#1
virus
hi
I'm working on my first ME OS, in an HP Pavilion home computer. It was infected with the w32.klez.h@mm virus. I finally found a tool that said it deleted all 18 infected files and the virus was no longer on the computer. But now I can't enable System Restore: I uncheck the box, apply, reboot, and it is still disabled. I also tried to run Norton (freshly updated) but it still comes up with an error. Part of the directions were to rename the scan.exe to clean.exe so the virus wouldn't abort the virus scan; I looked everywhere and couldn't find the file. Any thoughts on this? Is the computer really clean, or is it just a smart virus still at work? Thanks, lneilson
#2
Hi lneilson - Go here and download and run Startup List on the PC. It will generate a log file. Copy the log and paste it back into this thread. If it is still infected with Klez, we will be able to see that in the log.
__________________
Moderator: Vista Forum Microsoft MVP - Windows Desktop Experience 2004-2008 If we have helped you, please consider supporting Cyber Tech Help with a subscription Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you. How to help prevent re-infection
#3
start up list
Thanks for the reply, here's the list:
```
StartupList report, 4/28/2003, 6:49:23 AM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\TD_0001.DIR\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0600)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 27/4/2003, 13:13:38)

[Rename]
NUL=C:\WINDOWS\INSTAL~1\999814.MSI
NUL=C:\WINDOWS\APPLIC~1\MICROS~1\INSTAL~1\{87AEF~1 \
NUL=C:\WINDOWS\APPLIC~1\MICROS~1\INSTAL~1\{87AEF~1 \

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YACSCOM.DLL
CODEBASE = http://cs4.chat.yahoo.com/v43/yacscom.cab

[MSN Chat Control 4.0]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT40.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

[McAfee.com Updater]
InProcServer32 = C:\WINDOWS\MCBIN\MGAVEXP.DLL
CODEBASE = http://download.mcafee.com/molbin/cl...an/mcasupd.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 4,425 bytes
Report generated in 0.300 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
```

lneilson
#4
Hi lneilson - there is no evidence of Klez in the startups. As a double check, you could run an online scan here if you haven't already done so.
Klez disables most AV's so you will have to uninstall Norton and reinstall it. There was also an issue with Norton Auto Protect and System Restore so if you are using an older version of Norton, you may well find that System Restore can be enabled, once Norton is removed. Make sure that STMGR.EXE was not one of the infected files that were deleted. It should be in C:\WINDOWS\SYSTEM\RESTORE.
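Added example, not part of the original thread: one way to make the startup check from post #4 repeatable is to parse the StartupList report into sections and compare each autorun entry with the entries a reviewer has already checked. The function names, the `BASELINE` allowlist and the `ExampleUpdater` line are assumptions of this example, as is the section layout (a title line ending in a colon, an optional registry key line, a dashed separator).

```python
import re

# Excerpt of the report posted in this thread, re-broken into lines. The
# "ExampleUpdater" line is constructed for this example; it is not in the thread.
REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
ExampleUpdater = C:\WINDOWS\TEMP\example.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
--------------------------------------------------
"""

# Reviewer-maintained allowlist (an assumption of this example): entry name ->
# the exact command the reviewer has already checked.
BASELINE = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "SystemTray": "SysTray.Exe",
    "Taskbar Display Controls": "RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY",
}

def parse_sections(report):
    """Map each section (registry key if present, else its title) to entries."""
    sections = {}
    for chunk in re.split(r"^-{10,}\s*$", report, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines or not lines[0].endswith(":"):
            continue
        title, rest = lines[0].rstrip(":"), lines[1:]
        if rest and rest[0].startswith("HK"):
            title, rest = rest[0], rest[1:]
        sections[title] = rest
    return sections

def triage(sections, baseline):
    """Return (section, entry, reason) for entries that need a manual look."""
    findings = []
    for section, entries in sections.items():
        for entry in entries:
            name, _, command = entry.partition(" = ")
            if name not in baseline:
                findings.append((section, entry, "not in baseline"))
            elif baseline[name] != command:
                findings.append((section, entry, "command changed"))
    return findings
```

Comparing the full command rather than only the entry name means a familiar name pointing at a different file is also reported.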
#5
virus
finally disease free!!!!!
thanks for the help lneilson
#6
You are very welcome.
Were you able to re-enable System Restore?