h t t p : / / s e c u r i t y r e s p o n s e . s y m a n t e c . c o m /avcenter/venc/data/w32.bugbear.b@mm.removal.tool.html
W32.Bugbear.B@mm Removal Tool
IMPORTANT - READ THIS FIRST:
* If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Disable or password protect file sharing before reconnecting computers to the network or to the internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.
If you are cleaning out an infection on a network, make sure any shares are disabled or set to Read-Only before doing so.
* This tool is not designed to run on Novell NetWare servers. To remove this threat from a NetWare server, after making sure that you have current virus definitions, run a full system scan with your Symantec antivirus product.
What the tool does
The W32.Bugbear.B@mm Removal Tool does the following:
1. It terminates the viral W32.Bugbear.B@mm processes.
2. It deletes the non-repairable W32.Bugbear.B@mm files and the Trojan that the worm drops (detected by Symantec antivirus products as PWS.Hooker.Trojan)
3. It repairs the W32.Bugbear.B@mm infected files.
Command-line switches available with this tool
Switch
Description
/HELP, /H, /?
Displays the help message.
/NOFIXREG
Disables registry repair (the use of this switch is not recommended).
/SILENT, /S
Enables silent mode.
/LOG=
Creates a log file where is the location in which to store the tool's output. By default, this switch creates the log file FixBugb.log in the same folder from which the removal tool was executed.
/MAPPED
Scans mapped network drives (the use of this switch is not recommended--see notes).
/START
Forces the tool to start scanning immediately.
/EXCLUDE=
Excludes the specified from scanning (the use of this switch is not recommended).
NOTE: The use of the /MAPPED switch does not ensure the complete removal of the virus on the remote computer because:
* The scanning of mapped drives scans only the folders that are mapped. This might not include all folders on the remote computer, and this can to lead to missed detections.
* If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer is using this file.
For these reasons, you should run the tool on every computer.
To obtain and run the tool
NOTES:
* You must have administrative rights to run this tool on Windows NT4/2000/XP.
* There have been some reports, mostly on Windows 95/98/Me computers, where it was necessary to run the tool in Safe mode. If you have problems running the tool, first download it by following the instructions in steps 1 and 2, and then restart the computer in Safe mode. All Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode.
* If you are connected to a network--and a DSL line or Cable connection is a type of network, you must disconnect from the network as described in step 5.
1. Download the FixBugb.exe file from:
http://securityresponse.symantec.com/avcenter/FixBugb.exe
2. Save the file to a convenient location, such as your download folder or the Windows desktop (or removable media that is known to be uninfected, if possible).
3. To check the authenticity of the digital signature, refer to the section The digital signature.
4. Close all programs before you run the tool.
5. If you are on a network or have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
6. If you are running Windows Me or XP, disable System Restore. Please refer to the section System Restore option in Windows Me/XP for additional details.
NOTE: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.
7. Double-click the FixBugb.exe file to start the removal tool.
8. Click Start to begin the process, and then allow the tool to run.
9. Restart the computer.
10. Run the removal tool again to ensure that the system is clean.
11. If you are running Windows Me or XP, then re-enable System Restore.
12. Run LiveUpdate to make sure that you are using the most current virus definitions.
NOTE: The removal procedure might be unsuccessful if Windows Me/XP System Restore is not disabled as previously directed because Windows prevents System Restore from being modified by outside programs. Because of this, the removal tool might fail.
When the tool has finished running, you will see a message indicating whether the computer was infected by W32.Bugbear.B@mm. In the case of a removal of the worm, the program displays the following results:
o The total number of the scanned files
o The number of deleted files
o The number of files repaired
o The number of viral processes terminated
o The number of viral registry entries deleted
The digital signature
FixBugb.exe is digitally signed. Symantec recommends that you use only copies of FixBugb.exe that were downloaded directly from the Symantec Security Response download site. To check the authenticity of the digital signature, follow these steps:
1. Go to http://www.wmsoftware.com/free.htm
2. Download and save the Chktrust.exe file to the same folder where you saved FixBugb.exe (for example, C:Downloads).
3. Depending on your operating system, do one of the following:
* Click Start, point to Programs, and click MS-DOS Prompt.
* Click Start, point to Programs, click Accessories, and then click Command Prompt.
4. Change to the folder in which FixBugb.exe and Chktrust.exe are stored, and then type:
chktrust -i FixBugb.exe
For example, if you saved the file to the C:Downloads folder, you would enter the following commands (press Enter after you type each command):
cd
cd downloads
chktrust -i FixBugb.exe
If the digital signature is valid, you will see the following:
Do you want to install and run "W32.Bugbear.B@mm Removal Tool" signed on 6/6/2003 3:05 PM and distributed by Symantec Corporation.
NOTES:
o The date and time that appear in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
o If you are using Daylight Saving Time, the time that appears will be exactly one hour earlier.
o If this dialog box does not appear, there are two possible reasons:
+ The tool is not from Symantec. Unless you are sure that the tool is legitimate, and that you downloaded it from the legitimate Symantec Web site, you should not run it.
+ The tool is from Symantec and is legitimate. However, your operating system was previously instructed to always trust content from Symantec. For information on this, and how to view the confirmation dialog again, read the document How to restore the Publisher Authenticity confirmation dialog box.
5. Click Yes to close the dialog box.
6. Type exit and then press Enter. This will close the MS-DOS session.
System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that on-line scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
* How to disable or enable Windows Me System Restore.
* How to disable or enable Windows XP System Restore.
For additional information, and an alternative to disabling System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.
How to run the tool from a floppy disk
1. Insert the floppy disk that contains the FixBugb.exe file in the floppy disk drive.
2. Click Start and then click Run.
3. Type the following and then click OK:
a:FixBugb.exe
NOTES:
* There are no spaces in the command a:FixBugb.exe
* If you are running Windows Me and System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled or exit the removal tool.
4. Click Start to begin the process, and then allow the tool to run.
5. If you are running Windows Me, then re-enable System Restore.
--文學城www.wenxuecity.com--
W32.Bugbear.B@mm Removal Tool
IMPORTANT - READ THIS FIRST:
* If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Disable or password protect file sharing before reconnecting computers to the network or to the internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.
If you are cleaning out an infection on a network, make sure any shares are disabled or set to Read-Only before doing so.
* This tool is not designed to run on Novell NetWare servers. To remove this threat from a NetWare server, after making sure that you have current virus definitions, run a full system scan with your Symantec antivirus product.
What the tool does
The W32.Bugbear.B@mm Removal Tool does the following:
1. It terminates the viral W32.Bugbear.B@mm processes.
2. It deletes the non-repairable W32.Bugbear.B@mm files and the Trojan that the worm drops (detected by Symantec antivirus products as PWS.Hooker.Trojan)
3. It repairs the W32.Bugbear.B@mm infected files.
Command-line switches available with this tool
Switch
Description
/HELP, /H, /?
Displays the help message.
/NOFIXREG
Disables registry repair (the use of this switch is not recommended).
/SILENT, /S
Enables silent mode.
/LOG=
Creates a log file where
/MAPPED
Scans mapped network drives (the use of this switch is not recommended--see notes).
/START
Forces the tool to start scanning immediately.
/EXCLUDE=
Excludes the specified
NOTE: The use of the /MAPPED switch does not ensure the complete removal of the virus on the remote computer because:
* The scanning of mapped drives scans only the folders that are mapped. This might not include all folders on the remote computer, and this can to lead to missed detections.
* If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer is using this file.
For these reasons, you should run the tool on every computer.
To obtain and run the tool
NOTES:
* You must have administrative rights to run this tool on Windows NT4/2000/XP.
* There have been some reports, mostly on Windows 95/98/Me computers, where it was necessary to run the tool in Safe mode. If you have problems running the tool, first download it by following the instructions in steps 1 and 2, and then restart the computer in Safe mode. All Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode.
* If you are connected to a network--and a DSL line or Cable connection is a type of network, you must disconnect from the network as described in step 5.
1. Download the FixBugb.exe file from:
http://securityresponse.symantec.com/avcenter/FixBugb.exe
2. Save the file to a convenient location, such as your download folder or the Windows desktop (or removable media that is known to be uninfected, if possible).
3. To check the authenticity of the digital signature, refer to the section The digital signature.
4. Close all programs before you run the tool.
5. If you are on a network or have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
6. If you are running Windows Me or XP, disable System Restore. Please refer to the section System Restore option in Windows Me/XP for additional details.
NOTE: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.
7. Double-click the FixBugb.exe file to start the removal tool.
8. Click Start to begin the process, and then allow the tool to run.
9. Restart the computer.
10. Run the removal tool again to ensure that the system is clean.
11. If you are running Windows Me or XP, then re-enable System Restore.
12. Run LiveUpdate to make sure that you are using the most current virus definitions.
NOTE: The removal procedure might be unsuccessful if Windows Me/XP System Restore is not disabled as previously directed because Windows prevents System Restore from being modified by outside programs. Because of this, the removal tool might fail.
When the tool has finished running, you will see a message indicating whether the computer was infected by W32.Bugbear.B@mm. In the case of a removal of the worm, the program displays the following results:
o The total number of the scanned files
o The number of deleted files
o The number of files repaired
o The number of viral processes terminated
o The number of viral registry entries deleted
The digital signature
FixBugb.exe is digitally signed. Symantec recommends that you use only copies of FixBugb.exe that were downloaded directly from the Symantec Security Response download site. To check the authenticity of the digital signature, follow these steps:
1. Go to http://www.wmsoftware.com/free.htm
2. Download and save the Chktrust.exe file to the same folder where you saved FixBugb.exe (for example, C:Downloads).
3. Depending on your operating system, do one of the following:
* Click Start, point to Programs, and click MS-DOS Prompt.
* Click Start, point to Programs, click Accessories, and then click Command Prompt.
4. Change to the folder in which FixBugb.exe and Chktrust.exe are stored, and then type:
chktrust -i FixBugb.exe
For example, if you saved the file to the C:Downloads folder, you would enter the following commands (press Enter after you type each command):
cd
cd downloads
chktrust -i FixBugb.exe
If the digital signature is valid, you will see the following:
Do you want to install and run "W32.Bugbear.B@mm Removal Tool" signed on 6/6/2003 3:05 PM and distributed by Symantec Corporation.
NOTES:
o The date and time that appear in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
o If you are using Daylight Saving Time, the time that appears will be exactly one hour earlier.
o If this dialog box does not appear, there are two possible reasons:
+ The tool is not from Symantec. Unless you are sure that the tool is legitimate, and that you downloaded it from the legitimate Symantec Web site, you should not run it.
+ The tool is from Symantec and is legitimate. However, your operating system was previously instructed to always trust content from Symantec. For information on this, and how to view the confirmation dialog again, read the document How to restore the Publisher Authenticity confirmation dialog box.
5. Click Yes to close the dialog box.
6. Type exit and then press Enter. This will close the MS-DOS session.
System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that on-line scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
* How to disable or enable Windows Me System Restore.
* How to disable or enable Windows XP System Restore.
For additional information, and an alternative to disabling System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.
How to run the tool from a floppy disk
1. Insert the floppy disk that contains the FixBugb.exe file in the floppy disk drive.
2. Click Start and then click Run.
3. Type the following and then click OK:
a:FixBugb.exe
NOTES:
* There are no spaces in the command a:FixBugb.exe
* If you are running Windows Me and System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled or exit the removal tool.
4. Click Start to begin the process, and then allow the tool to run.
5. If you are running Windows Me, then re-enable System Restore.
選擇“Disable on www.wenxuecity.com”
選擇“don't run on pages on this domain”
