
Thread: Klez

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499

    Klez

    O.K Guys,

    needin some help here. My friend's computer is infected with KLEZ

    (Win XP)

    I can't use any anti virus tools cause the wee shits just deletin them when I try.

    I can't boot to dos because the disk is NTFS.

    What to do ?


    Registry strings of this virus would be great so I can remove them.

  2. #2
    Have you tried the Klez removal tool available from Symantec?

    http://securityresponse.symantec.com...oval.tool.html
    - Maverick

  3. #3
    Oh-oh, I have experience with this one, I had it about a month ago. Go grab the tool from Symantec with the link provided by Maverick, and follow the instructions carefully. Be sure that when you try to reinstall your anti virus, that you are NOT connected to the internet. I'm pretty sure the instructions require you to download the fix, disconnect from the internet, turn off file restore (which sometimes Klez infects as well), boot into safe mode, run the fix, boot into regular mode, re-install Norton, turn file restore back on. I hope this helps.
    im not living, im just killing time.
    Go to KidAdmin.com

  4. #4
    You can save yourself a lot of time and go to www.trendmicro.com and use their free online scanner. This will find the Klez virus and remove it. No need to reboot or any of that other crap. Good luck....

  5. #5
    TechieChick
    Guest
    Having removed more Klez infections at the shop than I care to think about, my advice is to use the Symantec tool. It's the best and easiest. Couple of things to remember: download the fix from a clean machine and run it in safe mode only. I've had one instance on a 2k box where it had to be run twice.

    In regards to Trend Micro's online scanner, it's good but it doesn't remove all of the Klez footprints. I like to use that for a scan but I depend on myself to remove the viruses/trojans etc.

  6. #6
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    To back up TechieChick, Maverick811 and KidAdmin,

    Klez kept me busy for about 2 months last year, the Symantec removal tool is the more reliable method of removal. (I think F-Prot, McAfee, and TM have one also).. The instruction that any of these companies give is standard now for Me and XP regarding many of the current worms.. WHY?.. because the virus can be saved as part of a normal "Check Point" backup the system creates.. and potentially be available to re-infect your machine.. This is why the online scanners are not so good.. well they will get the virus.. but they can't remove any infection from the Restore folder..

    The standard instructions for Worm/Virus Removal are:

    Disable System Restore..
    Reboot into safe mode
    Remove virus
    Reboot into normal mode
    Reinstall AV - update defs, run full scan.
    Re-enable System Restore..

    Just pray you don't get Lovegate.. the removal tools only operate in DOS mode.. cure ..create an NTFS-DOS boot disk..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Here is your answer, boot to Norton Antivirus or another vendor's boot disk. Enable the write protection on the disk so it cannot be overwritten (it won't be since you're not booting to Windows). After the virus has been removed, remove the network cable from the system (so it can't spread to another machine), boot to Windows, run your anti-virus again from within Windows. After you're satisfied that the virus has been removed, sit back and enjoy the praise of being the hero. : )



    PuRe

  8. #8
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    PuReExcTacy WTF are you going on about?

  9. #9
    TechieChick
    Guest
    Pure, Norton hasn't shipped with boot floppies for at least 4 years now and while the CDs are bootable, they aren't updatable so they are only as good as the AV definitions that were put on them at the time of production. So, my point here is, you can scan all you want with the boot floppies or bootable CD, but without an updated NAV you're wasting your time.

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499

    All Clear.

    You were all half right.

    In Windows XP if you run MSCONFIG it gives you a boot to safe mode option.

    In this mode the virus was not running.

    I got a copy of the tool from the Symantec site and ran it here.

    Then I put this .com object in my Windows startup folder as a shortcut to a write protected floppy disk.

    I booted the machine in normal mode and the AV ran and cleaned my registry + didn't get deleted.

    Woo Hoo.
