try this;
If Outlook is running, close now! There is still a chance that the messages in your Outbox were not sent yet. Unplug your network adapter/modem to ensure that you cannot accidentally connect, open Outlook again, and delete all entries from your Outbox.
Close Outlook.
Now, make sure the virus is no longer running. Press Ctrl-Alt-Del. If you are running Windows NT/2000, you will also need click on task manager then on the Processes tab. Look for any processes named WScript. If any exist, select them and click the End Task button (End Proccess under Win NT/2000). If the process does not terminate, try again in a few seconds.
Run regedit.exe (Click Start->Run, enter \'regedit\' and click OK).
Go to HKEY_CURRENT_USER->Software->Microsoft->Windows Script Host->Settings. If there is an entry for Timeout, delete it. I did not have this, but the source code looks like it may exist.
Go to HKEY_CURRENT_USER->Software->Microsoft->Internet Explorer->Main. Scroll down until you see an entry for Start Page. Double click on it, and edit it so it reflects the correct start page (Ideally slashdot.org or thepope.org
).
Go to HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->Run. Delete the entry for MSKernel32.
Go to HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->RunServices. Delete the entry for Win32DLL.
Go to HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. If there is an entry for WIN-BUGSFIX, delete it.
Go to HKEY_CURRENT_USER->Software->Microsoft->Windows->CurrentVersion->Explorer->Doc Find Spec MRU. This entry contains all of the most recently used files. It is not 100% necessary to delete these entries, but it would be a good idea.
Open Windows Explorer (Start->Programs->Windows Explorer). Go to c:\\windows\\system (or c:\\winnt\\system32) and delete MSKernel32.vbs, LOVE-LETTER-FOR-YOU.HTM, and LOVE-LETTER-FOR-YOU.TXT.vbs. Also, delete Win32DLL.vbs from the Windows directory.
This is the most painful part. This virus replaces every file with the following file extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg. You can\'t get the files back, but you can at least delete them pretty easily. Also, all of your mp3\'s and mp2\'s were hidden, and a new file with the same name as the file, but with a .vbs extension, were created.
First a search for all files with the .vbs or .vbe extension (Start->Find and enter \'*.vbs *.vbe\' in the Named field, then click Find Now). Select all of the results, and hit delete.
I originally advocated also searching for a line of text within the file to test which files were corrupted. With all of the different versions of the virus now floating around, this is no longer effective. It now appears that the best method is to look for all of the files of the same size. If you do not see the size attribute in your search window, maximize the window. You should now be able to see the file size. While different versions of the virus are different file sizes, most are around 10k to 13k. The trick here is to find the most common file sizes. These should be the infected files.
Once you think you know the correct file size, select all of the files in the folder. Now weed out the good files. While holding the Ctrl key, click on any entries that you do NOT want to delete. Once you have weeded out the good files, you can delete them. Rather than just pressing the delete key, hold down Shift and the press delete. This way, the files will get completely deleted so you don\'t have to empty them from the Recycle bin later. If you are having problems deleting files, go back to Step 3 and repeat.
You should repeat this process for any hard drives on your machine and any network drives you are connected to.
Finally, you will need to do a search for a couple of other misc. files that may be on your machine now. Search for WIN-BUGSFIX.exe or WIN_BUGSFIX-32.exe (if you opened Internet Explorer after getting the bug) script.ini (if you use mIRC), and possibly WinFAT32.exe. If you have any of these two files, delete them.
When all of the files are deleted, it would be a good idea to empty your recycle bin.
You may need to do a little additional clean-up work on your system. I have just posted simple instructions on getting your MP3\'s back. I also now have the fix to problems with the contents of My Computer displaying correctly.
