VBS.Haptime Removal Tool

Updated: August 24, 2005 12:00:00 AM
Type: Removal Information
The VBS.Haptime Removal tool removes the changes that the VBS.Haptime.A@mm and VBS.Haptime.B@mm worms made to the computer.

NOTES:
If you are running this tool on Windows NT or Windows 2000, you need to have Administrator-level privileges.
If you have not already done so, delete any email messages containing the worm before running the tool. The email will have either the Untitled.htm or Instlog.htm attachment.
When the tool has finished running, you will see a message indicating whether the VBS.Haptime.A@mm or VBS.Haptime.B@mm worm has infected the computer. In the case of a successful worm removal, the program will display the:
Total number of the scanned files
Number of deleted files
Number of repaired files
Number of fixed registry keys


Obtaining and running the tool
Go to http://www.symantec.com/avcenter/fixhaptime.exe.
Download the Fixhaptime.exe file to a convenient location, such as your download folder or the Windows desktop.
Close all the programs before running the tool, including any antivirus scanners, such as Norton AntiVirus (NAV) Auto-Protect.

CAUTION: Do not skip this step. You need to disable Auto-Protect before running the tool. For instructions, see the document: How to enable and disable Norton AntiVirus Auto-Protect.

Double-click the Fixhaptime.exe file to start the repair tool.
Click Start to begin the process, and then allow the tool to run.
Re-enable Auto-Protect.

Digital signature
Fixhaptime.exe is digitally signed. Symantec recommends that you only use copies of fixhaptime.exe that have been downloaded directly from the Security Response Web site. To check the authenticity of the digital signature, follow these steps:
Go to: http://www.wmsoftware.com/free.htm.
Click the link to Chktrust.exe and save the file to the same folder in which you saved fixhaptime.exe.
Click Start, point to Programs, and then click MS-DOS Prompt.
Change to the folder in which fixhaptime.exe and Chktrust.exe are stored, and then type:

chktrust -i fixhaptime.exe

For example:

cd\
cd download
chktrust -i fixhaptime.exe

Press Enter after typing each command.

If the digital signature is valid, you will see the following:

Do you want to install and run "fixhaptime.exe" signed on 8/23/01 3:25 PM and distributed by Symantec Corporation?

NOTES:
The date and time displayed in this dialog will be adjusted to your time zone if your computer is not set to the Pacific time zone.
If you are using Daylight Saving time, the displayed time will be exactly one hour earlier.
If this dialog does not appear, do not use your copy of fixhaptime.exe. It is not from Symantec.

Click Yes to close the dialog box.
Type exit, and then press Enter. (This will close the MS-DOS session.)

What the tool does
The VBS.Haptime removal tool does the following:
Scans and repairs files infected with the VBS.Haptime.A@mm or VBS.Haptime.B@mm worm.

Does not repair the files dropped by the worm. The following files infected with VBS.Haptime will be deleted:
Help.htm
Help.hta
Help.vbs
Untitled.htm
instlog.htm
Syslog.htm
Syslog.vbs
Syslog.hta

Removes the following registry key for all the users:

HKEY_USERS\[USER NAME]\Software\Help

In the registry key:

HKEY_USERS\[USER NAME]\Control Panel\Desktop

the removal tool updates the following value for all the users:

Wallpaper [EMPTY STRING]

In the registry key:

HKEY_USERS\[USER NAME]\Identities\[DEFAULT USER ID]\Software\Microsoft\Outlook Express\5.0\Mail

The tool updates the following values for all the users:

Message Send HTML 0
Compose Use Stationery 0
Stationery Name [EMPTY STRING]
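
A check of the registry state listed above, as an added example that is not part of the original page or of the removal tool: it parses the text of a registry export and reports, per user, where keys and values differ from what the page says the tool sets. The sample export, the user identifiers and the function names parse_reg and audit are constructed for illustration, and a real export must be decoded to text before it is passed in.

```python
import re
EXPECTED = [  # state the tool leaves behind, per the page: subkey pattern -> expected values
    (re.compile(r"control panel\\desktop", re.I), {"wallpaper": ""}),
    (re.compile(r"identities\\[^\\]+\\software\\microsoft\\outlook express\\5\.0\\mail", re.I),
     {"message send html": 0, "compose use stationery": 0, "stationery name": ""}),
]
REMOVED = re.compile(r"software\\help(\\.*)?", re.I)  # key the tool removes for every user

def parse_reg(text):
    """Parse decoded .reg export text into {key_path: {lowercased_name: str or int}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue  # header, blank line, key line, or a value type this audit ignores
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg escaping
    return keys

def audit(text):
    """Return (user, subkey, value_name, actual) for every deviation from the cleaned state."""
    findings = []
    for path, values in parse_reg(text).items():
        root, user, sub = (path.split("\\", 2) + ["", ""])[:3]
        if root.upper() != "HKEY_USERS" or not sub:
            continue
        if REMOVED.fullmatch(sub):
            findings.append((user, sub, None, "key present"))
        for pattern, expected in EXPECTED:
            if pattern.fullmatch(sub):  # absent values are not reported, only differing ones
                findings += [(user, sub, n, values[n]) for n, want in expected.items()
                             if n in values and values[n] != want]
    return findings

# Constructed sample export (not real data): user ...-1001 matches, ...-1002 does not.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-0-0-0-1001\Control Panel\Desktop]
"Wallpaper"=""
[HKEY_USERS\S-1-5-21-0-0-0-1002\Software\Help]
[HKEY_USERS\S-1-5-21-0-0-0-1002\Control Panel\Desktop]
"Wallpaper"="C:\\constructed\\example.htm"
[HKEY_USERS\S-1-5-21-0-0-0-1002\Identities\{00000000-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\Mail]
"Message Send HTML"=dword:00000001
"Stationery Name"="C:\\constructed\\example.htm"'''
```

A non-empty Wallpaper or stationery value can also be a user's own setting, so a finding shows a difference from the state the tool leaves, not proof of infection.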

