W32.ElKern.4926 - Removal

Removal using the removal tool
Symantec offers a removal tool to remove infections of all known variants of W32.Klez and W32.ElKern. This is the recommended method. Click here to obtain the tool.

Note on W32.Klez.gen@mm detections: W32.Klez.gen@mm is a generic detection for variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm most likely have been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most case, the tool will be able to remove the infection.

Manual removal

NOTE: This procedure will work if the computer is infected only by W32.ElKern.4926. It will not work if the computer is also infected by by W32.Klez.H@mm.

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Shut down the computer, turn off the power, and wait for 30 seconds.
3. Restart the computer in Safe mode. All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."
4. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files.
   • For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
   • For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan All Files."
5. If any file is identified as being infected with W32.ElKern.4926, click Repair.
6. Restart the computer.
7. Repeat steps 3-5 until no infected files are reported.

Technical Details