Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Hacking Techniques :: fix21.txt

Fixing SubSeven 2.1 - 2,1 Gold + SubStealth - 2.1.3 MUIE + 2.1 Bonus BKI:

HackFix - SubSeven - Fix v2.1 - 2.1 Gold + SubStealth - 2.1.3 MUIE + 2.1

NOTE: You should print this page for reference before starting.

Sub7 has many flavors of v2.1. Most simply have added features, however the
removal for the 2.1 family basically uses the same guidelines.

Please note that any/all filenames in this document are simply Default
names. The trojan can be configured to use Any filename, or even to
randomly pick a filename each time it infects a computer.
For this reason, you should always use the filenames provided by your
antivirus software.

While the default filename is msrexe.exe, there are many reports of the
filename mueexe.exe being found as well, for 2.1 Gold.
windos.exe is the name used by the MUIE versions, and win32.exe is used by
Also newer releases of this trojan default to pick random names.

The trojan can use 4 main methods to load itself.
Each and every trojan can be changed to use any combination of the below
methods, so your infection may use only one, or it may use all of them, or
anything in between.
You should check each location for the filename(s) reported by your
antivirus software.

  1. C:\Windows\Win.ini
     At the top, look for two lines reading:
     If you see either file above (or the file reported by your antivirus
     software) then you will want to delete the lines in question.

  2. Registry (You will need to run regedit to edit the registry.)
     Follow the paths using regedit and find:
     each containing (default key name) WinLoader = MSREXE.EXE
     Both of these should be deleted (Right click and choose Delete.)

  3. C:\Windows\System.ini
     In the System.ini file, the line containing:
     shell=explore.exe msrexe.exe
     should be changed to
     (I.e. simply removing msrexe.exe from the end of the line.)

  4. Registry (.exe filetype handler)
     The last, and most cleverly hidden method, is now known.
     Using this method, any time you run an .exe file, windows will also
     reload the trojan into memory.
     An additional side effect of this is, if you delete the trojan,
     windows will not know how to run Any .exe file.

     Below is steps to remove the trojan safely, and to repair the damage
     to windows so the system can run .exe files.

     Restart your computer in MS-DOS mode. All of the steps below will be
     carried out in DOS.

     You should be at a C:\windows\> prompt.

     Any text in Bold below means you should type it on the DOS line.
     Make sure you are at the C:\Windows\> prompt now.

        o rename windos.exe windos.___
          This is the trojan, and renaming it keeps windows from loading it
          From this point on, windows cannot run .exe files.
        o cd ..
          Simply to move back one dir into C:\
        o regedit /e file.reg hkey_classes_root\exefile\shell\open\command
          This will export the registry key that needs to be edited, and
          place it in a file.
        o edit file.reg
          Opens the file in your text editor.

          In this file, look for the line that reads:
          @="WINDOS \"%1\" %*"
          And edit so it reads: (Take out WINDOS and the space after)
          @="\"%1\" %*"

          Save the file and exit edit.
        o regedit file.reg
          This imports the edit you just made Back into the registry.
        o exit
          You will now be taken back to windows.

     Verify that you can indeed run an .exe program, without windows asking
     to find windos.
     If windows asks to find windos, you will need to attempt these
     directions again.

     Be sure to delete the c:\windows\windos.___ file once removal is


     After a reboot, you will find two files in c:\windows\, one named
     MSREXE.EXE, the other WINDOS.EXE.
     You should delete both.

     Also, new with 2.1 gold, there is a DLL left (used for key logging)
     which should be deleted as well, located in

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH