KLEZ WORM, Win 2k, successful recovery ;-) but corrupted winserv, how to restore it???

adlep

Diamond Member
Mar 25, 2001
5,287
6
81
Uh,
that was tough, one of my customers had the Klez worm since Thursday, and it corrupted all .exe files in his computer (around 500).
Since the data were critical, I had to struggle with the worm without formatting the HDD. Right now, the machine is clean, Win 2k boots up just fine, but when I try to shut down the system, the winserv.exe file has a problem closing. I think it got corrupted somehow while being cleaned. Can someone send me this file to adlep@comcast.net, or can it not be done because it is specific to every system? What does winserv actually do? If I have the Win 2k CD, what is the way to extract a fresh file off the CD or from the cabs? Is this file different for SP2? (I did install SP2 hoping that it was going to solve the problem, but it did not.)
Bunch of questions, he, he
I will be away for a couple of hours but every feedback is appreciated
Regards,
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I believe winserv is a part of another trojan. It sounds like your customer needs to actually learn how to use a computer before putting critical data on it.

What you should have done is told him that the virus he got totally trashes the PC and that the chances of him getting his data back are very slim. Then perform a miracle and get his data back, and recommend he purchase a virus scanner because he might not be so lucky next time.
 

adlep

Hmm, I know all that, but you know, this customer IS PAYING ME TO HELP HIM OUT.
Not everybody has to be a computer expert.....
And that's OK, because of him I HAVE A JOB WHICH I REALLY LIKE.
 

Nothinman

If you don't mind cleaning up after him like this every time a new Outlook virus gets released, that's your choice. I got tired of doing that a while ago.

And I am a firm believer that just like you have to pass a test to drive a car, you should have to pass one to use a computer.
 

Budman

Lifer
Oct 9, 1999
10,980
0
0
What I would do is remove the HD from his machine.

Then scan his HD from mine with Norton Antivirus and let the AV program kill any virus in there.

Then put the HD back and reinstall Win2k over the current installation.

And before he takes his pc home I would tell him to go buy Norton Antivirus.
 

adlep

OK, there is some confusion about the intention of the post...
Well, the virus is already gone. I am going to get about $100.00 for getting this machine clean and for doing a tune-up on it (installing SP2, defrag, installing MSCONFIG, etc.). The KLEZ HAS BEEN REMOVED SUCCESSFULLY ALREADY. I did apply the KLEZ removal tool by Trend Micro (the one from Norton did not work). What it did: it uninstalled all the registry keys associated with this virus, so it would not start when the system starts. Then I went ahead and started to clean all the files which had a virus from my small net. The scanning machine was well protected, and that was the only machine on the network besides the "victim", so there was no danger of spreading the virus. It turned out, after an hour of scanning, that most of the .exe files were modified by the virus to spread it.... McAfee did clean all of them; a couple of screen savers were impossible to clean, so they have been deleted, no biggie. The PC is clean now, I spent about 3 hours on it, and I am getting paid, that's what matters.
So winserv is a part of the other trojan, and it CAN be deleted, right? Or is it a valid system file, which should be replaced???????
 

adlep

Ok!
Big thanks BudMan!
The winserv is no more!!!!
No problem!

The big bummer is that McAfee did not pick it up as a trojan...
 

Budman



<< Ok!
Big thanks BudMan!
The winserv is no more!!!!
No problem!

The big bummer is that McAfee did not pick it up as a trojan...
>>



:D;):cool: