PWsteal.trojan


Jammy (User, joined 2 Feb 2001, 326 posts)
Hello,

I had PWsteal.trojan before I installed NAV 2003.
Infected file: c\windows\system32\mnsvcsp.dll
How can I remove it? I have already looked on the Symantec site but I can't figure it out.

NAV2003 cannot remove it; LiveUpdate has been done.

Who can help me?
 
Hi.

A quick search with Google works wonders.
Read this through.
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as PWSteal.Trojan.
If NAV was not able to delete all files that it detected as infected, continue on and follow the Solution which best suits your needs.
There is more than one way to remove this Trojan. In most cases it can be removed in Safe mode. Please see Solution 1 for information on how to do this. If this does not resolve the problem, if you are not able to boot to Safe mode after following the instructions, or if you prefer to work in MS-DOS mode, then see Solution 2. A third section, Solution 3, details removal instructions for those users running Windows NT or Windows 2000.

NOTES:
The procedure described in this document will remove most variants of this Trojan. If, after following these instructions, NAV still detects files infected with the PWSteal.Trojan, but NAV cannot delete or quarantine the infected files when commanded to do so, then see the document Cannot delete or quarantine files infected with PWSteal.Trojan after removing the PWSteal.Trojan or the AOL.PWSteal.32512 Trojan.
If you have not already done so, then we strongly recommend that you download the most recent virus definitions and program updates by running LiveUpdate. After doing so, run a full system scan, making sure that NAV is set to scan all files.
If you are using a high-speed connection, such as cable or DSL, and you have run a scan using the most recent virus definitions, then you may have multiple instances of this virus in your Quarantine folder. We suggest that you delete any such infected files.
If your email program is set to automatically check for and download email, and NAV is set to quarantine infected files, then this can cause multiple copies of the message to be placed in Quarantine. This can happen when an infected email message is detected and Quarantined and no confirmation of receipt is sent to the email server. (This does not happen with all email programs.) Because the email server was not notified that the message was received, it remains on the server. The next time your email program checks for messages, it downloads the same message again--with the same results. To avoid this, set your email program to download manually, or set NAV to "Ask me what to do" when a virus is found. (This option will, of course, stop the download until you take some action with the infected email message.)

Solution 1
To remove this Trojan, most of the steps are performed in Safe mode. Please follow the instructions in each section.

NOTE: The following procedure instructs you to delete files, file entries, and registry values. In some cases, they may have already been removed by NAV, or they were never added by the Trojan. If you do not find a particular file or entry, make sure that you followed the instructions exactly. If the file or entry does not exist, then proceed to the next step or section.

Enable show all files
Follow these steps to configure Windows to show all files:
1. Start Windows Explorer.
2. Click View (Windows 95/98) or Tools (Windows Me), and click Options or Folder Options.
3. Click the View tab, and uncheck "Hide file extensions for known file types" if it is checked.
4. Click Show all files, and click OK.

Restart the computer in Safe mode
If you are running Windows 95:
1. Exit all programs, and then shut down the computer. If the computer will not shut down normally, then proceed to the next step.
2. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the virus from memory. Do not use the reset button.
3. Turn on the computer. When you see the "Starting Windows 95" message, press F8.
4. Press the number for Safe mode, and then press Enter.
If you are running Windows 98:
1. Click Start, and click Run.
2. Type msconfig and click OK. The System Configuration Utility dialog box appears.
3. Click the General tab, and click Advanced.
4. Check Enable Startup Menu, click OK, and then click OK again.
5. Exit all programs, and then shut down the computer. If the computer will not shut down normally, proceed to the next step.
6. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the virus from memory. Do not use the reset button.
7. Turn on the computer, and wait for the menu to appear.
8. Press the number for Safe mode, and then press Enter.

Find and delete files
Follow these steps to locate and delete the files that were placed on your hard disk by the Trojan:
1. Click Start, point to Find or Search, and then click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
3. In the Named box, type (or copy and paste) the following file names:

msdos98.exe uninstallms.exe mine.exe mi*.zip readme.txt

4. Click Find Now.

CAUTIONS:
The next step is to delete these files from your computer. Make sure that you delete only the files listed, and if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could prevent your system from starting. (The entry mi*.zip may result in several files being found, such as Mi29.zip, or Mine.zip. All such files should be deleted.)
If you are running Windows Me, the search may find the Winmine.exe file. This is the executable for the Windows Minesweeper game, and it is not necessary to delete this file.
This search will almost certainly find several files named Readme.txt. Each will be in a different location. Make sure that you delete only the one in the C:\Windows\System folder.

5. Delete each file in the Results pane; click Yes to confirm each deletion.

NOTE: If you see a message saying that the file is in use when you try to delete the Msdos98.exe file, then you cannot remove it at this point. Complete as many of the Solution 1 instructions as possible, and then proceed to Solution 2. Follow the instructions in the first two sections of that solution. You only need to enter the first two commands in the section Remove infected files. When the Msdos98.exe file has been deleted, restart the computer.

6. Right-click the Recycle Bin icon on your desktop, and click Empty Recycle Bin.
7. Click New Search, and then go on to the next section.

Find and change a file
1. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
2. Type win.ini in the Named box, and then press Enter.
3. Right-click the Win.ini file in the results pane, and click Properties.

NOTE: If you find more than one Win.ini file, make all changes to the one that is located in the folder in which Windows is installed; for example, C:\Windows.

4. Uncheck Read-only, and then click OK.
5. Double-click the Win.ini file to open it in Notepad.
6. Locate the entry that begins with run=. It should look similar to this:

run= C:\Windows\uninstallms.exe

NOTE: There is a large space between run= and the C:\Windows\uninstallms.exe entry. If you cannot locate the C:\Windows\uninstallms.exe entry, then click the Search menu and click Find. Type uninstallms.exe and then click Find next.

7. Place the cursor after run= , and then press Shift+End to select the rest of the line. Repeat this until the entire line is selected. You may have to press Shift+End four or five times.
8. Press Delete.

NOTE: A new variant of this Trojan has been found that does not add the text C:\Windows\uninstallms.exe.

9. Underneath run= , look for an entry that begins with RUNRESTORE=. It should look similar to this:

RUNRESTORE=C:\Windows\uninstallms.exe

If you find this entry, move the cursor to the beginning of the line, press Shift+End to select the entire line, and then press Delete.
10. To make sure that none of these entries remains, click the Search menu and click Find. Type uninstallms.exe and then click Find next. Remove any entries that refer to this file.
11. Click the File menu, and click Save.
12. Exit Notepad.

Remove an entry from the registry

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. See the document How to back up the Windows registry before proceeding.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. Look for the following String value in the right pane:

Windows "C:\Msdos98.exe"

5. If it exists, select it, press Delete, and then click Yes to confirm the deletion.
6. Navigate to the following key:

NOTE: This will not exist on all systems.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-

7. Look for the following String value in the right pane:

Windows "C:\Msdos98.exe"

8. Exit the Registry editor.

The Trojan is now removed from your system. Restart the computer.

NOTE (for Windows 98 users only): If you used the Microsoft System Configuration Utility to enable the startup menu, you can now disable it. To do so, follow these steps:
1. Click Start, and click Run.
2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
3. Click the General tab, and click Advanced.
4. Uncheck Enable Startup Menu, click OK, and then click OK again.
5. Restart the computer.

CAUTION: Because your password could have been compromised, we strongly recommend that you contact AOL customer service and change your password before you log back on.

For additional information on viruses, Trojans, and how to practice safe computing, see the document What is a virus?

Solution 2
To remove this Trojan, most of the steps are performed in MS-DOS mode. Please follow, in the order presented, the instructions in each section.

NOTES:
The procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.
The following procedure instructs you to delete files, file entries, and registry values. In some cases, they may already have been removed by NAV, or they were never added by the Trojan. If you do not find a particular file or entry, make sure that you followed the instructions exactly as shown. If the file or entry does not exist, then proceed to the next step or section.

Start the computer in MS-DOS mode
The first part of the removal procedure must be performed in MS-DOS mode. Please follow these steps to restart the computer in MS-DOS mode:
Windows 95
1. If the computer is on, then close all programs, and if possible, shut down Windows. If the computer will not shut down normally, then proceed to the next step.
2. Turn off the computer, and then wait 30 seconds. You must turn off the computer to clear memory.
3. Restart the computer, and watch the screen. When you see "Starting Windows 95," press F8.
4. Select "Safe mode Command Prompt Only" from the startup menu, and then press Enter.
Windows 98
1. If the computer is on, close all programs, and if possible, shut down Windows. If the computer will not shut down normally, then proceed to the next step.
2. Turn off the computer and wait 30 seconds. You must turn off the computer to clear memory.
3. Restart the computer, and immediately press and hold down the Ctrl key until the Windows 98 startup menu appears.
4. Select "Safe mode Command Prompt Only" from the startup menu, and then press Enter.

Remove infected files
At the DOS prompt, which should appear similar to C:\>, type the following commands in the sequence shown. Press Enter after each one.

NOTE: These instructions assume that the path to the Windows folder is C:\Windows. If you installed Windows in a different folder, such as C:\Win95, then modify the commands that refer to the Windows folder accordingly. If you press Enter and you see a message saying that the file or directory is not found, retype the command, making sure that you type it exactly as indicated, and that the path is pointing to the folder in which Windows is installed. If you still see the same message, continue on to the next line of the instructions.

attrib -r -s -h msdos98.exe
del msdos98.exe
cd windows
attrib -r -s -h uninst~1.exe
del uninst~1.exe
cd system
attrib -r -s -h mine.exe
del mine.exe
attrib -r -s -h readme.txt
del readme.txt
cd \windows
attrib -r -s -h win.ini
edit win.ini

The Win.ini file will open in the DOS Editor. Go to the next section.

Remove entries from the Win.ini file
You must delete an entry from the Win.ini file. Please follow these steps:
1. Locate the entry that begins with run=. It should look similar to this:

run= C:\Windows\uninstallms.exe

NOTE: There is a large space between run= and the C:\Windows\uninstallms.exe entry. To determine whether this entry exists, place your cursor at the beginning of run= and press the End key.

2. Backspace until the text C:\Windows\uninstallms.exe has been deleted.
3. Underneath run=, look for an entry that begins with RUNRESTORE=. It should look similar to this:

RUNRESTORE=C:\Windows\uninstallms.exe

If you find this entry, move the cursor to the beginning of the line, press Shift+End to select the entire line, then press Delete.
4. Press Alt+F, and then press X to exit. Save the changes when prompted.
5. Turn off the power to the computer, wait 30 seconds, and then go on to the next section.

Remove an entry from the registry
Restart the computer in Safe mode. To do this, follow the steps in the section titled Start the computer in MS-DOS mode except choose "Safe mode" instead of "Safe mode Command Prompt Only." When Windows starts, make sure that you do not attempt to start AOL. To remove references to the Trojan from the registry, follow these steps:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. See the document How to back up the Windows registry before proceeding.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. Look for the following String value in the right pane.

Windows "C:\Msdos98.exe"

If it exists, select it, press Delete, and then click Yes to confirm.
5. Navigate to the following key:

NOTE: This will not exist on all systems.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-

6. Look for the following String value in the right pane:

Windows "C:\Msdos98.exe"

7. Exit the Registry Editor.

The Trojan is now removed from your system. Please restart the computer.

Solution 3
This procedure will allow you to delete files which NAV was not able to remove. Please make note of the file(s) which NAV detected as PWSteal.Trojan.

To remove files that cannot be deleted by NAV:
Follow the instructions for your version of Windows only if NAV could not delete files that it detected as infected with PWSteal.Trojan.
1. Press Ctrl+Alt+Delete one time.
2. Click Task Manager.
3. Click the Processes tab.
4. Click the "Image Name" column header two times to sort the processes alphabetically.
5. Scroll through the list and look for the name of the file which NAV detected as PWSteal.Trojan. If you find the file, click it and then click End Process.
6. Close the Task Manager.
7. Run the scan again, and delete any files detected as PWSteal.Trojan.
8. When the scan is finished, go on to the section Remove an entry from the registry.

Remove an entry from the registry
To remove references to the Trojan from the registry, follow these steps:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. See the document How to back up the Windows registry before proceeding.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. Look for the following String value in the right pane.

Windows "C:\Msdos98.exe"

If it exists, select it, press Delete, and then click Yes to confirm.
5. Navigate to the following key:

NOTE: This will not exist on all systems.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-

6. Look for the following String value in the right pane:

Windows "C:\Msdos98.exe"

7. Exit the Registry Editor.

The Trojan is now removed from your system. Please restart the computer.

Additional information:

Norton Internet Security/Norton Internet Protection users
If you are using either of these Symantec firewall programs, the name that is used by the Trojan Block rule to prevent the Trojan from being downloaded to your computer is different from the name that is used by Norton AntiVirus to detect the same threat if it were actually run on your computer or received in email.

Norton Internet Security/Norton Internet Protection will block PWSteal.Trojan from being downloaded to your computer using the Block Rule Acid Shivers.

Regards,
 
Yes, I read that too, but I am on Windows XP.
How do you do this?
 
Follow the steps listed under "Solution 3".

Regards,
Bennie
P.S. Posting the whole wall of text on Helpmij is completely unnecessary. A link is more than enough. The effect is exactly the same :D
 
Jammy,

Symantec has special tools for this that can remove it. It takes a bit of searching (look under downloads) but you will find it.

Good luck
 
Jammy,

This problem is easy to solve.
Boot into Safe mode, use Windows Explorer to go to c\windows\system32\ and delete mnsvcsp.dll. Then empty your Recycle Bin.

After that go to Start - Run - regedit - OK.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Look on the right-hand side and if you see mnsvcsp.dll there, delete that too, in Safe mode.
P.S. It may also be that it is not in the registry.

Then go to Start - Run - win.ini - OK
And remove everything after run= and save.

Then you are rid of the trojan.

Boot into normal mode.

Problem solved.
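Both the Symantec instructions pasted earlier in the thread (the run= and RUNRESTORE= lines in win.ini, the "Windows" value under the Run and Run- keys, the dropped files) and the Windows XP steps in this post check the same persistence points by hand. The script below is an added example, not from the thread, Symantec or any poster: it parses a win.ini text and a regedit .reg export and flags the indicators the thread names. The sample win.ini, the .reg export and the directory listing are constructed for the example, the "ExampleTool" value is a benign placeholder, and checking load= alongside run= is a generalisation (load= is the other autostart key in the [windows] section).

```python
"""Check win.ini and a registry export for the PWSteal.Trojan persistence
entries named in this thread and flag the files it is said to drop.
All sample input is constructed; only indicator names and key paths come
from the thread."""

# File names the thread says the Trojan drops or registers.
INDICATOR_FILES = {"msdos98.exe", "uninstallms.exe", "mine.exe", "mnsvcsp.dll"}

# Autostart keys named in the instructions (Run- does not exist on all systems).
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-",
}

# Constructed win.ini; note the run of spaces after run= that the thread warns about.
SAMPLE_WIN_INI = r"""[windows]
load=
run=                                  C:\Windows\uninstallms.exe
RUNRESTORE=C:\Windows\uninstallms.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed regedit export of the two autostart keys ("ExampleTool" is a placeholder).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Program Files\\Example\\tool.exe"
"Windows"="C:\\Msdos98.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"Windows"="C:\\Msdos98.exe"
"""


def parse_win_ini(text):
    """Return (section, key, value) triples; sections and keys are lower-cased and
    values stripped, so padding after run= cannot hide an entry."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, _, value = line.partition("=")
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def find_win_ini_indicators(text):
    """run=, load= and RUNRESTORE= entries under [windows] that name an indicator file."""
    return [
        (key, value)
        for section, key, value in parse_win_ini(text)
        if section == "windows"
        and key in ("run", "load", "runrestore")
        and any(name in value.lower() for name in INDICATOR_FILES)
    ]


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} for string values;
    the doubled backslashes .reg files use in string data are collapsed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys


def find_registry_indicators(reg_text):
    """(key, value_name, data) for Run/Run- values whose data names an indicator file."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key in RUN_KEYS:
            for name, data in values.items():
                if any(ind in data.lower() for ind in INDICATOR_FILES):
                    hits.append((key, name, data))
    return hits


def flag_dropped_files(paths):
    """From a directory listing (full paths), return files on the thread's drop list.
    readme.txt is only flagged inside the Windows System folder, mi*.zip matches the
    zip names the search turns up, and Winmine.exe is deliberately left alone."""
    flagged = []
    for path in paths:
        folder, _, name = path.lower().rpartition("\\")
        is_zip_drop = name.startswith("mi") and name.endswith(".zip")
        if name in INDICATOR_FILES or is_zip_drop:
            flagged.append(path)
        elif name == "readme.txt" and folder == r"c:\windows\system":
            flagged.append(path)
    return flagged


def report(win_ini_text, reg_text, paths):
    """Collect every finding; an empty dict means none of the thread's indicators is present."""
    findings = {
        "win_ini": find_win_ini_indicators(win_ini_text),
        "registry": find_registry_indicators(reg_text),
        "files": flag_dropped_files(paths),
    }
    return {kind: items for kind, items in findings.items() if items}


if __name__ == "__main__":
    listing = [r"C:\Msdos98.exe", r"C:\Windows\Winmine.exe", r"C:\Windows\System\readme.txt"]
    for kind, items in report(SAMPLE_WIN_INI, SAMPLE_REG, listing).items():
        for item in items:
            print(f"[{kind}] {item}")
```

On a real machine you would feed it the contents of C:\Windows\win.ini, a `regedit /e` export of the two Run keys and a listing of C:\ and the Windows folders; the parsers keep raw values rather than whole lines so that the padding after run= and the escaped backslashes in the .reg format do not hide a match.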
 
Posted by Bennie
Follow the steps listed under "Solution 3".

Regards,
Bennie
P.S. Posting the whole wall of text on Helpmij is completely unnecessary. A link is more than enough. The effect is exactly the same :D

You're right, sorry, I'll never do it again :)
 
Infected file: c\windows\system32\mnsvcsp.dll I could not delete in Safe mode, but I then ran Trojan Remover on it and it found it!!!

Thanks everyone.
 
Posted by Jammy
Infected file: c\windows\system32\mnsvcsp.dll I could not delete in Safe mode, but I then ran Trojan Remover on it and it found it!!!

Thanks everyone.

Hm ok. If it does not work in Safe mode, then it has to be done in DOS.

But your way works too :)
 