Win32.Sober virus - can't remove

[midwyfjan]

Ok, so I've been using Avast, Ewido, and Zone Alarm, and twice in the last couple of days, the virus Win32.Sober.W!ZIP has sent out unauthorized spam from my computer. Ran HijackThis, but it doesn't find it. Zone Alarm says it is unable to "treat" it. Don't think Avast is even finding it there. Anyone else having this problem? What did you do?

[justin1278]

try an online virus scan at http://housecall.trendmicro.com/


Trend Micro Housecall now supports Firefox and Mozilla web browsers!!!

[szc]

I believe you would get a better support and quicker help in this part of the forum:

http://forum.avast.com/index.php?board=4.0

Also give Justin's suggestion a try... just for the fun of it...

[midwyfjan]

yeah, trendmicro didn't work anyway. I ran that scan a couple of days ago when I was having a different problem. but this time, it couldn't seem to do a thing, even to run a regular scan. What the .....

I did turn off Zone Alarm to enable it to run. Before that, it would do nothing. I'll try the other forum.

thanks

[DavidR]

What detected 'Win32.Sober.W!ZIP' was sending out Spam?
Where was Win32.Sober.W!ZIP located?
How do you know it is sending out spam?

Something has to be running, for an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

There is likely to be more that one element to this see what the on-line analysis shows or paste the contents of you HJT log file here.

As Sasha Said this really should be in the Viruses and Worms forum, perhaps one of the Moderators will move it?

[midwyfjan]

I have moved this discussion to the proper forum - sorry for my ignorance of the process.
 
To answer your question about how I know this is happening, yesterday I got a delivery failure notification, listing a whole long list of email addresses that I supposedly sent posts to (but I didn't), and at the end it says:
"ZoneAlarm Security Suite has detected the following infected attachment(s):
*Message Part>reg_pass-data.zm9 : Win32.Sober.W!ZIP : Unable to repair"
These addresses were all sent to "setonimaging.com" Don't even know who that is.

This morning, I got another one, slightly different:
The original message was received at Sat, 10 Dec 2005 10:06:00 -0500 (EST)
from host-216-153-135-93.buf.choiceone.net [216.153.135.93]

"Your e-mail is being returned to you because there was a problem with its
delivery.  The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered.  The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster"

Again, with a long list of AOL addresses, none of which I know. They seem to be just CG.

I've been getting occasional Avast Timeout - Connection elapsed! messages, with (thunderbird.exe -> charter.net:110) underneath. What port is 110? What does it do?I think this is the source of the generation, but can't block Thunderbird, as it is my email program.