Before I repeat what has already been said elsewhere on the net, here is a link to a page with a lot of useful information about SubSeven (also known as Sub7). That document, however, misses one of the ways this trojan can stay active (and the only method I have actually seen), so when you have finished reading it, come back here if you did not find the trojan.

Threats to your Security on the Internet - SubSeven



I have seen the SubSeven trojan start itself using the Windows shell's "open" action for executable files (the one used when you double-click an .exe or pick Open from its context menu) as a springboard. It changes the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command and sets its (Default) value to something other than "%1" %*. That default simply runs the requested program ("%1") with the parameters provided by the user (%*). SubSeven may change it to something along the lines of " windos.exe "%1" %* ", so that the trojan is launched first every time any program is run and then starts the real program; the filename could be different.

To remove the trojan's hook, go to Start -> Run, type regedit (without quotes) and press Enter. Navigate the tree to HKEY_CLASSES_ROOT\exefile\shell\open\command, double-click the (Default) value, clear the contents of the box and type in "%1" %* including the quotes. You are now uninfected, although the trojan's files still exist on your computer; unless you know exactly what those filenames are, you should not try to remove them.
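As an added example (not part of the original page or the SubSeven write-up it links to), this Python script checks whether the exefile open command still holds the clean default, names the program that was prepended if it does not, and writes out a .reg file that restores the value; merging a .reg file in regedit is assumed here as an alternative to typing the value by hand, and the `windos.exe` sample is the one from the text above.

```python
import sys

# The value Windows ships for HKCR\exefile\shell\open\command: run the requested
# .exe ("%1") with the user's arguments (%*) and nothing else.
CLEAN_DEFAULT = '"%1" %*'
KEY_PATH = r'exefile\shell\open\command'

def split_command(value):
    """Split a command template into tokens, keeping double-quoted paths whole."""
    tokens, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(''.join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append(''.join(current))
    return tokens

def check_exefile_command(value):
    """Classify a (Default) value: clean, or hijacked by a prepended program."""
    if value.strip() == CLEAN_DEFAULT:
        return {'clean': True, 'hijacker': None}
    # Any token that is not a %-placeholder is a program inserted ahead of the
    # real target, e.g. ' windos.exe "%1" %* ' (sample value from the page).
    extra = [t for t in split_command(value) if not t.startswith('%')]
    return {'clean': False, 'hijacker': extra[0] if extra else None}

def reg_fix_file():
    """Text of a .reg file that restores the clean value when merged in regedit."""
    return ('Windows Registry Editor Version 5.00\r\n\r\n'
            '[HKEY_CLASSES_ROOT\\' + KEY_PATH + ']\r\n'
            '@="\\"%1\\" %*"\r\n')

def check_live_registry():
    """On Windows, read the real value and classify it; elsewhere return None."""
    if not sys.platform.startswith('win'):
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, KEY_PATH) as key:
        value, _ = winreg.QueryValueEx(key, '')  # '' selects the (Default) value
    return check_exefile_command(value)
```

Run `check_live_registry()` on the machine you are examining; if it reports a hijacker, restore the value (by hand as described above, or by merging the output of `reg_fix_file()`) before touching the trojan's own file.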

As a general rule, if you see the file windos.exe, you are probably infected.

WARNING:

Do not delete the trojan exe until it has been removed from the registry, or your computer will fail to boot.

IMPORTANT: Please note that I cannot be held responsible for any damages caused by the use of this document, even though the chances are extremely small.


Copyright icStatic (C) 2008