I had a virus and ran a virus scan and deleted all infected files, but my computer seems to be going crazy. What should I do?

Question

I recently detected that my computer came in contact with a virus. The virus name was loveletters. Since then I have run my VirusScan and deleted all infected files, but now my computer seems to be going crazy. It's one error after the other... Kernel32, script errors, and my computer freezes at random. What now?

Answer

This question was answered on February 5, 2003. Much of the information contained herein may have changed since posting.

If Outlook is running, close it now! There is still a chance that the messages in your Outbox were not sent yet. Unplug your network adapter/modem to ensure that you cannot accidentally connect, open Outlook again, and delete all entries from your Outbox.

Close Outlook.

Now, make sure the virus is no longer running. Press Ctrl-Alt-Del. If you are running Windows NT/2000, you will also need to click on Task Manager, then on the Processes tab. Look for any processes named WScript. If any exist, select them and click the End Task button (End Process under Win NT/2000). If the process does not terminate, try again in a few seconds.

Run regedit.exe (click Start->Run, enter 'regedit' and click OK).

Go to HKEY_CURRENT_USER->Software->Microsoft->Windows Script Host->Settings. If there is an entry for Timeout, delete it. I did not have this, but the source code looks like it may exist.

Go to HKEY_CURRENT_USER->Software->Microsoft->Internet Explorer->Main. Scroll down until you see an entry for Start Page. Double click on it, and edit it so it reflects the correct start page. (Ideally slashdot.org or thepope.org :) )

Go to HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->Run. Delete the entry for MSKernel32.

Go to HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->RunServices. Delete the entry for Win32DLL.

Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If there is an entry for WIN-BUGSFIX, delete it.

Go to HKEY_CURRENT_USER->Software->Microsoft->Windows->CurrentVersion->Explorer->Doc Find Spec MRU. This entry contains all of the most recently used files. It is not 100% necessary to delete these entries, but it would be a good idea.

Open Windows Explorer (Start->Programs->Windows Explorer). Go to c:\windows\system (or c:\winnt\system32) and delete MSKernel32.vbs, LOVE-LETTER-FOR-YOU.HTM, and LOVE-LETTER-FOR-YOU.TXT.vbs. Also, delete Win32DLL.vbs from the Windows directory.

This is the most painful part. This virus replaces every file with the following file extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg. You can't get the files back, but you can at least delete them pretty easily. Also, all of your mp3's and mp2's were hidden, and a new file with the same name as the file, but with a .vbs extension, was created.

First, do a search for all files with the .vbs or .vbe extension (Start->Find and enter '*.vbs *.vbe' in the Named field, then click Find Now). Select all of the results, and hit delete.

I originally advocated also searching for a line of text within the file to test which files were corrupted. With all of the different versions of the virus now floating around, this is no longer effective. It now appears that the best method is to look for all of the files of the same size. If you do not see the size attribute in your search window, maximize the window. You should now be able to see the file size. While different versions of the virus are different file sizes, most are around 10k to 13k. The trick here is to find the most common file sizes. These should be the infected files.

Once you think you know the correct file size, select all of the files in the folder. Now weed out the good files. While holding the Ctrl key, click on any entries that you do NOT want to delete. Once you have weeded out the good files, you can delete them. Rather than just pressing the delete key, hold down Shift and then press delete. This way, the files will get completely deleted so you don't have to empty them from the Recycle bin later. If you are having problems deleting files, go back to Step 3 and repeat.

You should repeat this process for any hard drives on your machine and any network drives you are connected to.

Finally, you will need to do a search for a couple of other misc files that may be on your machine now. Search for WIN-BUGSFIX.exe or WIN_BUGSFIX-32.exe (if you opened Internet Explorer after getting the bug), script.ini (if you use mIRC), and possibly WinFAT32.exe. If you have any of these two files, delete them.

When all of the files are deleted, it would be a good idea to empty your recycle bin.

Author

Posted by Ileen of Katharine Gibbs School - New York on February 5, 2003
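
The file-size triage described in the answer (find all .vbs/.vbe files, then look for the most common file size), as an added example that is not part of the original post. The function names, the `min_cluster` threshold, reading "10k to 13k" as 10 to 13 KiB, and the sample files are assumptions made here; the script only reports and never deletes.

```python
import os
import tempfile
from collections import defaultdict

SCRIPT_EXTS = {".vbs", ".vbe"}            # what the answer's Find step searches for
KNOWN_NAMES = {                            # file names listed in the answer
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.htm",
    "love-letter-for-you.txt.vbs", "win-bugsfix.exe", "win_bugsfix-32.exe",
    "winfat32.exe",
}
TYPICAL = range(10 * 1024, 13 * 1024 + 1)  # "around 10k to 13k" (assumed KiB)


def triage(root, min_cluster=3):
    """Report only, never delete. Returns (known_paths, clusters) where clusters
    is a list of (size, paths, in_typical_range), most common size first."""
    known, by_size = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in KNOWN_NAMES:
                known.append(path)
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                try:
                    by_size[os.path.getsize(path)].append(path)
                except OSError:
                    continue  # file vanished or is unreadable; skip it
    clusters = [(size, sorted(paths), size in TYPICAL)
                for size, paths in by_size.items() if len(paths) >= min_cluster]
    clusters.sort(key=lambda c: (-len(c[1]), c[0]))
    return sorted(known), clusters


def build_sample(root):
    """Constructed sample tree: 4 same-size overwritten files, 2 unrelated scripts."""
    files = {"photo.vbs": 11000, "song.mp3.vbs": 11000, "style.vbs": 11000,
             "MSKernel32.vbs": 11000, "logon.vbs": 420, "backup.vbs": 2300}
    for name, size in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"'" * size)  # filler bytes, not virus code


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        known, clusters = triage(tmp)
        print("known names:", [os.path.basename(p) for p in known])
        for size, paths, typical in clusters:
            print(size, "bytes x", len(paths), "(typical range)" if typical else "")
```

Review each reported cluster by hand before deleting anything, as the answer advises, since legitimate scripts can share a size by coincidence.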