W95.Ussrhymn - Removal

Risk Level 2: Low


Discovered: November 9, 2000
Updated: February 13, 2007 11:34:48 AM
Also Known As: Win32.ZHymn.a [KAV], W95/Zhymn.a [McAfee], W32/ZHymn [Sophos], PE_USSRHYMN.A [Trend], Win32.Zombie.19986 [CA]
Type: Virus
Systems Affected: Windows 95, Windows 98, Windows Me


Some files infected with W95.Ussrhymn cannot be repaired, and you will have to reinstall the software or restore the files from backups.

To remove this virus:
Follow these steps to remove this virus:
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.

    NOTE: Virus definitions dated November 13, 2000, or later will detect this virus. If your definitions are older than this and the damage done by the virus prevents you from running LiveUpdate, you can use a Rescue Disk created on an uninfected computer to remove the virus. In this case, skip to the section titled To create and scan with Rescue disks.
  2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
  3. If any files are found to be infected by W95.Ussrhymn, click Repair.
    • If NAV is unable to repair a file, write down the file name and location, and then click Quarantine or Delete.
    • If NAV is unable to quarantine or delete a file, you will have to delete the file manually. In most cases you must restart the computer to do this.
  4. Restart the computer.
  5. Restore all deleted or quarantined files from program installation disks or from a backup.

    NOTE: If the Wsock32.dll cannot be repaired, you must extract a new copy. There are various ways to do this, and not all methods will work on all systems. For instructions on how to extract this file on most Windows 95/98 computers, see the section To extract a new copy of Wsock32.dll.

To create and scan with Rescue disks
  1. On another, uninfected computer on which NAV is installed, run LiveUpdate and create a Rescue disk set. For instructions on how to do this, see the document How to create or update a Norton AntiVirus rescue disk set when Norton AntiVirus is already installed.
  2. Insert Rescue disk 1 into the floppy disk drive of the infected computer, and restart the computer.
  3. Follow the prompts to run a virus scan.
  4. Remove the Rescue disk, and then restart the computer.
  5. Restore all deleted or quarantined files from program installation disks or from a backup.

    NOTE: If the Wsock32.dll cannot be repaired, you must extract a new copy. There are various ways to do this, and not all methods will work on all systems. For instructions on how to extract this file on most Windows 95/98 computers, see the section To extract a new copy of Wsock32.dll.

To extract a new copy of Wsock32.dll:
Use the Extract command at a DOS prompt to restore a good copy of this file from the Windows installation files.

There are two locations from which this file can be extracted:
  • The Windows installation files on your hard drive. On many newer computers, the .cab files that contain the Windows installation files are stored on the computer's hard drive. If you are sure that this is the case, then see the section How to extract files that are located on the hard drive.
  • The Microsoft Windows 95/98 installation CD. If you do not have the .cab files on the hard drive, then see the section How to extract files that are located on the installation CD.
CAUTION: If you are running Windows 95 or have upgraded the computer to Windows 98 from Windows 95, then read the following:
  • If you are running Windows 95 and you have installed Internet Explorer 4.0 or later at any time, then it is not likely that extracting the Explorer.exe file will work on your computer. This is because the Internet Explorer installation replaces Explorer.exe and other files with later versions. Replacing only the Explorer.exe file from the .cab files will not work in most cases, as the older file will not work with the many other files that were also updated by the installation. If this is your situation, then you may have to reinstall Windows 95 completely, or update to Windows 98 or later.
  • If you have upgraded to Windows 98 from Windows 95, then unless you are sure that the cabinet files on the hard disk are from Windows 98, you should extract the files from the installation CD and not from the files on the hard disk.
NOTES:
  • These instructions are provided for your convenience. The extraction of Windows files uses Microsoft programs and commands. Symantec does not provide warranty support for or assistance with Microsoft products.
  • Numerous versions of the Windows installation CD are available. Each of these may have the needed files in a different location within the .cab files. In the following instructions, while the command provided tells the extraction program to start in a specific location, the command also includes the "/a" switch. This command switch causes the extract program to search recursively through all of the cabinet files that follow, in sequence, until it finds the indicated file. It will not search for files that are in the previous .cabs. For example, the Windows 98 command

    extract /a precopy1.cab wsock32.dll /L c:\windows\system

    will start with .cab 40, then search .cab 41, and so on. It will not search .cab 39 or previous .cab files.

    The Windows 98 .cab files usually begin at 21 and typically end in the upper 70's (usually 74). We begin the search with .cab 40 because, in most cases, these files are in .cab 44 or 45. This is done to speed up the search for these files. If you have a version of the Windows installation files that is different from the standard format, then you will have to adjust the command accordingly. For example, if you are running Windows 98, and the command

    extract /a win98_40.cab wsock32.dll /L c:\windows

    does not locate the Wsock32.dll file, and you are sure that you have entered it exactly as shown, try changing the number of the .cab file in which the search starts, for example, to

    extract /a win98_20.cab wsock32.dll /L c:\windows

To extract files that are located on the hard drive:
  1. Type dir /s /b \precopy1.cab and then press Enter. This displays the path to the Precopy1.cab file. If the file is not found, then it is likely that the .cab files are not on the hard drive. If that is the case, skip to the section How to extract files that are located on the installation CD.
  2. Change to the folder where the Precopy1.cab file is located.
  3. What you do next depends on which operating system you are using:

    NOTES:
    • If you see "File not found" after entering any of the commands, then verify that it was typed exactly as shown.
    • If you see a message asking whether you want to overwrite a file, then press Y for Yes and press Enter.
    • If Windows is installed in a different location, then substitute the appropriate path.

    CAUTION: You must be very careful when you type the destination of the file to be extracted, for example, C:\Windows. If you designate a destination folder that does not exist, the extract command will create the new folder and extract the file to that folder without prompting you to confirm the creation. The result can be that the infected Windows system file is not overwritten.

    Windows 98
    If you are running Windows 98, then type the following command and press Enter:

    extract /a precopy1.cab wsock32.dll /L c:\windows\system

    Windows 95
    If you are running Windows 95, then type the following command and press Enter:

    extract /a win95_10.cab wsock32.dll /L c:\windows\system

    If you do not see any error messages, then you are finished extracting files.
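
The CAUTION above, turned into a batch file as an added example (not part of the original write-up): it refuses to run extract unless the destination folder already exists, so a mistyped path cannot leave the infected file in place. The file name FIXSOCK.BAT and the C:\WINDOWS\SYSTEM destination are assumptions; the same check applies when extracting from the installation CD.

```bat
@echo off
rem FIXSOCK.BAT - added example, not Symantec's or Microsoft's own file.
rem Assumptions: Windows is installed in C:\WINDOWS and this batch file is
rem run from the folder that holds the .cab files.
rem Usage:  FIXSOCK precopy1.cab     (Windows 98)
rem         FIXSOCK win95_10.cab     (Windows 95)

if "%1"=="" goto usage

rem The /a switch only searches forward from the cabinet named here,
rem so make sure the starting cabinet is really in the current folder.
if not exist %1 goto nocab

rem On Windows 95/98 a folder exists if the NUL device can be found in it.
rem Stop here instead of letting extract create a mistyped folder.
if not exist c:\windows\system\nul goto nodest

extract /a %1 wsock32.dll /L c:\windows\system

rem Show the file that is now in the system folder so its date and size
rem can be compared with the Windows installation files.
if not exist c:\windows\system\wsock32.dll goto missing
dir c:\windows\system\wsock32.dll
goto end

:usage
echo Usage: FIXSOCK first-cab-file
goto end

:nocab
echo %1 was not found in the current folder. Nothing was extracted.
goto end

:nodest
echo C:\WINDOWS\SYSTEM does not exist. Nothing was extracted.
echo Edit the destination path in this file if Windows is installed elsewhere.
goto end

:missing
echo Wsock32.dll is not in C:\WINDOWS\SYSTEM. Try an earlier starting cabinet.

:end
```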

To extract files that are located on the installation CD:
NOTES:
  • The instructions that follow are for the most widely distributed CD versions of Windows 95/98. There are, however, numerous versions, some of which were distributed on floppy disks. Each version may have the .cab files in a different location, or may have the files that you need to extract in a different .cab file. It is beyond the scope of this document to include instructions for every version.
  • If you do not have the Windows installation CD for which the following commands were written, then you may have to change the command to the correct path for your version. You will also have to locate the .cab file that contains the file that you need to extract. For additional information on this, see the document Which Cabinet files contain the original Windows files?
  1. Insert the Windows 95/98 Startup disk in the floppy disk drive.
  2. Insert the Windows 95/98 Installation CD in the CD-ROM drive.
  3. Turn off the computer, and wait thirty seconds.
  4. Turn on the computer. The computer boots to a startup menu.
  5. The default menu item is Start Computer with CD-ROM Support. Do not change this, but instead press Enter.
  6. Allow the computer to finish booting to an A:\> prompt. This could take a few minutes.
  7. The next step is to change to the CD-ROM drive. Because you are using the Startup disk, the drive letter will be one letter greater than the drive letter that usually represents the CD-ROM drive. For example, if the CD-ROM drive is drive D in Windows, it will be drive E here.

    Type the following, changing the drive letter as necessary, and then press Enter:

    e:\win98 (If the installation disk is for Windows 98)

    or

    e:\win95 (If the installation disk is for Windows 95)

    If you see an error message, then retype the command using a different drive letter, for example, f:\win98
  8. What you do next depends on which operating system you are using:

    NOTES:
    • If you see "File not found" after entering any of the commands, then verify that it was typed exactly as shown.
    • If you see a message prompting whether you want to overwrite a file, then press Y for Yes and press Enter.
    • If Windows is installed in a different location, then substitute the appropriate path.

    CAUTION: You must be very careful when you type the destination of the file to be extracted, for example, C:\Windows. If you designate a destination folder that does not exist, the extract command will create the new folder and extract the file to that folder without prompting you to confirm the creation. The result can be that the infected Windows system file is not overwritten.

    Windows 98
    If you are running Windows 98, type the following command and press Enter:

    extract /a precopy1.cab wsock32.dll /L c:\windows\system

    Windows 95
    If you are running Windows 95, type the following command and press Enter:

    extract /a win95_10.cab wsock32.dll /L c:\windows\system

    If you see no error messages, then you are finished extracting files.

Writeup By: Peter Ferrie