sub seven help... !!

[noODle]

SubSeven is a pest to remove, the best way to recover from subseven is a reinstall from your last known (safe) backup and apply a stricter software installation policy.
Someone allready mentioned the registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr
entVersion\Run\

There are quit a few more registry entries that can autostart apps (or have them hijack on some other programs startup).
Besides that, there are more ways in windows to autostart an app.
Then subseven is widely known (infamous) thus there are many different versions/mods.
That is why I think: 'reinstall'

[Producer]

Its run= in win.ini

c:\%systemdir%\win.ini

just search for win.ini and edit the file. Thats what your talking about.

[noODle]

Originally posted here by Producer
Its run= in win.ini

c:\%systemdir%\win.ini

just search for win.ini and edit the file. Thats what your talking about.

There are way more pest-options then that.

[Producer]

Yep. But thats the "least known method" in subseven.

[noODle]

Yep. But thats the "least known method" in subseven.

I disagree, subseven (like I said) is a pest, that is why there is no single 'removal tool'. It can be modified to load on several different events [hkcu\software\microsoft\windowsnt\currentversion\windows\load] for example or some script in [hklm\software\policies\microsoft\windows\system\scripts\startup] or some .htt file or it could copy itself as c:\windows\system\loader.exe to name a few.

[Producer]

your right noODle. There are other ways. the c:\windows\system\loader.exe is an easy one, but \scripts\startup I have seen in other programs.

I have not seen Mobman since defcon 2000. Since then, the invention of Nat threw his script to heck. I shall research this, thanks.

[Alphaflux]

if im not mistaken you can acutally use the subseven tool to remove the trojan itself, i think there is some option and the server version that allows you to do this. trying that might get ride of your error problem. if that doesn't work, PM me and i will do some more searching

[hustlefrog]

I infected my self a while back when i first started to mess with trojans and that same thing happen to me every time i would reboot my computer it would say (what i named the server when i edited it) is not found and so i thought i edited it to start in the win.ini and i went to run and typed in win.ini and boom there it wuz [windows]
load=
run="the name of the server"
NullPort=None
and so i took it off and i reboted and the windows box never poped up again maybe that is what it is hope it works

[Jakus]

To remove sub7 from your computer i recomend. fire up your client and connecting the LOCALHOST and port that you set to. to even protech yourslef more is setting a password on the server that is very strong. then try to remove it. becasue if it donsen't remove at least it is passworded. btw what version on sub7 are you running?


Just my .02. Good luck

[Galdron]

Originally posted here by mafia_almighty
i was just doing some R&D with the sub7 tool ... and i accidently infected my PC ...i got rid of the infected file... ... using Norton.
but the trouble is that i had turned on --->>> start up and on top of it ... i enabled "less known method" and "not known how methods" .. in the edit server..
so as such i m not infected with that trojan ... but every time i start my PC ........
i get that message that that file is not found ....!!!

plz help me....
!!!

I am still wodering what R&D you were doing. If you had the Proggie on your HD most virus progs, would detect it, unless you allowed access. How did you become "Infected"?

Interested in further details.





Althought this might have been suggested in the forums, I have had very good luck with TDS3.

Decent program for Trojan removals. Demo is free.

http://tds.diamondcs.com.au/

P: