Solved

HELP! Infected with virus...

Posted on 2002-04-05
Last Modified: 2013-12-29
Hi.
I've just been hit with the Klez.E@mm virus, which has infected Norton's (so that it won't run, although it does still pick up attempts to run infected programs), Stay Connected, Textpad and, worst of all, kernel.exe. I've downloaded a trial of McAfee, and that agrees that kernel.exe is infected and recommends deleting it and replacing it with an uninfected copy.

Problem is, where would I get an uninfected copy _from_? Isn't the kernel the core of the OS? I don't want to go around deleting that, do I?

Any help much appreciated - and I need it quick, please...


Ian W
Question by:cath
5 Comments
 
Accepted Solution by: lyonst (LVL 15), earned 800 total points
ID: 6920400
This might help..

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

Manual removal procedure for Windows 95/98/Me

Follow the instructions in the order shown. Do not skip any steps. This procedure has been tested and will work in most cases.

NOTE: Due to the damage that can be done by this worm, and depending on how many times the worm has executed, the process may not work in all cases. If it does not, you may need to obtain the services of a computer consultant.

1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

http://securityresponse.symantec.com/avcenter/defs.download.html

For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode
You must do this as the first step. For instructions, read the document How to restart Windows 9x or Windows Me in Safe mode.

3. Edit the registry
You must edit the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and remove the wink???.exe value after you write down the exact name of the wink file.

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.


1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, look for the following values:

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

5. Write down the exact file name of the Wink[random characters].exe file
6. Delete the Wink[random characters] value and the WQK value (if it exists).
7. Navigate to and expand the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

8. In the left pane, under the \Services key, look for the following subkey, and delete it, if it exists:

\Wink[random characters]

NOTE: This probably will not exist on Windows 95/98/Me-based computers, but you should check for it anyway.

9. Click Registry, and click Exit.

4. Delete the actual Wink[random characters] file
Using Windows Explorer, open the C:\Windows\System folder and locate the Wink[random characters].exe file. (Depending on your system settings, the .exe extension may not be displayed.)

NOTE: If you have Windows installed to a location other than C:\Windows, make the appropriate substitution.

5. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

6. Run the Intelligent Updater
Double-click the file that you downloaded in Step 1. Click Yes or OK if prompted.

7. Restart the computer
Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it. Allow it to start normally. If any files are detected as infected, Quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

8. Scan with Norton AntiVirus (NAV) from a command line
Because some NAV files were damaged by the worm, you must scan from a command line.
1. Click Start, and click Run.
2. Type--or copy and paste--the following, and then click OK:

NAVW32.EXE /L /VISIBLE

3. Allow the scan to run. Quarantine any additional files that are detected.

9. Restart the computer
Allow it to start normally.

10. Reinstall NAV
1. Reinstall NAV from the installation CD.
2. Start NAV, and make sure that it is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan. Quarantine any files that are detected as infected.
 
Expert Comment by: lyonst (LVL 15)
ID: 6920408
Some more info on the Virus..

W32.Klez.E@mm
W32.Klez.E@mm is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines and message bodies.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained.

Information and a patch for the vulnerability can be found at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp 

The worm drops a virus similar to W32.ElKern.3326, and it attempts to disable some common antivirus products.

In addition, the worm will infect executable files by prepending itself to the infected files.

When executed, the worm will copy itself to %System%\Wink[random characters].exe

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the values

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that it is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes.

The worm copies itself to local, mapped, and network drives. The worm copies itself as a random file name with a double extension such as filename.txt.exe. In addition, the worm copies itself as a .rar archive with a double extension, for example filename.txt.rar.

In addition, the worm searches the Windows address book, which is used by Microsoft Outlook, for email addresses. The worm sends an email message to these addresses with itself as an attachment.

The subject line and message bodies are random. If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp 

The worm also infects executables by prepending itself to the infected files.


For information please visit http://www.symantec.com/avcenter/venc/data/w32.klez.e@mm.html 

Cheers,

T.
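The two lyonst posts above describe the same small set of indicators twice: the Wink[random] and WQK values under the Run key, the optional Services\Wink[random] subkey, and the double-extension copies (filename.txt.exe, filename.txt.rar) written to local and network drives. The checker below turns those indicators into code that can be run over a registry export (what `regedit /e` writes) and a file listing from a share. This is an added example, not code from the thread or from Symantec; the REGEDIT4 text, the Wink suffix "q3f8" and the share file names are constructed for illustration, and matching on names is only an indicator, not a replacement for the scan with current definitions that the procedure calls for.

```python
"""Added example: check a Windows registry export and a share listing for the
W32.Klez.E@mm indicators named in the thread. Not code from the original post
or from Symantec; every sample value below is constructed."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

# Constructed sample of what "regedit /e" writes for the keys the removal
# procedure names. The suffix "q3f8" is invented; the worm picks it at random.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Winkq3f8"="C:\\WINDOWS\\SYSTEM\\Winkq3f8.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkq3f8]
"ImagePath"="C:\\WINDOWS\\SYSTEM\\Winkq3f8.exe"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key path: {value name: data}}.
    Quoted (REG_SZ) data is unescaped; other data types are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def lookup_key(keys: Dict[str, Dict[str, str]], wanted: str) -> Dict[str, str]:
    """Registry key names are case-insensitive; exports keep whatever case was typed."""
    for path, values in keys.items():
        if path.lower() == wanted.lower():
            return values
    return {}


def find_klez_run_values(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Steps 4-6 of the procedure: Wink<random> -> %System%\\Wink<random>.exe
    and WQK -> %System%\\Wqk.exe under the Run key. Returns (name, path) pairs;
    the name is what the procedure tells you to write down before deleting."""
    hits: List[Tuple[str, str]] = []
    for name, data in lookup_key(keys, RUN_KEY).items():
        exe = data.split("\\")[-1].strip().lower()
        if name.lower().startswith("wink") and exe.startswith("wink") and exe.endswith(".exe"):
            hits.append((name, data))
        elif name.lower() == "wqk" and exe == "wqk.exe":
            hits.append((name, data))
    return hits


def find_klez_service_keys(keys: Dict[str, Dict[str, str]], wink_names: List[str]) -> List[str]:
    """Step 8: a Services\\Wink<random> subkey named after the Run value, if present."""
    wanted = {SERVICES_KEY.lower() + "\\" + n.lower() for n in wink_names}
    return [path for path in keys if path.lower() in wanted]


# Inner extensions that make a double-extension name look like a document;
# the final extensions are the two the post describes (.exe and .rar).
DOC_EXTS = {".txt", ".doc", ".htm", ".html", ".jpg", ".gif", ".bmp", ".xls", ".mp3"}
DROP_EXTS = {".exe", ".rar"}


def suspicious_share_files(names: List[str]) -> List[str]:
    """Flag filename.<doc>.<exe|rar> copies of the kind the worm writes to shares."""
    flagged: List[str] = []
    for n in names:
        parts = n.lower().rsplit(".", 2)
        if len(parts) == 3 and "." + parts[1] in DOC_EXTS and "." + parts[2] in DROP_EXTS:
            flagged.append(n)
    return flagged


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG_EXPORT)
    run_hits = find_klez_run_values(keys)
    for name, path in run_hits:
        print(f"Run value to write down and delete: {name} -> {path}")
    wink = [n for n, _ in run_hits if n.lower().startswith("wink")]
    for path in find_klez_service_keys(keys, wink):
        print(f"Service subkey to delete: {path}")
    # Constructed listing of a mapped share the worm may have copied itself to.
    listing = ["quarterly.txt.exe", "setup.exe", "holiday.jpg.rar", "readme.txt"]
    for f in suspicious_share_files(listing):
        print(f"Double-extension copy on share: {f}")
```

On a real machine, export the two keys with `regedit /e` from Safe mode, run the script against the export, and use the printed Wink name to find the matching file in the System folder, as step 4 of the procedure requires; Explorer may hide the .exe extension, so match on the name the script prints rather than on what the listing shows.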
 
Expert Comment by: slink9 (LVL 23)
ID: 6920540
I just fought this one for a client. It actually went rather easily after following those instructions. He had two computers which were infected at startup although they didn't show the effects in the registry. The initial infections were done by one receiving machine. I first had to clear it up and then follow the procedures on the other machines. You can do a scan at http://housecall.antivirus.com after you get it up and running.
 

Author Comment by: cath
ID: 6923563
worked like a dream. many, many thanks, you're a lifesaver...

took all day Friday and all yesterday to remove virus, uninstall infected software (it had infected _51_ .exe's...!), reinstall software, and have a bloody good cleanup while I was at it (disk doctor/speed disk, remove loads of old programs I don't use any more or never did...)

so my machine is running rather better now than it has for a while.

every cloud has a silver lining... ;-)

many thanks again.

Ian W
 
Expert Comment by: lyonst (LVL 15)
ID: 6924854
Glad I could help..

Cheers,

T.
