SubSeven Virus

SubSeven Virus Essay, Research Paper

How do I remove SubSeven?

Removing SubSeven is a two-step procedure, because you have to shut the trojan down and then delete it.

Firstly, boot into MS-DOS mode. Do this by shutting down your computer and starting it up again. While it’s loading, press F8 multiple times until you get a text-based list. This will have an option called "Command prompt only". This is MS-DOS, so move the highlighter onto that and press Enter. This will load DOS and you will be prompted with C:\>. You are now in DOS mode.

Now that you’re in DOS, type cd windows. This will take you into the Windows directory. Now you must delete some files. You can do this by typing the following commands exactly as they appear below:

    del SysTra~1.Exe
    del nodll.exe
    del systray.exe
    del kernel16.dl
    del kerne132.dl
    del rundll16.exe
    del nodll.exe

Note: Some files will give the error "File not Found".

Once you have done that, type exit. This will take you back to Windows. Now when you run Windows, you may find errors saying some file is not found. This is because the trojan is designed to run every time you start Windows, but you deleted the trojan, so it can’t run anymore.

It’s now time to remove the parts added onto your computer which make the trojan start every time you boot. Click on the Start menu, and then click on Run. In Run, type in regedit. Now regedit, the Windows Registry Editor, should open. This is the heart of your computer, so don’t delete anything you don’t need to delete.

When regedit starts, you will see a file-like tree on the left-hand panel. Expand the folders to follow the path:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

At the end, click on ‘Run’ once, and the right-hand panel should change. Look on the right of the regedit box for the following:

    SystemTrayIcon = "C:\WINDOWS\SysTrayIcon.Exe"
    SystemTray = "SysTray.Exe"
    Kernel16 = "kernel16.dl"
    RegistryScan = "rundll16.exe"

If you have one of these, click on it once with the left mouse button, then right-click on it. When the menu appears, click on Delete. The entry will then disappear from regedit. After you’ve done this, close regedit and reboot your computer.

Note: Some versions of SubSeven won’t add anything to the registry, so if you don’t see any of the lines above, just proceed to the next step.

Now it’s time to check the Win.ini file. This file is loaded at every boot, and some versions of SubSeven add a line to it. Go to the Start menu, Programs, click on Accessories and then click on Notepad. Notepad is a text editor and will help you to edit Win.ini. Now that you are in Notepad, click on File. A dialogue box will appear, then click Open. In the Open window, navigate into the Windows directory, click on Win.ini and click Open (c:\windows\win.ini). Win.ini should open. At the top of it should be the SubSeven line, so if you see the following, delete it:

    run=nodll

Click on File again and go to Save.

Next, click on File and Open again and select the file System.ini. This is only in one version of SubSeven, so if the following isn’t there, don’t worry. There should be a line in System.ini saying "shell=explorer.exe". This is okay, but if it says "shell=explorer.exe -trojan_name_here-.exe", delete the bit saying "-trojan_name_here-.exe" so the line will end up as "shell=explorer.exe". Save the file from the File menu.

Note: The "-trojan_name_here-.exe" could be any file name.

Now you have successfully removed SubSeven, but before you’re finished, reboot your machine. Congratulations – you are no longer infected.
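
An added example, not part of the original essay: a Python check that reads copies of Win.ini, System.ini and the values of the Run key, and reports the three startup entries described above. The function names, the sample data and the [windows] and [boot] section names (the standard Windows 9x locations of run= and shell=) are assumptions of this example.

```python
import re

# File names from the page's del list and Run-key data, lower-cased.
# Several imitate legitimate Windows names, so a hit is a lead to review.
PAGE_FILES = {"systra~1.exe", "systrayicon.exe", "systray.exe", "nodll.exe",
              "kernel16.dl", "kerne132.dl", "rundll16.exe"}

def ini_value(text, section, key):
    """Return the value of `key` inside [section] of INI text, or None."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line and not line.startswith(";"):
            name, value = line.split("=", 1)
            if name.strip().lower() == key:
                return value.strip()
    return None

def audit(win_ini, system_ini, run_key):
    """Return (location, entry) findings for the three autostart points."""
    findings = []
    run = ini_value(win_ini, "windows", "run")
    if run:  # the page's example is run=nodll; any program here needs review
        findings.append(("win.ini run=", run))
    tokens = (ini_value(system_ini, "boot", "shell") or "").split()
    if tokens and tokens[0].lower() != "explorer.exe":
        findings.append(("system.ini shell=", " ".join(tokens)))
    elif len(tokens) > 1:  # extra program appended after explorer.exe
        findings.append(("system.ini shell=", " ".join(tokens[1:])))
    for name, data in run_key.items():
        base = re.split(r"[\\/]", data.strip('"'))[-1].lower()
        if base in PAGE_FILES:
            findings.append(("Run key", name))
    return findings

# Constructed sample input (not taken from a real machine).
WIN_INI = "[windows]\nload=\nrun=nodll\n"
SYSTEM_INI = "[boot]\nshell=explorer.exe example_name.exe\n"
RUN_KEY = {"ExampleApp": r"C:\Program Files\Example\app.exe",
           "Kernel16": "kernel16.dl",
           "SystemTrayIcon": r"C:\WINDOWS\SysTrayIcon.Exe"}

if __name__ == "__main__":
    for location, entry in audit(WIN_INI, SYSTEM_INI, RUN_KEY):
        print(f"{location}: {entry}")
```

Running the same check again after the cleanup should return no findings; anything still reported is an entry that was missed.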
