HELP! Infected with virus...

Posted on 2002-04-05
Last Modified: 2013-12-29
I've just been hit with the Klez.E@mm virus, which has infected Norton's (so that it won't run, although it does still pick up atempts to run infected programs), Stay Connected, Textpad and, worst of all, kernel.exe. I've downloaded a trial of McAfee, and that agrees that kernel.exe is infected and recommends deleting it and replacing it with an uninfected copy.

problem is, where would I get an uninfected copy _from_? isn't the kernel the core of the OS? I don't want to go aroud deleting that, do I?

any help much appeciated - and I need it quick, please...

Ian W
Question by:cath
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
LVL 15

Accepted Solution

lyonst earned 200 total points
ID: 6920400
This might help..

Manual removal procedure for Windows 95/98/Me

Follow the instructions in the order shown. Do not skip any steps. This procedure has been tested and will work in most cases.

NOTE: Due to the damage that can be done by this worm, and depending on how many times the worm has executed, the process may not work in all cases. If it does not, you may need to obtain the services of a computer consultant.

1. Download virus definitions
Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode
You must do this as the first step. For instructions, read the document How to restart Windows 9x or Windows Me in Safe mode.

3. Edit the registry
You must edit the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run and remove the wink???.exe value after you write down the exact name of the wink file.

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:


4. In the right pane, look for the following values:

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

5. Write down the exact file name of the Wink[random characters].exe file
6. Delete the Wink[random characters] value and the WQK value (if it exists).
7. Navigate to and expand the following key:


8. In the left pane, under the \Services key, look for the following subkey, and delete it, if it exists:

\Wink[random characters]

NOTE: This probably will not exist on Windows 95/98/Me-based computers, but you should check for it anyway.

9. Click Registry, and click Exit.

4. Delete the actual Wink[random characters] file
Using Windows Explorer, open the C:\Windows\System folder and locate the Wink[random characters].exe file. (Depending on your system settings, the .exe extension may not be displayed.)

NOTE: If you have Windows installed to a location other than C:\Windows, make the appropriate substitution.

5. Empty the recycle bin
Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

6. Run the Intelligent Updater
Double-click the file that you downloaded in Step 1. Click Yes or OK if prompted.

7. Restart the computer
Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it. Allow it to start normally. If any files are detected as infected, Quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

8. Scan with Norton AntiVirus (NAV) from a command line
Because some NAV files were damaged by the worm, you must scan from a command line.
1. Click Start, and click Run.
2. Type--or copy and paste--the following, and then click OK:


3. Allow the scan to run. Quarantine any additional files that are detected.

9. Restart the computer
Allow it to start normally.

10. Reinstall NAV
1. Reinstall NAV from the installation CD.
2. Start NAV, and make sure that it is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan. Quarantine any files that are detected as infected.
LVL 15

Expert Comment

ID: 6920408
Some more info on the Virus..

W32.Klez.E@mm is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines and message bodies.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained.

Information and a patch for the vulnerability can be found at 

The worm drops a virus similar to W32.ElKern.3326, and it attempts to disable some common antivirus products.

In addition, the worm will infect executable files by prepending itself to the infected files.

When executed, the worm will copy itself to %System%\Wink[random characters].exe

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the values

Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe

to the registry key


so that it is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes.

The worm copies itself to local, mapped, and network drives. The worm copies itself as a random file name with a double extension such as filename.txt.exe. In addition, the worm copies itself as a .rar archive with a double extension, for example filename.txt.rar.

In addition, the worm searches the Windows address book, which is used by Microsoft Outlook, for email addresses. The worm sends an email message to these addresses with itself as an attachment.

The subject line and message bodies are random. If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at 

The worm also infects executables by prepending itself to the infected files.

For information please visit 


LVL 23

Expert Comment

ID: 6920540
I just fought this one for a client.  It actually went rather easily after following those instructions.  He had two computers which were infected at startup although they didn't show the effects in the registry.  The initial infections were done by one receiving machine.  I first had to clear it up and then follow the procedures on the other machines.  You can do a scan at after you get it up and running.

Author Comment

ID: 6923563
worked like a dream. many, many thanks, you're a lifesaver...

took all day Friday and all yesterday to remove virus, uninstall infected software (it had infected _51_ .exe's...!), reinstall software, and have a bloody good cleanup while I was at it (disk doctor/speed disk, remove loads of old programs I don't use any more or never did...)

so my machine is running rather better now than it has for a while.

every cloud has a silver lining... ;-)

many thanks again.

Ian W
LVL 15

Expert Comment

ID: 6924854
Glad I could help..



Featured Post

Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article helps those who get the 0xc004d307 error when trying to rearm (reset the license) Office 2013 in a Virtual Desktop Infrastructure (VDI) and/or those trying to prep the master image for Microsoft Key Management (KMS) activation. (i.e.- C…
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question