W32.Klez-H@mm

toad

13 files on my neighbor's computer are infected with W32.Klez-H@mm.

I am able to run Norton, but it won't quarantine.

I downloaded AVG anti-virus, it didn't even detect the virus.

I went to Symantec (and other sites), got the tool and instructions, tried
to fix it on my own, nothing helped. Tried to do it manually, but there's
nothing to delete because there's no wink file (XP OS).

What are my options, how do I quarantine, and since some of the infected
files appear to be associated with various programs, is it wise to delete
them?

some of the infected files include...

falcon.dll
mswm.dll
omgbkup.exe (it could be omq, not g, not sure).
omgexsel.exe
PicGear.exe
PictureToy.exe
VMC.dll
CreateCDDA.dll

handful of others.

thank you
 
Why so many stars for so few four-leaf clovers?

toad said:
13 files on my neighbor's computer are infected with W32.Klez-H@mm.

I am able to run Norton, but it won't quarantine.

I downloaded AVG anti-virus, it didn't even detect the virus.

I went to Symantec (and other sites), got the tool and instructions,
tried to fix it on my own, nothing helped. Tried to do it manually,
but there's nothing to delete because there's no wink file (XP OS).

What are my options, how do I quarantine, and since some of the
infected files appear to be associated with various programs, is it
wise to delete them?

Did you check the NAV configuration?

Usually rules for NAV are

1st try to clean
2nd if unsuccessful try to quarantine

However you can select another choice such as

1st try to clean
2nd if unsuccessful try to delete

Assuming your NAV configuration is the 2nd one, NAV detected the worm then
removed it instead of quarantining it.

This could explain why there is nothing in quarantine and no virus is found
later...

--

Jean-Luc Cavey
Paris, France
E-Mail : (e-mail address removed)
http://canon.cavey.org/
 
toad

Why so many stars for so few four-leaf clovers? said:

Did you check the NAV configuration?

Usually rules for NAV are

1st try to clean
2nd if unsuccessful try to quarantine

However you can select another choice such as

1st try to clean
2nd if unsuccessful try to delete

Assuming your NAV configuration is the 2nd one, NAV detected the worm then
removed it instead of quarantining it.

This could explain why there is nothing in quarantine and no virus is found
later...

I ran the scan with norton again and it's still finding them. the same
13... and they appear to be found around the same time in the program files
folder.

Norton is set to repair first, then quarantine... both of which fail.
 
Why so many stars for so few four-leaf clovers?

toad said:
"Why so many stars for so few four-leaf clovers?"


I ran the scan with norton again and it's still finding them. the same
13... and they appear to be found around the same time in the program files
folder.

Norton is set to repair first, then quarantine... both of which fail.

Which version of Windows are you running?

If it's XP please look at this:

<http://service1.symantec.com/SUPPORT/nav.nsf/8d071816eedd7cac88256c0e005a96e5/5766df37140aed3b8825696500726d13?OpenDocument&prod=Norton%20AntiVirus&ver=2003%20for%20Windows%202000/Me/98/XP&src=csm&pcode=nav&svy=&csm=no>

--

Jean-Luc Cavey
Paris, France
E-Mail : (e-mail address removed)
http://canon.cavey.org/
 
toad

Why so many stars for so few four-leaf clovers? said:
If it's XP please look at this :

<http://service1.symantec.com/SUPPORT/nav.nsf/8d071816eedd7cac88256c0e005a96e5/5766df37140aed3b8825696500726d13?OpenDocument&prod=Norton%20AntiVirus&ver=2003%20for%20Windows%202000/Me/98/XP&src=csm&pcode=nav&svy=&csm=no>


Thanks, that exactly describes the problem I just posted about my Windows ME
system, except that I don't have norton on that computer, I have AVG. I
disabled the system restore and I'm running another scan, then I'll see if I
can move them to the virus vault.

On this other puter that is the topic of this thread, I also disabled the
system restore and it's scanning now. It does have norton, but the problem
is, the Klez virus isn't found in a _restore folder, they're being found in
program files... most of them in a folder called support.com I believe.
anyways, I'm trying it now. I'll get back to ya within the hour.

thanks a lot. I hope this does the trick.

got another question for ya. Why can't I reinstall Norton on the laptop
with ME? I tried to put in Norton that was issued by portland state
university and even when I was connected to the internet, it wouldn't update
the virus list, so I tried it manually. that didn't work, so I uninstalled
everything from registry and put in norton 2002. Even if I remove all
symantec, nav, and norton files/folders from registry, it still tells me
norton is expired. So I decided to put in AVG. I'd like to get Norton
running on that puter.

something must still be lodged in registry that recognizes it was previously
on the computer, otherwise how would it know it's expired? I've gone
through all the complete manual removal instructions. I must be missing
something and it might be related to the version I put in that was supplied
by the university. hard to say, you have any clue?
 
toad

Why so many stars for so few four-leaf clovers? said:
<http://service1.symantec.com/SUPPORT/nav.nsf/8d071816eedd7cac88256c0e005a96e5/5766df37140aed3b8825696500726d13?OpenDocument&prod=Norton%20AntiVirus&ver=2003%20for%20Windows%202000/Me/98/XP&src=csm&pcode=nav&svy=&csm=no>

followed instructions, disabled system restore, ran scan on norton (on the
XP box), found 9 instances of Klez, won't quarantine, tried to delete using
quarantine, also failed. they're still there.

They're all in c:\program files\support.com\client\lserver\backup

I'm still scanning on the ME box hoping to remove the backdoor.subseven
viruses in _restore folder, but that may not work per instructions because I
don't have norton. we'll see. I'm using AVG anti-virus.
 
Gabriele Neukam

On that special day, toad, (e-mail address removed) said...
something must still be lodged in registry that recognizes it was previously
on the computer, otherwise how would it know it's expired?

There are some more (old fashioned) config files in Windows, notably the
system.ini and win.ini, as well as the control.ini; maybe the
information has been stored therein.

Also, your Norton 2002 is a bit old; the new worms already do apply
tricks the old Norton engine never had heard of, which might explain why
cleaning and quarantining are constantly failing.


Gabriele Neukam

(e-mail address removed)
 
