Of course, we all know the cruel, vicious patch that works for an evil program, Sub7. Once you hack (or get hacked by) someone, the computer's condition/friendship with the person can change. The results are usually negative, either for the hacker, or the hacked, or both.

Ok, enough bullshit, here's text on removing the Sub7 server...
New to this version is another way to load the trojan. With all options to load ON, you should use the following checklist:

Win.ini (labeled win.ini in setup/configure)
At the top, the line run=msrexe.exe should be removed. This is the only load method on by default.
Registry (labeled Run and RunServices in setup/configure)
Follow the paths using regedit and find:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Each contains (default key name) WinLoader = MSREXE.EXE. Both of these should be deleted (right click and choose Delete).
System.ini (labeled 'Less known method' in setup/configure)
In the c:\windows\System.ini file, the line containing:
shell=explore.exe msrexe.exe
should be changed to
shell=explore.exe
(I.e. simply remove msrexe.exe from the end of the line.)
Registry (labeled 'NOT known method' in setup/configure)
The last, and most cleverly hidden, method is now known. Restart your computer in MS-DOS mode. All of the steps below are carried out in DOS. You should be at a C:\windows\> prompt. Each command shown on its own line below is what you type at the DOS prompt. Make sure you are at the C:\Windows\> prompt now.
rename windos.exe windos.___
This is the trojan; renaming it keeps Windows from loading it again. From this point on, Windows cannot run .exe and .bat files.

cd ..
Simply moves back one directory into C:\.

regedit /e file.reg hkey_classes_root\exefile\shell\open\command
This exports the registry key that needs to be edited and places it in a file.

edit file.reg
Opens the file in your text editor. In this file, look for the line that reads:
@="WINDOS \"%1\" %*"
and edit it so it reads (take out WINDOS and the space after it):
@="\"%1\" %*"
Save the file and exit edit.

regedit file.reg
This imports the edit you just made back into the registry.

exit
You will now be taken back to Windows. Verify that you can indeed run an .exe program without Windows asking to find shell32. If Windows asks to find shell32, you will need to attempt these directions again.

Be sure to delete the c:\windows\windos.___ file once removal is successful. After a reboot, you will find two files in c:\windows\, one named MSREXE.EXE, the other WINDOS.EXE. You should delete both. Also, new with 2.1 gold, there is a DLL left (used for key logging) which should be deleted as well, located in C:\windows\system\systray.dll.
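As an added example that is not part of the original text, here is a Python script that checks text copies of win.ini, system.ini and a regedit /e export for the four load methods listed above and produces cleaned copies, plus a check for the leftover files. The sample inputs are constructed to look like an infected Windows 9x box, and the function names are my own; the indicators (run=msrexe.exe, the WinLoader values, the shell= line and the WINDOS prefix on the exefile open command) are the ones the text names.

```python
"""Scan and clean the Sub7 2.1 load points described above.

Added example, not from the original text. Works on text copies of
win.ini, system.ini and a 'regedit /e' export so it runs offline on
any platform; apply the cleaned output with your own tools.
"""

# Indicators named in the removal notes above.
TROJAN_EXE = "msrexe.exe"
HIJACK_PREFIX = "WINDOS "      # prepended to the exefile open command
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
LEFTOVER_FILES = ("msrexe.exe", "windos.exe", "windos.___", "systray.dll")


def clean_win_ini(text):
    """Drop the run=msrexe.exe loader line; return (findings, cleaned text)."""
    findings, out = [], []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "run" and TROJAN_EXE in value.lower():
            findings.append("win.ini: " + line.strip())
            continue  # remove the loader line entirely
        out.append(line)
    return findings, "\n".join(out) + "\n"


def clean_system_ini(text):
    """Strip msrexe.exe from the shell= line, keeping the real shell."""
    findings, out = [], []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if key.strip().lower() == "shell" and TROJAN_EXE in value.lower():
            parts = [p for p in value.split() if p.lower() != TROJAN_EXE]
            findings.append("system.ini: " + line.strip())
            line = key + sep + " ".join(parts)
        out.append(line)
    return findings, "\n".join(out) + "\n"


def clean_reg_export(text):
    """Handle the Run/RunServices loader values and the exefile hijack.

    Input is a 'regedit /e' export (REGEDIT4 format). Values under the
    Run keys that name msrexe.exe are rewritten as "name"=- (the .reg
    syntax for "delete this value on import"), and the WINDOS prefix is
    removed from the exefile open command so .exe files launch directly.
    """
    findings, out = [], []
    current_key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key in RUN_KEYS and TROJAN_EXE in line.lower():
            name = line.split("=", 1)[0]
            findings.append(current_key + ": " + line)
            line = name + "=-"
        elif current_key == EXEFILE_KEY and line.startswith('@="' + HIJACK_PREFIX):
            findings.append(current_key + ": " + line)
            line = '@="' + line[len('@="' + HIJACK_PREFIX):]
        out.append(line)
    return findings, "\n".join(out) + "\n"


def leftover_files(names):
    """Return the file names from a directory listing that still need deleting."""
    return sorted(n for n in names if n.lower() in LEFTOVER_FILES)


# Constructed sample inputs (not captured from a real machine).
SAMPLE_WIN_INI = "[windows]\nrun=msrexe.exe\nload=\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe msrexe.exe\n"
SAMPLE_REG = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"WinLoader"="MSREXE.EXE"\n\n'
    "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n"
    '@="WINDOS \\"%1\\" %*"\n'
)
SAMPLE_LISTING = ["WIN.COM", "MSREXE.EXE", "windos.___", "NOTEPAD.EXE"]

if __name__ == "__main__":
    for label, result in (("win.ini", clean_win_ini(SAMPLE_WIN_INI)),
                          ("system.ini", clean_system_ini(SAMPLE_SYSTEM_INI)),
                          ("registry", clean_reg_export(SAMPLE_REG))):
        findings, cleaned = result
        print(label, "findings:", findings)
        print(cleaned)
    print("files to delete:", leftover_files(SAMPLE_LISTING))
```

The registry cleaning deliberately mirrors the text's own approach (export, edit, re-import) instead of touching a live registry: feed the cleaned export back through regedit and you get the same result as the manual edit, with the Run/RunServices deletions included.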