This may have been covered in other topics, so I apologize in advance if this is the case.
I recently got hit with the Klez H worm through an e-mail I received from my Hotmail account that I check using Outlook express. The funny thing is I checked my e-mails beforehand, I didn’t get any suspicious e-mail and didn’t click on any attachments. Avast was also set to scan e-mails yet it still got through somehow. I know it came from an e-mail because that’s what it says in the virus information.
I had to reinstall my OS (98se) to get to the desktop again but IE, Outlook Express and MSN Messenger don’t work though. I can connect to the Internet and the homepage will load up using IE but it won’t go anywhere else (Firefox works though, which is what I’m using now).
Outlook Express checks my e-mail and then after about 30 secs comes up with an “msimn” error, when I click okay it shuts down OE.
MSN Messenger simply won’t log in.
I did a full AV scan with Avast which found the Klez worm but couldn’t repair it, only quarantine it. Unfortunately, I didn’t know much about Avast, so I had a friend set it up for me and noticed that the VRDB was disabled.
I’m just wondering if i’m screwed now and have to format or if there’s a way to fix the corrupted files and make sure the worm is totally removed.
This is quite a nasty infection, and I once before lost a computer OS to this malware, had to re-install from scrap.
Well that is years gone now, but this malware is still hunting us from asia as a website download infection. Here we go.
Alternatively, the following steps will circumvent virus and allow for proper VirusScan scanning/removal, by using the command-line scanner.
Ensure that you are using the minimum DAT specified or higher.
Close all running applications
Disconnect the system from the network
Go to a command prompt, then change to the VirusScan engine directory:
* Win9x/ME - Click START | RUN, type command and hit ENTER.
Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
*
WinNT/2K/XP - Click START | RUN, type cmd and hit ENTER.
Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
First, scan the system directory
* Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
*
WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
After scanning and removal is complete, reboot the system
Apply Internet Explorer patch if necessary.
Klez can delete anti-virus software files. It may be necessary to reinstall VirusScan after cleaning a system.
A removal too can be found below:
Disinfection tool
Disinfection of Klez.H worm can be performed with the special tool that is available from this ftp site:
Thank-you both for your helpful posts. Since I would class myself as novice-intermidate when it comes to computers I went with option DavidR suggested first.
I ran the program with the main Avast AV diabled as it recommended, and did 2 scans, 1 connected to the internet and 1 not connected to the internet. I made sure that I didn’t enable any programs or do anything while the scans were running but unfortunately the AV Cleaner didn’t find any virus and I know it’s there because it’s in quarantine in the main Avast AV
This maybe a silly question, but do I need to remove it from quarantine so the AV cleaner can find it?
Polonus, I will try your suggestion next, but could you explain what you meant by:
Ensure that you are using the minimum DAT specified or higher.
Disconnect the system from the network
(do you meant the internet? I only have one computer).
Okay, thanks for clearing that up. I tried step 4 but it said “Invalid command”. Should there be a space between “cd” and the “/”? You mentioned closing all running applications, does this include Avast? (I closed down everything except explorer using ctrl alt dlt).
The avast chest is a protected area and its contents will be encrypted so that would stop it being accesses by any program other than the main avast program. So if it didn’t find anything outside the chest, you should theoretically be in the clear. The avast cleaner is also incorporated in the main avast program, if a virus is found that can be cleaned by the cleaner, avast will give you the repair option, i you select that it should use the avast cleaner to clean-up the infection. However moving it to the chest may not have initiated the clean-up, I don’t know.
It is most certainly not a silly question, but the point of the chest is so the virus can do no harm. However, if you restore it and scan it with the main avast scanner or the quick scan (right click the file) it should be detected and if repair is there I would choose that and see if that works.
What was the original file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
Polonus: Yes, sorry that was actually a typo in my post. I did actually copy the string exactly as you have typed it using \ so I’m not sure what happened but I’ll try again. Should I close down everything (including Avast) if I try this again of leave Avast turned on? I will also try the Outlook Express restore tool if I can get this worm removed. Thanks for the link.
DavidR: I have a problem each time I try to open the main Avast AV. It basically says:
“An attempt was made to load a program with an
Program cannot set properly into main storage”
I click “ok” and then have to manually remove the Avast splash screen via ctrl/alt/dlt. When I do that the main Avast AV interface appears and seems to work fine. When I ran a scan it found the virus and asked if I wanted to repair it. Unfortunately the repair failed and I put it in the Virus Chest.
Try a repair of avast. Add Remove programs, select ‘avast! Anti-Virus,’ click the Change/Remove button and scroll down to Repair, click next and follow. You need to be on-line to do this. I also can’t remember if the repair option is available with win98.
If that doesn’t work try, uninstall, reboot, install, reboot.
Well the original infection was found in your OE inbox this is a dbx file that holds multiple emails, so this was found in an old email not an incoming one. So if as you have said you don’t routinely click on attachments, etc. you may not have been exposed the the Klez virus, but it remains in your inbox.dbx file. avast should be able to extract this from the dbx file which it would appear to have done as it isn’t found in the inbox.dbx any longer.
Outlook Express checks my e-mail and then after about 30 secs comes up with an "msimn" error, when I click okay it shuts down OE.
MSN Messenger simply won’t log in.
What is the error message ?
I think that the MSN Messenger login could be related to the OE problem, but I don’t use MSN so I can’t check.
It isn’t advisable to use the inbox for general email storage as this is the mailbox most likely to suffer from corruption and deletion as it is usually the one open if you experience a problem, so if you don’t back-up your emails you could lose the lot. Also if thee are a lot of emails in your inbox it takes longer to open. I suggest you use your inbox as a pending tray and once you view the contents move it to a folder/mailbox more appropriate to that email, personal, newsletters, etc. That way if the inbox ever dies you have only lost a few emails.
Well the msimn application is being blamed for the page fault (which could mean you have a memory issue), but the faulting module is the real cause ‘SHLWAPI.DLL’ a google search for this returns many hits, this is just one http://www.auditmypc.com/process/shlwapi.asp so it may be worth trying the search and seeing if there is anything related to your system and use. Like is there and updated shlwapi.dll file for win98se, etc. ?
I don’t think it’s a memory problem because the Avast Virus Cleaner did a memory test and it said it was okay. I just did a repair of Avast and it still came up with the splash page error when I tried to start the scanner. I got around that by doing ctrl/alt/dlt and got into the Virus Chest but it didn’t give me the option to repair the file. I assume this option is only available outside of quarantine.
Memory problem as in duff memory not infected memory.
I assume that is correct as repair isn’t given as an option when you right click the file in the chest, you can select scan within the chest, I don’t know if it would subsequently give the repair option then.
What splash screen error (“An attempt was made to load a program with an
Program cannot set properly into main storage”) ?
Sorry with all these different issues I’m having difficulty keeping up ;D
What version of avast do you have the latest is 4.7.844 ?
If it is bad memory it’s very coincedental since I didn’t have a problem before I got hit with the virus. I have no idea how to check though.
I scanned the file itself in the Virus Chest now but it just gave me the standard results / information. I right clicked on the file and also looked in the Virus Chest menu, but there was no repair option there. The only time it gave me the repair option was when it was scanning and found the virus, which I used, the repair failed and it was quarantined.
Yes, the splash page error is the one I mentioned before.
Co-incidence or not, an invalid page fault is usually switching between RAM and virtual memory, swap file and a page (a block of memory) that was expected is no longer there.
Bad Memory, invalid bits or physically bad memory:
It is possible that bad memory can cause Illegal Operations. If you have recently added memory to the computer it is recommended that it first be removed to verify that you are not experiencing conflictions with the recently installed memory.
If no memory has been recently added to the computer it is recommended you follow all other steps found on this page before replacing the memory within the computer. </blockquote>
Personally I wouldn’t worry about trying to repair what is in the chest as it isn’t going to resolve anything as Klez doesn’t appear to be on your system otherwise it would be detected.
Sorry for the delay in my reply but I’ve been trying to sort through this mess. I uninstalled Avast and reinstalled it again, and did a full scan which found several malware. I don’t know what happened to the Klez worm that was in the Virus Chest when I removed Avast but it wasn’t picked up in the scan I did today. The scan found a total of 4 malware, all of which was moved to the Virus Chest.
At this point IE works but has the occassional hang up, which I’m not sure is caused by malware, damaged files, or the lack of updates from when I reinstalled the OS the other day. I’m not sure what to do there. Scratch that, I just checked IE again and it’s not loading any other page apart from the home page
OE still comes up with that msimn error. I did the system back up from the abf-soft program Polonus gave me but I’m not quite sure what to do next. Should I do the restore this abf-aoft program has or isn’t that going to fix the error?
The last part is MSN Messenger, but I guess I should be able to just reinstall that and it’ll work right. Is there anywhere I can get the older version of MSNM? I prefer version 7.0 Also, will me contacts list and message history be saved if I remove MSNM and reinstall it?
Also, certain icons in my system tray seem to dissapeer after I run a scan. When I scroll over them they show the pop ups telling me what programs they are but the icons have been removed.
Sorry for all the questions, but I’m just trying to get out of this mess. I’m not sure if Polonus and DavidR are still reading this thread but I could use your help.
Well Polonus is reading the thread sure thing, and is considering a Winsock repair. Maybe you can also post a HijackThis log here, to be evaluated: http://www.hijackthis.de/
The winsock repair can be found here, with the documentation, and how to run this fix: http://cexx.org/lspfix.zip
In the meantime we ask the Walkyries to be favourite to our Lohengrin once again,
The chest and its contents will be removed on an uninstall.
Since I don’t use MSNM I can’t say for sure but I would have though an uninstall would or should clean everything, unless it leaves settings, etc. in the Documents and Settings folder under your user name. Is there not a means of backing-up or exporting your contacts/history in the program.
The only thing it found classed as “Nasty” was some adware belonging to a Gaming Portal that I use that has never given me any problems before. It also found the following:
“O10 - Broken Internet access because of LSP provider ‘xfire_lsp_10908.dll’ missing”
I then ran the LSPFix exe and it found the same problem. Xfire is a program I no longer use so I chose the “remove” option and rebooted. I checked my IE but it still won’t go to any other sites other than the home page.
I had a look at the instructions but have no idea what I am meant to do with the LSPFix-Source folder though.
DavidR: If the Chest and it’s contents are also removed with an uninstall do you have any idea what happened to the Klez worm it found a few days ago? Because I did a full system scan today and it didn’t find the Klez worm again.
MSNM could probably be fixed with a reinstall, but to be honest my main concern is getting IE and OE fixed right now. Is there a repair option for the 2 programs? If not, can I reinstall them from the internet or something?