
klez virus help


misskellibad1


Since May I have had 4 klezh@mm in my system restore.

I have run the tool from Symantec.

I have tried to purge.

I have tried the FIFO method as described by Microsoft.

I have disabled and re-enabled restore.

I have made over 30 new restore points as suggested by Symantec.

I have posted to every forum I come across.

The viruses are still there.

Any ideas on how to remove that I haven't already mentioned would be greatly appreciated.

Thanks in advance.



Have you tried this and followed it word for word?

http://de.mcafee.com/root/genericVIL.asp?g...p&virus_k=99455

Use current engine and DAT files for detection.

Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished. The following steps will circumvent this action and allow for proper VirusScan scanning/removal, by using the command-line scanner.

Ensure that you are using the minimum DAT specified or higher.

Close all running applications

Disconnect the system from the network

Go to a command prompt, then change to the VirusScan engine directory:

Win9x/ME - Click START | RUN, type command and hit ENTER.

Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER

WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER.

Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER

Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER

First, scan the system directory

Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER

WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER

Once the scan has completed, Type clean.exe /adl /clean and hit ENTER

Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER

After scanning and removal is complete, reboot the system

Apply Internet Explorer patch if necessary.

Klez can delete anti-virus software files. It may be necessary to reinstall VirusScan after cleaning a system.

Additional Windows ME/XP removal considerations

Let me know if this page helps.

-Xperties


I tried your suggestion but what am I doing wrong?

I typed letter for letter and double checked and it says "the system cannot find the path specified"

I thought I could just follow the directions you gave me -as I haven't used that before but.......?

By the way-thanks for getting back to me so quickly.


OK, first let me ask you a few things, because I've been reading up on this virus for the last day. What antivirus software are you using? After you're done and you supposedly kill the virus, is your antivirus saying it's still on your system, or are you receiving e-mails that are making you think you still have the virus? As posted on a few virus forums, they have said in the past the antivirus after being killed will still be detected by the antivirus even though you don't have it. What happens is when the virus first infected your system it makes registry entries into the antivirus folder such as Norton, McAfee, etc. etc. etc. Also it makes registry entries in your Outlook or Outlook Express, thus generating e-mails. I'll look around on the forums and see what others did to correct this and maybe we can find a solution for this problem. Just try to give me some insight on the questions I ask. Oh, and how did you get infected? E-mail, right?

-Xperties

Oh, PS: is your PC on a network with other PCs, and are you on a cable or DSL connection?


Hi again-thanks for your reply.

In May my "computer genius" brother upgraded me to XP for me. In the morning Norton's popped up a warning telling me to re-install. I had to re-install 3 times before it would take. He was downloading everything and their dog so I guess I got it there (I had no reported virus before).

Norton's is telling me my computer is infected (not e-mail)

no networking

cable

thanks again for your help.


The reason why Norton wouldn't work properly and you had to install it would be due to what the virus does.............

the worm attempts to unload several processes (antivirus programs) from memory including those containing the following strings:

_AVP32

_AVPCC

NOD32

NPSSVC

NRESQ32

NSCHED32

NSCHEDNT

NSPLUGIN

NAV

NAVAPSVC

NAVAPW32

NAVLU32

NAVRUNR

NAVW32

_AVPM

ALERTSVC

AMON

AVP32

AVPCC

AVPM

N32SCANW

NAVWNT

ANTIVIR

AVPUPD

AVGCTRL

AVWIN95

SCAN32

VSHWIN32

F-STOPW

F-PROT95

ACKWIN32

VETTRAY

VET95

SWEEP95

PCCWIN98

IOMON98

AVPTC

AVE32

AVCONSOL

FP-WIN

DVP95

F-AGNT95

CLAW95

NVC95

SCAN

VIRUS

LOCKDOWN2000

Norton

Mcafee

Antivir

which means it tries to uninstall Norton, and from what you are saying it did its job. I've read at least 10-15 different people post their steps they took to get rid of the virus and all have ended up just formatting ("erasing") the entire hard drive and starting from scratch. The reason is this trojan attaches itself to dozens of applications on your PC with extensions. It would by far take more time to go through each registry entry and try to correct its entry vs. doing a reinstall. Reinstalling XP is really simple and I'd be happy to post the correct stages on how to do that. I don't see a solution other than that that would ensure a 100% clean system. Here's an example of what the virus does to your system files....

Target filenames are chosen randomly, and can have single or double file extensions. For example:

350.bak.scr

bootlog.jpg

user.xls.exe

The worm may also copy itself into RAR archives, for example:

HREF.mpeg.rar

HREF.txt.rar

lmbtt.pas.rar

Just for the future, what does your brother download? Music? If so, and he downloads music files, he should only be downloading mp3's, and if there are any files ending in .zip, .rar, .ace, .rar he should right-click on them and choose scan using Norton antivirus, and always update your antivirus program.

-Xperties
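
Added example (not part of any post in this thread, and not vendor code): a filename check for the double-extension pattern quoted above, suitable for running over a folder before anything from it is backed up to CD. The extension sets and function names are assumptions chosen for illustration; a name-only check cannot see single-extension copies such as bootlog.jpg, so it narrows down what to scan rather than replacing a scanner.

```python
import os
from pathlib import PurePath

# Assumed extension sets for this example; not taken from the thread or a vendor list.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}
ARCHIVE_EXTS = {".rar"}
DECOY_EXTS = {".bak", ".xls", ".doc", ".txt", ".jpg", ".mpeg", ".mp3",
              ".pas", ".htm", ".html", ".rtf"}

def classify(filename):
    """Return a reason if the name has a decoy extension followed by an
    executable or archive extension, otherwise None."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) < 2:
        return None                      # single extension: not decidable by name
    inner, outer = suffixes[-2], suffixes[-1]
    if inner not in DECOY_EXTS:
        return None                      # e.g. backup.tar.gz, report.v1.txt
    if outer in EXECUTABLE_EXTS:
        return "executable behind decoy extension"
    if outer in ARCHIVE_EXTS:
        return "archive behind decoy extension"
    return None

def scan_tree(root):
    """Walk root and return sorted (path, reason) pairs for suspicious names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify(name)
            if reason:
                hits.append((os.path.join(dirpath, name), reason))
    return sorted(hits)

if __name__ == "__main__":
    # Names quoted in the thread, plus constructed benign names for contrast.
    samples = ["350.bak.scr", "bootlog.jpg", "user.xls.exe", "HREF.mpeg.rar",
               "HREF.txt.rar", "lmbtt.pas.rar", "backup.tar.gz", "setup.exe"]
    for name in samples:
        print(f"{name:16} {classify(name) or 'no name-based finding'}")
```

Anything `scan_tree` reports should be left out of a backup and scanned; a clean result says nothing about files the worm infected without renaming.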


Thanks again.

I never thought of that, I assumed it came from a copy of winzip he downloaded. When Norton scans everything seems fine-just won't remove from restore.

It has caught other viruses though and did its job.

My brother said he was going to do a clean install for me. He assumed because I'm somewhat new at this that I couldn't do it. He is a bit of a know-it-all.

I am a fast learner and I try to do things on my own.

One thing-I won't let him near my stuff again!

Anyway...

I'm not sure of the proper steps to re-install xp as I have been getting conflicting advice.

I had ME (pre-installed, no disk)

I have a recovery c.d. from compaq

I have an xp upgrade c.d.

If you wouldn't mind walking me through a re-install that would be great!

Thanks for all your help thus far!

P.S.

I read that you can un-install XP but it's not listed in my add/remove. I assume that's because my brother didn't do something he should have (log uninstall files?) ???

I'll look forward to your reply!:)


Things to have for a new Install of XP "Fresh...Meaning clean hard drive"....

Have that recovery disk with ME on it and your XP CD along with the key.

There are two ways to start off. The best one is the second choice, but sometimes if your computer does not boot from the CD the first one is the only way.

Choice one: While you're in XP, insert your XP CD. A pop-up window will appear; choose "Install XP", which should be the first option. Your PC will copy the setup files and restart. Once it restarts, simply follow the on-screen directions. It will ask you to choose the destination where to install XP; choose the c: drive. It will inform you that you already have a copy of XP on that drive. Then it will ask to do the following.... 1. Repair 2. Cont install on that drive 3. choose another. You want to continue the install on the drive that you already have XP installed on. The next step will ask you to format the c: drive. It will give you 5 options. I personally pick "format NTFS" (it's a safer and more sufficient way to store files) but you can pick, if you would like, "format fat 32". Whatever you do, do not choose any of the options that say "Fast" next to them. Once it's done formatting, the rest is a piece of cake. I'm not sure when, but at one point XP will ask you to verify an earlier operating system because you have the XP upgrade. When it does, simply take out the XP CD and place the ME disk in the CD-ROM. If it doesn't auto-pick the CD-ROM to look for ME, choose the CD-ROM drive as the destination so it can validate you have a previous version of Windows.

Choice two: Have your XP CD in the CD-ROM drive and restart your computer. Watch the screen and an option should show at the bottom saying "push key to boot from cd".

Try the second way first. If you don't see it offer you to boot from the CD as soon as your computer starts, then you'll have to do the first option. If the second choice works, then just follow the rest of the instructions from here.....

Once it restarts, simply follow the on-screen directions. It will ask you to choose the destination where to install XP; choose the c: drive. It will inform you that you already have a copy of XP on that drive. Then it will ask to do the following.... 1. Repair 2. Cont install on that drive 3. choose another. You want to continue the install on the drive that you already have XP installed on. The next step will ask you to format the c: drive. It will give you 5 options. I personally pick "format NTFS" (it's a safer and more sufficient way to store files) but you can pick, if you would like, "format fat 32". Whatever you do, do not choose any of the options that say "Fast" next to them. Once it's done formatting, the rest is a piece of cake. I'm not sure when, but at one point XP will ask you to verify an earlier operating system because you have the XP upgrade. When it does, simply take out the XP CD and place the ME disk in the CD-ROM. If it doesn't auto-pick the CD-ROM to look for ME, choose the CD-ROM drive as the destination so it can validate you have a previous version of Windows.

I hope that it doesn't sound too confusing; it's really not.

-Xperties

PS...If you have any questions just ask. BTW there's an update to prevent that virus in the future. As soon as you're done installing XP go to windowsupdate.com and get all the updates.


Thanks again!!!!!!!!

That does sound pretty darned easy to do.

I really have been getting conflicting advice-others have told me crap about command prompts, bios, the list goes on and on.

One more question before I start: do I need to back up everything?

Doing this this way, do I lose all my programs?

Just give me a basic idea so I know what I need to keep on hand.

Thanks!!!!!!!!!!!!!!!!!!!!!!!!!!!

P.S

I liked that "slave" thing you mentioned in a different post

Women really do like guys who toss their coats in the mud and such!

They really like guys with a sense of humour too!!!!!!!:)!


lol...hahaha, thanks.

Yeah, you're going to lose all your programs, but keep this in mind about backing anything up. This trojan attaches itself to dozens and dozens of applications, which they're still finding out, and the list gets bigger, so I wouldn't back anything up from your old XP install. Reinstall all your programs fresh. You should get all your address info if you use Outlook, or any screen names. The basic stuff, but don't transfer anything from the old XP install to the new one; you'd be asking for trouble then.

Oh, and all that info you were getting, well, they were probably telling you to change in your BIOS "Boot from the cd". That's why if it doesn't just boot from the CD then do step 1 and just put the CD in the drive while you're in Windows. It's too complicated to explain the BIOS if you're not familiar with it. That will be in lesson 2 after we get the PC up and running virus free :user :user

-XPerties


You will lose everything on your machine if you format if you run repair it may be a precaution to back anything that is absolutely vital up onto CD before attempting to format, but doing so make note that you might actually burn an infected file to disc and then reinfect yourself! So check anything before you burn it, and check your discs too.


XPerties-

You're a huuuuuuuuuuuge help to me! I'll let you know how it goes. Thanks soooooooooooo much :)

FthrJACK-

Thanks for the advice-will do!

Last but not least, thanks to the "lonely poster" Conan. You were right; wanted to make sure you got your due!

Thanks guys!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


You will lose everything on your machine if you format if you run repair it may be a precaution to back anything that is absolutely vital up onto CD before attempting to format, but doing so make note that you might actually burn an infected file to disc and then reinfect yourself! So check anything before you burn it, and check your discs too.

With a virus like this, jack, you shouldn't back anything up on disk. Read up on the nasty thing; it combines itself with zip files, rar files, exe files and tons of other normally used files. Norton has had extremely bad luck detecting this in files throughout your system.

misskellibad1- when you get done don't forget about us lonely techs out here, hope all goes well and keep that know-it-all brother in his place! :)

-Xperties


XPerties-oops sorry, I do have one more concern-hope you don't think I'm a pain in the :moon:

I was just reading the s*** that came with the recovery disk.

Just to be clear-when you say "pop in the me disk", that's all there is to it?

Compaq has 4 different options for me to choose.

So, I am following your instructions, right?

Thanks-this is a big step for me and I don't want to f**k it up!
