[NTLUG:Discuss] Removing the virus

Brian Silvers bsilvers at duracom.net
Thu May 4 11:16:22 CDT 2000


Here are instructions I found for removing the virus:

DISCLAIMER: I don't guarantee this will work on your computer. Also, you
need to edit the registry, which is not for the faint of heart.

  1. If Outlook is running, turn it off now! There is still a chance that
  the messages in your Outbox were not sent yet. Unplug your network
  adapter/modem to ensure that you cannot accidentally connect, open
  Outlook again, and delete all entries from your Outbox.

  2. Close Outlook.

  3. Run regedit.exe (Click Start->Run, enter 'regedit' and click OK).

  4. Go to
  HKEY_CURRENT_USER->Software->Microsoft->Windows Script Host->Settings.
  If there is an entry for Timeout, delete it. I did not have this, but
  the source code looks like it may exist.

  5. Go to
  HKEY_CURRENT_USER->Software->Microsoft->Internet Explorer->Main.
  Scroll down until you see an entry for Start Page. Double click on it,
  and edit it so it reflects the correct start page (Ideally slashdot.org
  or thepope.org :) ).

  6. Go to
HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->Run.
  Delete the entry for MSKernel32.

  7. Go to
  HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->RunServices.
  Delete the entry for Win32DLL.

  8. Go to
  HKEY_CURRENT_USER->Software->Microsoft->Windows->CurrentVersion->Explorer->Doc Find Spec MRU.
  This entry contains all of the most recently used files. It would be a
  good idea to delete all of the entries.

  9. Open Windows Explorer (Start->Programs->Windows Explorer). Go to
  c:\windows\system (or c:\winnt\system32) and delete MSKernel32.vbs,
  LOVE-LETTER-FOR-YOU.HTM, and LOVE-LETTER-FOR-YOU.TXT.vbs. Also, delete
  Win32DLL.vbs from the Windows directory.

  10. This is the most painful part. This virus replaces every file with
  the following file extensions: vbs, vbe, js, jse, css, wsh, sct, hta,
  jpg, jpeg, mp3, mp2. You can't get the files back, but you can at least
  delete them pretty easily. Do a search for all files with the .vbs
  extension (Start->Find and enter '*.vbs' in the Named field, then click
  Find Now). Select all of the results, and hit delete.

  Update: It looks like mp3 files are merely marked as hidden, not
  completely deleted.
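
Added example, not part of the original post: a read-only audit that checks a regedit text export and a list of file paths for the registry values and file names named in steps 4 to 10 before anything is deleted by hand. The function names, the sample export and the sample paths are constructed for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Registry values named in the post (steps 4-7), lower-cased: (key, value) -> kind.
REG_HITS = {
    (r"hkey_current_user\software\microsoft\windows script host\settings", "timeout"): "registry",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "mskernel32"): "registry",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\runservices", "win32dll"): "registry",
    # Step 5: only a person can judge the start page, so it is flagged for review.
    (r"hkey_current_user\software\microsoft\internet explorer\main", "start page"): "review",
}
# Step 9 file names; matched by name in any directory (a choice made for this example).
FILE_HITS = {"mskernel32.vbs", "win32dll.vbs",
             "love-letter-for-you.htm", "love-letter-for-you.txt.vbs"}

def parse_reg_export(text):
    """Yield (key, value_name, raw_data) from a regedit text export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2)

def audit(reg_text, file_paths):
    """Return (kind, location, detail) tuples; nothing is modified or deleted."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        kind = REG_HITS.get((key.lower(), name.lower()))
        if kind:
            findings.append((kind, f"{key}\\{name}", data))
    for path in file_paths:
        name = PureWindowsPath(path).name.lower()
        if name in FILE_HITS:
            findings.append(("file", path, "named in step 9"))
        elif name.endswith(".vbs"):
            findings.append(("review", path, "other .vbs file (step 10)"))
    return findings

# Constructed sample input (not captured from a real machine).
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
"""
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\My Documents\report.vbs", r"C:\WINDOWS\notepad.exe"]
print(*(" | ".join(f) for f in audit(SAMPLE_REG, SAMPLE_FILES)), sep="\n")
```

Entries marked "review" need a human decision: the start page may be legitimate, and a .vbs file may be a script that belongs on the machine.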




