• Please help

    From ritpg@ritpg@hotmail.com (TerryG) to comp.os.ms-windows.misc on Friday, August 01, 2003 10:53:28
    From Newsgroup: comp.os.ms-windows.misc

    To make a long story short, my brother recently decided to install
    some software on my PC (Adaware and Spybot, both seemingly good
    software) and then decided to defrag my HD. Of course he had to turn
    off my Norton virus software to do this and unfortunately forgot to
    turn it back on before he connected to the Internet (dial-up
    connection) to download the latest updates from MS. I have since
    restored Norton and run a PC scan and found nothing.

    I am now seeing symptoms that are puzzling me. A couple of times a
    day, I get a burst of e-mail telling me that I am sending infected
    e-mail to addresses I don't recognize. They are not in my address
    book. I am also getting several e-mails a day intercepted by Norton
    which tells me they are infected with the KLEZ virus. Some of these
    infected e-mails, according to Norton, are e-mails informing me that I
    have sent infected e-mail (how's that for irony!). I then go thru the
    process of quarantining the e-mails (or the attachments). I have
    repeatedly scanned the PC and found nothing. What is interesting is
    that the time-tags on the e-mails telling me I have sent infected
    e-mails are usually at times when the PC has been off for several
    hours. I would think I would get such e-mails at times when I am on
    line or shortly thereafter. Of course, when I look in my sent folder,
    I see no sign that such e-mail was ever sent.

    Does anyone have any suggestions as to how to fix this, assuming
    something is broken. BTW, I am running ME (just haven't had the time
    to upgrade to XP which I do have) on a Dell 1.5 gig PC. And I also
    think the traffic of e-mail infected with KLEZ has been higher than
    usual. I'm even getting them at work as are many other people.

    I would sure appreciate whatever help anyone can provide. Thanks.

    Terry
    --- Synchronet 3.18b-Win32 NewsLink 1.113
  • From Colin Wilson@btiruseless@btinternet.com to comp.os.ms-windows.misc on Friday, August 01, 2003 19:33:35
    From Newsgroup: comp.os.ms-windows.misc

    > I have since restored Norton and run a PC scan and found nothing.

    So you're clear - that's the important thing - and spybot is pretty nice
    ;-)

    > I am now seeing symptoms that are puzzling me. A couple of times a
    > day, I get a burst of e-mail telling me that I am sending infected
    > e-mail to addresses I don't recognize. They are not in my address
    > book. I am also getting several e-mails a day intercepted by Norton
    > which tells me they are infected with the KLEZ virus.

    Klez will scan the addressbook of an infected machine and send mail out
    from *their* machine with someone else's email address as the originator.

    You, unfortunately, are the "someone else's email address"...

    > Does anyone have any suggestions as to how to fix this, assuming
    > something is broken.

    There's not a lot you can do - all I could really suggest for now is that
    you use Mailwasher to filter the crap without downloading it (it will allow
    you to delete direct off the server)

    I've got a free multiple-email-account capable beta of Mailwasher here if
    you need it, my email address is valid, just heavily spam trapped :-}
    (it's since gone commercial, and the interface isn't any better !)
    --- Synchronet 3.18b-Win32 NewsLink 1.113
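Added example, not part of the original posts: one way to check the forged-sender explanation above against a bounce you received, by reading the client IP of the earliest `Received` hop in the returned message and comparing it with the networks you actually connect from. It assumes the bounce attaches the original as `message/rfc822`; the sample bounce, host names, addresses and network ranges are constructed.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: a virus-rejection bounce that returns the original message.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@relay.example.net
To: terry@example.org
Subject: Undeliverable: virus detected
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message was rejected because it contained a virus.
--b1
Content-Type: message/rfc822

Received: from relay.example.net (relay.example.net [192.0.2.10])
 by mail.example.net; Fri, 1 Aug 2003 03:12:44 +0000
Received: from somepc (dialup-77.example.com [203.0.113.77])
 by relay.example.net; Fri, 1 Aug 2003 03:12:40 +0000
From: terry@example.org
To: stranger@example.net
Subject: A funny game

(attachment removed)
--b1--
"""

def injecting_ip(bounce_text):
    """Return the client IP of the earliest Received hop in the returned message."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            hops = original.get_all("Received") or []
            # Last header = first hop. Hops below a server you trust can be forged.
            for hop in reversed(hops):
                m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hop))
                if m:
                    return ipaddress.ip_address(m.group(1))
    return None

def sent_from_my_network(bounce_text, my_networks):
    """True only if the injecting IP lies in a network you actually connect from."""
    ip = injecting_ip(bounce_text)
    return ip is not None and any(ip in ipaddress.ip_network(n) for n in my_networks)
```

A `False` result for a bounce that names you in `From:` is consistent with the mail having been sent from someone else's machine with your address forged.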
  • From ritpg@ritpg@hotmail.com (TerryG) to comp.os.ms-windows.misc on Friday, August 01, 2003 21:16:37
    From Newsgroup: comp.os.ms-windows.misc

    Colin Wilson <btiruseless@btinternet.com> wrote in message news:<MPG.1994c2d961f4b8d7989974@news.cis.dfn.de>...
    > > I have since restored Norton and run a PC scan and found nothing.
    >
    > So you're clear - that's the important thing - and spybot is pretty nice
    > ;-)
    >
    > > I am now seeing symptoms that are puzzling me. A couple of times a
    > > day, I get a burst of e-mail telling me that I am sending infected
    > > e-mail to addresses I don't recognize. They are not in my address
    > > book. I am also getting several e-mails a day intercepted by Norton
    > > which tells me they are infected with the KLEZ virus.
    >
    > Klez will scan the addressbook of an infected machine and send mail out
    > from *their* machine with someone else's email address as the originator.
    >
    > You, unfortunately, are the "someone else's email address"...
    >
    > > Does anyone have any suggestions as to how to fix this, assuming
    > > something is broken.
    >
    > There's not a lot you can do - all I could really suggest for now is that
    > you use Mailwasher to filter the crap without downloading it (it will allow
    > you to delete direct off the server)
    >
    > I've got a free multiple-email-account capable beta of Mailwasher here if
    > you need it, my email address is valid, just heavily spam trapped :-}
    > (it's since gone commercial, and the interface isn't any better !)

    Thanks for the help. Your explanation makes sense. Now Norton is
    telling me my PC is infected with KLEZ. 2 files: NAE2C.MME and Unknown0b07.data. The 2nd file is supposedly embedded in the 1st.
    And Norton can't delete or quarantine either. Asks me to verify if
    protected or in use. My PC did an automatic live update earlier
    (before detecting the virus). When it couldn't delete the files I
    manually ran another. And it seemed to download yet another set of
    files. What gives with that? Is Norton really updating their files
    this often? I'm now running another scan hoping the new data files
    will allow Norton to delete or quarantine the 2 infected files. I'll
    let you know how I make out. Again thanks for your help.

    Terry
    --- Synchronet 3.18b-Win32 NewsLink 1.113
  • From Colin Wilson@btiruseless@btinternet.com to comp.os.ms-windows.misc on Saturday, August 02, 2003 12:48:27
    From Newsgroup: comp.os.ms-windows.misc

    > Thanks for the help. Your explanation makes sense. Now Norton is
    > telling me my PC is infected with KLEZ

    OK, I can't remember what OS you're on, but if you can boot from a
    floppy, make a bootable floppy, visit www.kaspersky.com and download
    clrav.exe - it will kill klez :-) (you can probably find it faster via
    google)

    I seem to remember you can run it from within windows too, but it may
    need two passes - an initial scan, and then run from dos following a
    reboot :-}
    --- Synchronet 3.18b-Win32 NewsLink 1.113
  • From Colin Wilson@btiruseless@btinternet.com to comp.os.ms-windows.misc on Saturday, August 02, 2003 12:51:28
    From Newsgroup: comp.os.ms-windows.misc

    > Thanks for the help. Your explanation makes sense. Now Norton is
    > telling me my PC is infected with KLEZ

    clrav.exe can be found via direct link here:

    ftp://ftp.kaspersky.ru/utils/clrav.com


    Download the clrav.com utility and save it on the hard drive

    Update the anti-virus databases so that this worm will be detected in the
    future

    Disconnect the infected computer from the network

    Launch clrav.com. If the program shows the message "Nothing to clean",
    start the utility from the command line with the /scanfiles key

    Reboot the PC in Safe Mode (press F8 on the black screen during the
    startup process and choose this mode, or hold down the Shift button
    during the startup process)

    Launch clrav.com once again

    Launch Kaspersky Anti-Virus Scanner and make sure that no infected files
    remain

    Reboot your PC
    --- Synchronet 3.18b-Win32 NewsLink 1.113