Hello,
From Symantec's Website
http://www.symantec.com/avcenter/venc/data/backdoor.subseven.html
1. Start the Registry Editor, if necessary:
   - If you performed the procedures in the previous section, then the Registry Editor is already open. Skip to step 4.
   - If it was not necessary to perform the procedures in the previous section, then proceed to step 2.
2. Click Start, and then click Run. (The Run dialog box appears.)
3. Type regedit, and then click OK. (The Registry Editor opens.)
4. Navigate to and open the following key:
   HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
   CAUTION: Do not inadvertently modify the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe subkey. Changes made to that key can prevent the .exe files (program files) from running. Be sure to navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command subkey, as shown in the following figure.
5. Double-click the (Default) value in the right pane.
6. Delete the current value data, and then type: "%1" %*
   (quote-percent-one-quote-space-percent-asterisk.)
   NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"
   Make sure that you completely delete all the value data in the command key prior to typing the correct data. If you accidentally leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this happens to you, then start over at the beginning of this document, making sure to completely remove the current value data.
7. Navigate to and select the following key:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
8. In the right pane, look under the Name column and delete any of the following values if you see them:
   WINLOADER
   Win32nt
   Win32.Bin
   WinCrypt
   WinProtect
   Win
   xTnow
   Ayespie
   PowerSaveMonitor
   rundll32
   winsys32.exe
   sys32.exe
   NOTE: Other values may appear, which are not on this list. Deleting the values from this location does not prevent the programs from running; it only prevents them from automatically starting when Windows starts.
9. Navigate to and select the following key:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
10. In the right pane, look under the Name column and delete any of the following values if you see them:
   WINLOADER
   Win32nt
   Win32.Bin
   WinProtect
   Win
   xTnow
   Ayespie
   PowerSaveMonitor
   rundll32
   NOTE: Other values may appear, which are not on this list. Deleting the values from this location does not prevent the programs from running; it only prevents them from automatically starting when Windows starts.
11. Exit the Registry Editor.
Editing Windows startup files
This is only necessary if your operating system is Windows 95/98/Me.
NOTE For Windows Me users only: Due to the file-protection process in
Windows Me, a backup copy of the file that you are about to edit exists in
the C:\Windows\Recent folder. We recommend that you delete this file before
continuing with the steps in this section. To do this using Windows
Explorer, go to C:\Windows\Recent, and in the right pane delete the Win.ini
file. It will be regenerated as a copy of the file that you are about to
edit when you save your changes to that file.
1. Click Start, and then click Run.
2. Type the following, and then click OK.
   edit c:\windows\win.ini
   (The MS-DOS Editor opens.)
   NOTE: If Windows is installed in a different location, make the appropriate path substitution.
   CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. The Trojan adds lines, such as load=c:\windows\temp\pkg2350.exe or run=hpfsched <blank spaces> msrexe.exe. (In this example, hpfsched is a legitimate program, but msrexe.exe is part of the Trojan). It may also modify the shell= statement, for example, to shell=explorer.exe pwrsvm.exe.
   If you are sure that the text contained in these lines is for programs that you normally use, then we suggest that you do not remove the lines. If you are not sure, but the text does not refer to the file names shown, then you can prevent the lines from loading by placing a semicolon in the first character position of the line.
   For example:
   ; run=accounts.exe
3. Locate the load= line within the [windows] section of the Win.ini file; it is usually located near the top of the file.
4. Position the cursor immediately to the right of the equal (=) sign.
5. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
6. Repeat steps 4 and 5 for the run= line, which is usually beneath the load= line.
7. Close the Win.ini window, and click Yes when you are prompted to save the changes.
8. Locate the shell=explorer.exe line within the [boot] section of the System.ini file; it is usually located near the top of the file.
9. Position the cursor immediately to the right of explorer.exe.
10. Press Shift+End to select all of the text to the right of explorer.exe, and then press Delete.
11. Close the System.ini window, and click Yes when you are prompted to save the changes.
   NOTE: Some computers may have an entry other than explorer.exe after shell=. If this is the case and you are running an alternate Windows shell, then change this line to shell=explorer.exe for now. You can change it back to your alternate shell after you have finished this procedure.
12. Click File and then click Exit. Click Yes when prompted to save the changes.
13. Click Start, point to Settings, and then click Control Panel.
14. Double-click the Display icon.
15. Click the Screen Saver tab, and then change the currently selected screen saver. If it is set to (None), then select any of the available screen savers. The important thing is that you make a change to the current setting.
16. Click OK, and then close the Control Panel.
This completes the removal part of the process. Even if you did so
previously, start Norton AntiVirus and run a full system scan. Delete any
files found to be infected with Backdoor.Subseven. When finished, restart
the computer.
Removal instructions for older versions of Backdoor.SubSeven
CAUTION: Follow these instructions only if the instructions in the previous
sections did not remove the Trojan.
To remove this Trojan, you need to do the following:
Restart the computer in Safe mode.
Remove the following registry key that the Trojan placed there:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemTrayIcon
Restart in MS-DOS mode, and then delete the \Windows\Systemtrayicon.exe
file.
Restart Windows, and then rename the Watching.dll file.
The details on each of these steps follow:
Restarting the computer in Safe mode
Before you edit the registry, you need to restart Windows in Safe mode.
This can take several minutes.
NOTE: In Safe mode, Windows uses default settings: VGA monitor, no network,
Microsoft mouse driver, and the minimum device drivers required to start
Windows. You will not have access to CD-ROM drives, printers, or other
devices.
Windows 95:
Exit all the programs.
Click Start, and then click Shut Down. The Shut Down Windows dialog box
appears.
Click Shut Down, and then click OK.
Click Yes to confirm the shut down.
Turn off the computer (if necessary) and wait 30 seconds.
NOTE: You must turn off the power to remove the virus from memory. Do not
use the Reset button.
Turn on the computer.
When "Starting Windows 95..." appears on the screen, press F8. The Windows
95 Startup Menu appears.
Press the number that corresponds to Safe mode, and then press Enter.
Windows will start in Safe mode.
Windows 98:
Click Start, and then click Run.
Type msconfig, and then click OK. (The System Configuration Utility dialog
box appears.)
Click Advanced on the General tab.
Check Enable Startup Menu, click OK, and then click OK again.
Exit all the programs.
Click Start, and then click Shut Down. (The Shut Down Windows dialog box
appears.)
Click Shut Down, and then click OK.
Click Yes to confirm the shut down.
Turn off the computer and wait 30 seconds.
NOTE: You must turn off the power to remove the virus from memory. Do not
use the Reset button.
Turn on the computer, and wait for the Windows 98 Startup menu.
Press the number that corresponds to Safe mode, and then press Enter.
Windows will start in Safe mode.
Editing the registry
Follow these steps to remove the entry that the Trojan placed in the
registry.
CAUTION: We strongly recommend that you back up the system registry before
making any changes. Incorrect changes to the registry could result in
permanent data loss or corrupted files. Make sure to modify the specified
keys only. See the document, "How to Back Up the Windows 95/98/NT
Registry," before proceeding.
Click Start, and then click Run.
Type regedit, and then press Enter.
Navigate to and select the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, select SystemTrayIcon, press Delete, and then click Yes
to confirm.
NOTES:
The program that runs from here can have different names. SystemTrayIcon is
only one of the names that this program uses.
Make sure that you delete SystemTrayIcon, and not SystemTray (see the
illustration below).
Exit the Registry Editor.
Restarting the computer in MS-DOS mode
Follow these steps to restart the computer in MS-DOS mode:
Windows 95:
Exit all the programs.
Click Start, and then click Shut Down. (The Shut Down Windows dialog box
appears.)
Click Shut Down, and then click OK.
Click Yes to confirm the shut down.
Turn off the computer (if necessary) and wait 30 seconds.
NOTE: You must turn off the power to remove the virus from memory. Do not
use the Reset button.
Turn on the computer.
When "Starting Windows 95..." appears on the screen, press F8. (The Windows
95 Startup Menu appears.)
Press the number that corresponds to Safe mode Command Prompt Only, and
then press Enter. Windows will start in Safe mode.
Windows 98:
Click Start, and then click Run.
Type msconfig, and then click OK. (The System Configuration Utility dialog
box appears.)
Click Advanced on the General tab.
Check Enable Startup Menu, click OK, and then click OK again.
Exit all the programs.
Click Start, and then click Shut Down. (The Shut Down Windows dialog box
appears.)
Click Shut Down, and then click OK.
Click Yes to confirm the shut down.
Turn off the computer and wait 30 seconds.
NOTE: You must turn off the power to remove the virus from memory. Do not
use the Reset button.
Turn on the computer, and wait for the Windows 98 Startup menu.
Press the number that corresponds to Safe mode Command Prompt Only, and
then press Enter. Windows will start in Safe mode.
Deleting a file
Follow these steps to delete the file that the Trojan placed on the
computer:
Type the following, and then press Enter:
cd windows
Type the following, and then press Enter:
del systemtrayicon.exe
To restart Windows, type the following, and then press Enter:
exit
After Windows restarts, proceed to the next section.
Renaming a file
Because there is a small possibility that the Watching.dll file could be a
legitimate file that another program uses, we suggest that you follow these
steps to rename it.
Click Start, point to Find, and then click Files or Folders.
In the Named box, type the following, and then click Find Now:
Watching.dll
In the results pane, right-click the file that was found (it should be in
the \Windows\System folder), and then click Rename.
Rename the file to Watching.bkp, and then press Enter.
NOTE: If you are sure that a legitimate program, which you installed, is
not using the file, then you can delete it.
Close the Find Files dialog box.
You have now removed the Backdoor.SubSeven Trojan.
Additional information:
How does the Trojan get on the computer?
SubSeven is usually sent as a program that you think you want. It almost
always has a .exe extension and it will often be disguised as an
installation program, such as Setup.exe. When this program runs, it will
usually return a "Failed" error message, but it can sometimes do something,
such as play a game or appear to install the software. We strongly
recommend that you only install programs received from trusted sources.
How does someone else know that this threat is on the computer?
Backdoor.SubSeven can be configured to email your IP address and the port
on which the server is running to the person who sent it to you. It can
also send an alert through some messaging programs.
What are some of the symptoms of a computer that is infected with the
Backdoor.SubSeven Trojan?
Any of the following symptoms will occur only while connected to the
Internet:
CD-ROM drive opens at random times
Wave (.wav) files play for no reason
Strange dialog boxes appear
Internet downloads are slow
Files appear or disappear
----------------------------------------------------------------------------
From Network Computing
http://www.computing.net/windowsxp/wwwboard/forum/75975.html
Go here to Trend Micro's website and use the online virus scan to get rid
of it:
http://housecall.trendmicro.com/housecall/start_corp.asp
It's free, just follow the instructions.
Thank you.
Diana.
This posting is provided "AS IS" with no warranties, and confers no rights.
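As an added example, not part of Symantec's write-up or of the post above, here is a small Python audit that applies the checks from the quoted removal procedure to constructed sample data: the stock data of the exefile open command, the Run/RunServices value names listed in the write-up, and the load=/run= lines of Win.ini and the shell= line of System.ini. The sample files, indicator set and function names are my own.

```python
# Constructed indicator set: the Run/RunServices value names in the write-up.
SUBSEVEN_RUN_NAMES = {
    "winloader", "win32nt", "win32.bin", "wincrypt", "winprotect", "win",
    "xtnow", "ayespie", "powersavemonitor", "rundll32", "winsys32.exe",
    "sys32.exe", "systemtrayicon",
}
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # stock exefile\shell\open\command data

# Constructed sample files modelled on the write-up's examples.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=hpfsched    msrexe.exe\n; run=accounts.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe pwrsvm.exe\n"

def exefile_command_is_clean(value):
    """True only for the exact stock data. A prepended loader, or even a
    leading space, means every .exe launch is routed through something else."""
    return value == CLEAN_EXEFILE_COMMAND

def suspicious_run_values(names):
    """Run/RunServices value names matching the write-up's list (case-insensitive)."""
    return sorted(n for n in names if n.lower() in SUBSEVEN_RUN_NAMES)

def _section_items(text, section):
    """Yield (key, value) pairs from one [section]; lines starting ';' are comments."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip().lower(), value.strip()

def win_ini_startup_programs(text):
    """Programs named on the load= and run= lines of [windows], keyed by line."""
    return {k: v.split() for k, v in _section_items(text, "windows")
            if k in ("load", "run") and v}

def system_ini_shell_extras(text):
    """Anything listed after the shell program on the [boot] shell= line."""
    for key, value in _section_items(text, "boot"):
        if key == "shell":
            return value.split()[1:]
    return []
```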