From Newsgroup: comp.os.ms-windows.misc

To make a long story short, my brother recently decided to install
some software on my PC (Adaware and Spybot, both seemingly good
software) and then decided to defrag my HD. Of course he had to turn
off my Norton virus software to do this and unfortunately forgot to
turn it back on before he connected to the Internet (dial-up
connection) to download the latest updates from MS. I have since
restored Norton and run a PC scan and found nothing.

I am now seeing symptoms that are puzzling me. A couple of times a
day, I get a burst of e-mail telling me that I am sending infected
e-mail to addresses I don't recognize. They are not in my address
book. I am also getting several e-mails a day intercepted by Norton
which tells me they are infected with the KLEZ virus. Some of these
infected e-mails, according to Norton, are e-mails informing me that I
have sent infected e-mail (how's that for irony!). I then go thru the
process of quarantining the e-mails (or the attachments). I have
repeatedly scanned the PC and found nothing. What is interesting is
that the time-tags on the e-mails telling me I have sent infected
e-mails are usually at times when the PC has been off for several
hours. I would think I would get such e-mails at times when I am on
line or shortly thereafter. Of course, when I look in my sent folder,
I see no sign that such e-mail was ever sent.

Does anyone have any suggestions as to how to fix this, assuming
something is broken. BTW, I am running ME (just haven't had the time
to upgrade to XP which I do have) on a Dell 1.5 gig PC. And I also
think the traffic of e-mail infected with KLEZ has been higher than
usual. I'm even getting them at work as are many other people.

I would sure appreciate whatever help anyone can provide. Thanks.

Terry
--- Synchronet 3.18b-Win32 NewsLink 1.113

From Newsgroup: comp.os.ms-windows.misc

I have since restored Norton and run a PC scan and found nothing.

So you`re clear - that`s the important thing - and spybot is pretty nice
;-)

I am now seeing symptoms that are puzzling me. A couple of times a
day, I get a burst of e-mail telling me that I am sending infected
e-mail to addresses I don't recognize. They are not in my address
book. I am also getting several e-mails a day intercepted by Norton
which tells me they are infected with the KLEZ virus.

Klez will scan the addressbook of an infected machine and send mail out
from *their* machine with someone elses` email address as the originator.

You, unfortunately, are the "someone elses` email address"...

Does anyone have any suggestions as to how to fix this, assuming
something is broken.

There`s not a lot you can do - all I could really suggest for now if you
use Mailwasher to filter the crap without downloading it (it will allow
you to delete direct off the server)

I`ve got a free multiple-email-account capable beta of Mailwasher here if
you need it, my email address is valid, just heavily spam trapped :-}
(it`s since gone commercial, and the interface isn`t any better !)
--- Synchronet 3.18b-Win32 NewsLink 1.113

From Newsgroup: comp.os.ms-windows.misc

Colin Wilson <btiruseless@btinternet.com> wrote in message news:<MPG.1994c2d961f4b8d7989974@news.cis.dfn.de>...

I have since restored Norton and run a PC scan and found nothing.

So you`re clear - that`s the important thing - and spybot is pretty nice
;-)

I am now seeing symptoms that are puzzling me. A couple of times a
day, I get a burst of e-mail telling me that I am sending infected
e-mail to addresses I don't recognize. They are not in my address
book. I am also getting several e-mails a day intercepted by Norton
which tells me they are infected with the KLEZ virus.

Klez will scan the addressbook of an infected machine and send mail out
from *their* machine with someone elses` email address as the originator.

You, unfortunately, are the "someone elses` email address"...

Does anyone have any suggestions as to how to fix this, assuming
something is broken.

There`s not a lot you can do - all I could really suggest for now if you
use Mailwasher to filter the crap without downloading it (it will allow
you to delete direct off the server)

I`ve got a free multiple-email-account capable beta of Mailwasher here if you need it, my email address is valid, just heavily spam trapped :-}
(it`s since gone commercial, and the interface isn`t any better !)

Thanks for the help. Your explanation makes sense. Now Norton is
telling me my PC is infected with KLEZ. 2 files: NAE2C.MME and Unknown0b07.data. The 2nd file is supposedly embedded in the 1st.
And Norton can't delete or quarantine either. Asks me to verify if
protected or in use. My PC did an automatic live update earlier
(before detecting the virus). When it couldn't delete the files I
manually ran another. And it seemed to download yet another set of
files. What gives with that? Is Norton really updating their files
this often? I'm now running another scan hoping the new data files
will allow Norton to delete or quarantine the 2 infected files. I'll
let you know how I make out. Again thanks for your help.

Terry
--- Synchronet 3.18b-Win32 NewsLink 1.113

From Newsgroup: comp.os.ms-windows.misc

Thanks for the help. Your explanation makes sense. Now Norton is
telling me my PC is infected with KLEZ

OK, I can`t remember what OS you`re on, but if you can boot from a
floppy, make a bootable floppy, visit www.kaspersky.com and download
clrav.exe - it will kill klez :-) (you can probably find it faster via
google)

I seem to remember you can run it from within windows too, but it may
need two passes - an initial scan, and then run from dos following a
reboot :-}
--- Synchronet 3.18b-Win32 NewsLink 1.113

From Newsgroup: comp.os.ms-windows.misc

Thanks for the help. Your explanation makes sense. Now Norton is
telling me my PC is infected with KLEZ

clrav.exe can be found via direct link here:

ftp://ftp.kaspersky.ru/utils/clrav.com


Download clrav.com utility and save it on the hard drive

Update anti-virus databases that this worm will be detected in the future

Disconnect the infected computer from the network

Launch clrav.com. If the program will show the message "Nothing to clean"
- start the given utility from the command line with the /scanfiles key

Reboot PC in the Safe Mode (press F8 on the black screen during startup process- and choose this mode or hold on Shift button during startup
process)

Launch clrav.com once again

Launch Kaspersky Anti-Virus Scanner and be sure that the infected files
did not remain

Reboot your PC
--- Synchronet 3.18b-Win32 NewsLink 1.113