W32/Hybris-B

Category: Viruses and Spyware
Protection available since: 06 Nov 2000 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 06 Nov 2000 00:00:00 (GMT)
Prevalence: Many Reports

Affected Operating Systems

Windows

Recovery Instructions:

Please follow the instructions for removing worms.

Windows NT/2000

To close the spiral in Windows NT/2000 press Ctrl-Alt-Del to access the Task Manager, select the relevant process and then click the "End Task" button. The process will have a name consisting of 8 random characters, e.g. FHJENJXE. A file with this name (and a .EXE extension) will be in the Windows system directory. This should be deleted. Also, in the win.ini file, which can be found in the Windows directory, there will be a run= line that points to this EXE file. Delete the file name from that line.

Now remove any other worm files using the Windows NT instructions for removing worms.

Windows 95/98/Me

To close the spiral you will have to go into DOS mode and you will need SWEEP for DOS.

Either download the Emergency SAV distribution and unzip it, or create a folder 'Sophtemp' and copy the contents of the DOS folder on the CD into it.

a) On Windows 95/98

Go to the Start menu and select Shut Down. Choose the option "Restart the computer in DOS mode". Starting a Command Prompt (a DOS window) is not enough.

b) On Windows Me

You cannot go directly into MS-DOS mode in Windows Me. You must create a startup disk to boot from. At the Windows taskbar, select Start|Settings|Control Panel. Click on "Add/Remove Programs". Select the "Startup Disk" tab and press the "Create Disk" button. When you have created the startup disk, write-protect it. Place it in the A: drive and reboot to a command prompt.

At the DOS prompt type

C:
CD \
CD SOPHTEMP
SWEEP *: -REMOVEF

Say 'Yes' when prompted to delete a file (provided it is a W32/Hybris-B file). Make a note of its name.

Reboot to Windows.

In the win.ini file, which can be found in the Windows directory, there will be a run= line that points to the file that you deleted above. Delete the file name from that line.
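
The win.ini clean-up step above, as an added Python example (not Sophos code). It lists run= entries in the [windows] section that fit the 8-character .EXE pattern, then removes only the name noted during removal, because a legitimate program can fit the same pattern. The function names, the sample file and the separator handling are assumptions.

```python
import re

# The page describes a name of 8 random characters plus .EXE (its example is
# FHJENJXE). Assumption: the characters are letters.
EIGHT_LETTER_EXE = re.compile(r"^[A-Za-z]{8}\.EXE$", re.IGNORECASE)

# Constructed sample win.ini; the paths and SCHEDULE.EXE are made up.
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\WINNT\\SYSTEM32\\FHJENJXE.EXE C:\\APPS\\SCHEDULE.EXE\r\n"
    "[Desktop]\r\n"
)

def _basename(entry):
    # win.ini holds Windows paths, so split on backslash (and slash).
    return re.split(r"[\\/]", entry.strip('"'))[-1]

def _run_lines(text):
    """Yield (line, entries); entries is None unless line is run= in [windows]."""
    section = ""
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            # Assumption: entries are split by spaces or commas, none embedded.
            yield line, [e for e in re.split(r"[ ,]+", value.strip()) if e]
        else:
            yield line, None

def find_candidates(text):
    """List run= entries whose file name fits the 8-letter .EXE pattern."""
    return [e for _, entries in _run_lines(text) for e in entries or []
            if EIGHT_LETTER_EXE.match(_basename(e))]

def remove_entry(text, noted_name):
    """Drop only the entry whose file name equals the name noted during removal."""
    out = []
    for line, entries in _run_lines(text):
        kept = [e for e in entries or [] if _basename(e).lower() != noted_name.lower()]
        if entries and len(kept) != len(entries):
            line = "run=" + " ".join(kept)
        out.append(line)
    return "\r\n".join(out) + "\r\n"
```

On the sample, find_candidates reports both FHJENJXE.EXE and the unrelated SCHEDULE.EXE, while remove_entry with the noted name leaves SCHEDULE.EXE on the run= line.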
