- regedit file.reg
  This imports the edit you just made Back into the registry.
- exit
  You will now be taken back to windows.
Verify that you can indeed run an .exe program, without windows asking to find windos.
If windows asks to find windos, you will need to attempt these directions again.

Be sure to delete the c:\windows\windos.___ file once removal is successful.

After a reboot, you will find two files in c:\windows\, one named MSREXE.EXE, the other WINDOS.EXE.
You should delete both.

Also, new with 2.1 gold, there is a DLL left (used for key logging) which should be deleted as well, located in C:\windows\system\systray.dll

Hosted by www.Geocities.ws