OnLine E-Zine
Return to: OnLine E-Zine Main / IPCUG Home Page
Notice of Disclaimer: The following information is provided as-is, no warranty expressed or implied, use at your own risk. Neither the IPCUG nor the author, Clint Tinsley, can be held responsible for the use of this information. This article is simply a good faith effort to provide the PC User community, of which you are a member, with information in dealing with this infection.
One of the first things W32.Klez does is drop a well-hidden executable file that runs every time you start your computer. It is a transparent memory-resident program which cannot be seen in the Windows 98 Run list, and it can actually survive a warm reboot of the computer. One of the steps in the effective removal of this virus is that once you "remove" the executable from your computer, you are instructed to turn off your computer for at least 30 seconds so that the "memory" contents die. I can attest to this, as I removed the virus only to see it reappear at the next reboot because I had not powered down the system.
What are the warning signs that you have been infected by W32.Klez? One is a noticeable change in performance, with your hard drive staying active or thrashing (the little red hard disk activity light staying on or flashing at a high rate). Another is the receipt of an email of about 100K in size which you were not expecting; it can come from a friend or associate who has already been infected, as this is the way the virus propagates itself.
If you suspect that you have been infected and are comfortable working in the MS-DOS box ("command window"), you can relatively easily check for the signature file(s) that are the infection. Open "MS-DOS Prompt" (an icon) or run "Command" from the Windows "Run" box on the Start menu; either will open a black text window or take you to a full-screen DOS prompt, depending on how your computer is configured. Once at the DOS or Command prompt, change to the C:\Windows\System directory with a "CD C:\Windows\System <Enter>" command.
Step 1: Type "attrib win*.*". If you see SHR WINKUE.EXE or SHR WINKFR.EXE in the list, you have been infected. Other Wink??.exe permutations are possible.
Step 2: What I recommend at this point is to do an "attrib winkue.exe -s -h -r <Enter>", which will unhide the file; substitute winkfr.exe or whatever other permutation you saw in Step 1.
Step 3: Once unhidden, do a "del winkue.exe <Enter>" command, which should remove the executable file from your computer.
Step 4: Shut down and then power down your computer for at least 30 seconds so that the infection "dies" in memory. On restarting you may see Windows trying to find the deleted file; just cancel the search and let Windows start up normally.
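As an added example (not from the article), here is a short Python script that applies the Step 1 check to saved "attrib win*.*" output: it parses the attribute columns, flags every Wink??.exe entry together with its S/H/R flags, and prints the Step 2 and Step 3 commands for each hit. The sample listing is constructed, and the column layout it assumes (attribute letters first, then the full path) is an assumption about attrib's output.

```python
"""Added triage helper: flag hidden Wink??.exe entries in saved attrib output."""
import re

ATTR_LETTERS = set("ASHRIL")  # flag letters attrib prints before the path
KLEZ_NAME = re.compile(r"^wink..\.exe$", re.IGNORECASE)  # WINKUE.EXE, WINKFR.EXE, ...

# Constructed sample of `attrib win*.*` output (not a real capture); assumed
# layout is attribute letters first, then the full path.
SAMPLE_ATTRIB_OUTPUT = """\
A          C:\\WINDOWS\\SYSTEM\\WINMM.DLL
A  SHR     C:\\WINDOWS\\SYSTEM\\WINKUE.EXE
A          C:\\WINDOWS\\SYSTEM\\WINSOCK.DLL
A  SHR     C:\\WINDOWS\\SYSTEM\\WINKFR.EXE
"""

def parse_attrib_line(line):
    """Split one attrib line into (attribute letters, path); None for a blank line."""
    tokens = line.split()
    attrs = set()
    # Leading tokens made only of flag letters (and no backslash) are attributes.
    while tokens and "\\" not in tokens[0] and set(tokens[0]) <= ATTR_LETTERS:
        attrs |= set(tokens.pop(0))
    return (attrs, " ".join(tokens)) if tokens else None

def find_klez_droppers(attrib_output):
    """Return [(path, flags)] for every Wink??.exe entry, flags in attrib's S/H/R order."""
    hits = []
    for line in attrib_output.splitlines():
        parsed = parse_attrib_line(line)
        if parsed is None:
            continue
        attrs, path = parsed
        if KLEZ_NAME.match(path.rsplit("\\", 1)[-1]):
            hits.append((path, "".join(c for c in "SHR" if c in attrs)))
    return hits

def cleanup_commands(path):
    """Steps 2 and 3 of the article for one flagged file (run from its directory)."""
    name = path.rsplit("\\", 1)[-1]
    return [f"attrib {name} -s -h -r", f"del {name}"]

if __name__ == "__main__":
    for path, flags in find_klez_droppers(SAMPLE_ATTRIB_OUTPUT):
        print(f"{flags:3} {path}")
        for cmd in cleanup_commands(path):
            print("    " + cmd)
```

Redirect the real listing to a file (attrib win*.* > attrib.txt) and pass its contents to find_klez_droppers. The printed commands are a checklist only; the unhide and delete are still typed by hand as in Steps 2 and 3.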
The final step is to follow the procedures linked here from Symantec or Trend Micro, both of which will also have you download a "fixklez" tool that you will have to run. Each of these sites contains information NOT found on the other, so you should visit both!
Note that the W32.Klez infection may require the removal and reinstallation of your antivirus program as well as the Windows Installer program. On one computer I diagnosed with the virus, I even had to "fix" the Internet dial-up connection, as the computer would not even connect to the Internet. I uninstalled and reinstalled the Dial-Up Networking component in Windows, which entailed removing the Dial-Up Networking component from Windows Setup in the Add/Remove Programs control panel, applying the change, rebooting the computer, and then adding the Dial-Up Networking component back and applying the change.