W97M.Evo - Removal

Risk Level 1: Very Low


Discovered: April 19, 2004
Updated: February 13, 2007 12:21:38 PM
Type: Worm, Macro
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


These instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


WARNING: If you are running Windows 95/98/Me and suspect that W97M.Evo has run, do not restart the computer until it has been removed and the Autoexec.bat file has been edited.


Note: On Windows 95/98/Me computers, if W97M.Evo was executed and you have restarted the computer, it is likely that Windows will not start. In this case, you must re-install Windows before you can continue. You may also need to re-install Norton AntiVirus, Norton Internet Security, and Microsoft Office.


  1. Update the virus definitions.
  2. Run a full system scan and repair all the files detected as W97M.Evo, except C:\Evo.txt, which should be deleted.
  3. Edit the Autoexec.bat file (Windows 95/98/Me).

For specific details on each of these procedures, read the following instructions.

1. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.


2. To scan for and repair (or delete) the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. Note the file name of any files detected as W97M.Evo.
    • If the file is C:\Evo.txt, click Delete.
    • For all other files, click Repair.


3. To edit the Autoexec.bat file
If you are running Windows 95/98/Me, follow these steps:
  1. What you do next depends on your operating system:
    • Windows 95/98: Go to step 2.
    • Windows Me: The Windows Me file-protection process may have made a backup copy of the Autoexec.bat file that you need to edit. If this backup copy exists, it will be in the C:\Windows\Recent folder. Symantec recommends that you delete this file before continuing with the steps in this section. To do this:
      1. Start Windows Explorer.
      2. Browse to and select the C:\Windows\Recent folder.
      3. In the right pane, select the Autoexec.bat file and delete it.

  2. Click Start, and then click Run.
  3. Type the following, and then click OK.

    edit c:\autoexec.bat

    (The MS-DOS Editor opens.)

  4. Delete all the lines that begin with:

    format

  5. Delete all the lines that begin with:

    copy c:

    For example:

    copy c:\windows\system32\activeds.dll+c:\EVO.txt c:\windows\system32\

    There may be over 600 of these lines. Delete all of them.

  6. Click File, and then click Save.
  7. Click File, and then click Exit.
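Steps 4 and 5 above, written as a script for cleaning an Autoexec.bat offline (for example, on a mounted disk). This is an added example, not Symantec tooling; the function names, the sample file contents, and the tolerance for leading whitespace or a leading "@" are assumptions.

```python
import re

# Prefixes named in steps 4 and 5. DOS commands are case-insensitive,
# so matching ignores case. Assumption: leading spaces/tabs and a leading
# "@" (echo suppression) are skipped before the comparison.
_PAYLOAD_LINE = re.compile(r"^[ \t]*@?[ \t]*(format|copy[ \t]+c:)", re.IGNORECASE)

# Constructed sample. The first copy line is the example shown on this page;
# the format arguments are not shown on the page and are left as a placeholder.
SAMPLE = (
    "@ECHO OFF\r\n"
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "copy c:\\windows\\system32\\activeds.dll+c:\\EVO.txt c:\\windows\\system32\\\r\n"
    "COPY C:\\WINDOWS\\SYSTEM32\\ACTIVEDS.DLL+C:\\EVO.TXT C:\\WINDOWS\\SYSTEM32\\\r\n"
    "format <arguments not shown>\r\n"
    "REM copy c:\\notes.txt a:\\ (comment, kept)\r\n"
)


def clean_autoexec(text):
    """Return (cleaned_text, removed_lines) for Autoexec.bat content.

    Lines beginning with "format" or "copy c:" are dropped; every other
    line is kept unchanged, including its original line ending.
    """
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        if _PAYLOAD_LINE.match(line):
            removed.append(line.rstrip("\r\n"))
        else:
            kept.append(line)
    return "".join(kept), removed


def clean_file(path):
    """Rewrite the file at path without the matching lines; return them."""
    # latin-1 with newline="" round-trips every byte and keeps CRLF intact.
    with open(path, "r", encoding="latin-1", newline="") as fh:
        cleaned, removed = clean_autoexec(fh.read())
    if removed:
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(cleaned)
    return removed


if __name__ == "__main__":
    cleaned, removed = clean_autoexec(SAMPLE)
    print("removed %d line(s)" % len(removed))
    print(cleaned, end="")
```

Review the returned list before relying on the result: as in the manual procedure, any legitimate line that begins with format or copy c: is removed as well.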



Writeup By: Rodney Andres