W32.Klez Removal Guide

Description: This memory-resident variant of the WORM_KLEZ.A mass-mailing worm uses SMTP to propagate via email. The subject line of the email it arrives in is randomly selected from a list of possible choices.


Removal Solution:
  1. Print this page or write down the order of events so that you can follow the instructions completely. Otherwise you will probably not remove the virus from your system entirely, and it will re-infect your system immediately after you finish all of this!

  2. Download Norton's Klez removal tool either from Norton (Norton Klez Removal Tool),
    or get a copy of the tool from our local FTP (ECSIS Copy of Removal tool).

    Note where you download/save the removal tool (c:\temp, c:\windows\desktop, etc.), as you will need this information below to actually run the removal tool.

  3. Disconnect from the internet and disconnect your modem or network connection so that the virus cannot reconnect while you are doing the removal (unplug the phone cord from the modem, or unplug the network cable from the system unit or from where it connects to your network).

  4. Open your mail program and empty the Inbox of any item that contains an attachment or appears in any way suspicious. Then empty the Deleted Items folder. If there are any items in your Inbox with the virus, your system will immediately be re-infected after you complete this procedure and you will have to start all over again. (The safe thing is to empty the Inbox, and then the Deleted Items folder.)

  5. Exit all programs and restart your system into Safe Mode.


  6. Once in Safe Mode, run the removal tool until it reports that no viruses are found. (You may have to run it several times until the message "No viruses Found" is displayed when you run the removal tool.)

  7. Restart your computer into Regular Mode (the way you normally use it) - but still disconnected from the phone line or network.

  8. Run the removal tool again and verify that it gives the message: "No viruses were Found". (If not, reboot into Safe Mode and go through the removal again.)

  9. Re-connect your modem or your network connection.

  10. Please install a good anti-virus software package (see ECSIS.NET Virus Page for several options); or, if you already have an anti-virus package, please update the virus definitions file for that package.

  11. Since this worm uses a vulnerability in HTTP-based email clients like Microsoft Outlook and Outlook Express, please visit Microsoft Updates and apply any security or system updates available for your system, particularly for Internet Explorer, Outlook, or Outlook Express.