Author Topic: Win32.Sober virus - can't remove  (Read 3813 times)

0 Members and 1 Guest are viewing this topic.


  • Guest
Win32.Sober virus - can't remove
« on: December 10, 2005, 02:04:49 AM »
Ok, so I've been using Avast, Ewido, and Zone Alarm, and twice in the last couple of days, the virus Win32.Sober.W!ZIP has sent out unauthorized spam from my computer. Ran HijackThis, but it doesn't find it. Zone Alarm says it is unable to "treat" it. Don't think Avast is even finding it there. Anyone else having this problem? What did you do?


  • Guest
Re: Win32.Sober virus - can't remove
« Reply #1 on: December 10, 2005, 02:46:57 AM »
try an online virus scan at

Trend Micro Housecall now supports Firefox and Mozilla web browsers!!!
« Last Edit: December 10, 2005, 02:48:58 AM by justin1278 »

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: Win32.Sober virus - can't remove
« Reply #2 on: December 10, 2005, 02:58:37 AM »
I believe you would get a better support and quicker help in this part of the forum:

Also give Justin's suggestion a try... just for the fun of it...
« Last Edit: December 10, 2005, 03:01:12 AM by S.Z.Craftec »
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s


  • Guest
Re: Win32.Sober virus - can't remove
« Reply #3 on: December 10, 2005, 03:51:16 AM »
yeah, trendmicro didn't work anyway. I ran that scan a couple of days ago when I was having a different problem. but this time, it couldn't seem to do a thing, even to run a regular scan. What the .....

I did turn off Zone Alarm to enable it to run. Before that, it would do nothing. I'll try the other forum.


Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 89212
  • No support PMs thanks
Re: Win32.Sober virus - can't remove
« Reply #4 on: December 10, 2005, 04:15:38 PM »
What detected 'Win32.Sober.W!ZIP' was sending out Spam?
Where was Win32.Sober.W!ZIP located?
How do you know it is sending out spam?

Something has to be running, for an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

There is likely to be more that one element to this see what the on-line analysis shows or paste the contents of you HJT log file here.

As Sasha Said this really should be in the Viruses and Worms forum, perhaps one of the Moderators will move it?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security


  • Guest
Re: Win32.Sober virus - can't remove
« Reply #5 on: December 10, 2005, 07:12:11 PM »
I have moved this discussion to the proper forum - sorry for my ignorance of the process.
To answer your question about how I know this is happening, yesterday I got a delivery failure notification, listing a whole long list of email addresses that I supposedly sent posts to (but I didn't), and at the end it says:
"ZoneAlarm Security Suite has detected the following infected attachment(s):
*Message Part>reg_pass-data.zm9 : Win32.Sober.W!ZIP : Unable to repair"
These addresses were all sent to "" Don't even know who that is.

This morning, I got another one, slightly different:
The original message was received at Sat, 10 Dec 2005 10:06:00 -0500 (EST)
from []

"Your e-mail is being returned to you because there was a problem with its
delivery.  The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered.  The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail

--AOL Postmaster"

Again, with a long list of AOL addresses, none of which I know. They seem to be just CG.

I've been getting occasional Avast Timeout - Connection elapsed! messages, with (thunderbird.exe -> underneath. What port is 110? What does it do?I think this is the source of the generation, but can't block Thunderbird, as it is my email program.