VBS.Potok@mm Removal Tool

Updated: August 24, 2005 12:00:00 AM
Type: Removal Information
The VBS.Potok@mm Fix Tool deletes the files dropped by the VBS.Potok@mm worm and repairs files by removing VBS.Potok@mm streams.

To obtain and run the tool:
Go to http://www.sarc.com/avcenter/FixPotok.exe.
Download the FixPotok.exe file to a convenient location, such as your download folder or the Windows desktop. If you are on a network, apply the removal tool on all computers, including the server.
To check the authenticity of the digital signature, refer to the section The digital signature.
Close all programs before running the tool, including any antivirus scanners such as NAV Auto-Protect.

CAUTION: Do not skip this step. You must disable Auto-Protect before you run the tool. For instructions, see the document How to enable and disable Norton AntiVirus Auto-Protect.

If you are on a network or you have a full-time connection to the Internet, disconnect the computer from the network and the Internet. Disable or password protect file sharing before you reconnect computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

CAUTION: Do not skip this step. You must disconnect from the network before running the tool.

If you are running Windows Me or XP, then disable System Restore. Please refer to the section System Restore option in Windows Me/XP for additional details.

NOTE: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.

Double-click the FixPotok.exe file to start the removal tool.

NOTES:
If you downloaded the tool to a floppy disk, and want to run it from the floppy, see the section How to run the tool from a floppy disk at the end of this document for special instructions.
If you are running Windows Me and System Restore remains enabled, you will see a warning message. You can either run the removal tool with the System Restore option enabled (not recommended) or exit the removal tool.

By default, the removal tool scans .vbs and .ini files only. To enable scanning files with all extensions, check the "Scan files with all extensions" check box.
Click Start to begin the process, and then allow the tool to run.
If you are running Windows Me/XP, then re-enable System Restore.
Re-enable Auto-Protect.

NOTES:
If you see a message that the tool must be run in Safe mode, restart the computer in Safe mode and run the tool again. You must follow this instruction to ensure that the virus does not reinfect the computer. To restart in Safe mode, see the document How to restart Windows 9x or Windows Me in Safe Mode.
The removal procedure might be unsuccessful if Windows Me System Restore is not disabled as previously directed because Windows prevents System Restore from being modified by outside programs. Because of this, any worm-removal attempts made by the removal tool might fail.
When the procedure is finished, the removal tool may detect that you are running Windows Me and that System Restore is disabled. In this case, you will see a reminder message to re-enable this option.
If you need to run the tool using login scripts or batch files with no messages displayed, then use the following command line syntax for the "Silent" mode:

FixPotok.exe /s

When the tool has finished running, you will see a message indicating whether the computer was infected by VBS.Potok@mm. If the worm was removed, the program displays the following results:
The total number of the scanned files.
The number of deleted files.
The number of repaired files.

What the tool does
The VBS.Potok@mm removal tool does the following:
It scans and deletes files dropped by VBS.Potok@mm.
Any files stored on NTFS partitions are repaired so that the infected streams are deleted with no damage to the scanned file.
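
The repair described above works on NTFS data streams attached to otherwise normal files. As an added example (not part of the Symantec tool or this document), the following PowerShell function reports non-default streams on .vbs and .ini files, the tool's default scan set. It assumes Windows PowerShell 3.0 or later; the function name, the scratch folder, and the stream name `constructed-demo` are illustrative and do not come from the worm.

```powershell
# Added example: report non-default NTFS data streams on .vbs and .ini files.
# Requires Windows PowerShell 3.0 or later and an NTFS volume.
function Get-AlternateStream {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        [string[]] $Extensions  = @('.vbs', '.ini'),      # the tool's default scan set
        [string[]] $KnownBenign = @('Zone.Identifier')    # download marker written by Windows
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension } |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream; ':$DATA' is the file's ordinary content.
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $KnownBenign -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Constructed sample: a scratch folder with one clean file and one file carrying an extra stream.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'clean.ini')  -Value '[settings]'
Set-Content -LiteralPath (Join-Path $demo 'tagged.ini') -Value '[settings]'
Set-Content -LiteralPath (Join-Path $demo 'tagged.ini') -Stream 'constructed-demo' -Value 'placeholder'

Get-AlternateStream -Root $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

A stream reported here is a lead for review, not proof of infection; legitimate software also writes alternate streams.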

The digital signature
FixPotok.exe is digitally signed. Symantec recommends that you only use copies of FixPotok.exe that have been downloaded directly from the SARC download site. To check the authenticity of the digital signature, follow these steps:
Go to http://www.wmsoftware.com/free.htm
Download and save the chktrust.exe file to the same folder where you saved FixPotok.exe, for example, C:\Downloads.
Click Start, point to Programs, and click MS-DOS Prompt.
Change to the folder where FixPotok.exe and Chktrust.exe are stored, and then type:

chktrust -i FixPotok.exe

For example, if you saved the file to the C:\Downloads folder:

cd \
cd downloads
chktrust -i FixPotok.exe

Press Enter after typing each command.

If the digital signature is valid, you will see the following prompt:

Do you want to install and run "FixPotok.exe" signed on 7/31/2001 12:24 PM and distributed by Symantec Corporation.

NOTES:
The date and time that are displayed in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
If you are using Daylight Saving Time, the time that is displayed will be exactly one hour earlier.
If this dialog box does not appear, do not use your copy of FixPotok.exe. It is not from Symantec.

Click Yes to close the dialog box.
Type exit and then press Enter. This will close the MS-DOS session.
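
On current Windows systems the same check can be scripted instead of reading a dialog box. The following is an added example, not part of Symantec's procedure: it uses the built-in `Get-AuthenticodeSignature` cmdlet (Windows PowerShell 3.0 or later assumed) and treats the file as trusted only if the signature validates and the signer name matches the publisher shown in the prompt above. The function name `Test-ToolSignature` is illustrative.

```powershell
# Added example: refuse to use FixPotok.exe unless its Authenticode signature
# validates and the signer is the publisher named in this document.
function Test-ToolSignature {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [string] $ExpectedPublisher = 'Symantec Corporation'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Read the signer's common name; unsigned files have no certificate at all.
    $signer = $null
    if ($sig.SignerCertificate) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $signer
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedPublisher)
    }
}

# C:\Downloads is the example folder used in this document.
$tool = 'C:\Downloads\FixPotok.exe'
if (Test-Path -LiteralPath $tool) {
    $result = Test-ToolSignature -Path $tool
    $result | Format-List
    if (-not $result.Trusted) {
        Write-Warning "Do not run $tool : signature status '$($result.Status)', signer '$($result.Signer)'."
    }
}
```

Any status other than Valid, including a certificate chain that the local machine no longer trusts, leaves `Trusted` false, which matches the document's instruction not to use a copy that fails the check.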

System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that on-line scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
How to disable or enable Windows Me System Restore.
How to disable or enable Windows XP System Restore.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

How to run the tool from a floppy disk
Insert the floppy disk that contains the Fixpotok.exe file into the floppy disk drive.
Click Start, and click Run.
Type the following, and then click OK:

a:\fixpotok.exe

NOTE: If you are running Windows Me and System Restore is enabled, you will see a warning message. You can either run the removal tool with the System Restore option enabled or exit the removal tool.

Click Start to begin the process, and then allow the tool to run.
If you are running Windows Me, then re-enable System Restore.
