Author Topic: Incomplete Sober worm removal  (Read 5491 times)


wabashjake

  • Guest
Incomplete Sober worm removal
« on: December 23, 2005, 02:21:57 AM »
Hoping someone here knows what's going on.

This weekend I was asked to take a look at a machine that was "acting funny."  It turns out that the owner had been running it without virus protection for almost two years.

I installed avast! 4.6-744 and it detected and removed a Sober virus infection.  Or so I thought, until it started popping up "Internet connection timeout elapsed" messages pointing to some very odd mail servers.

I looked up the "Internet Mail" settings and I can see it letting through spam mail after spam mail.  This computer is literally sending out spam non-stop (8900 messages so far).

This computer does not use a resident email client, only web-based email.  I checked both Outlook and Outlook express, and there are no accounts in either program.

I've searched the web, but not finding a lot more info.

Can anyone suggest something?

Jacob

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Incomplete Sober worm removal
« Reply #1 on: December 23, 2005, 09:32:58 AM »
Give this a try.

http://ts.mcafeehelp.com/default.asp?siteID=1&resolution=800x600&rurl=&rqs=

You can download Stinger from this page. Scroll down on the right panel; the link to the program is the word "stinger" (in blue letters).

Good luck
« Last Edit: December 23, 2005, 09:39:04 AM by oldman »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Incomplete Sober worm removal
« Reply #2 on: December 23, 2005, 09:37:14 AM »
On a really dirty machine, no one AV will remove everything.

It would be worth running Trend Micro Sysclean, Stinger as mentioned, plus a few online scans to double check.

Links here:

http://www.geocities.com/dontsurfinthenude/antivir2.htm
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Incomplete Sober worm removal
« Reply #3 on: December 23, 2005, 09:41:20 AM »
Agreed, Frank.  On the same page in the link I posted, an online scan can also be performed.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: Incomplete Sober worm removal
« Reply #4 on: December 23, 2005, 04:13:44 PM »
Quote
I installed avast! 4.6-744 and it detected and removed a Sober virus infection.  Or so I thought, until it started popping up "Internet connection timeout elapsed" messages pointing to some very odd mail servers.

In that timeout message it usually gives the program file that initiated the email being sent. That should also give you a clue as to what is responsible. If you know it, let us know. Many of these malware email bots come with their own SMTP routine, so they don't need to use Outlook or OE.

If this were sober sending out more infected emails then avast once installed should catch it. However, I feel this may be more of a SpamBot activity sending spam rather than viruses, something that may get under avast's radar, unless it is caught by the heuristics for multiple messages with the same subject in a short time.

With a system that has been unprotected for so long, it could be completely compromised and may need the ultimate sanction: format and start again. That aside, as people have said, defense in depth is essential.

If you haven't already got this software (freeware), download, install, update and run it.
1. Ad-Aware
2. Spybot Search and Destroy
3. Spywareblaster Don't install this until you are clean.
4. Ewido Security Suite If using winXP.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
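DavidR's point above is that a spambot with its own SMTP engine bypasses Outlook entirely, and that the one thing likely to catch it is a heuristic for many messages with the same subject in a short time. The following is an added example (not code from this thread or from avast) of that heuristic as a defender would implement it: a small parser for a constructed outbound-mail log, and a per-subject sliding window that raises an alert once a subject repeats more than a threshold number of times within the window. The log format, process names, server names and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (an assumed format, not real output of any product):
# timestamp, sending process, destination mail server, quoted subject.
SAMPLE_LOG = """\
2005-12-23 02:00:01 outlook.exe smtp.isp.example "Holiday photos"
2005-12-23 02:00:05 winlogon.exe mx1.odd-server.example "important news"
2005-12-23 02:00:06 winlogon.exe mx2.odd-server.example "important news"
2005-12-23 02:00:08 winlogon.exe mx3.odd-server.example "important news"
2005-12-23 02:00:09 winlogon.exe mx1.odd-server.example "important news"
2005-12-23 02:00:11 winlogon.exe mx4.odd-server.example "important news"
2005-12-23 02:30:00 outlook.exe smtp.isp.example "Re: meeting"
2005-12-23 02:45:00 outlook.exe smtp.isp.example "Re: meeting"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<proc>\S+) (?P<server>\S+) "(?P<subject>[^"]*)"$'
)


def parse_log(text):
    """Turn the log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "proc": m.group("proc"),
            "server": m.group("server"),
            "subject": m.group("subject"),
        })
    return events


def find_bursts(events, threshold=5, window_seconds=60):
    """Alert on any subject seen `threshold` or more times within `window_seconds`.

    Keeps one deque of recent events per (case-folded) subject, drops events that
    fell out of the window, and alerts the first time a subject's window fills up.
    """
    alerts = []
    windows = defaultdict(deque)
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev["subject"].lower()
        q = windows[key]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "subject": ev["subject"],
                "count": len(q),
                "processes": sorted({e["proc"] for e in q}),
                "servers": sorted({e["server"] for e in q}),
                "first": q[0]["ts"],
                "last": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_bursts(parse_log(SAMPLE_LOG)):
        print(f'{a["count"]} x "{a["subject"]}" in '
              f'{(a["last"] - a["first"]).seconds}s from {a["processes"]} '
              f'to {len(a["servers"])} servers')
```

Run against the constructed sample, the five "important news" messages sent by winlogon.exe to four different servers in six seconds trigger one alert, while the two legitimate "Re: meeting" messages fifteen minutes apart do not. The alert record carries the sending process and the set of destination servers, which is exactly the information the thread's timeout messages were expected to reveal.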

wabashjake

  • Guest
Re: Incomplete Sober worm removal
« Reply #5 on: December 23, 2005, 08:09:44 PM »
First of all, thank you to everyone for taking the time to read and respond -- it is appreciated.

I did run Stinger and Symantec's W32 Sober Removal tool after it became clear that the machine was still compromised.  I also ran Trend Micro's online Housecall.  Stinger did find infections in the System Restore points, but otherwise nothing new.

I'm starting to agree with DavidR that this may be a non viral attack.  The system does have updated versions of Ad-Aware, Spybot Search & Destroy, and Spyware Blaster installed and active.  Ad-Aware and Spybot found nothing.  I'm not familiar with Ewido Security Suite, but willing to give it a try.

DavidR, the timeout messages don't show the program initiating the emails.  I can set the email scanning options in Avast! so that it starts catching them, but at something like 6,000 spams a day the warnings become near constant.

I admit that this machine is proving to be very frustrating, not least because such a gross oversight went on for this long and now is drawing in my time.  I'm not far at all from using the "ultimate sanction" on the drive, since at this point a full rebuild would take less time than I've already spent.

Still, would love to figure this out if only for the principle.

Will post any new results once I've installed Ewido Security Suite.

Thanks again!
Jacob

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: Incomplete Sober worm removal
« Reply #6 on: December 23, 2005, 09:59:17 PM »
If you can do a screen capture the timeout message with its odd mail servers, it may help to narrow this down.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: Incomplete Sober worm removal
« Reply #7 on: December 23, 2005, 10:17:37 PM »
Hi Jacob,

To me this smells like AIM. You can download Loden's Aimfix and run that against the machine. Just give it a swing. Get it from here: http://www.jayloden.com/aimfix.htm
Again, a good thing to do next is: go to Start -> Run -> and in the command line type: drwtsn32 -i. Just this. The -i is to set the installation back as meant.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Juanjo

  • Avast Reseller
  • Full Member
  • *
  • Posts: 158
    • Avast Antivirus España - Distribuidor y Mayorista Oficial
Re: Incomplete Sober worm removal
« Reply #8 on: December 24, 2005, 02:38:11 PM »
Hello all. As I said in another post, we have some customers reporting the same problem. In all cases, we have solved the problem using HijackThis and fixing all lines that were suspicious. In the majority of the cases the file used to send spam was a false winlogon.exe.

From what we can see, I believe that the infection is affecting more and more people.

Hannoloeloe

  • Guest
Re: Incomplete Sober worm removal
« Reply #9 on: December 27, 2005, 03:50:03 PM »
Hi there,

I've been having the very same problem.
Avast's Internet Mail Settings indicate that millions of spam messages are sent to a wide variety of e-mail addresses, all with the subject "important news".
From time to time Avast displays the "Internet connection timeout elapsed" message, with indication of the winlogon.exe file.
I've tried numerous virus scanners and anti-spyware programs such as Avast, Ad-aware, Spybot and Ewido anti-malware, but none of these programs proved to be a solution.

So, does anyone of you know what to do next?  ??? It's been deadly annoying for the past few days and I'd like to get rid of it!

Thank you!
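Juanjo's reply (#8) and Hannoloeloe's (#9) both point at a false winlogon.exe as the process sending the spam. The legitimate winlogon.exe lives only in %SystemRoot%\System32, so a copy running from anywhere else is a masquerade. The following is an added example, not code from this thread or from HijackThis, of the check an administrator would run over a process listing: for each process whose name matches a core Windows process, compare the directory of its image path with the expected System32 directory. The process list, the SystemRoot value and the set of core process names are assumptions for illustration; it uses `ntpath` so the path handling is Windows-correct even when run elsewhere.

```python
import ntpath

# Assumption: a default install with SystemRoot = C:\WINDOWS, as on XP-era machines.
SYSTEM_ROOT = r"C:\WINDOWS"

# Core Windows processes that normally run only from %SystemRoot%\System32.
CORE_PROCESSES = {
    "winlogon.exe", "csrss.exe", "lsass.exe",
    "services.exe", "smss.exe", "svchost.exe",
}

# Constructed process listing (name, image path, owner); not real tasklist output.
# It contains one genuine winlogon.exe, one impostor in C:\WINDOWS, and an
# impostor lsass.exe in a user's Temp directory.
SAMPLE_PROCESSES = [
    ("winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe", "SYSTEM"),
    ("winlogon.exe", r"C:\WINDOWS\winlogon.exe", "Owner"),
    ("svchost.exe", r"C:\WINDOWS\System32\svchost.exe", "SYSTEM"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe", "Owner"),
    ("lsass.exe",
     r"C:\Documents and Settings\Owner\Local Settings\Temp\lsass.exe", "Owner"),
]


def expected_dir(system_root=SYSTEM_ROOT):
    """Normalised (lower-cased, backslash) path of the System32 directory."""
    return ntpath.normcase(ntpath.join(system_root, "system32"))


def find_masquerading(processes, system_root=SYSTEM_ROOT):
    """Return the core-named processes whose image is not in System32.

    Each finding records the name, the offending path and the owner so the
    entry can be matched against a HijackThis log or a process viewer.
    """
    sys32 = expected_dir(system_root)
    findings = []
    for name, path, owner in processes:
        lname = name.lower()
        if lname not in CORE_PROCESSES:
            continue
        actual_dir = ntpath.normcase(ntpath.dirname(path))
        if actual_dir != sys32:
            findings.append({
                "name": lname,
                "path": path,
                "owner": owner,
                "reason": "core process image outside System32",
            })
    return findings


if __name__ == "__main__":
    for f in find_masquerading(SAMPLE_PROCESSES):
        print(f'{f["name"]} run by {f["owner"]} from {f["path"]}: {f["reason"]}')
```

On the constructed listing the genuine winlogon.exe and svchost.exe pass (case differences in "system32" are normalised away), while the winlogon.exe in C:\WINDOWS and the lsass.exe in a Temp directory are reported. The path check is deliberately the only criterion: a real name-match on its own proves nothing, which is why the thread's scanners kept missing it.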

Spiritsongs

  • Guest
Re: Incomplete Sober worm removal
« Reply #10 on: December 27, 2005, 06:29:20 PM »
:) Hannoloeloe:

Ad-Aware, at times, requires the use of "special instructions" to remove difficult spyware. Such "instructions", along with other expert advice, can be found on the forums at www.landzdown.com; this forum is staffed by the experts who used to advise on the now-defunct Lavasoft Ad-Aware Support forums.