Hi all,
I tried to help somebody whose system was sending hundreds of klez infected emails to newsgroups.
I told her to get the clrav.com tool at kaspersky's and do the scan in windows, windows safe mode and in msdos.
After to get an online scan at one of the known sites.
Till she would come out clean not to trust her local av/at, but immediately afer to update the databases.
She has an WinME system and her av is NAV2000.
She says she came out all clean with every scan.
This surprises me more then highly.
I had told her to disable the system recovery just in case.
She sent a few emails from the same email account, same IP, as far as i can see same routing, but i think she logged in as another user as those emails are completely clean, no klez, no iframe exploit.
As she says she does not have different ways of logging in, no network, just her and her C:\ drive, i'm even more surprised about this.
It can't also be done by her ISPs mailserver, for then the other emails from the same email account would not have been clean.
In the infected emails her routing is each time pasted inside the header with extra some of her addressbook or inbox addresses, exactly like Klez always does. As all time her IP is used, i don't think any other person is involved.
Any ideas so far?

Good; i had told her after all the scanning and possible cleansing to update her av, NAV2000. Unfortunately she decided to uninstall that completely and to install NAV2002.
And this does not want to be installed, it keeps telling to install NAV2000.

I don't run NAV so i don't have the slightest idea.
Could this mean there is still some infection somewhere on the system, or should she just try to reinstall her NAV2000 version and after that upgrade to 2002 or are there risks in that?

Thanks in advance for the insights!
I am sure this kind of problem has geen answered but searching here can't find the answer.

She could try RNAV.exe:

How to uninstall Norton AntiVirus by using the Rnav.exe removal tool (http://service2.symantec.com/SUPPORT/nav.nsf/pfdocs/2001092114452606)

Thanks a lot! I wasn't around to react sooner, so i just emailed her, and will try to let you know when i hear results!

No prob! :)

It usually does the trick, if the uninstaller's missing or corrupted.

One other thing: I'd run it in Safe Mode; it does a more thorough job there.

Sounds good! I gave her the link to this thread, so she might come over to read and learn here too!
Wished i had done so and known long ago as my system was bad with NAV on it (5, 2000), the uninstall took away files other programs really needed, so that was some stumbling more till the main programs were reinstalled.
My system simply doen't like NAV.

She needs to turn off the recovery mode.
Because if system files are infected , the antivirus won't fix um unless it is turned off.. ;)

Thanks Controler, i forgot to tell i had her that far already :) which helped not getting infections back after cleansing, even though saying not being infected at all.
That system restore is a pain in such problems, think to remember another thread here somewhere where that was an important item too :)
In the meantime got a big thanks to the good people here as it helped her and she now is running NAV2002, updated.
So as that NAV wanted to be installed now, i might more or less suppose she should at least have been clean at the moment of installing NAV, is that a right impression?

Well these are two differerent things.

Norton does advise to uninstall and reinstall NAV after getting rid of Klez, as vital files may have been corrupted or removed.

I think though you can safely conclude, that if she's been able to install NAV 2002, update her virus definitions, deep scan her drives, and still come out clean, there's no trace of Klez left.

Thanks again for the comments; it was the same i was thinking.
I would think of my firewall too and whatever thing checking my email and letting it still pass without blocking.
AQnd of urse after all the cleaning update all security patches at MS for windows and IE/OE as that update site too might find missing parts.
After too many crashes i update my IE or do a repair install for IE from that site, where possible missing files are downloaded again.
Might be necessary after uninstalling NAV, as that goes soo deep and spares nothing! :)
For the sending of infected emails if not sent by her known computer name for instance would only be possible with another user login or another computer in a network sharing one internet connection. So if there is such a thing she knows now how to clean that and how to re-install NAV.