
Cannot remove Klez.h virus. Unsure if I even have it!!

Discussion in 'Virus & Other Malware Removal' started by cmlyon, Feb 16, 2003.

  1. cmlyon

    cmlyon Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    28
    Hi to all you great helpful people!,
    A few weeks ago we received about 10-15 emails in one day stating that we have the Klez.h virus. In response I updated my virus definition list with Symantec but it did not find anything, so I downloaded programs specifically designed to remove the Klez virus; still nothing! I ran these programs in safe mode, so I am puzzled that they have not found anything. I do have a few symptoms, for example Outlook Express is not running the same (the email account settings have been deleted); the icons for all Word documents and for Word itself have been changed from the W symbol to a generic symbol; and the system is a little slower (though only barely). Do you think I have a virus?

    Here is my startup list:

    StartupList report, 2/16/03, 8:45:21 PM
    StartupList version: 1.51
    Started from : C:\WINDOWS\TEMP\TD_0001.DIR\STARTUPLIST.EXE
    Detected: Windows 98 Gold (Win9x 4.10.1998)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS2\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS2\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\LXDBOXCP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\PROGRAM FILES\T-MEDIA\RMTSTOCK.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\T-MEDIA\KBOSDCTL.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\T-MEDIA\CDMNG32.EXE
    C:\PROGRAM FILES\SRN MICRO\SOLOSENT.EXE
    C:\PROGRAM FILES\T-MEDIA\RMTCONVT.EXE
    C:\PROGRAM FILES\T-MEDIA\KBRMT32.EXE
    C:\PROGRAM FILES\SRN MICRO\SOLOCFG.EXE
    C:\PROGRAM FILES\T-MEDIA\DKEYBEX.EXE
    C:\PROGRAM FILES\T-MEDIA\BKGRD32.EXE
    C:\PROGRAM FILES\T-MEDIA\WHEELMNG.EXE
    C:\PROGRAM FILES\T-MEDIA\RMTSPECL.EXE
    C:\PROGRAM FILES\T-MEDIA\CALCMNG.EXE
    C:\PROGRAM FILES\T-MEDIA\RECMNG.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\T-MEDIA\KBSTATUS.EXE
    C:\PROGRAM FILES\T-MEDIA\MXRCTL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    NewsUpd = C:\Program Files\Creative\News\NewsUpd.EXE /q
    Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe
    VsecomrEXE = C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE
    KE9801 = C:\PROGRA~1\T-MEDIA\DriBat32.EXE DKBoot.INI
    WinampAgent = "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
    LoadQM = loadqm.exe
    SoloSentry = C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
    SoloSchedule = C:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
    NPROTECT = C:\Program Files\Norton SystemWorks2\Norton Utilities\NPROTECT.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    CSINJECT.EXE = C:\Program Files\Norton SystemWorks2\Norton CleanSweep\CSINJECT.EXE
    NPROTECT = C:\Program Files\Norton SystemWorks2\Norton Utilities\NPROTECT.EXE
    SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 13/2/2003, 10:20:56)

    [Rename]
    NUL=C:\PROGRA~1\NORTON~1\NORTON~1\UNREGCMD.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET BLASTER=A220 I7 D3 H7 P330 T6
    SET SBPCI=C:\PROGRA~1\CREATIVE\AUDIO\DOSDRV
    C:\PROGRA~1\SRNMIC~1\SOLOLITE /HARDDISK /REPAIR /AUTO

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    Yahoo! Companion BHO - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL - {13F537F0-AF09-11d6-9029-0002B31F9E59}
    NAV Helper - C:\Program Files\Norton SystemWorks2\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Maintenance-Clean up Start menu.job
    Maintenance-Anti-Virus.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job
    Desktop Themes.JOB
    Symantec NetDetect.job
    Norton SystemWorks One Button Checkup.job
    Norton AntiVirus - Scan my computer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [National Internet Banking Custom]
    InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
    CODEBASE = http://www.national.com.au/rib/afs/v3002/cabinet/NABcustom.cab

    [National Internet Banking Images]
    InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
    CODEBASE = http://www.national.com.au/rib/afs/v3002/cabinet/images.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [MSN Photo Upload Tool]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
    CODEBASE = http://photos.ninemsn.com.au/r/neutral/controls/MsnPUpld.cab?5,0,1730,0

    [msichat50 Client Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\MSICHA~1.OCX
    CODEBASE = http://www.ichat.com/custom/nativeclient/msichat.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [{F17EDBC0-3EB2-11D3-AB74-00A0C9A522F2}]
    CODEBASE = http://www.gohip.com/freevideo/download.exe

    [MS Investor Ticker]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\TICKER8.OCX
    CODEBASE = http://fdl.msn.com/public/investor/v8/0326/ticker.cab

    [KX-HCM10 Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\KXHCM10.OCX
    CODEBASE = http://northmetro.kicks-***.org:8001/kxhcm10.ocx

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
    CODEBASE = http://dgl.microsoft.com/downloads/outc.cab

    [Yahoo! Audio UI1]
    InProcServer32 = C:\PROGRAM FILES\YAHOO!\MESSENGER\YACSUI.DLL
    CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

    [MSN Chat Control 4.5]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
    CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    --------------------------------------------------
    End of report, 7,585 bytes
    Report generated in 3.340 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
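The StartupList report above is plain text with a fixed layout: dashed separators between sections, a heading line ending in a colon, `name = value` autorun entries, and `[Name]` blocks for Download Program Files (ActiveX controls). The parser below is an added example, not part of the thread or of the StartupList tool; it turns such a report into data so the autorun entries and ActiveX controls can be reviewed systematically. The sample report is a constructed, shortened excerpt in the same format (it reuses a few entries visible in the post). The "review" heuristic only marks ActiveX entries that point at something other than a `.cab` package or that register no local InProcServer32 file; that is a prompt for a manual look, not a verdict.

```python
"""Parse a StartupList 1.51 report and summarise its autorun and
Download Program Files sections.

Added example (not from the thread or the StartupList tool). The
sample report below is a constructed excerpt in the report's format."""
import re

SAMPLE_REPORT = r"""StartupList report, 2/16/03, 8:45:21 PM
StartupList version: 1.51
==================================================

Running processes:

C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
LoadQM = loadqm.exe

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{F17EDBC0-3EB2-11D3-AB74-00A0C9A522F2}]
CODEBASE = http://www.gohip.com/freevideo/download.exe

--------------------------------------------------
End of report, 1,234 bytes
"""

SEPARATOR = re.compile(r"^-{10,}$")


def split_sections(report: str) -> list:
    """Split the report on its dashed / '=' separator lines.

    Each section is returned as a list of non-empty, stripped lines;
    the first line of a section is its heading."""
    sections, current = [], []
    for line in report.splitlines():
        line = line.strip()
        if SEPARATOR.match(line) or line.startswith("="):
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def parse_autoruns(report: str) -> dict:
    """Return {registry key: {entry name: command line}}."""
    result = {}
    for sec in split_sections(report):
        if sec[0] == "Autorun entries from Registry:":
            key, entries = sec[1], {}
            for line in sec[2:]:
                # Split on the first ' = ' so names containing '-' survive
                name, _, cmd = line.partition(" = ")
                entries[name] = cmd
            result[key] = entries
    return result


def parse_download_program_files(report: str) -> list:
    """Return [(control name, {field: value})] for the ActiveX section."""
    items = []
    for sec in split_sections(report):
        if sec[0] != "Enumerating Download Program Files:":
            continue
        current = None
        for line in sec[1:]:
            if line.startswith("[") and line.endswith("]"):
                current = (line[1:-1], {})
                items.append(current)
            elif current is not None and " = " in line:
                field, _, value = line.partition(" = ")
                current[1][field] = value
    return items


def review_codebases(items: list) -> list:
    """Heuristic: flag ActiveX entries worth a manual look.

    An entry is flagged when its CODEBASE is not a .cab package (after
    stripping any query string) or when no local InProcServer32 file
    is registered. Returns [(name, [reasons])]."""
    flagged = []
    for name, fields in items:
        codebase = fields.get("CODEBASE", "")
        path = codebase.split("?", 1)[0].lower()
        reasons = []
        if codebase and not path.endswith(".cab"):
            reasons.append("codebase is not a .cab package")
        if "InProcServer32" not in fields:
            reasons.append("no local InProcServer32 registered")
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    for key, entries in parse_autoruns(SAMPLE_REPORT).items():
        print(key)
        for name, cmd in entries.items():
            print(f"  {name:20s} {cmd}")
    for name, reasons in review_codebases(parse_download_program_files(SAMPLE_REPORT)):
        print(f"review: {name}: {'; '.join(reasons)}")
```

To use it on a real report, read the file StartupList wrote and pass its text to the same functions; the section headings it looks for are the ones the tool prints in the post above.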
     
  2. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Don't believe those e-mails. They are suspect, and often contain the/a virus themselves.
    I hope you didn't open any attachments there?

    Anyhow, no sign of Klez there.

    If you want a second opinion, run an online scan at Trend Micro HouseCall or Panda Active Scan
     
  3. cmlyon

    cmlyon Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    28
    Thanks for your help. No, I did not open any of those attachments. I took them seriously as there were 10-15 emails in one day, not just one or two, and none since then. How else could this come about? I have never received emails warning about viruses before, just this bunch all in one day, two weeks ago.
     
  4. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Well, it's just the way some forms of Klez spread: by automatically creating infecting e-mails with that text.
    It's a smart little worm... :rolleyes:

    Read this:

    From http://securityresponse.symantec.com/avcenter/venc/data/[email protected] :

    The body of the email message is random.

    The message may be disguised as an immunity tool. One version of this false message is:
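The point Tony makes above, that the "virus warning" mails were themselves the worm's carrier, is exactly the pattern a mail filter should catch: a message claiming to be an antivirus notice or immunity tool that arrives with an executable attachment. The following is an added example, not part of the thread or of Symantec's write-up; the two messages in it are constructed, not real Klez samples, and the phrase list is an illustrative choice, not a published signature. It uses only Python's standard `email` package.

```python
"""Triage inbound mail for the self-propagating 'virus warning' pattern:
antivirus / immunity wording plus an executable attachment.

Added example; both sample messages are constructed for illustration."""
import email
from email import policy

# Attachment extensions treated as executable content (illustrative list)
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".bat", ".com", ".vbs"}
# Wording typical of a fake antivirus notice (illustrative list)
WARNING_PHRASES = ("virus", "worm", "immunity", "removal tool")

SUSPECT_MESSAGE = b"""From: support@example.invalid
To: user@example.invalid
Subject: Virus warning: removal tool attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Our scanner found the W32 worm on your PC. Run the attached removal tool for immunity.
--XYZ
Content-Type: application/octet-stream; name="removal.exe"
Content-Disposition: attachment; filename="removal.exe"
Content-Transfer-Encoding: 7bit

dummy bytes, not a real program
--XYZ--
"""

CLEAN_MESSAGE = b"""From: colleague@example.invalid
To: user@example.invalid
Subject: Minutes from Monday
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Attached separately later; nothing urgent.
"""


def executable_attachments(msg) -> list:
    """Filenames of attachments whose extension is in EXECUTABLE_EXTS."""
    names = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if any(fname.lower().endswith(ext) for ext in EXECUTABLE_EXTS):
            names.append(fname)
    return names


def warning_phrases(msg) -> list:
    """Phrases from WARNING_PHRASES found in the subject or plain-text body."""
    text = (msg.get("Subject") or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += " " + body.get_content().lower()
    return [p for p in WARNING_PHRASES if p in text]


def triage(raw: bytes) -> dict:
    """Classify a raw RFC 822 message.

    quarantine: executable attachment plus antivirus-style wording
    review:     executable attachment only
    deliver:    neither"""
    msg = email.message_from_bytes(raw, policy=policy.default)
    exes = executable_attachments(msg)
    phrases = warning_phrases(msg)
    if exes and phrases:
        verdict = "quarantine"
    elif exes:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "executables": exes, "phrases": phrases}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, triage(raw))
```

The two signals are deliberately combined: executable attachments alone are common in legitimate mail of that era, and antivirus wording alone is just a topic, but a message that claims to be a fix while carrying a program to run is the pattern the thread describes.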

     
  5. cmlyon

    cmlyon Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    28
    OK, fair enough. Could someone tell me though why the other symptoms are appearing, e.g. the changed logo for Word and the problems with Outlook? Apart from losing the mail settings for Outlook I am also unable to locate any of the 200 or more emails that I have downloaded over the past few years (or folders that store them). Apologies for any silly q's, I am just new :D
     
  6. cmlyon

    cmlyon Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    28
    I have found the missing files I reported in my last message. They are in c:\windows\temp, which is weird. How could they have ended up there by themselves? Some are text files, some .tmp files, others .htm files and others have still different extensions. Very weird!
     
  7. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    I'd start by clearing out your C:\Windows\Temp directory completely.
    Delete everything in there. It's just temporary junk, and it needs to be deleted on a regular basis.

    What changed your "Word" icon, hard to say. First thing to check: If you doubleclick a *.doc file, is it still opened by MS Word automatically?

    About MS Outlook Express "not running the same", you have to admit that's pretty vague... :D
    Do you have some more details on this?

    You'd also do well to upgrade to Internet Explorer 6.0 SP1, by the way.
     
  8. cmlyon

    cmlyon Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    28
    Yes perhaps a bit vague but mentioned in previous posts ;)

    When I open Outlook I cannot view any of the files or folders that I have downloaded over the last few years. They are just not there any more! No one has deleted the files. Remembering some of the subject lines of my saved emails, I performed a search of my hard drive. Like I mentioned before, the emails are now in the c:\windows\temp directory and ONLY there. I would have expected any emails to be in a permanent folder, e.g. programfiles\outlook or something like that, and NOT a temp directory. I do NOT want to delete the emails in the temp directory as it appears I would lose them completely if I did. Incidentally, does anyone know where Outlook files are normally stored? I would like to actually LOOK in the correct folder. And yes, I will upgrade my Outlook program. Have been meaning to for a while :)
     
  9. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    I do take it you're referring to Outlook Express, and not to MS Office's Outlook. They're different applications.

    As for the location of your OE folders (they're *.dbx files), in Outlook Express go to Tools > Options > Maintenance > Store Folder.

    And the problem you're mentioning has been attributed to McAfee antivirus, which I take it is the antivirus you're using.

    It would be a good idea to upgrade to the very latest version/build.
     
  10. cmlyon

    cmlyon Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    28
    Thanks again for your help. Yes, it is Outlook Express that I am using.

    You said:
    "And the problem you're mentioning has been attributed to McAfee antivirus, which I take it is the antivirus you're using."

    Could you give me further references to this? I searched and didn't come up with anything. I would like to read more about how this happened. Also, could someone tell me how to get my emails back? Some of them are quite important, work related etc.

    Thanks again
     
  11. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    I had to look around for articles mentioning this phenomenon, and I came across this newsgroup thread

    The issue is however about e-mails disappearing from your Inbox with McAfee e-mail scan enabled, which is not exactly what you've been experiencing.
     
  12. cmlyon

    cmlyon Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    28
    Well, after a little looking around it seems that others with similar problems have been unable to recover emails. Microsoft seem unable to fix the problem as well. I was able to recover about 6 emails from the temp folder out of 3000 or more emails that I have lost! SO I have decided to switch to Eudora and hope I don't end up in this mess again!! Unfortunately my newest backup file was created AFTER this whole problem began, so no luck there either :( Oh well. Thanks again Tony for all your help!!! I very much appreciate it.

    At least I found this forum and found out all about firewalls and millions of other valuable things just by visiting here.
     
  13. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You're welcome! :)
     
Short URL to this thread: https://techguy.org/119082