PDA

View Full Version : Help with W32Klez@mm virus



dandino
08-24-2002, 05:33 AM
Hi all

I'v just scanned my PC with Norton Antivirus an found that 29 files are infected with a virus named W32Klez@mm. The problem is that Norton Antivirus cannot repair the files and advises me to delete them. The trouble is one of these files is "kernel32.exe" which sounds like an important part of the OS!

Can anyone advise me as to how to get rid of this virus without deleting the files? OR if I decide to delete kernel32.exe where can I get a clean replacement file from, I've checked my Win ME installation CD but can't seem to find it.

Any help greatly appreciated
Dan

david eaton
08-24-2002, 08:20 AM
Hi Dandino.
If you go Here (http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html) you can download a klez removal tool. This should remove or clean the infected files.

Then you can use the system file checker to restore any missing files from your WinME disk.

It has been suggested tha the only way of removing this virus is to completely wipe and reformat the hard drive, but that is a bit excessive as a first response. Try the removal tool first.

You might also read
This (http://www.pcguide.com/vb/showthread.php?s=&threadid=15936)

David

mjc
08-24-2002, 10:32 AM
Klez is one of the nastiest malware apps to clean up from...that is why there are so many recomedations to wipe the hard drive and start over. With WinME you have the added complication ore system restore to deal with. Unless you have already disabled it, the likelyhood of the restore directory being infected is extremely high. To do a complete clean-up you will need to disable the restore directory.

dandino
08-24-2002, 11:22 AM
Thanks David and MJC

I have downloaded the Klez Virus cleaner that you supplied a link to David but now I have a further problem which may or may not be a result of the virus.
As per the instructions I dissabled the System Restore and proceeded to re-boot in safe mode which I don't normally have a problem with. However this time when I tried to boot in safe mode I got a dreaded "B lue Screen" error message informing me that the system had halted and that I needed to restart the PC. I have tried to use safe mode about 20 times now and every time I get the Blue Screen error message! What the hell is happening, I though the idea of "Safe Mode" was that it was comletely safe!
I've run the virus cleaner in normal mode but it won't clean any of my infected files, presumably because they are in use by the OS.
I've managed to find instructions on how to remove the virus manually, but even that requires that you work in Safe Mode.

I'm really pulling my hair out now - please can someone help me!!

Dan Hawkes

Budfred
08-24-2002, 02:31 PM
I struggled with this on a friend's machine for a while and did end up reformatting and starting over. If you have your important files backed up, you may want to proceed with that. You could try simply reinstalling your copy of WinME, but this would probably hang and would certainly end up infected as well. If you aren't backed up, hang on to see if anyone else has a way to proceed.

Good luck,
Budfred

mjc
08-24-2002, 03:12 PM
Ok, if you have the system restore turned off you could use a win98 bootdisk to boot to DOS and delete the directory. That will remove any backed up infected files from there.

Also you can give one of the DOS scanners a try...the links are in my sig.

Do you have an actual OS CD or a manufacturers restore CD?

IF you have an actual OS CD you could then, using the 98 bootdisk, restore the corrupted systems files, one at a time, from DOS, using the extract command.

At this point, though, time and effort wise it may be easiest to wipe the drive (don't just use fdisk and format, use a program to zero fill the drive...can be gotten from the drive manufacturer's site) and reinstall.

Klez is nasty and with some of the "advancements" made by M$, all that more difficult to clean and recover from.

PS: kerenl32.exe is associated with the virus badtrans...so you may have a double dose here.

Another Klez removal tool.... http://www.quickheal.com/klezh.htm

ErnieK
08-24-2002, 06:51 PM
mjc
I have just been into your "Computer Links" page then clicked on links and the following is happening.

Page loads and keeps on loading non-stop. Loads up the re-loads itself with the message at the bottom "Transmission Stopped":confused: something my end or your end?

Mitch Hatfield
08-24-2002, 07:44 PM
Loads fine for me Ernie. Sorry, but looks like it might be at your end. Temporary glitch, I'm sure:)

My lucky night :D :D