PROCEDURE FOR ELIMINATING THE "MINE.ZIP" OR PASSWORD STEALING TROJAN HORSE VIRUS
This virus can take over your computer and prevent you from shutting it down or restarting it. (If you
have problems shutting down Windows 98, but restarting works fine, then you probably don't have this virus.)
It is an extremely tenacious and difficult-to-remove virus, as the length of this instruction sheet
suggests.
This virus travels from computer to computer by using your "Buddy List" in America Online to send itself to everybody listed there. Be extremely careful about downloading any files with the following names: mine.zip, mine.exe, and mine47.zip. The message containing these files seems to suggest that these files are photos, but they're not! Don't download them! In fact, be extremely wary about downloading any files attached to e-mail messages, even if they are from "buddies" of yours.
[We strongly suggest finding someone who is fairly knowledgeable about troubleshooting computers to perform
this procedure if you don't have much experience at these things.]
--------------------------------------------------------------------------------------------------------------------
PART ONE - Starting up in "Safe Mode"
1) Click on Start, then on Run, then type in msconfig
2) Click on OK.
3) Click on the Advanced button.
4) Click to put a check mark in the white square next to "Enable Startup Menu."
5) Click on OK.
6) While holding down the Control and Alt keys, press the Delete key once.
7) Repeat the Control-Alt-Delete until the computer restarts. (You may have to do it three or four times.)
PART TWO - Deleting the Trojan Horse (Virus) files
1) When the computer restarts and you see the start up menu, press the Down Arrow twice to highlight "Safe
Mode," then press the Enter key.
2) Wait about 1 minute for the computer to start up in "Safe Mode."
3) Double-click on the Windows Explorer icon on the desktop (or click on Start, Programs,
then on Windows Explorer).
4) Scroll down to the "America Online 5.0" folder and double-click on it.
5) Scroll down to the "download" sub-folder and double-click on it.
6) If you find any of the following files, click once on each one of them and, while holding down the Shift
key, press the Delete key:
mine.zip
mine47.zip
mine.exe
7) Scroll up to the C: Drive folder on the left hand side of the Windows Explorer window.
8) Click on the C: Drive folder. Scroll down on the right hand side and find the file that says: msdos98.exe.
Click once on it and, while holding down the Shift key, press the Delete key once.
9) Scroll down to the "Windows" folder on the left hand side and double-click on it.
10) Look on the right hand side to find the uninstallms.exe file. Click once on the file, and then, while
holding down the Shift key, press the Delete key once.
11) Double-click on the "System" sub-folder (which is in the "Windows" folder).
12) Find the two files: mine.exe and ReadMe.txt and delete them in the same way as above.
PART THREE - Fixing the "win.ini" file
1) While still in the Windows Explorer program, scroll down in the list of files in the System sub-folder
and find the win.ini file. Right-click on it and click to remove the checkmark next to "Read-only."
Click on OK.
2) Click on Start, then on Run. Type in sysedit then click on OK.
3) Click on the title bar that says, "c:\windows\win.ini" to bring that window forward.
4) Delete any line that makes any reference to the following files:
mine.exe
msdos98.exe
uninstallms.exe
ReadMe.txt
[Note: You may have to scroll far to the right to see any such references.]
5) Click on File, then on Save when you finish.
6) Click on the X button to close the Sysedit program.
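The win.ini check in Part Three can also be done on a copy of the file, which avoids scrolling to the right to find a hidden reference. The following is an added example, not part of the original instruction sheet; the function names and the sample file contents are constructed for illustration, and only the four file names come from this page.

```python
import re

# File names listed in step 4 above, compared case-insensitively.
LISTED_FILES = {"mine.exe", "msdos98.exe", "uninstallms.exe", "readme.txt"}

def referenced_files(line):
    """Return the listed file names that one win.ini line points at."""
    found = set()
    # Programs on load=/run= lines are separated by spaces or commas.
    for token in re.split(r'[\s,;="]+', line):
        basename = re.split(r"[\\/]", token)[-1].lower()
        if basename in LISTED_FILES:
            found.add(basename)
    return found

def scan_win_ini(text):
    """Return (hits, cleaned); each hit is (line_no, column, names)."""
    hits, kept = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        names = referenced_files(line)
        if names:
            # 1-based column of the first reference shows how far right it sits.
            column = min(line.lower().find(name) for name in names) + 1
            hits.append((line_no, column, sorted(names)))
        else:
            kept.append(line)
    return hits, "\r\n".join(kept) + "\r\n"

# Constructed sample: a reference pushed 200 columns to the right, plus a
# harmless program whose name merely contains "mine.exe".
SAMPLE = (
    "[windows]\r\n"
    "load=C:\\TOOLS\\determine.exe\r\n"
    "run=" + " " * 200 + "C:\\WINDOWS\\uninstallms.exe\r\n"
    "NullPort=None\r\n"
)

if __name__ == "__main__":
    hits, cleaned = scan_win_ini(SAMPLE)
    for line_no, column, names in hits:
        print(f"line {line_no}, column {column}: {', '.join(names)}")
    print(cleaned, end="")
```

Matching on whole file names rather than substrings keeps unrelated programs such as determine.exe out of the report, and the cleaned text drops each flagged line entirely, as step 4 instructs.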
PART FOUR - Removing any references to the virus in the Registry files
1) Click on Start, then on Run, then type in regedit and click on OK.
2) Click successively on the + signs next to the following:
Hkey_Local_Machine
Software
Microsoft
Windows
CurrentVersion
3) Click on each of the following sub-folders in the "CurrentVersion" folder and look for any
references to the same files listed above (msdos98.exe, uninstallms.exe, and so on):
Run
RunOnce
RunOnceEx
RunServices
RunServicesOnce
4) Click on each reference you find to the files listed above (msdos98.exe, uninstallms.exe, and
so on) and then press the Delete key on the keyboard. Click on Yes to confirm that you want to delete
each reference. [Caution: Don't delete anything else or your computer will not start up!]
5) Click on the X button to close the Regedit window.
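The registry check in Part Four can be reviewed the same way, assuming the CurrentVersion branch has first been exported from Regedit as a REGEDIT4 text file. This is an added example, not part of the original instruction sheet; the function names, value names and sample export are constructed, while the key names and file names are the ones listed on this page.

```python
import re

# Key path and sub-keys from Part Four; file names from Part Three.
BASE = r"hkey_local_machine\software\microsoft\windows\currentversion"
STARTUP_KEYS = {"run", "runonce", "runonceex", "runservices", "runservicesonce"}
# A listed name must stand alone as a file name, so "determine.exe" does not match.
LISTED = re.compile(
    r'(?<![^\\/\s",=])(?:mine\.exe|msdos98\.exe|uninstallms\.exe|readme\.txt)(?![^\s",])',
    re.IGNORECASE)
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def is_startup_key(key):
    """True for the five startup keys (and their sub-keys) under CurrentVersion."""
    rel = key.lower()
    if not rel.startswith(BASE + "\\"):
        return False
    return rel[len(BASE) + 1:].split("\\")[0] in STARTUP_KEYS

def startup_references(reg_text):
    """Return (key, value_name, data) for startup values naming a listed file."""
    hits, key = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE.match(line)
        if match and is_startup_key(key):
            # Exports double every backslash inside string data; undo that.
            data = match.group(2).strip('"').replace("\\\\", "\\")
            if LISTED.search(data):
                hits.append((key, match.group(1).strip('"'), data))
    return hits

# Constructed export for illustration; value names and benign entries are made up.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSDOS98"="C:\\msdos98.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Uninstall"="C:\\WINDOWS\\uninstallms.exe /s"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="readme.txt viewer"
"""

if __name__ == "__main__":
    for key, name, data in startup_references(SAMPLE_EXPORT):
        print(f"{key}: {name} -> {data}")
```

Only values under the five startup keys are reported, which mirrors the caution in step 4 about not deleting anything else.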
PART FIVE - Disabling the Startup Menu
1) Click on Start, then on Run, then type in msconfig (or click on the Down Arrow and
select msconfig).
2) Click on OK.
3) Click on the Advanced button.
4) Click to remove the check mark in the white square next to "Enable Startup Menu".
5) Click on OK.
6) Restart the computer in the usual way.
PART SIX - Running the Norton Anti-Virus program (or any other anti-virus program)
1) Run Norton Anti-Virus to see if you've deleted all of the "Mine.zip" files listed above.
2) Double-click on the Norton Anti-Virus 2000 icon on the desktop.
3) Click on Scan for viruses.
4) Click on Scan all hard disks for viruses.
5) If the Norton Anti-Virus program reports that it has found the "PasswordStealTrojan"
virus, click on the Quarantine (or Repair files) button to quarantine the infected files.
PART SEVEN - Notifying your "Buddies"
1) Be sure to tell your friends and relatives in your Buddy List that you had this virus and tell them about this
web site or send them this page if they have the same shutdown problem.