Author Topic: Trouble...  (Read 7794 times)


jannykay

  • Guest
Trouble...
« on: May 22, 2003, 05:26:38 PM »
When I logged on today, I had two strange emails. Unfortunately, I opened one of them before I realized my mistake. I then went to run a scan using Avast 3 but it would go no further than the initialize stage. I went to right click on my resident protection and the icon just disappeared.

I then uninstalled Avast 3 and deleted the file from program files. Restarted my computer and downloaded Avast 4. After downloading, I started the install and it started ok and then just disappeared!

Now, I don't know what to do and I think I may have some kind of virus.

Any help would be appreciated.

Jan

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Trouble...
« Reply #1 on: May 22, 2003, 05:32:43 PM »
You can try to start Avast in Safe mode (Windows) and then scan your hard drive, or you can try an online scan offered by some AV firms. A list of them can be found here:
http://www.rokop-security.de/main/onlinescan.php

Best regards, Ralf

jannykay

  • Guest
Re:Trouble...
« Reply #2 on: May 22, 2003, 05:50:14 PM »
I went to Trend Micro and am doing an online scan and the Klez virus is showing up. It says it can't access one of the Klez files to clean it up.

BTW, thanks for your assistance.

Jan

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Trouble...
« Reply #3 on: May 22, 2003, 05:54:48 PM »
Yes, remember the file's name and delete it in Safe mode, or use the Task Manager to kill the Klez task and delete it then. Maybe renaming is a possibility, too.
 
Best regards, Ralf

JimIT

  • Guest
Re:Trouble...
« Reply #4 on: May 22, 2003, 06:52:33 PM »
> I went to Trend Micro and am doing an online scan and the Klez virus is showing up. It says it can't access one of the Klez files to clean it up.
>
> BTW, thanks for your assistance.
>
> Jan

There are variants of Klez that terminate the av, and also load memory resident, which makes them harder to kill while in Windows (running in Normal mode).

Depending on which OS you are using, you can boot with a floppy and run a DOS-based av to kill the infected files before it loads in memory.  The BART cd is helpful for this, as is F-Prot for DOS (if you are using Windows ME on down.)  

At this point, (if you are using Windows ME on down) I would d/l F-Prot for DOS, and unzip it to a folder in your root directory, then boot with a DOS or W98 diskette, and run F-Prot from the command line.

jannykay

  • Guest
Re:Trouble...
« Reply #5 on: May 22, 2003, 07:35:23 PM »
Jim, thank you for your answer, although as a non IT person, I had difficulty understanding. I did find a Klez removal tool at Symantec and did use that in safe mode so hopefully it is gone. Now I am going to try to install AV4.

I had kept AV3 up to date. As a matter of fact, it was just updated yesterday. Is this something that Avast misses?

Jan

JimIT

  • Guest
Re:Trouble...
« Reply #6 on: May 22, 2003, 07:42:10 PM »
> Jim, thank you for your answer, although as a non IT person, I had difficulty understanding. I did find a Klez removal tool at Symantec and did use that in safe mode so hopefully it is gone. Now I am going to try to install AV4.
>
> I had kept AV3 up to date. As a matter of fact, it was just updated yesterday. Is this something that Avast misses?
>
> Jan

No, Avast! is a fine AV, and should (and does) catch Klez, however, (who knows) maybe the resident monitor didn't load for some reason, or had some other glitch.

In addition, some variants of Klez stop the processes and delete files associated with antivirus programs, so when you opened that attachment, you might have "killed" Avast. :-\

You did good! I dealt with Klez yesterday, in fact, and needed to run Avast! to get rid of it completely. A scan running in Windows would not completely remove Klez, because it was also located in the Windows .swp file, which is in use while Windows is operating.

If you got a clean bill of health using the removal tool, I would re-install Avast! 4 and do a manual scan while in Windows.  

If you get a clean scan, (and the "little blue ball" is down there doing its thing when Windows comes up after reboot) I would say you've probably cleaned up Klez.

Good luck!
« Last Edit: May 22, 2003, 07:50:03 PM by JimIT »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Trouble...
« Reply #7 on: May 23, 2003, 09:22:34 AM »
Well, Klez presence in Windows .swp file may indicate that Klez is present in memory (not necessarily though), but otherwise it shouldn't worry you very much. Windows is not reusing the content of the swapfile after reboot, so there's no need to disinfect (delete?) the swap file; in fact, I don't think it's a good idea.

JimIT

  • Guest
Re:Trouble...
« Reply #8 on: May 23, 2003, 04:33:36 PM »
> Well, Klez presence in Windows .swp file may indicate that Klez is present in memory (not necessarily though), but otherwise it shouldn't worry you very much. Windows is not reusing the content of the swapfile after reboot, so there's no need to disinfect (delete?) the swap file; in fact, I don't think it's a good idea.

You're right. And just for clarification, I wasn't advocating deleting the swap file in my previous post, just that Avast! detected it in the swap file and could not disinfect it. The average user is not going to know that the swap file does not reuse its contents on reboot--he/she is going to think Avast! didn't do its job. Thanks for the clarification! ;D ;D