"Hybris.B" Removal Instructions
Courtesy of the alt.comp.virus newsgroup participants.
(These "anti-malware" pages are the result of a continuing cooperative effort.)
Translated versions available: en Français, in het Nederlands and Deutsch
Removal Helper Utility! - Graciously developed by Art Kopp and Robert Green
Please read all of the information contained on this page thoroughly before proceeding.
*REMHYB.EXE (**The most convenient option; self-extracting executable)
*REMHYB.zip (zipped archive)
*Contains five files:
- Findcd.bat
- Findcd.com
- Win-edit.exe
- Readme.txt
- Remhyb.bat
**REMHYB.EXE will create the FSI directory, and F-PROT should be unzipped to that directory.
REMHYB is designed to act as a removal tool for infections of the
Hybris internet worm.
Please carefully read all of the instructions below...
- Download the REMHYB.EXE self-extracting archive (if you haven't already) and execute it. The files
will be extracted to the directory C:\FSI (by default, but you can change
the directory name, if you prefer).
- Download F-PROT for DOS - f-prot.zip (if you haven't already).
- Unzip f-prot.zip into the FSI directory.
- Start the computer in DOS mode. [Note: some users may need to boot to DOS with a
Windows EBD (emergency boot disk) in order to have DOS mode CDROM support.]
You must run REMHYB from a *pure* DOS prompt, not a Windows DOS box.
Remember, REMHYB must be used in true DOS without Windows running in the
background. Windows ME users must use their Emergency Boot Disk (EBD).
How to make a Windows ME EBD:
- Insert a formatted diskette
- Control Panel
- Add/Remove Programs
- Startup Disk
- Create Startup Disk
Win 9X users should also boot from their System disk since
CD ROM support may be required for the extraction of the
WSOCK32.DLL file (see the - Restore WSOCK32.DLL - section of this Web site). If it is known that WSOCK32.DLL is in a CAB archive
elsewhere, then Win 9X users may boot to command line mode by
pressing the F8 key during the bootup process.
If booting from floppy disk, at the A:\> prompt type:
C: <Enter>
CD FSI <Enter>
REMHYB <Enter>
REMHYB employs WIN-EDIT.EXE, a DOS program written earlier for basic
repairs of Hybris infections such as the Hybris.b variant which places
a large spiral image on the monitor screen.
WIN-EDIT is invoked first. It begins with a search for any and all files
in the System directory which have eight character name fields followed
by the .EXE extension. It presents these names on screen and the user
has the option of highlighting and deleting any suspicious looking files
that appear to have random characters in their name field, such as
ASDFGHJK.EXE
Next, the user's WIN.INI file is examined. If a suspicious file name
as described above is found in the line starting with load=,
that line of text is presented on screen to the user, who can decide
to have the program remove that particular text or leave it. If the
user chooses to remove it, the file by the same name is also removed
from the System folder. The unmodified WIN.INI file is backed up as
WIN.000
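The two checks described above, reproduced as a read-only review script. This is an added example, not WIN-EDIT's own code; the function names and the sample WIN.INI and directory listing are constructed for illustration, and the script only reports candidates without changing any file.

```python
import ntpath
import re

# Constructed sample WIN.INI, not taken from a real machine.
SAMPLE_WIN_INI = """\
[windows]
load=C:\\WINDOWS\\SYSTEM\\ASDFGHJK.EXE
run=

[Desktop]
Wallpaper=(None)
"""

# Constructed System directory listing. RUNDLL32.EXE is a normal Windows
# file that also has an eight-character name, so a match is only a candidate.
SAMPLE_SYSTEM_DIR = ["WSOCK32.DLL", "ASDFGHJK.EXE", "RUNDLL32.EXE",
                     "QWKMZPLX.EXE", "SYSEDIT.EXE"]

# Eight-character name field followed by .EXE (assumed: no dot in the name).
EIGHT_CHAR_EXE = re.compile(r"^[^.]{8}\.EXE$")

def eight_char_exes(names):
    """Return entries whose file name is eight characters plus .EXE."""
    return [n for n in names if EIGHT_CHAR_EXE.match(ntpath.basename(n).upper())]

def load_entries(win_ini_text):
    """Return the programs listed on load= lines of the [windows] section."""
    section, entries = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "load":
                entries += [e for e in re.split(r"[,\s]+", value.strip()) if e]
    return entries

def review(win_ini_text, system_dir_names):
    """Pair each eight-character load= entry with whether a file of the
    same name is present in the System directory listing."""
    present = {n.upper() for n in system_dir_names}
    return [(e, ntpath.basename(e).upper() in present)
            for e in eight_char_exes(load_entries(win_ini_text))]

if __name__ == "__main__":
    for entry, on_disk in review(SAMPLE_WIN_INI, SAMPLE_SYSTEM_DIR):
        print(f"review: load={entry} (file in System directory: {on_disk})")
```

Legitimate files such as RUNDLL32.EXE also match the eight-character pattern, which is why the final decision is left to the person reviewing the list.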
When WIN-EDIT exits, the user will be presented with an option to
rename the existing WSOCK32.DLL file. This must be done before
extraction of a fresh WSOCK32.DLL from a CAB file. The user should
insert the Windows Setup CD into the drive in case the desired CAB
file is only located there. In certain Win 95 cases the source media
may be floppy diskette.
Finally, the user can choose to scan/disinfect using F-PROT. This is
highly recommended. When F-PROT is finished the user is presented with
an option to view the HYBRIS.TXT report that resulted from the scan.
Replying y(es) will invoke the DOS Editor. Use the up/down arrow keys
to scroll. When finished viewing, press the Alt key. Then press
the down arrow to Exit. Press Enter.
Windows Millennium users please note:
If you can't clean or delete infected files from the _Restore\Temp or _Restore\Archive folders... read this.
In the event REMHYB.BAT fails to extract the WSOCK32.DLL from the CAB file for some reason, see the Wsock32 extraction page on this Web site.
F-PROT anti-virus. (Detailed F-PROT for DOS Instructions here.)
REMHYB.EXE.
Restore Wsock32.dll Details.
- End Removal Instructions -
Some of you may now be wondering...
"How can I possibly keep my computer safe from further harm?"
Answer: Click Here for Some Tips!
© Claymania Creations 2001 - 2010. All rights reserved.
Rev. "G" 03/12/2001