Solved

HELP! Infected with virus...

Posted on 2002-04-05
5
629 Views
Last Modified: 2013-12-29
Hi.
I've just been hit with the Klez.E@mm virus, which has infected Norton's (so that it won't run, although it does still pick up atempts to run infected programs), Stay Connected, Textpad and, worst of all, kernel.exe. I've downloaded a trial of McAfee, and that agrees that kernel.exe is infected and recommends deleting it and replacing it with an uninfected copy.

problem is, where would I get an uninfected copy _from_? isn't the kernel the core of the OS? I don't want to go aroud deleting that, do I?

any help much appeciated - and I need it quick, please...


Ian W
0
Comment
Question by:cath
  • 3
5 Comments
 
LVL 15

Accepted Solution

by:
lyonst earned 200 total points
ID: 6920400
This might help..

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

Manual removal procedure for Windows 95/98/Me

Follow the instructions in the order shown. Do not skip any steps. This procedure has been tested and will work in most cases.

NOTE: Due to the damage that can be done by this worm, and depending on how many times the worm has executed, the process may not work in all cases. If it does not, you may need to obtain the services of a computer consultant.

1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

http://securityresponse.symantec.com/avcenter/defs.download.html

For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode
You must do this as the first step. For instructions, read the document How to restart Windows 9x or Windows Me in Safe mode.

3. Edit the registry
You must edit the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run and remove the wink???.exe value after you write down the exact name of the wink file.

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.


1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, look for the following values:

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

5. Write down the exact file name of the Wink[random characters].exe file
6. Delete the Wink[random characters] value and the WQK value (if it exists).
7. Navigate to and expand the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

8. In the left pane, under the \Services key, look for the following subkey, and delete it, if it exists:

\Wink[random characters]

NOTE: This probably will not exist on Windows 95/98/Me-based computers, but you should check for it anyway.

9. Click Registry, and click Exit.

4. Delete the actual Wink[random characters] file
Using Windows Explorer, open the C:\Windows\System folder and locate the Wink[random characters].exe file. (Depending on your system settings, the .exe extension may not be displayed.)

NOTE: If you have Windows installed to a location other than C:\Windows, make the appropriate substitution.

5. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

6. Run the Intelligent Updater
Double-click the file that you downloaded in Step 1. Click Yes or OK if prompted.

7. Restart the computer
Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it. Allow it to start normally. If any files are detected as infected, Quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

8. Scan with Norton AntiVirus (NAV) from a command line
Because some NAV files were damaged by the worm, you must scan from a command line.
1. Click Start, and click Run.
2. Type--or copy and paste--the following, and then click OK:

NAVW32.EXE /L /VISIBLE

3. Allow the scan to run. Quarantine any additional files that are detected.

9. Restart the computer
Allow it to start normally.

10. Reinstall NAV
1. Reinstall NAV from the installation CD.
2. Start NAV, and make sure that it is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan. Quarantine any files that are detected as infected.
0
 
LVL 15

Expert Comment

by:lyonst
ID: 6920408
Some more info on the Virus..

W32.Klez.E@mm
W32.Klez.E@mm is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines and message bodies.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained.

Information and a patch for the vulnerability can be found at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm drops a virus similar to W32.ElKern.3326, and it attempts to disable some common antivirus products.

In addition, the worm will infect executable files by prepending itself to the infected files.

When executed, the worm will copy itself to %System%\Wink[random characters].exe

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the values

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that it is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes.

The worm copies itself to local, mapped, and network drives. The worm copies itself as a random file name with a double extension such as filename.txt.exe. In addition, the worm copies itself as a .rar archive with a double extension, for example filename.txt.rar.

In addition, the worm searches the Windows address book, which is used by Microsoft Outlook, for email addresses. The worm sends an email message to these addresses with itself as an attachment.

The subject line and message bodies are random. If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm also infects executables by prepending itself to the infected files.


For information please visit http://www.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

Cheers,

T.
0
 
LVL 23

Expert Comment

by:slink9
ID: 6920540
I just fought this one for a client.  It actually went rather easily after following those instructions.  He had two computers which were infected at startup although they didn't show the effects in the registry.  The initial infections were done by one receiving machine.  I first had to clear it up and then follow the procedures on the other machines.  You can do a scan at http://housecall.antivirus.com after you get it up and running.
0
 

Author Comment

by:cath
ID: 6923563
worked like a dream. many, many thanks, you're a lifesaver...

took all day Friday and all yesterday to remove virus, uninstall infected software (it had infected _51_ .exe's...!), reinstall software, and have a bloody good cleanup while I was at it (disk doctor/speed disk, remove loads of old programs I don't use any more or never did...)

so my machine is running rather better now than it has for a while.

every cloud has a silver lining... ;-)

many thanks again.

Ian W
0
 
LVL 15

Expert Comment

by:lyonst
ID: 6924854
Glad I could help..

Cheers,

T.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Recently Microsoft released a brand new function called CONCAT. It's supposed to replace its predecessor CONCATENATE. But how does it work? And what's new? In this article, we take a closer look at all of this - we even included an exercise file for…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now