At 10:42 AM 5/4/00 -0500, you wrote:
>At 10:22 AM 5/4/00 -0500, you wrote:
> >I am up to 5 now. Unfortunately two of them on my network. So I have to do a
> >cleanup. What does the virus do? And what is the best course of cleanup.
>
>Someone early in this discussion sent in some links, but I deleted the
>email because it contained the virus contents. (Like I'm about to do to
>yours.) So check back in the thread.
This solution was linked from slashdot:
http://www.thepope.org/index.pl?node_id=140
Here is my means of removing the virus, and it seems to stop the problem:
DISCLAIMER: I don't guarantee this will work on your computer. Also, you
need to edit the registry, which is not for the faint of heart.
1. If Outlook is running, turn it off now! There is still a chance that
the messages in your Outbox were
not sent yet. Unplug your network adapter/modem to ensure that you
cannot accidentally connect,
open Outlook again, and delete all entries from your Outbox.
2. Close Outlook.
3. Run regedit.exe (Click Start->Run, enter 'regedit' and click OK).
4. Go to
HKEY_CURRENT_USER->Software->Microsoft->Windows Script Host->Settings.
If there is an entry for Timeout, delete it. I did not have this, but the
source code looks like it may exist.
5. Go to
HKEY_CURRENT_USER->Software->Microsoft->Internet Explorer->Main.
Scroll down until you see an entry for Start Page. Double click on it, and
edit it so it reflects the correct start page
(Ideally slashdot.org or thepope.org :) ).
6. Go to
HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->Run.
Delete the entry for MSKernel32.
7. Go to
HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->RunServices.
Delete the entry for Win32DLL.
8. Go to
HKEY_CURRENT_USER->Software->Microsoft->Windows->CurrentVersion->Explorer->Doc Find Spec MRU.
This entry contains all of the most recently used files.
It would be a good idea to delete all of the entries.
9. Open Windows Explorer (Start->Programs->Windows Explorer). Go to
c:\windows\system (or
c:\winnt\system32) and delete MSKernel32.vbs, LOVE-LETTER-FOR-YOU.HTM, and
LOVE-LETTER-FOR-YOU.TXT.vbs. Also, delete Win32DLL.vbs from the Windows
directory.
10. This is the most painful part. This virus replaces every file with
the following file extensions: vbs,
vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2. You can't get the
files back, but you can at least
delete them pretty easily. Do a search for all files with the .vbs
extension (Start->Find and enter '*.vbs'
in the Named field, then click Find Now). Select all of the results, and
hit delete.
Update: It looks like mp3 files are merely marked as hidden, not
completely deleted.
11. Go to your room without dinner. You should know better than to run
files like this. Optionally, you
may avoid any punishment by purchasing an indulgence.
This is my rough draft. I'll continue to take looks at it, and if anyone
has any other information, feel free
to email me ([EMAIL PROTECTED]) and I will try to integrate it into this
page.
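
Added example, not part of the original message or the linked page: a read-only check for the leftovers named in steps 4, 6, 7 and 9, run over a regedit text export and a file listing. The function names, the sample export and the sample paths are constructed for illustration; the REGEDIT4 text export format is assumed.

```python
import re

# Registry value names from steps 4, 6 and 7; file names from step 9.
REG_INDICATORS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings": "Timeout",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": "MSKernel32",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": "Win32DLL",
}
FILE_INDICATORS = {"mskernel32.vbs", "win32dll.vbs",
                   "love-letter-for-you.htm", "love-letter-for-you.txt.vbs"}

# Constructed sample export and file listing, not data from a real machine.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
"DisplayLogo"="1"
'''
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
                r"C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.vbs",
                r"C:\WINDOWS\Win32DLL.vbs", r"C:\WINDOWS\NOTEPAD.EXE"]

def scan_reg_export(text):
    """Return (key, value_name, raw_data) for each listed value still present."""
    wanted = {k.lower(): v.lower() for k, v in REG_INDICATORS.items()}
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header: current registry key
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        # Registry key and value names are case-insensitive, so compare lowercased.
        if m and key and wanted.get(key.lower()) == m.group(1).lower():
            hits.append((key, m.group(1), m.group(2)))
    return hits

def scan_file_listing(paths):
    """Return the paths whose file name is one of the step 9 names."""
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() in FILE_INDICATORS]

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG) + scan_file_listing(SAMPLE_PATHS):
        print("still present:", hit)
```
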
------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk