Need some help removing SubSeven Trojan


SoopaStar
06-25-2000, 12:05 AM
My office manager got this on her home PC. I gave her the office's Norton AV CD to install at home. Norton found it and all the wonderful files it produces and quarantined them. Now, because of a registry entry (I assume) calling that file--or maybe it attached itself to the kernel32.dll--it will not run anything besides Internet Explorer. I cannot get into REGEDIT or any other software program installed on that PC. It is looking for one of the files that were removed/quarantined by Norton.
I can, however, get to DOS. Is there any way for me to enter the Registry from DOS to get to the hkey_local_machine\Software\Microsoft\windows\Current_version\run\run_services to remove this called file?? Or am I going to have to reformat the **** hard drive to fix this?
Thanks in Advance!
Paul C

SDT
06-25-2000, 08:13 AM
The only thing that I can think of is to copy the file(s) from another machine (write-protect the disk) and restore them onto the infected machine using DOS. This might allow you one chance at editing the registry before the file becomes reinfected.

smokin1
06-25-2000, 08:29 AM
I had a similar problem with a co-worker's machine... the AV program quarantined files needed to run Windows. I found two ways to deal with it.
You can run scanreg /restore from a DOS prompt and go to a pre-infection copy of the registry... or
run a reinstall from DOS. I wouldn't format just yet...

Dave_H
06-25-2000, 08:56 AM
Booting into safe mode may bypass the registry entries that could be set to run SubSeven, although you probably already tried that. You are correct on those registry settings, but there are two more common ways for S7 to be called up.
The system.ini and/or win.ini; you may be able to check these in DOS. In the system.ini, the file holding the server portion of the Trojan can be added to the line: shell=Explorer.exe (file name.exe). Note that the file name will usually be something very similar to a common Windows system file. Perhaps this is what could be preventing your system from running correctly.
In the win.ini, the file will be called up from the run= or load= lines under the [windows] section.

I like smokin's idea of restoring a previous registry. Once you can get her system working, you could release the Trojan files from quarantine and then remove S7 manually.

Best of luck Paul.
Dave

edit-spelling-edit


[This message has been edited by Dave_H (edited 06-25-2000).]

Mbarb
06-26-2000, 10:33 PM
I can't claim this fix as mine but it worked for me when I was in the same place you are... Good Luck!!!

http://sysopt.earthweb.com/forum/Forum2/HTML/007088.html

It sounds like you may be able to just change your file associations in the registry, since the virus has been deleted and so I don't think you'll re-infect the machine. Try this:
Search for regedit.exe, rename it to regedit.com and then run it... kind of a work-around. Go in and check the following keys:

HKEY_CLASSES_ROOT\exefile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

The default value for these should be:

"%1" %*

If it's anything else, just double-click on it to bring up the edit window and paste that in the edit box. After that, close regedit and be sure to rename regedit.com back to regedit.exe.

Let me know how that works for you.

Good luck!
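The three persistence spots the replies above name (the system.ini shell= line, the win.ini run=/load= lines, and the exefile\shell\open\command default) can be audited offline from copies of the files and a REGEDIT export. The following script is an added example, not code from this thread; the file contents and the name SUSPECT.EXE are constructed samples, and it reports anything that deviates from the clean defaults the posters describe.

```python
import re

# Constructed samples (not from the thread): a Win9x system.ini, win.ini and a
# REGEDIT export; SUSPECT.EXE is a placeholder name, not a real SubSeven file.
SYSTEM_INI = "[boot]\nshell=Explorer.exe SUSPECT.EXE\n"
WIN_INI = "[windows]\nload=\nrun=\n"
REG_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\SUSPECT.EXE \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
"""
EXPECTED_EXE_COMMAND = '"%1" %*'   # the clean default quoted in the thread
EXEFILE_KEY = re.compile(r"^\[(HKEY_[A-Z_]+\\(?:.*\\)?exefile\\shell\\open\\command)\]$", re.I)

def ini_values(text, section, key):
    """All values of `key` inside `[section]` (case-insensitive), as written."""
    current, found = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                found.append(v.strip())
    return found

def audit_system_ini(text):
    """shell= should name only Explorer.exe; any extra token is a second program started at boot."""
    return [("system.ini [boot] shell=", v) for v in ini_values(text, "boot", "shell")
            if len(v.split()) > 1]

def audit_win_ini(text):
    """run= and load= are normally empty; anything listed there is started with Windows."""
    return [(f"win.ini [windows] {k}=", v) for k in ("run", "load")
            for v in ini_values(text, "windows", k) if v]

def audit_exefile_command(reg_text):
    """Flag any exefile\\shell\\open\\command default other than "%1" %* (an EXE-launch hijack)."""
    current, findings = None, []
    for line in (l.strip() for l in reg_text.splitlines()):
        m = EXEFILE_KEY.match(line)
        if m:
            current = m.group(1)
        elif line.startswith("["):
            current = None
        elif current and line.startswith('@="') and line.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", line[3:-1])   # undo .reg escaping of \ and "
            if value != EXPECTED_EXE_COMMAND:
                findings.append((current, value))
    return findings

def audit_all():
    return audit_system_ini(SYSTEM_INI) + audit_win_ini(WIN_INI) + audit_exefile_command(REG_EXPORT)

if __name__ == "__main__":
    for where, value in audit_all():
        print(f"{where}: {value!r}")
```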