I know a lot of you have not seen or heard from me in a while.  But working
in an ISP...in less than 1.5 hours a lot of our customers got the ILOVEYOU
thingy.  It is nasty.  It gets in the machine, changes a lot of multimedia
files to .txt files..and as of now..there is no "double clicking" fix.

The manual fix is below...if one of your machines gets this virus
IMMEDIATELY pull it from your network..cause it infects network drives.

> How to confirm if a machine is infected with the
> ILOVEYOU/LOVE-LETTER-FOR-YOU.TXT.vbs virus:
>
> Do a Find for mskernel32 and win32dll. If these files are present on the
> machine then the machine has the virus.
>
>
> These are the steps to do a manual cleanup of a machine infected by the
> virus:
>
> 1. Use the Find utility and delete the following files:
>
> MSKernel32.vbs
> LOVE-LETTER-FOR-YOU.TXT.vbs
> LOVE-LETTER-FOR-YOU.HTM
> Win32DLL.vbs
>
> 2. Delete the following registry keys:
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
> HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
>
> 3. Files with the extensions .js (JavaScript), .jse, .css, .wsh, .sct,
> and .hta will be copied and renamed with the extension .vbs. The virus may
> then (or may not) delete the original files.
> a. If the original files still exist, delete the *.vbs copies.
> b. If the original files have been deleted (and they're not available in
> the Recycle Bin), replace them with copies from another machine. NOTE: The
> only affected files we have found at this time are:
> Aform.js
> Afstrenu.js
>
> 4. Files with the extensions .jpg, .jpeg, .mp3, or .mp2 will be copied and
> renamed with extensions of .jpg.vbs, .jpeg.vbs, .mp3.vbs, and .mp2.vbs,
> respectively. Delete these files:
> *.jpg.vbs
> *.jpeg.vbs
> *.mp3.vbs
> *.mp2.vbs
>
> 5. The virus points the machine to a different home page (aka Start Page).
> Create a .reg file with the following entries and then execute it while
> the customer is logged on. This is necessary because the Start Page is
> unique to the current user and the customer won't have permission to run
> the registry editor.
>
> REGEDIT4
>
> [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
> "Start Page"="http://rfetshp"


This is no spam thingy just being nice!

If you need more info...here is some from AVP!
http://www.avp.com/may04.html

James
Katana
Foamypup
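
A read-only triage sketch for steps 1, 3 and 4 of the quoted procedure, added here as an example and not part of the original message: it walks a directory tree and groups files by the step that covers them. The function names, report categories and sample tree are constructed for illustration; the registry entries from steps 2 and 5 are not checked.

```python
import os
import tempfile

# Names and extensions are taken from steps 1, 3 and 4 of the quoted procedure.
DROPPED = {"mskernel32.vbs", "win32dll.vbs",
           "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
MEDIA = (".jpg", ".jpeg", ".mp3", ".mp2")
SCRIPT = (".js", ".jse", ".css", ".wsh", ".sct", ".hta")


def classify(root):
    """Walk root; return {category: [paths relative to root]}. Deletes nothing."""
    report = {"dropped": [], "media_copy": [], "script_copy": [], "review": []}
    for folder, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in sorted(files):
            low = name.lower()
            rel = os.path.relpath(os.path.join(folder, name), root)
            if low in DROPPED:                        # step 1
                report["dropped"].append(rel)
            elif not low.endswith(".vbs"):
                continue
            elif low[:-4].endswith(MEDIA):            # step 4: x.jpg.vbs
                report["media_copy"].append(rel)
            elif any(low[:-4] + e in present for e in SCRIPT):
                report["script_copy"].append(rel)     # step 3a: original survives
            else:
                # Step 3b or a legitimate script: cannot be told apart by name.
                report["review"].append(rel)
    return report


def demo():
    """Build a constructed sample tree (empty files) and classify it."""
    sample = ["Win32DLL.vbs", "holiday.JPG.vbs", "song.mp3.vbs",
              "Aform.js", "Aform.vbs", "Afstrenu.vbs", "notes.txt",
              os.path.join("sub", "LOVE-LETTER-FOR-YOU.HTM")]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return classify(root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Files in the `review` group need a manual look: a plain `.vbs` with no surviving original may be a step 3b copy or a script that was there all along.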
