Mytob W32.Mytob Virus/Worm Removal
Jim K (CMS-ONR)
07-09-2005, 10:49 PM
I run Norton on my server and it finds the w32.Mytob in the c:\program
files\exchsvr\vs1\badmail folder. I delete them but the next day more
appear. Today 732 files were found in the badmail folder. I have 15
computers on my network and I have run Norton, McAfee, Panda, Microsoft
Spyware, Xsoft, etc. on all computers. Nothing is found on the individual
computers, only on the exchange server in the BadMail folder. I have looked
at several different removal instructions but I do not find any of the files
on any computer, and each different site has me look for different file
names. None is consistent with the others. I know that the badmail folder
is the result of the worm but I can't get a clear answer on where or how to
locate the actual worm or infection. If I could find out which of my
computers are infected I would wipe them clean and re-install the software.
Can anyone help me get rid of mytob?

Crouchie1998
07-09-2005, 10:49 PM
Jim,

Download the Symantec Removal Tool here:

Page:
-----

http://www.sarc.com/avcenter/venc/data/w32.mytob@mm.removal.tool.html

Direct Link To Tool:
---------------------

http://securityresponse.symantec.com/avcenter/FixMytob.exe

Will remove all versions up to 13th June, 2005, but there is a new version
of the mass mailing worm that this tool doesn't fix, so, be warned. Give it
a few days & it will be added I guess, but if you look under the two
registry keys below for the bottom link ("WINDOWS SYSTEM" = "wmisg.exe" )
then you are covered.

Once you have finished with the above tool, do the following:

You need to go into the registry:

Click START, RUN & type 'regedit' (without quotes) & press ENTER

Navigate to:
------------

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RunServices

and delete the value(s):
-----------------------

"Windows Registry Manager" = "Taskmanagers.exe" or
"WINDOWS SYSTEM" = "\h3.exe" or
"WINDOWS SYSTEM" = "winligon.exe" or
"WINDOWS SYSTEM" = "wmisg.exe"

You also want to press ALT CTRL DEL, choose TASK MANAGER then Processes &
END TASK 'Taskmanagers.exe'

Search for a file 'hosts'. It will be in 'C:\WINNT\system32\drivers\etc'
(example). Obviously, WINNT is for Windows 2000 & Windows is for 95/98/XP.
System32 is for Windows 2000/XP, but System for 95/98

Back up the 'hosts' file just in case

Open the original with Notepad & make sure that after the '#' characters
there is only one entry:

127.0.0.1 localhost

If there are any others then delete them. Save the changes & close the file

Make all hidden files & folders visible:
--------------------------------------

Open any folder, click the TOOLS menu & then FOLDER OPTIONS, click the VIEW
tab & 'show hidden files & folders', click APPLY & then click OK

Navigate to
------------

C:\Doc & Settings\%User%\Local Settings\Temp
C:\Doc & Settings\%User%\Local Settings\Temp Internet Files

And delete everything in those folders

%User% obviously means any user (administrator for example...)

Remember to put the files & folders back to hidden afterwards

I hope this helps

Crouchie1998
BA (HONS) MCP MCSE
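An added example, not from either poster, that checks the two indicators the reply above describes without touching a live machine: a regedit export of the Run/RunServices keys is scanned for the listed value names and file names, and a hosts file is checked for any active entry other than `127.0.0.1 localhost`. The sample export and hosts file are constructed, and the small .reg parser is my own, not a tool named in the thread.

```python
import re

# Autorun values the reply above names as W32.Mytob indicators; data is
# compared by file name so a full path to the same executable still matches.
MYTOB_RUN_VALUES = {
    "windows registry manager": {"taskmanagers.exe"},
    "windows system": {"h3.exe", "winligon.exe", "wmisg.exe"},
}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run\runservices",
}

def audit_reg_export(reg_text):
    """Scan a regedit .reg export; return (key, value_name, data) per hit."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.lower() not in RUN_KEYS:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # un-escape .reg
        wanted = MYTOB_RUN_VALUES.get(name.lower(), set())
        if data.lower().rsplit("\\", 1)[-1] in wanted:
            hits.append((key, name, data))
    return hits

def audit_hosts(hosts_text):
    """Return active hosts entries other than '127.0.0.1 localhost'."""
    extra = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line and line.split() != ["127.0.0.1", "localhost"]:
            extra.append(line)
    return extra

# Constructed sample input (not captured from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"WINDOWS SYSTEM"="C:\\WINNT\\system32\\wmisg.exe"
"""
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 liveupdate.example.invalid
"""
```

To check a real box, export the two keys with `regedit /e` and pass the file contents to `audit_reg_export`, and pass the hosts file contents to `audit_hosts`; an empty result from both means the listed autorun values and hosts redirections are absent.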
