RE: Gone Worm

From: Michael Garafola (mgarafolaat_private)
Date: Wed Dec 05 2001 - 15:09:41 PST


    If you use Windows ME, there's an added risk there that doesn't exist for
    others. Basically an ME system could get infected and then cleaned, but when
    it's rebooted System Restore could re-infect it. Once the virus is cleaned
    by deleting gone.scr from the hard drive, processes and registry, they will
    need to follow the manual instructions below to deal with the ME systems.
    The directions are formatted for users, not admins.
    
    Additional Windows ME Info:
    NOTE: Windows ME utilizes a backup utility that backs up selected files
    automatically to the C:\_Restore folder. This means that an infected file
    could be stored there as a backup file, and VirusScan will be unable to
    delete these files. These instructions explain how to remove the infected
    files from the C:\_Restore folder. 
    
    > Disabling the Restore Utility 
    > 1. Right click the My Computer icon on the Desktop.
    > 2. Click on the Performance Tab.
    > 3. Click on the File System button.
    > 4. Click on the Troubleshooting Tab.
    > 5. Put a check mark next to "Disable System Restore".
    > 6. Click the Apply button.
    > 7. Click the Close button.
    > 8. Click the Close button again.
    > 9. You will be prompted to restart the computer. Click Yes.
    > NOTE: The Restore Utility will now be disabled.
    > 10. Restart the computer in Safe Mode.
    > 11. Run a scan with VirusScan to delete all infected files, or browse the
    > files located in the C:\_Restore folder and remove the files.
    > 12. After removing the desired files, restart the computer normally.
    > NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
    > remove the check mark next to "Disable System Restore". The infected
    > files are removed and the System Restore is once again active. 
    
    General Manual Removal Instructions
    WINDOWS 95/98/ME 
    > *	Restart Windows in Safe Mode (reboot your computer, just before the
    > large WINDOWS startup screen comes up, hit the F5 key). You can recognize
    > that you're in Safe Mode by the text Safe Mode in the 4 corners of the
    > desktop. 
    > *	Click START | FIND | Files or Folders ... 
    > *	Type Gone.scr and hit ENTER 
    > *	Delete GONE.SCR (if present) 
    > *	Click START | RUN, type REGEDIT and hit ENTER 
    > *	Click the (+) next to HKEY_LOCAL_MACHINE 
    > *	Click the (+) next to SOFTWARE 
    > *	Click the (+) next to MICROSOFT 
    > *	Click the (+) next to WINDOWS 
    > *	Click the (+) next to CURRENTVERSION 
    > *	Click RUN 
    > *	Click on C:\WINDOWS\SYSTEM\gone.scr on the right and hit DELETE on
    > the keyboard 
    > *	Restart the computer 
    
    WINDOWS NT/2000/XP 
    > *	Type CTRL-ALT-DEL at the same time 
    > *	Choose TASK MANAGER and then choose the PROCESS tab 
    > *	Locate the GONE.SCR process, click it, and choose END PROCESS 
    > *	Click START | FIND | Files or Folders ... 
    > *	Type Gone.scr and hit ENTER 
    > *	Delete GONE.SCR (if present) 
    > *	Click START | RUN, type REGEDIT and hit ENTER 
    > *	Click the (+) next to HKEY_LOCAL_MACHINE 
    > *	Click the (+) next to SOFTWARE 
    > *	Click the (+) next to MICROSOFT 
    > *	Click the (+) next to WINDOWS 
    > *	Click the (+) next to CURRENTVERSION 
    > *	Click RUN 
    > *	Click on C:\WINNT\SYSTEM\gone.scr on the right and hit DELETE on the
    > keyboard 
    > *	Restart the computer 
    
    
    Michael Garafola
    
    
    -----Original Message-----
    From: Chris Eidem [mailto:jceidemat_private]
    Sent: Wednesday, December 05, 2001 4:34 PM
    To: Andrew Blevins; incidentsat_private
    Subject: RE: Gone Worm
    
    
    Not too difficult to clean up.  
    
    1. Shut down the program (gone.scr) from Task Manager.
    2. dir \gone*.* /s (it dumps itself in a variety of places: 
       \windows\system, \winnt\system, \temp, \winnt\profiles,
       but one tricky place is that it dumps itself into the \winnt\system32 dir
       with the system, hidden and read-only bits set, so make sure to do an 
       attrib go*.* in that dir and make sure it isn't there. If it is,
       attrib -h -s -r gon*.* and then delete them.)
    3. Delete the key in the registry; it's in 
       HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gone.scr
    4. Reboot, and if you dug it out of all of its hiding places, you
       shouldn't see it running.
    
    hth,
    chris
    
    > -----Original Message-----
    > From: Andrew Blevins [mailto:ABlevinsat_private]
    > Sent: Wednesday, December 05, 2001 12:02 PM
    > To: incidentsat_private
    > Subject: Gone Worm
    > 
    > 
    > Has anyone had any success with isolating the Trojan script 
    > with this worm,
    > and having a for sure successful cleanup? Any help appreciated, and I
    > apologize in advance if I have missed a previous posting.
    > Blevins
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
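    The manual steps above (Michael's Safe Mode / REGEDIT walk-through and Chris's
    dir / attrib / delete sequence) as one added script. This is an example written
    for this archive page, not code from the thread, from McAfee, or from any vendor
    tool. It assumes an NT-family host (NT/2000/XP or later) with PowerShell and an
    administrative prompt; the file name gone.scr, the Run value name and the
    directory list come from the posts, and $env:SystemRoot is used in place of the
    hard-coded \windows and \winnt paths. It does not touch the Windows ME
    System Restore store (C:\_Restore), which still needs the manual steps above.

```powershell
# Added example: automate the gone.scr cleanup described in the thread.
# Assumes Windows NT/2000/XP or later with PowerShell, run from an elevated prompt.
# Names below are taken from the posts; nothing here is a vendor tool.
# Run with -WhatIf first to see what would be stopped, deleted and unregistered.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Name   = 'gone.scr',
    [string]$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Hiding places listed in the thread (\windows\system, \winnt\system, \winnt\system32,
# \temp, \winnt\profiles), resolved from the environment; missing ones are skipped.
$dirs = @(
    "$env:SystemRoot\System",
    "$env:SystemRoot\System32",
    "$env:SystemRoot\Profiles",
    "$env:SystemRoot\Temp",
    "$env:TEMP",
    "$env:USERPROFILE"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# 1. Stop the running copy (Task Manager step). The process name is the image
#    name without its extension.
$base = [System.IO.Path]::GetFileNameWithoutExtension($Name)
foreach ($proc in (Get-Process -Name $base -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess("PID $($proc.Id) ($($proc.Path))", 'Stop-Process')) {
        Stop-Process -Id $proc.Id -Force
    }
}

# 2. Find every copy (dir \gone*.* /s). -Force is what makes hidden and system
#    files show up; without it the copy in System32 with H+S+R set is exactly
#    the one that gets missed.
$found = @(foreach ($d in $dirs) {
    Get-ChildItem -LiteralPath $d -Filter $Name -Recurse -Force -File -ErrorAction SilentlyContinue
})
foreach ($f in $found) {
    # attrib -h -s -r first, then delete; clearing the bits keeps the deletion
    # explicit even though Remove-Item -Force would also remove a read-only file.
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Clear attributes and delete')) {
        $f.Attributes = [System.IO.FileAttributes]::Normal
        Remove-Item -LiteralPath $f.FullName -Force
    }
}

# 3. Remove the autostart entry under HKLM\...\CurrentVersion\Run. The posts give
#    the value name as gone.scr; a value whose data points at the file under a
#    different name is removed as well.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        if ($p.Name -ieq $Name -or "$($p.Value)" -match [regex]::Escape($Name)) {
            if ($PSCmdlet.ShouldProcess("$RunKey\$($p.Name) = $($p.Value)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $RunKey -Name $p.Name
            }
        }
    }
}

# 4. Report what is left so the "for sure successful cleanup" can be confirmed
#    again after the reboot: both counts should be 0 and RunValueLeft $false.
$remaining = @(foreach ($d in $dirs) {
    Get-ChildItem -LiteralPath $d -Filter $Name -Recurse -Force -File -ErrorAction SilentlyContinue
})
$stillRun = Get-ItemProperty -Path $RunKey -Name $Name -ErrorAction SilentlyContinue
[pscustomobject]@{
    FilesFound     = $found.Count
    FilesRemaining = $remaining.Count
    RunValueLeft   = ($null -ne $stillRun)
}
```

    Save it as clean-gone.ps1, run `.\clean-gone.ps1 -WhatIf` to list the process,
    files and Run value it would remove, then run it without -WhatIf, reboot, and
    run it once more: a second pass that reports FilesRemaining 0 and RunValueLeft
    False is the "for sure" check Andrew asked for. The -Force on Get-ChildItem is
    the part that matters most; it is the PowerShell equivalent of the attrib
    check Chris describes for the System32 copy.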



    This archive was generated by hypermail 2b30 : Thu Dec 06 2001 - 11:24:30 PST