Elkern.Klez virus. Help cleaning please!

exorr

Senior member
Jul 22, 2001
977
0
76
Hi Everyone,

I need to know if anyone has successfully removed this from Windows 2000 server? I have a problem where I got the virus, I used McAfee to clean the virus. However, somehow the server continues to get infected even with McAfee running. I know McAfee sucks, so if you have had success with any virus software please let me know. This is extremely urgent!

Thanks!
Ethan
 

exorr

I've tried that one. The problem is, I take the server off the network. Clean it and run a scan to make sure it's clean. Plug it back into the network and wammo it gets the virus again, even with the software running. I get a bazillion messages telling me it's been successful cleaning files and don't know if maybe the virus software is getting overloaded and not able to clean everything since there are so many trying to infect it. I'm continuing to work on this issue and if anyone has any more advice I'm open to any suggestions.

Thanks for the link by the way!
Ethan
 

exorr

Hehe...yeah, we have about 10 infected servers. We are slowly but surely cleaning them, it's just one that we are having this problem with. FYI, all servers in the same domain that connect to it seem to be clean (they were dirty at one point but we've cleaned them). This seems to be the only one still doing this.
 

LordThing

Golden Member
Jun 8, 2001
1,970
0
0
Only one I had to clean it off of is a Win 98 machine, so I can't give full heads up. Still, you do have to take it into "Safe Mode" and make sure there are no drivers loaded because there are some files that McAfee (and even the removal tool) know are there but the system will not clean them. You also have to run it twice in safe mode separated by reboots. Not only infects all your MM files and EXEs, but puts a hidden process that runs in the background and cannot be disabled.

Nasty stuff to have, especially when you are a programmer. One IT department I helped clean lost 2 months of work because they didn't have backups. :eek:


Edit: Oh yeah, almost forgot. After I did the removal tool, you had to boot into DOS and rename your clean utility (this was with McAfee) to something like clean.exe. Then you ran the DOS clean of all your disks because Klez disables and kicks out any virus checking by watching for certain exe names that are associated with virus checking. Pretty frustrating..
 

exorr

I spoke with McAfee and they sent me a standalone Klez killer that I'm going to try. Also sent me a new service pack and 2 hotfixes to install. It will supposedly shut down all processes associated with the virus, etc. Hopefully it will work.

LordThing,

I believe I've used the one you're talking about, we had to rename scanpm.exe to scanpm.com in order to run it. We have backups every night, so we won't have that problem. But hopefully we can get this resolved without worrying about that!