W32/Tilebot (Safe Mode) disinfection instructions
Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
Windows 95/98/Me and Windows NT/2000/XP/2003
W32/Tilebot-F, W32/Tilebot-GM, W32/Tilebot-GW, W32/Tilebot-IE and Troj/Rootkit-W can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.
Note: When disinfecting variants not listed above, use the recovery instructions in the appropriate virus analysis.
Both versions of the W32/Tilebot tool must be run in Safe Mode (or MS-DOS mode). To go into Safe Mode, do as follows.
- On Windows 2000
- Go to Start|Shut Down.
- Select Restart from the drop down list and click OK. Windows will restart.
- Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8".
- In the Windows 2000 Advanced Options Menu select the top option "Safe Mode".
- When requested, logon as local administrator.
- On Windows XP and Windows 2003
- Go to Start|Shut Down.
- Select Restart from the drop down list and click OK. Windows will restart.
- Press F8 repeatedly as the computer boots up to get to the Windows Advanced Options Menu.
- In this menu select the top option "Safe Mode", then select Windows XP or Windows 2003.
- When requested, logon as local administrator.
- On Windows 95/98
Restart the computer in MS-DOS mode. Note: starting a Command Prompt (a DOS window) is not enough.- Go to the Start menu and select Shut Down.
- Choose the option 'Restart the computer in DOS mode'.
- On Windows Me
In Windows Me you must create a startup disk to boot from.- Go to Start|Settings|Control Panel.
- Click 'Add/Remove Programs', select the 'Startup Disk' tab and click the 'Create Disk' button.
- When you have created the startup disk, write-protect it and boot from it.
Windows disinfector
TILBTGUI is a disinfector for standalone Windows computers
- open TILBTGUI
- run it
- then click GO.
If you are disinfecting several computers; download it, save it to floppy disk, write-protect the floppy disk and run it from there.
After removing the worm you should read the security bulletins and, where appropriate, install the Microsoft patches MS04-011 and MS05-039 or, on single computers, update with all relevant security patches from Windows update.
Note: Microsoft has documented several known issues with the MS04-011 update in Microsoft Knowledge Base Article 835732. Read this article carefully before applying the update. If any of the described problems occur after applying the update, please contact Microsoft support.
Command line disinfector
TILBTSFX.EXE is a self-extracting archive containing TILBTCLI, a Resolve command line disinfector for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.
After removing the worm you should read the security bulletins and, where appropriate, install the Microsoft patches MS04-011 and MS05-039 or, on single computers, update with all relevant security patches from Windows update.
Note: Microsoft has documented several known issues with the MS04-011 update in Microsoft Knowledge Base Article 835732. Read this article carefully before applying the update. If any of the described problems occur after applying the update, please contact Microsoft support.
Other platforms
To remove these worms and Trojans on other platforms please follow the instructions for removing worms.
