Anyone familiar w/ these symptoms?

 
 
MM
      19th Sep 2003
Have had a real s~~t wave for past week + . Despite 3 days of battle (
beginning w/ XP syst restores at every restore point available, followed by
>reg restore to previous save points> searching w/ 1/2 dozen various
OS/Reg/Diagnostic progs> hunting for hours in the reg> scanning for
viruses, tr horses spyware etc. w/ another 1/2 doz or so utilities> removal
of over 1/2 of my apps and virtually all docs> and having Norton and Zone
Alarm active on my syst) whatever came aboard effectively strangled my OS,
took me offline, and ultimately rendered my syst useless.
Beginning slowly, intermittently, and seemingly out of nowhere, a Windows
Installer message box "preparing to install..." began popping up. Because
I had been updating and had recently gone through a software feeding frenzy,
adding several new trial apps, I first thought I hadn't completed an install
correctly, so I reinstalled a couple of the more recent downloads in an
effort to "complete the install cycle" . The reinstalls went fine- alas, the
problem remained. Back to the drawing board. The more repair procedures
attempted, the more persistent and the worse the problem became. The Windows
Installer basically hijacked the OS (which I try not to take too personally)
and monopolized every task attempted, (syst and net). When attempting to
close the box, it reacted in different ways:
-- Click to close and it popped back up, ad infinitum, and wouldn't allow
moving to another task until closed (exceptions to this were (WinXP) Task
Manager, regedit and, I think, a couple other syst utilities)
-- X (close) greyed out, window frozen - not responding to mouse/keyboard.
-- Would close w/ Task Mngr, (after a 30-45 sec pause), but, about 3/4 of
time, would also close the program you were trying to open, leading to more
attempts etc
Ultimately was necessary to have Task Manager running full time just to
close Installer window between every task/mouseclick. The (almost) last straw
came when the "Can't Connect..." error messages showed up and each attempt
to connect to the net became disabled (IP confirmed, correctly, as it later
turned out, that my cable connection was good). Finally, I gave up.
Now after several calls to computer mnfr and a hardware guru, some
lukewarm online help (I accept some of the blame), installing a new
harddrive, installing and formatting a back-up harddrive (it ain't gonna go
down like this again), as well as adjusting Bios and jumpers, installing
drivers, downloading the 49Mb of Windows Critical updates to bring virgin OS
back to former glory, downloading an essential skeleton crew of programs,
along w/ the on-line registration forms, s/n's, new passwords, etc. etc.
After all of this, tonight I do a scan of a Documents back-up CD and
there are 2 viruses found. Furthermore, I have already copied this file
onto the backup harddrive so 2 viruses are now on my computer. The virus is
W32Sobig.B@mmvirus. Pardon the pun, but my understanding was that Sobig
virus was not Sobig. I sense that the above problems and Sobig may not be
interrelated, but would love hearing from an expert on this. Additionally,
I've traced the virus to a freeware prog I downloaded from the software cos.
website well over a year ago, w/ purpose of giving me my_details from MS-DOS
command line. It's embedded itself as a system file and is associated w/
.pif ext. Access is denied due to it being a "system" program and neither I,
Norton, McAfee, or Sophos Anti Virus can gain access.

Any information or identification relating to my computer symptoms, the
Sobig virus, getting rid of Sobig along w/ the infected (infecting?) app
which essentially is a little plug-in utility I don't need. Incidentally,
just as this problem began surfacing I started receiving a rash of emails
from different senders w/ "your_details" as a subject line, that carried
atts and were quarantined by Norton. Something here seems strange.


 
Jason Wade
      20th Sep 2003
On Fri, 19 Sep 2003 06:16:35 -0500, MM wrote:

> [...]
> it's embedded itself as a system file and is associated w/
> .pif ext. Access is denied due to it being a "system" program and neither I
> Norton, McAfee, or Sophos Anti Virus can gain access.
> [...]


This was a difficult post to read, but it seems that
you think you have Sobig. Sobig is not an issue for
me now that I mostly use Linux, but when I was using
Windows I sometimes had to change the attributes of
a file to manipulate it.

If you think that a "system" file is actually Sobig,
and you are not shy of re-installing Windows, you can
boot into "safe mode" and change the attribute of the
file using the "attr" command:

attr -r -h -s sobig.exe

Then you can delete it normally. But if sobig has infected
a system file that is truly needed for the system to run,
you have to reinstall Windows.

Although you are probably not in the mood for an OS change,
why not try out Linux? Mandrake Linux and SUSE Linux are
targeted toward normal users (not sysadmins), and (I've
heard) that they are relatively easy to install.

Anyway, good luck.

 
FromTheRafters
      21st Sep 2003

"Jason Wade" <(E-Mail Removed)> wrote in message news(E-Mail Removed)...
> On Fri, 19 Sep 2003 06:16:35 -0500, MM wrote:
>
> > [...]
> > it's embedded itself as a system file and is associated w/
> > .pif ext. Access is denied due to it being a "system" program and neither I
> > Norton, McAfee, or Sophos Anti Virus can gain access.
> > [...]

>
> This was a difficult post to read,


Reading was easy, but my comprehension is severely lacking.

> but it seems that
> you think you have Sobig. Sobig is not an issue for
> me now that I mostly use Linux, but when I was using
> Windows I sometimes had to change the attributes of
> a file to manipulate it.
>
> If you think that a "system" file is actually Sobig,
> and you are not shy of re-installing Windows, you can
> boot into "safe mode" and change the attribute of the
> file using the "attr" command:


I never tried that, I've always used attrib. ;o)

> attr -r -h -s sobig.exe
>
> Then you can delete it normally. But if sobig has infected
> a system file


To the best of my knowledge Sobig is a worm and not viral.
If correct, it cannot have "infected" any files ~ system or not.
(aside from any accidental aliasing that is)

> that is truly needed for the system to run,
> you have to reinstall Windows.
>
> Although you are probably not in the mood for an OS change,
> why not try out Linux? Mandrake Linux and SUSE Linux are
> targeted toward normal users (not sysadmins), and (I've
> heard) that they are relatively easy to install.

Therein lies the problem. ;o)


 
FromTheRafters
      21st Sep 2003

"MM" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Have had a real s~~t wave for past week + . Despite 3 days of battle (
> beginning w/ XP syst restores at every restore point available, followed by
> >reg restore to previous save points> searching w/ 1/2 dozen various
> OS/Reg/Diagnostic progs> hunting for hours in the reg> scanning for
> viruses, tr horses spyware etc. w/ another 1/2 doz or so utilities> removal
> of over 1/2 of my apps and virtually all docs> and having Norton and Zone
> Alarm active on my syst) whatever came aboard effectively strangled my OS,
> took me offline, and ultimately rendered my syst useless.


Okay, but no indication of any worm or virus in all of this activity?

> Beginning slowly, intermittently, and seemingly out of nowhere, a Windows
> Installer message box "preparing to install..." began popping up.


What applications do you normally run?

KaZaA?
Internet Relay Chat?
Sharing your drive?

> Because
> I had been updating and had recently gone through a software feeding frenzy,
> adding several new trial apps, I first thought I hadn't completed an install
> correctly, so I reinstalled a couple of the more recent downloads in an
> effort to "complete the install cycle".


Yeah, that seemed like a possibility.

> After all of this, tonight I do a scan of a Documents back-up CD and
> there are 2 viruses found. Furthermore, I have already copied this file
> onto the backup harddrive so 2 viruses are now on my computer.


> I sense that the above problems and Sobig may not be
> interrelated,


I get the same sense, but also that they may be both related to
unsafe computing practices. (

> but would love hearing from an expert on this.


I'm not an expert, but no-one seemed to be responding, so...

> Additionally,
> I've traced the virus to a freeware prog I downloaded from the software cos.
> website well over a year ago, w/ purpose of giving me my_details from MS-DOS
> command line. it's embedded itself as a system file and is associated w/
> .pif ext. Access is denied due to it being a "system" program and neither I
> Norton, McAfee, or Sophos Anti Virus can gain access.


Is this in a _restore folder?

If not,

Go to DOS and type:

attrib -h -s -r "full path to, and filename of file in question"

This should remove the DOS "system" attribute and allow deletion by the
AVs.

> Any information or identification relating to my computer symptoms, the
> Sobig virus, getting rid of Sobig along w/ the infected (infecting?) app
> which essentially is a little plug-in utility I don't need. Incidentally,
> just as this problem began surfacing I started receiving a rash of emails
> from different senders w/ "your_details" as a subject line, that carried
> atts and were quarantined by Norton. Something here seems strange.


Some of the Sobigs attempted to download and execute files IIRC.
I think that you have experienced other problems than just Sobig.

The fact that your "my_details" supposedly legitimate program has
a PIF doesn't really surprise me as it is a DOS program that you
may have wanted to run in a virtual DOS window. The unfortunate
circumstance that a PIF file has the string "my_details" may be too
much of a coincidence for a scanner to overlook ~ but if you don't
need it, why keep it.
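
The branch described in the reply above (ask whether the file sits in a _restore folder; if not, clear the hidden, system and read-only attributes so the scanner can delete it), as an added example that is not part of the original thread. The helper names, file paths and attribute masks are constructed for illustration.

```python
import stat
from pathlib import PureWindowsPath

# Attribute bits cleared by the thread's "attrib -h -s -r" switches.
CLEARABLE = {
    "R": stat.FILE_ATTRIBUTE_READONLY,  # 0x01
    "H": stat.FILE_ATTRIBUTE_HIDDEN,    # 0x02
    "S": stat.FILE_ATTRIBUTE_SYSTEM,    # 0x04
}
BLOCKING = sum(CLEARABLE.values())


def flags(mask):
    """Letters (subset of 'RHS') set in a Windows file-attribute mask."""
    return "".join(k for k, bit in CLEARABLE.items() if mask & bit)


def cleared(mask):
    """Mask after attrib -h -s -r: R/H/S removed, every other bit kept."""
    return mask & ~BLOCKING


def triage(path, mask):
    """Hypothetical helper: classify one file the way the reply branches."""
    p = PureWindowsPath(path)
    if any(part.lower() == "_restore" for part in p.parts):
        # The attrib advice is given only for the "if not" case,
        # so no command is proposed for restore-folder copies.
        return ("restore-folder", None)
    if mask & BLOCKING:
        return ("clear-attributes", f'attrib -h -s -r "{p}"')
    return ("deletable", None)


# Constructed sample listing. On a real Windows host the mask would come
# from os.stat(path).st_file_attributes.
A = stat.FILE_ATTRIBUTE_ARCHIVE
SAMPLE = [
    ("C:\\_RESTORE\\TEMP\\A0000001.pif", 0x02 | 0x04),
    ("C:\\UTILS\\my_details.pif", 0x01 | 0x02 | 0x04 | A),
    ("C:\\DOCS\\notes.txt", A),
]


def report(listing=SAMPLE):
    """Return (path, flags, verdict, command) for every listed file."""
    return [(p, flags(m)) + triage(p, m) for p, m in listing]


if __name__ == "__main__":
    for row in report():
        print(row)
```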


 