Klez cleanup

  1. #1
    Registered User
    Join Date
    Nov 2000
    Location
    Fountain Valley, CA
    Posts
    507

    Post Klez cleanup

    cleaned up a computer today that had klez and elkern.d. problem now is the computer (windows 2000) constantly produces the error "explorer has generated error and will be shut down". It generates an error message, and then a few moments later repeats, ad infinitum.

    so the computer is clean, but unusable.

    anyone had this problem with klez or elkern?

  2. #2
    Registered User
    Join Date
    Oct 2000
    Posts
    1,569

    Cool

    this virus is particularly nasty and overwrites executables and does other types of damage. it also writes its own registry keys and deletes others. check here (http://securityresponse.symantec.com/avcenter/venc/data/[email protected]) for more info... this one is sometimes VERY hard to clean up.

  3. #3
    Registered User edball's Avatar
    Join Date
    Apr 2001
    Location
    Oklahoma
    Posts
    1,884

    Post

    It is very nasty! The removal tool doesn't always work either. As you can see in the instructions above, just repairing the infected files is not enough to fix the damage.

  4. #4
    Registered User
    Join Date
    Jun 2002
    Location
    USA
    Posts
    53

    Thumbs up

    Did a Klez cleanup yesterday. Tried the Symantec "fix" first and it could not finish the job. Said one infected file remained. Installed and updated AVG which then found 17 more infected files and cleaned up the whole mess without flaw. Two words to avoid in anti-virus and computer "enhancing" products, Symantec and Norton.

  5. #5
    Registered User
    Join Date
    Nov 2000
    Location
    Fountain Valley, CA
    Posts
    507

    Post

    well here is what i finally did and all seems to be well now.

    When i said that the virus seemed to be gone i was grossly mistaken. i scanned first with a trendmicro fix. their products usually seem to be reliable. Once it was done, i uninstalled the ontrack virus scanner and reinstalled, then ran another full scan. At that point, i considered the system to be clean, but had the system instabilities, which is when i posted here.

    since then, i took the machine back to my shop and scanned the drive over the network. It found over 150 more infected files, but wasn't able to clean them all, being over the network. so i removed the drive and installed it in a clean machine with nav2002. scanned it there, and it was able to find more files, clean them all, and now everything seems to work fine.

    so i hope i'm safe now, but the different performance of all these av products makes me want to try one more, just to be safe.

  6. #6
    Junior Member
    Join Date
    Jun 2002
    Location
    Australia
    Posts
    1

    Angry

    I look after a very small network which has just been infected by the above. Having a devil of a time. Esp when classes are happening.

  7. #7
    Chat Operator Matridom's Avatar
    Join Date
    Jan 2002
    Location
    Ontario, Canada
    Posts
    3,778

    Post

    I've gotten a few Klez E-mails, but Norton picked those up no problem.

    I think the following thread is caused by Klez...

    http://forums.windrivers.com/cgi-bin/forum3/ultimatebb.cgi?ubb=get_topic;f=50;t=000048

  8. #8
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340

    Post

    What we do here with klez is to clean it from dos with Panda recovery disks, then start the computer in safe mode, remove all the *.vir files, then look in windows/system for a file starting with wink... it sits as a hidden system file and can reinfect the machine if you start up in normal after removing the virus... this is the executable that contains the dropper virus, but it isn't seen as a virus by all virus scanners until activated. Take this out, disable the line in msconfig or startup that activates it, and then install and upgrade the antivirus program... klez is naassssssty.
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."

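A read-only way to check for the leftovers listed in post #8, as an added PowerShell example that is not part of the thread: it reports files starting with wink in the system directory, leftover *.vir files, and startup values that point at a wink file. The default paths, and the choice of the registry Run keys as the place where the startup line lives, are assumptions.

```powershell
# Added example (not from the thread): read-only check for the leftovers
# named in post #8. Nothing is deleted; matches are leads to review by hand.
# Assumptions: default paths, and that the "startup line" is a Run-key value.
param(
    [string]$SystemDir = (Join-Path $env:windir 'System32'),
    [string]$ScanRoot  = "$($env:SystemDrive)\"
)

$findings = @()
$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# 1. Files starting with "wink" in the system directory. -Force is needed
#    because hidden/system files are skipped by default.
Get-ChildItem -LiteralPath $SystemDir -Filter 'wink*' -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $isHS = ($_.Attributes -band $hiddenSystem) -eq $hiddenSystem
        $findings += [pscustomobject]@{
            Kind = 'wink* file'; Item = $_.FullName
            Detail = "hidden+system=$isHS, $($_.Length) bytes, modified $($_.LastWriteTime)"
        }
    }

# 2. Leftover *.vir files anywhere under the scan root. The extension is
#    re-checked because -Filter also matches 8.3 short names.
Get-ChildItem -LiteralPath $ScanRoot -Filter '*.vir' -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.vir' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Kind = '*.vir file'; Item = $_.FullName; Detail = "$($_.Length) bytes"
        }
    }

# 3. Run-key values (shown on msconfig's Startup tab) that point at a wink* file.
foreach ($path in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        if ($name -like 'wink*' -or $cmd -match '(^|[\\"\s])wink') {
            $findings += [pscustomobject]@{ Kind = 'Run value'; Item = "$path\$name"; Detail = $cmd }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'No wink* files, *.vir files or matching Run values found.' }
```

Run it from an elevated prompt so the whole drive and the HKLM key are readable; an empty result only means these three checks found nothing, not that the machine is clean.
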