
Can't seem to shake the Klez!!!


johnnymc

Technical User
Aug 28, 2002
72
US
I have a small network with 50 PCs and I use Norton AntiVirus Corporate Edition version 7.5. I have one server set to get updates every night and all PCs check it daily. I have a scan scheduled for each PC once a week. I have a problem with one PC. It continues to receive viruses through email and Norton seems to quarantine them, but I cannot find them to delete them. The user gets system admin email every morning like this:

Your message did not reach some or all of the intended recipients.

Subject: Returned mail--"PHILOSOPHY"

The following recipient(s) could not be reached:

Tbillhei@neo.rr.com on 1/17/2003 5:11 AM
The recipient name is not recognized
The MTS-ID of the original message is: c=us;a= ;p=ncmf;l=EXCHANGE0301171010CWFK6ZAT
MSEXCH:IMS:NCMF:NCMF:EXCHANGE 0 (000C05A6) Unknown Recipient


The person on this PC did not try to send email to this address. I am sure there is some virus trying to email out from his system but nothing shows up on any scan! I have scanned it with Norton, the Stinger tool, and the Klez removal tool; nothing shows up, and still the number of these emails trying to go out increases. This morning he had about 50 of them. This person is the frequent target of email containing the Klez virus and most of the email addresses the virus is trying to send to correspond to an incoming email that contained the Klez virus. Anyone have any ideas how to stop this? Of course, the one PC this would happen to belongs to the CEO.
Any ideas would be appreciated!!
Thanks all
 
Hello johnnymc -

I too have had a time w/that %!$@ Klez - also, not sure if this is your case but it tends to stick around longer with WinME & XP.

If you're running XP, you may want to go into Control Panel >> System >> System Restore and check DISABLE. It's possible the Klez is restoring itself each time. I'm not 100% sure about that, but it has been known to occur.

(Other PCs = Control Panel >> System >> Performance - File System >> Trouble Shooting >> Disable System Restore.)
Re-run your fix tools. Remember to keep it off the network -- it just loves to place itself on mapped drives/print queues/spools. Also, clear out all the user's temp. internet files along with cookies. Also, another virus fix tool you may want to grab from Symantec is that Bugbear fix. Run both of them.

I swear, 1 of our PCs required me to run that fix @ least 5 times along with re-installing Symantec's AV (right over top of existing) before it was finally clean.

Good Luck.



 
I too have this problem; it is not so bad since I discovered that Windows updates are useful (paranoid conspiracy theorist I am) (oh, and new to computers).

But we have two PCs that seem to be running little Klez job engines. Is this possible? Is this how viruses get in?

If this is the case, can anyone tell me where Klez is coming from on these PCs, and can it just be deleted, or is it easier to just format the hard disk and start again?
 
W32.Klez is a difficult virus to determine where it is coming from, as it will send itself via email from an infected PC (especially Klez.H). It will send email from the infected PC's address book to contacts and from contacts in that address book. If your user is in the address book of an infected PC, and the virus is sending out emails on your user's behalf, and the person receiving the email has changed email address to stop receiving Klez emails, then if there was any information in the email headers pointing back to your computer, you will receive the returned email. There is a good chance this is happening OR you have the virus on your computer. Another solution that you could try is to delete your user's email account and restart with a new address. This would confirm whether the virus is on your PC or someone else's. Remember, if you discover W32.Klez on your computer and you are using Norton tools, you must shut down for at least 30 to 40 seconds and not reboot, as Klez can hop from memory. Good luck.
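
Added example, not part of the thread: one way to tell the two cases above apart (forged sender elsewhere versus a local infection) is to read the headers a bounce returns and check whether the earliest Received hop logged an address inside your own network. `LOCAL_NETS`, the function names and the sample bounce are assumptions constructed for illustration; a bounce that returns no headers, like the Exchange NDR quoted in the first post, comes back as "unknown".

```python
import email
import ipaddress
import re
from email import policy

# Assumption: the site's internal address range; replace with your own.
LOCAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def returned_headers(bounce):
    """Headers of the original message carried inside the bounce, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def origin_ip(original):
    """Client IP logged by the earliest hop (the bottom-most Received header)."""
    for hop in reversed(original.get_all("Received", [])):
        match = BRACKETED_IP.search(str(hop))
        if match:
            try:
                return ipaddress.ip_address(match.group(1))
            except ValueError:
                continue  # bracketed text that is not a valid address; try next hop
    return None

def classify(raw_bounce):
    """'local' = submitted from inside the site, 'spoofed' = sent from elsewhere."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    original = returned_headers(bounce)
    ip = origin_ip(original) if original is not None else None
    if ip is None:
        return "unknown"  # the bounce returned no usable headers
    return "local" if any(ip in net for net in LOCAL_NETS) else "spoofed"

def sample_bounce(client_ip):
    """Constructed sample: minimal multipart/report bounce that returns the headers."""
    return (
        "From: postmaster@mail.example.net\nTo: ceo@example.com\n"
        'Subject: Returned mail\nMIME-Version: 1.0\nContent-Type: multipart/report; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nThe recipient name is not recognized\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        f"Received: from pc ([{client_ip}]) by mail.example.net; Fri, 17 Jan 2003 05:11:00 -0500\n"
        "From: ceo@example.com\nSubject: PHILOSOPHY\n--b1--\n"
    )
```

Treat the result as a lead rather than proof: only Received lines written by servers you trust are reliable, and a "local" result should be followed by checking that host and the mail server's own logs.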
 