kelvir.worm.ea manual fix - Help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Bibi, Jul 23, 2005.

  1. Bibi

    Bibi Private E-2

    Help! We have done everything in your "Read Me First" bible, following it to the letter, to rid my son's computer of the Kelvir virus. I can only boot up in Safe Mode.

    Here are the problems that McAfee found:
    W32/Kelvir.worm.ea (in documents and in Norton Protected Files)
    Exploit-ByteVerify

    Norton does not find them. McAfee online found them, so I purchased it, but I cannot activate it because I cannot delete Norton in Safe Mode -- and cannot activate McAfee in Safe Mode.

    I have run AVG and Panda and all your list except those you instruct to run in Normal mode, which I cannot get into -- only reboots to Safe Mode.

    AVG does not find it, which I have on his computer as well.

    Two days of hard night work in Emily's path and still nothing. So, what to do now?

    If you can help me find a solution I will be happy to give you a lobster dinner at our restaurant in Playa del Carmen (www.ajuamaya.com)

    Thanks

    Brenda
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, double click the file sysclean.com

    When the system cleaner loads, click SCAN to start the scanner. After you have completed this scan, proceed with the below.

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post, as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Bibi

    Bibi Private E-2

    I have run the Trend Micro Sysclean and received a message that access was denied. I had closed all applications and AVG -- perhaps it is because I am in Safe Mode only.

    I will send the HijackThis file as an attachment.

    Thanks for all your help.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, pick one antivirus and uninstall the other. Running more than one antivirus causes conflicts on your computer.

    After you uninstall one of the antivirus programs attach a new log from normal mode.
     
  5. Bibi

    Bibi Private E-2

    Re: Uninstall Virus Protection-Safe Mode

    I would love to uninstall but I am in Safe Mode only and it will not allow me to do this. Should I do this from Hijack This? If so, I would choose Norton since the Kelvir virus is embedded in the Norton Protected files.

    I can't install McAfee in Safe Mode. AVG will not let me uninstall as well in Safe Mode.

    Once we are finished this, I will be more than happy to make a donation!

    B
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can't get into normal mode? I didn't notice McAfee, I was talking about AVG; you should only have one antivirus.
     
  7. Bibi

    Bibi Private E-2

    I cannot get into Normal Mode at all. If I could have, I would have uninstalled both Norton and McAfee. Unfortunately, my son did not let me know he had not followed my directions to do this until he was locked out of normal mode. Oh, to be 15 again and feel you are invincible!

    Bibi
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  9. Bibi

    Bibi Private E-2

    I have run that and it was no help, but I will try again!
     
  10. Bibi

    Bibi Private E-2

    I just remembered that neither Norton 2005 nor McAfee is installed, since I could only be in Safe Mode -- McAfee wanted to uninstall Norton, etc., but could not since I am in Safe Mode only.

    AVG is disabled at the moment. There is an old Norton Systemworks which I cannot access, nor turn off, nor uninstall -- which is where the virus is lurking. I do not care if I totally delete this entirely if I can do that from My Computer or other means in Safe Mode.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have run it, don't worry about it. Have you run the Microsoft Malicious Software Removal Tool 1.6?

    This is for Norton 04-05 Products, if you have earlier versions let me know!
    Download the following utility to your desktop.

    SymNRT

    When the download is finished, on the desktop, double-click SymNRT.exe, and then follow the on-screen instructions. Restart the computer after removal is complete. After you have removed Norton and rebooted attempt to reinstall and let me know how things go.
     
  12. Bibi

    Bibi Private E-2

    yOU GUYS RoCK!

    Thank you, thank you. Donation on your way. Removing Norton allowed me to enter normal mode, uninstall AVG, install McAfee and now I am running the virus scan. :eek: :D
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Re: yOU GUYS RoCK!

    Wonderful news my friend, will be awaiting new results and fresh HJT log.
     
  14. Bibi

    Bibi Private E-2

    I have seen the PayPal donation button but now cannot find it. Can you send me the email address or link?
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you want to support this site you can buy a MajorGeeks t-shirt or sweatshirt. Also, an email of appreciation to the owners (see their names and email addresses here: http://www.majorgeeks.com/page.php?id=2 ) is always appreciated. Also send your friends here; that's enough payment for us. :)
     
  16. Bibi

    Bibi Private E-2

    I have run everything, scanned everything, cleaned up everything, and it all looks like it is running fine. Here is the latest log from Hijack attached.

    Thanks so very much for your help. Our son goes to prep school on the internet, www.cmacademy.org and I am going to suggest he give an eClass on the great service you provide so that he and his fellow students can begin to understand vinceable!

    ;)

    Hope to see you all in paradise one day. We are a wireless hotspot at our restaurant -- and it is free! All you have to do is drink margaritas and enjoy fantastic food at www.ajuamaya.com.

    PS. The offer of a lobster dinner for 2 is still open and out there for you guys! Just email me and I will send a gift certificate for you to redeem
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ajuamaya.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

    O4 - HKLM\..\Run: [stratas] xmconfig.exe
    O4 - HKLM\..\RunServices: [stratas] xmconfig.exe
    O4 - HKCU\..\Run: [stratas] xmconfig.exe
    O4 - Global Startup: ws_start.bat

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    (This was added from Spybot S&D, this will need to be removed!)

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O14 - IERESET.INF: START_PAGE_URL=http://www.miembrosprodigy.com.mx/

    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int10.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/08cde3e5d2a086d64b06/netzip/RdxIE6.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Smart Viewer 7) - https://see.sbi.com.mx/viewer/activeXViewer/activexviewer.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\xmconfig.exe

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
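The fix list in the post above is built by reading a HijackThis log by hand. As an added example (not code from this thread, from MajorGeeks, or from HijackThis), the Python script below automates that triage: it parses the R/O entry lines, flags the O4 autostart entries the thread names (xmconfig.exe and ws_start.bat), reports when one program is registered under several autostart locations at once (the HKLM Run / RunServices / HKCU Run triple above), flags O16 ActiveX downloads served from a bare IP address, and lists orphaned O9 buttons. The log text embedded in it is constructed to mirror the entries quoted in the post, not the poster's actual attachment, and the known-bad file names are an assumption drawn from this thread only, not a general blocklist.

```python
"""Triage a HijackThis-style log the way a helper does by hand.

Added example for this page; not code from the MajorGeeks thread or from
HijackThis. The indicators (xmconfig.exe, ws_start.bat, ActiveX downloads
from bare IPs, orphaned O9 buttons) are assumed from the entries flagged in
the thread; SAMPLE_LOG is constructed to mirror them, it is not a real log.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99 format (not the original attachment).
SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [stratas] xmconfig.exe
O4 - HKLM\..\RunServices: [stratas] xmconfig.exe
O4 - HKCU\..\Run: [stratas] xmconfig.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: ws_start.bat
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int10.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/08cde3e5d2a086d64b06/netzip/RdxIE6.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Smart Viewer 7) - https://see.sbi.com.mx/viewer/activeXViewer/activexviewer.cab
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Program names this thread identified as the worm's launch points (assumed list).
BAD_FILENAMES = {"xmconfig.exe", "ws_start.bat"}

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 bodies: "HKLM\..\Run: [stratas] xmconfig.exe" or "Global Startup: ws_start.bat"
O4_RE = re.compile(r"^(?P<location>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<command>.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the entry deserves a look
    detail: str   # the offending log line, or the list of launch points


def parse_entries(log_text):
    """Yield (code, body, line) for every HijackThis entry line; other text is skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def command_basename(command):
    """Lower-case file name launched by an O4 command, ignoring path and arguments."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]   # quoted path: everything inside the quotes
    else:
        exe = command.split(" ", 1)[0]       # unquoted: arguments follow the first space
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text, bad_filenames=BAD_FILENAMES):
    """Return the entries a helper would tell the poster to FIX, in log order."""
    findings = []
    launch_points = {}  # basename -> set of O4 locations it is registered in
    for code, body, line in parse_entries(log_text):
        if code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            name = command_basename(m.group("command"))
            launch_points.setdefault(name, set()).add(m.group("location"))
            if name in bad_filenames:
                findings.append(Finding(code, f"known-bad autostart {name}", line))
        elif code == "O16":
            # "O16 - DPF: {CLSID} (Name) - URL": the download URL is the last " - " field
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if IPV4_RE.match(host):
                findings.append(Finding(code, f"ActiveX download from bare IP {host}", line))
        elif code == "O9" and body.endswith("(no file)"):
            findings.append(Finding(code, "orphaned IE button (no file)", line))
    # One program under HKLM Run, HKLM RunServices and HKCU Run at once is a
    # worm guarding its persistence; report that even for an unlisted name.
    for name, locations in launch_points.items():
        if len(locations) >= 3:
            findings.append(Finding("O4", f"{name} registered in {len(locations)} autostart locations",
                                    "; ".join(sorted(locations))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.detail}")
```

Running the same script over the log attached after the fix is the check a practitioner wants: the O4 findings for xmconfig.exe should be gone, and if they come back after a reboot, something on the machine is restoring or protecting those Run keys and has to be turned off before the FIX is applied again.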
  18. Bibi

    Bibi Private E-2

    Well, not quite. We now have an application file that comes up every time we restart the computer in normal mode -- "xmconfig.exe" -- McAfee does not get rid of it. We can find the file but cannot delete it.

    McAfee appears to have deleted the following after returning to normal mode:

    jocker[1].exe
    jocker.exe
    gbnn[1].exe
    gbnn.exe

    I do have Restore "unactivated" and all the hidden files and extensions are visible.
     
  19. Bibi

    Bibi Private E-2

    Oops, sorry, I did not see your post below. I will go into safe mode and see if this takes care of the xmconfig.exe file.
     
  20. Bibi

    Bibi Private E-2

    I followed your instructions to the letter and rebooted in normal mode -- it is like Chucky! It's back.....!

    xmconfig.exe

    Which we cancel when it comes up.

    The first time I booted up, when I tried to go to Internet Explorer it rebooted. The second time it booted up, canceled the application, and we were able to connect through Internet Explorer.

    I have attached the latest log file from Hijack This.

    We do have a C Drive and a D drive but I am cleaning both and also cleaned both with the "cleanmgr"
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, uninstall Microsoft AntiSpyware so it will not block this fix. Now disable any antispyware or antivirus programs you may have running so it will not block anything.

    Now complete the steps in post #14 once more with MSAS uninstalled and the others disabled. Afterwards reboot and attach a fresh HJT log.
     
  22. Bibi

    Bibi Private E-2

    Re: kelvir.worm.ea manual fix - Help!-Success!!!!

    The last instructions did it! Thanks so much. No more xmconfig.exe See HJT logfile attached. I cannot express enough gratitude for helping me through this.

    We are currently running SpyBlaster and SpyDoctor -- should we run both?

    Should I reinstall Microsoft Anti Spyware?

    And of course, we will continue to run Ad-Aware, Spybot, which I had before, and the new CCleaner.

    Muchas Gracias,

    Brenda
     

    Attached Files:

  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  24. Bibi

    Bibi Private E-2

    No more problems thanks to you guys. We will spread the word. Thanks so much. Now I know more than I wish all of us had to know just to work on computers these days. May the good guys win!!!!
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad things are running better, be sure to follow all the steps in the How To Protection article.

    Surf Safely!:)
     
