Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 644
  • Last Modified:

HELP! Infected with virus...

I've just been hit with the Klez.E@mm virus, which has infected Norton's (so that it won't run, although it does still pick up atempts to run infected programs), Stay Connected, Textpad and, worst of all, kernel.exe. I've downloaded a trial of McAfee, and that agrees that kernel.exe is infected and recommends deleting it and replacing it with an uninfected copy.

problem is, where would I get an uninfected copy _from_? isn't the kernel the core of the OS? I don't want to go aroud deleting that, do I?

any help much appeciated - and I need it quick, please...

Ian W
  • 3
1 Solution
This might help..

Manual removal procedure for Windows 95/98/Me

Follow the instructions in the order shown. Do not skip any steps. This procedure has been tested and will work in most cases.

NOTE: Due to the damage that can be done by this worm, and depending on how many times the worm has executed, the process may not work in all cases. If it does not, you may need to obtain the services of a computer consultant.

1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode
You must do this as the first step. For instructions, read the document How to restart Windows 9x or Windows Me in Safe mode.

3. Edit the registry
You must edit the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run and remove the wink???.exe value after you write down the exact name of the wink file.

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:


4. In the right pane, look for the following values:

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

5. Write down the exact file name of the Wink[random characters].exe file
6. Delete the Wink[random characters] value and the WQK value (if it exists).
7. Navigate to and expand the following key:


8. In the left pane, under the \Services key, look for the following subkey, and delete it, if it exists:

\Wink[random characters]

NOTE: This probably will not exist on Windows 95/98/Me-based computers, but you should check for it anyway.

9. Click Registry, and click Exit.

4. Delete the actual Wink[random characters] file
Using Windows Explorer, open the C:\Windows\System folder and locate the Wink[random characters].exe file. (Depending on your system settings, the .exe extension may not be displayed.)

NOTE: If you have Windows installed to a location other than C:\Windows, make the appropriate substitution.

5. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

6. Run the Intelligent Updater
Double-click the file that you downloaded in Step 1. Click Yes or OK if prompted.

7. Restart the computer
Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it. Allow it to start normally. If any files are detected as infected, Quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

8. Scan with Norton AntiVirus (NAV) from a command line
Because some NAV files were damaged by the worm, you must scan from a command line.
1. Click Start, and click Run.
2. Type--or copy and paste--the following, and then click OK:


3. Allow the scan to run. Quarantine any additional files that are detected.

9. Restart the computer
Allow it to start normally.

10. Reinstall NAV
1. Reinstall NAV from the installation CD.
2. Start NAV, and make sure that it is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan. Quarantine any files that are detected as infected.
Some more info on the Virus..

W32.Klez.E@mm is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines and message bodies.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained.

Information and a patch for the vulnerability can be found at 

The worm drops a virus similar to W32.ElKern.3326, and it attempts to disable some common antivirus products.

In addition, the worm will infect executable files by prepending itself to the infected files.

When executed, the worm will copy itself to %System%\Wink[random characters].exe

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the values

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

to the registry key


so that it is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes.

The worm copies itself to local, mapped, and network drives. The worm copies itself as a random file name with a double extension such as filename.txt.exe. In addition, the worm copies itself as a .rar archive with a double extension, for example filename.txt.rar.

In addition, the worm searches the Windows address book, which is used by Microsoft Outlook, for email addresses. The worm sends an email message to these addresses with itself as an attachment.

The subject line and message bodies are random. If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at 

The worm also infects executables by prepending itself to the infected files.

For information please visit 


I just fought this one for a client.  It actually went rather easily after following those instructions.  He had two computers which were infected at startup although they didn't show the effects in the registry.  The initial infections were done by one receiving machine.  I first had to clear it up and then follow the procedures on the other machines.  You can do a scan at after you get it up and running.
cathAuthor Commented:
worked like a dream. many, many thanks, you're a lifesaver...

took all day Friday and all yesterday to remove virus, uninstall infected software (it had infected _51_ .exe's...!), reinstall software, and have a bloody good cleanup while I was at it (disk doctor/speed disk, remove loads of old programs I don't use any more or never did...)

so my machine is running rather better now than it has for a while.

every cloud has a silver lining... ;-)

many thanks again.

Ian W
Glad I could help..


Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now