Q: file on my windows me based computer ( Answered 5 out of 5 stars,   1 Comment )
Question  
Subject: file on my windows me based computer
Category: Computers
Asked by: djt-ga
List Price: $2.00
Posted: 09 Aug 2002 18:17 PDT
Expires: 08 Sep 2002 18:17 PDT
Question ID: 52828
When looking in my startup menu in configsys, I found a winkkzc.exe
file which refuses my instruction not to run.  Now I find a 2nd
winkbu.exe and I search my hard drive and cannot find it.  What are these
files, where do they come from and how do I get rid of them?  Thanks
Answer  
Subject: Re: file on my windows me based computer
Answered By: snapanswer-ga on 09 Aug 2002 20:28 PDT
Rated:5 out of 5 stars
 
I strongly suspect that this is the infamous Klez worm.  It is the
most common worm infecting computers at the present time.

You may want to try this free tool from Symantec, to remove Klez.
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html

After downloading the file, you will need to restart your computer in
Safe Mode in order for the tool to clean all of the impacted files. 
(You do this by holding down the CTRL key or the F8 key, depending
upon which version of the Windows operating system you are using.)

If you run the tool, and it did not turn out to be the Klez worm,
simply post a clarification, and we can look for other possible
problems.

Also, after you remove the Klez worm, double-check to be certain that
you have a virus checker installed, working, and updated with the
latest virus definition files.  No point in checking before you remove
Klez, since until it is removed from your system this worm can disable
some virus checkers, causing you to think you are protected when you
are not.

Please let me know if I can be of additional assistance.

Request for Answer Clarification by djt-ga on 10 Aug 2002 08:53 PDT
Thanks for your quick response.  I downloaded the Symantec tool and
followed the instructions, but when I tried to disable restore it was
already disabled.  Yet when I ran the disinfect tool it said it found
restore enabled.  So I tried again to enable then disable, but whatever
I tried I rebooted to find the box checked.  Ran the tool anyway
and it said it removed files, but I still have winkbu unchecked in my
configsys list.  Also now have a GMT.exe I never noticed.  Anyway,
maybe it's fixed.  Any suggestions?  Thanks, djt

Request for Answer Clarification by djt-ga on 10 Aug 2002 09:39 PDT
I think I solved my mystery with respect to the restore deactivation.
I removed the restore from my C: drive because it had replicated
itself into consuming my entire 20 gig C: drive.  But I have a 2nd D:
which still has the _Restore on it.  I think my C: drive has been
cleared of the nasty Klez worm; the fixklez.log shows nearly 80 files
repaired or deleted.  Wow, my first virus.  Any way of finding the B_d
that started this so I can take him out for a thrashing?

Clarification of Answer by snapanswer-ga on 10 Aug 2002 11:55 PDT
Yes, yes.  I thought it might be the Klez worm.  I'm glad we have
identified the problem.  However, please make note of this.

It is important to carefully read the log file that the tool
generates.  At the end of the log file it will indicate if it was able
to completely remove Klez successfully, or if it left some files on
your system that it couldn't repair.

If it could not completely clean your system, then it will be important
that we find a way to turn off System Restore and it will be important
that the computer has been restarted in Safe Mode before trying to run
the tool again.  If the log file does not indicate that your computer
is completely clean, simply restarting in Safe Mode should take care
of the System Restore issue while you run the tool again, I believe.

Also, the log file will give you a sense of the earliest date of your
infection by checking the date information provided.

Once the log file indicates that your system is clean, then it is time
to install (or re-install) your virus protection software.  It is
important that you use the latest virus definition files for your
particular software package.

If you do not have virus software, you may want to read these reviews
from CNET:
http://www.cnet.com/software/1,11066,0-806174-1202-0,00.html

If you simply refuse to pay for virus software, at least consider a
free package, like this one from AVG.
http://www.grisoft.com/html/us_downl.htm

Now the bad news.  It will be hard to find who is to blame for
infecting your computer.  Unfortunately, Klez is fairly smart.  Once
it infects your computer, it goes through your Microsoft address book,
sending email to those addresses.  Sometimes, it even sends the
message in a way that it appears to be from people in the address
book.  This makes it difficult to determine who is to blame and makes
it likely that your computer has been used by Klez to try to infect
your friends without your knowledge.

The final step will be to visit Windowsupdate.com which will offer
security patches for Windows and Outlook Express that should help to
prevent this problem from reappearing.

I hope that helps.  Please let me know if you have additional
questions.

Request for Answer Clarification by djt-ga on 11 Aug 2002 20:32 PDT
Thanks for your follow up.  The log does indicate that "the
w32.klez.gen@mm/w32.elkern.gen infection has been successfully removed
from your computer!" 37 files deleted and 42 repaired.  So I guess I
am out of the woods.  You think? Thanks, djt

Clarification of Answer by snapanswer-ga on 11 Aug 2002 22:50 PDT
Excellent.  That's exactly what I wanted to hear.  It sounds like your
computer is clean.

I do encourage you to visit Windowsupdate.com to get the available
patches (the site will detect what you need) to help to prevent this
from happening again.
http://www.windowsupdate.com/

Also, please make sure your virus software is installed and up to
date.

I am happy you had such a positive result.  Happy Computing!
djt-ga rated this answer:5 out of 5 stars

Comments  
Subject: Re: file on my windows me based computer
From: mvguy-ga on 09 Aug 2002 19:43 PDT
 
If you haven't done so already, run an updated virus checking program
to make certain nothing sinister is going on. I'd also suggest running
Ad-aware, which can be found on this page:
http://www.lavasoftusa.com/
