system32.exe infected with Klez

Status
Not open for further replies.

tempo21 (Technical User, GB), Nov 18, 2001
I have used Norton Antivirus to remove and quarantine most of the infected files, but the only way I can remove the virus completely is to delete system32.exe.

I guess I shouldn't do this?

Can I copy a system32.exe from a non-infected PC?


T3/\/\p()
tek-tips UK branch!
 
Howdy:

That particular file is part of the virus. Delete it.

Also, if you are running WinME or XP, you will have to disable System Restore or the viruses will simply come back.

Murray
 
I noticed that you have to disable system restore in ME. Does this mean permanently? If so, is there any way to repair the restore files?
 
You have to disable the system restore so that you can get rid of all of the infection.
AFTER the system is clean, you can use it again.

Kimber

Members of Tek-Tips provide answers to questions based on the information given. For the best answers, post detailed descriptions of the issue. Use the search features of the site to see if your issue was already addressed in another thread.
 
A little more info on Me & XP's System Restore....

The reason that it needs to be disabled while cleaning is that it is a protected volume: antivirus programs cannot access it to perform the clean (or delete) function. Because these restore points are created by the system, there is a very good chance that the restore information contains the virus, which you would not want to restore.

This applies to all viruses, not just Klez. And as Kimber said, you can re-enable it as soon as you are done with your virus removal tools.
 
Thank you both for that response. I assume that when disabled, the system restore volume becomes accessible by the virus cleaning software, and can be cleaned also. Hopefully the files there don't have to be deleted though, since I'm not sure how they could be replaced?
 
I understand that you are concerned about your data, but disabling system restore will enable the cleaning, correct.

Once you are finished cleaning, and turn it back on, things will be back to normal.

If you do NOT, then the system will RESTORE the virus and you will still be infected. The backup of information will be infected.

If you are concerned about data, do a manual backup onto another media first. You can scan and clean it once you have your system cleaned out.

1. Right-click My Computer, and then click Properties.
2. On the Performance tab, click File System, or press ALT+F.
3. On the Troubleshooting tab, click to select the Disable System Restore check box.
4. Click OK twice, and then click Yes when you are prompted to restart the computer.

To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.


 
>> The reason that it needs to be disabled while cleaning
>> is that it is a protected volume

What about the paging file on NT4 and Win2K?

-pete

 
I don't know of any virus that infects any version of the Windows swap (paging) file. Considering that this file is just 'virtual memory', I suppose it could contain some virus code if you were infected, but it can't execute like a registry entry, .dll, or .exe. Also, due to the fact that Windows is always changing the data (and sometimes adjusting the size), I don't see how it could be a problem. On the other hand, if it makes you feel more comfortable, you can disable it while scanning for viruses; it certainly won't do any harm, just remember to re-enable it afterwards for optimal performance. As a side note, doing this will also essentially defrag the swap file.
 
I think I have this virus as well, and I deleted the registry keys from Run, but when I start XP, I still get an error saying that it can't find System32.exe, yet the file name is nowhere to be found within the registry or win.ini file... any ideas?
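The symptom in the post above (a "cannot find System32.exe" message after the file was deleted) means a launcher entry survived somewhere the poster did not look. The script below is an added example, not code from the thread or from any vendor: it walks the classic autostart locations that Klez-era malware used (the Run/RunOnce/RunServices keys under HKLM and HKCU, win.ini load= and run=, system.ini shell=) and flags any entry whose target executable no longer exists, then reports whether the XP System Restore switch discussed earlier in the thread is off. It assumes Windows PowerShell on an NT-family system; the key paths, ini file names and the DisableSR value are the standard ones, and the assumption that the machine's autostart entries live only in these locations is the script's, not the thread's.

```powershell
# Added example (not from the thread): list autostart entries and flag
# those whose executable is missing, e.g. a Klez launcher left behind
# after system32.exe was deleted.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',      # Win9x/Me only
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',  # Win9x/Me only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line and locate it the way the
# loader would: as written, or by bare name in %SystemRoot% and its
# System directories. Returns $null when nothing is found.
function Resolve-AutorunTarget {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')         { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+?\.exe)\b') { $exe = $Matches[1] }
    else                                         { $exe = ($Command -split '\s+')[0] }
    if (Test-Path -LiteralPath $exe -PathType Leaf) { return (Resolve-Path -LiteralPath $exe).Path }
    foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\System")) {
        $candidate = Join-Path $dir (Split-Path -Leaf $exe)
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    $target = Resolve-AutorunTarget $Command
    $status = if ($target) { 'present' } else { 'MISSING' }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Target = $target; Status = $status }
}

$findings = @()

# Registry Run-style keys
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath etc. are PowerShell metadata, not values
        if ([string]::IsNullOrWhiteSpace([string]$p.Value)) { continue }
        $findings += Add-Finding -Source $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# win.ini [windows] load=/run= and system.ini [boot] shell= were honoured by
# Windows 9x/Me and are still read for compatibility on later versions.
# (Keys are split on commas and spaces, so a run= path containing spaces
# would be truncated; such entries are rare in these files.)
$iniChecks = @(
    @{ File = "$env:SystemRoot\win.ini";    Section = 'windows'; Names = @('load', 'run') },
    @{ File = "$env:SystemRoot\system.ini"; Section = 'boot';    Names = @('shell') }
)
foreach ($ini in $iniChecks) {
    if (-not (Test-Path -LiteralPath $ini.File)) { continue }
    $section = $null
    foreach ($line in Get-Content -LiteralPath $ini.File) {
        if ($line -match '^\s*\[(.+?)\]') { $section = $Matches[1]; continue }
        if ($section -ne $ini.Section) { continue }
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*)$' -and $ini.Names -contains $Matches[1]) {
            $keyName = $Matches[1]
            $value   = $Matches[2]
            foreach ($cmd in ($value -split '[,\s]+')) {
                if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
                $findings += Add-Finding -Source "$($ini.File) [$section]" -Name $keyName -Command $cmd
            }
        }
    }
}

# MISSING sorts before present, so dangling launchers appear first.
$findings | Sort-Object Status | Format-Table -AutoSize

# The System Restore store cannot be cleaned while it is enabled (see the
# discussion above). On XP the switch is mirrored in DisableSR (1 = disabled).
$sr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' -ErrorAction SilentlyContinue
if ($sr -and $sr.DisableSR -eq 1) { 'System Restore is disabled; safe to run the cleaner.' }
else { 'System Restore is still enabled; disable it before cleaning.' }
```

Run it from an elevated Windows PowerShell prompt. Any row marked MISSING is a candidate for the leftover launcher; delete the registry value or ini line rather than recreating the file it points to. If nothing shows up here, the remaining classic locations to check by hand are the Winlogon Shell and Userinit values and the Startup folders, which this script does not cover.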
 
Start a new thread so people will start to help you.
 