W95.Hybris.Plugin - Removal

Risk Level 2: Low


Discovered: December 21, 2000
Updated: February 13, 2007 11:34:45 AM
Also Known As: I-Worm.Hybris.plugin [Kaspersk, W32/Hybris.plugin@MM [McAfee], WORM_HYBRIS.PLG [Trend], W32/Hybr-Plugin [Sophos], Win32.Hybris.plugin [Computer
Type: Worm
Systems Affected: Windows 95, Windows 98, Windows Me


General removal instructions:
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Make sure that Norton AntiVirus is set to scan all files.
  3. Restart the computer in Safe mode (Windows 95/98/Me).
  4. Run a full system scan.
    • If Norton AntiVirus detects W95.HybrisF, reboot into Normal mode and download and run the W95.HybrisF fix tool. This tool will repair any Windows executable files that have been infected by the W95.HybrisF.plugin.
    • If Norton AntiVirus detects an infection other than W95.HybrisF, choose to repair any infected files. If Norton AntiVirus cannot repair the files, choose to delete them.
  5. When the scan is finished, reboot into Normal Mode.

Removal instructions for the black and white spiral or black circle:
The spiral or circle loads from the run= line of the Win.ini file. In most cases, because the spiral will prevent you from opening programs, you need to:
  1. Run LiveUpdate and run a full system scan.
  2. Restart the computer in Safe mode.
  3. Make sure Windows is set to show all files.
  4. Remove the reference to the plug-in from the Run line of the Win.ini file.
  5. Find and delete the plug-in itself.
  6. Extract the Wsock32.dll file from the Cab files.
  7. Run LiveUpdate and then run a full system scan.

    To update and scan:
    1. Run LiveUpdate to make sure that you have the most recent virus definitions.
    2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
    3. If any files are detected as infected, click Repair.

    To restart the computer in Safe mode:
    • Windows 95:
      1. Exit all programs.
      2. Click Start, and then click Shut Down. The Shut Down Windows dialog box appears.
      3. Click Restart, and then click OK.
      4. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
      5. Press the number that corresponds to Safe mode, and then press Enter. Windows will start in Safe mode.
    • Windows 98:
      1. Click Start, and then click Run.
      2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
      3. Click Advanced on the General tab.
      4. Check Enable Startup Menu, click OK, and then click OK again.
      5. Exit all programs.
      6. Click Start, and then click Shut Down. The Shut Down Windows dialog box appears.
      7. Click Restart, and then click OK. The computer restarts.
      8. When the Windows 95 Startup Menu appears, press the number that corresponds to Safe mode, and then press Enter. Windows will start in Safe mode.


    To set Windows to show all files:
    1. Start Windows Explorer.
    2. Click the View menu (Windows 95/98) or the Tools menu (Windows Me), and then click Options or Folder Options.
    3. Click the View tab, and uncheck, if necessary, Hide file extensions for known file types.
    4. Click Show all files and click OK.

    To edit the Win.ini file:
    1. Click Start, and then click Run.
    2. Type sysedit and then click OK.
    3. Click the title bar of the Win.ini file.
    4. In the [windows] section, locate the Run= line, and note what follows the = sign. For example, you may see:

      run=C:\Windows\System\amiaamia.exe

      Write down the file name, for example, amiaamia.exe.
    5. Place the cursor to the right of the = sign and delete the text that follows it. When finished, it should look like:

      run=
    6. Click the File menu, and then click Exit. Click Yes when prompted to save changes.

    To delete the plug-in file:
    1. Click Start, point to Find, and then click Files or Folders.
    2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
    3. In the Named box, type the file name that you wrote down in step 4 of the previous section.

      NOTE: The file name that is referred to in step 4 of the previous section is an example only. The plug-in that makes the entry in the Win.ini file creates a somewhat random file name. (It is not completely random, as multiple cases of the same file name have been reported.) The file name will usually consist of eight letters with the .exe extension. The name consists of a sequence of four letters which are then repeated. For example:
      • Gbpkgbpk.exe
      • Aboaaboa.exe
      • Enpeenpe.exe
      • Agaiagai.exe
    4. Click Find Now.
    5. When the file is found, select it, press Delete, and then click Yes to confirm.
    6. Restart the computer in normal mode.
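The two manual steps above (reading the run= line of Win.ini and recognising the repeated-four-letter file name) can be checked programmatically. The following Python script is an added example, not part of the original writeup or any Symantec tool; it parses a constructed Win.ini fragment, flags run= entries whose file name matches the eight-letter repeated pattern described in the note, and produces a copy of the file with the run= value emptied, which is what step 5 of "To edit the Win.ini file" does by hand. The sample path and file name are made up for the example.

```python
import re

# Constructed sample of a Win.ini [windows] section as the Hybris plug-in
# would leave it. The path and file name are invented for this example.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\Windows\\System\\gbpkgbpk.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Eight letters made of a four-letter group written twice, plus ".exe",
# e.g. gbpkgbpk.exe or agaiagai.exe (compared in lower case).
PLUGIN_NAME_RE = re.compile(r"^([a-z]{4})\1\.exe$")


def parse_run_line(ini_text: str) -> list[str]:
    """Return the program entries on the run= line of the [windows] section.

    Win.ini allows several programs on run=, separated by commas or spaces,
    so the value is split into a list; an empty or missing run= gives [].
    """
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "run":
                return [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return []


def looks_like_hybris_plugin(path: str) -> bool:
    """True when the file name part of `path` fits the repeated-4-letter pattern."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return PLUGIN_NAME_RE.match(name) is not None


def find_suspect_run_entries(ini_text: str) -> list[str]:
    """Run= entries that should be written down and deleted per the steps above."""
    return [p for p in parse_run_line(ini_text) if looks_like_hybris_plugin(p)]


def clear_run_line(ini_text: str) -> str:
    """Return the file text with the [windows] run= value emptied (step 5).

    Only the run= line inside [windows] is touched; every other line,
    including line endings, is copied through unchanged.
    """
    out = []
    section = None
    for raw in ini_text.splitlines(keepends=True):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.lower().startswith("run="):
            raw = "run=" + ("\n" if raw.endswith("\n") else "")
        out.append(raw)
    return "".join(out)


if __name__ == "__main__":
    suspects = find_suspect_run_entries(SAMPLE_WIN_INI)
    print("Suspect run= entries:", suspects)
    print("Cleaned [windows] section:")
    print(clear_run_line(SAMPLE_WIN_INI))
```

A real run would read C:\Windows\Win.ini instead of SAMPLE_WIN_INI; the flagged file names are the ones to search for and delete in the steps above, and the cleaned text is what sysedit should show after the run= value is removed. Any entry on run= that is not recognised by the pattern still deserves a look, since the note states the naming is only usually eight letters.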


    NOTE: For Windows 98 users only, if you used the Microsoft System Configuration Utility to enable the startup menu, then you can disable it at this time. Please follow these steps to do so:
    1. Click Start, and then click Run.
    2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
    3. Click Advanced on the General tab.
    4. Uncheck Enable Startup Menu, click OK, and then click OK again.
    5. Restart the computer.



    To extract a new copy of the Wsock32.dll file:

    This is necessary because this file has very likely been infected by the virus and is critical for accessing the Internet and using the computer. You need to use the Extract command at a DOS prompt to restore a good copy of the file from the Windows installation files.

    There are two locations from which the file can be extracted:
    • The Windows installation files on your hard drive. On many newer computers, the .cab files that contain the Windows installation files are stored on the computer's hard drive. If you are sure that this is the case, then see the section To extract files that are located on the hard drive.
    • The Microsoft Windows 95/98 Installation CD. If you do not have the .cab files on the hard drive, then see the section To extract files that are located on the installation CD.
    CAUTION: If you have upgraded to Windows 98 from Windows 95, unless you are sure that the cabinet files on the hard drive are from Windows 98, you should extract the files from the installation CD and not from the files on the hard drive.

    NOTES:
    • These instructions are provided for your convenience. The extraction of Windows files uses Microsoft programs and commands. Symantec does not provide warranty support for or assistance with Microsoft products.
    • There are numerous versions of the Windows installation CD available. Each of these may have the needed files in a different location within the .cab files. In the instructions that follow, while the command provided tells the extraction program to start in a specific location, the command also includes the "/a" switch. This command switch will cause the extract program to search recursively through all of the cabinet files that follow, in sequence, until it finds the indicated file. It will not search, however, for files that are in the previous .cabs.

    To extract files that are located on the hard drive:
    1. Type dir /s /b \precopy1.cab and then press Enter. This displays the path to the Precopy1.cab file. If the file is not found, then it is likely that the .cab files are not on the hard drive, in which case you should skip to the section To extract files that are located on the installation CD.
    2. Change to the folder where the Precopy1.cab file is located.
    3. What you do next depends on which operating system you are using:
        NOTES:
        • If you see "File not found" after entering any of the commands, then verify that it was typed exactly as shown.
        • If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and then press Enter.
        • If Windows is installed to a different location, then substitute the appropriate path.

        CAUTION: You must be very careful when you type the destination of the file to be extracted, for example, C:\Windows. If you designate a destination folder that does not exist, then the extract command will create the new folder and extract the file to that folder without prompting you to confirm the creation. The result can be that the infected Windows system file is not overwritten.
      • If you are using Windows 98, then type the following command, and then press Enter:

        extract /a precopy1.cab wsock32.dll /L c:\windows\system
      • If you are using Windows 95, then type the following command, and then press Enter:

        extract /a win95_10.cab wsock32.dll /L c:\windows\system

    To extract files that are located on the installation CD:

    NOTES:
    • The instructions that follow are for the most widely-distributed CD versions of Windows 95/98. There are, however, numerous versions, some of which were distributed on floppy disks. Each version may have the .cab files in a different location, or may have the files that you need to extract in a different .cab file. It is beyond the scope of this document to include instructions for every version.
    • If you do not have the Windows installation CD for which the following commands were written, then you may have to change the command to the correct path for your version. You will also have to locate the .cab file that contains the file that you need to extract. For additional information on this, see the document Which cabinet files contain the original Windows files?
    1. Insert the Windows 98 Startup disk in the floppy disk drive.
    2. Insert the Windows 98 Installation CD in the CD-ROM drive.
    3. Turn off the computer, and then wait thirty seconds.
    4. Turn on the computer. The computer starts to a startup menu.
    5. The default menu item is Start Computer with CD-ROM Support. Do not change this, but instead press Enter.
    6. Allow the computer to finish booting to an A:\> prompt. This could take a few minutes.
    7. The next step is to change to the CD-ROM drive. Because you are using the Startup disk, the drive letter will be one letter greater than the drive letter that usually represents the CD-ROM drive. For example, if the CD-ROM drive is the D drive in Windows, it will be the E drive.

      Type the following, changing the drive letter as necessary, and then press Enter:

      e:\win98 (If the installation disk is for Windows 98)

      or

      e:\win95 (If the installation disk is for Windows 95)

      If you see an error message, then try retyping the command with a different drive letter, for example, f:\win98
    8. What you do next depends on which version of Windows you are running:
        NOTES:
        • If you see "File not found" after entering any of the commands, then verify that it was typed exactly as shown.
        • If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and then press Enter.
        • If Windows is installed to a different location, then substitute the appropriate path.

        CAUTION: You must be very careful when you type the destination of the file to be extracted, for example, C:\Windows. If you designate a destination folder that does not exist, then the extract command will create the new folder and extract the file to that folder without prompting you to confirm the creation. The result can be that the infected Windows system file is not overwritten.
      • If you are running Windows 98, then type the following command, and then press Enter:

        extract /a precopy1.cab wsock32.dll /L c:\windows\system
      • If you are running Windows 95, then type the following command, and then press Enter:

        extract /a win95_10.cab wsock32.dll /L c:\windows\system
    If you experience no error messages, then you are finished with the extraction process.

    Run a scan again
    To be sure that all infected files have now been removed, run LiveUpdate and then run a full system scan.



    Writeup By: Richard Cave