Klez Virus

Status
Not open for further replies.

Bentek

Technical User
Apr 30, 2002
GB
I have 2 machines which had been infected by the Klez virus.
Since the machines have been cleaned (using the Norton removal tool), they seem to be getting lots of EXPLORER problems, with the machines crashing. Does the virus screw things up more than the fix tool can sort, or does anybody have any ideas what I could be missing, or am I going to have to reload the machine? (Both machines now have Norton AntiVirus 2002; they had Norton 2000, which was up to date, but the virus seemed to be able to get past.)
Any ideas will be a great help.
John
 
Try running sfc: Start -> Run, type 'sfc' without quotes. Then allow it to check for altered or corrupted files... sometimes after a virus has been cleaned, the original files may need to be extracted.
 
I have tried SFC, Scandisk and even Norton Utilities, but I am now starting to run out of ideas. Thanks for the advice, as we can all miss the simple things.
 
Run Sysedit and check your autoexec.bat and config.sys files. Some versions of Klez wipe these out. You may have to restore these from a backup copy [search for a .bak or .syd extension]. Since these files have various load lines, run lines and specialized settings, some of your programs may not run right even after running a virus clean-up tool. Also, if I run Explorer and click on the C drive, in the column that says Modified Date a lot of files list 2003 and 2004. Don't know what that's all about.
 
Hello :)
I've run into the same problem: KLEZ VIRUS !!!!
I was running Win98 and Win2000.
I didn't have any anti-virus tools before I ran into ONE.
Then I downloaded 3 tools: Norton and McAfee Anti-virus and McAfee boot disk for MS-DOS.
1st I installed NORTON. Ran it and found KLEZ !!!
When I tried to clean the virus the program "disappeared", vanished, deleted, gone. HOW ????
Tried 2 more times before installing McAfee for Windows.
I gave up and tried McAfee. KLEZ AGAIN !!!
CLEAN, CLEAN, CLEAN.... if asked.... ERASE, ERASE, ERASE.
OK, I know, missing core files in Windows, but still could not remove virus, because...
Just in case, I ran the McAfee boot disk. KLEZ AGAIN !!!
IMPRESSIVE and persistent.
THE SAME PROBLEM IN THE TWO MACHINES (Win98 and Win2k).
At this time I was tired and wanted to sleep, so I decided to re-GHOST the images I'd previously created.
THAT saved the day!!!!

Information I gathered in this marathon:
When the email is opened the worm immediately activates.
The worm copies itself under WINKxxx.EXE name (where xxx are random characters) into the WINDOWS\SYSTEM folder.
This file is set to run every time the system starts.
The virus may save a copy of itself into .RAR archives.
Running infected files causes the worm to reconstruct the uninfected host file using saved data. Such reconstructed files will have "~1" appended to the name (e.g., infected MSOFFICE.EXE will be accompanied by an uninfected MSOFFI~1.EXE). The worm deletes them as soon as the program stops running, so they exist only temporarily.
On the 6th day of March, May, September, or November, the virus may overwrite local and network files containing the following extensions with zeros: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3.
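
A defender-side triage sketch of the indicators listed in the post above, as an added example that is not part of the thread or any poster's code. It checks a file listing and a list of startup command lines for the WINKxxx.EXE name in WINDOWS\SYSTEM, for "~1" host copies beside a same-named file, and for the payload dates; the function names and sample data are hypothetical and constructed.

```python
import ntpath
import re
from datetime import date

# Indicators as described in the post. The length of "xxx" is not stated there,
# so any non-empty run of characters after WINK is accepted (assumption).
WINK_RE = re.compile(r"^WINK[^\\/.]+\.EXE$", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"\\WINDOWS\\SYSTEM$", re.IGNORECASE)
PAYLOAD_MONTHS = {3, 5, 9, 11}  # March, May, September, November

def is_wink_dropper(path):
    """True for WINKxxx.EXE located directly in a WINDOWS\\SYSTEM folder."""
    folder, name = ntpath.split(path.strip('"'))
    return bool(SYSTEM_DIR_RE.search(folder) and WINK_RE.match(name))

def temp_host_copies(paths):
    """Return '~1' files that sit beside a same-prefix, same-extension file."""
    by_dir = {}
    for p in paths:
        folder, name = ntpath.split(p.upper())
        by_dir.setdefault(folder, set()).add(name)
    hits = []
    for p in paths:
        folder, name = ntpath.split(p.upper())
        stem, ext = ntpath.splitext(name)
        if not stem.endswith("~1") or len(stem) < 3:
            continue
        siblings = by_dir[folder] - {name}
        if any(s.startswith(stem[:-2]) and s.endswith(ext) for s in siblings):
            hits.append(p)
    return hits

def is_payload_day(d):
    """True on the 6th of the months the post lists for the overwrite payload."""
    return d.day == 6 and d.month in PAYLOAD_MONTHS

def triage(file_paths, startup_commands):
    return {
        "wink_files": [p for p in file_paths if is_wink_dropper(p)],
        "wink_startup": [c for c in startup_commands if is_wink_dropper(c)],
        "temp_host_copies": temp_host_copies(file_paths),
    }

# Constructed sample listing and startup entries (not taken from a real machine).
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\WINKABC.EXE", r"C:\WINDOWS\WINKABC.EXE",
                r"C:\Program Files\Office\MSOFFICE.EXE",
                r"C:\Program Files\Office\MSOFFI~1.EXE", r"C:\Docs\REPORT~1.DOC"]
SAMPLE_STARTUP = [r'"C:\WINDOWS\SYSTEM\WINKABC.EXE"', r"C:\WINDOWS\SCANREGW.EXE"]

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_STARTUP), is_payload_day(date(2002, 5, 6)))
```

A name match is only a lead for closer inspection, and the "~1" copies are transient by the post's own description, so an empty result does not show a machine is clean.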
 