W32.Sober.x is killing me

I forget

NAV Corporate 10 would alert me that it had found and deleted an
infected zip file whenever I would try to send email from ACT!. It did
not fire when using OE or at any other time, only when trying to email
from ACT! I rebooted to safe mode, did a full scan, found nothing.

I went to Symantec's site and read about all the files Sober puts on
your computer and none of them were present on my system. I was
beginning to think that the worm had been cleaned and there was a
remnant which was triggering false positives.

I downloaded Symantec's Sober removal tool, ran from safe mode, found
nothing.

I then installed the M$ Anti-Spyware tool and did a full scan, found
nothing.

I installed F-Prot for Windows, did a full scan, found nothing.

I installed NOD32, did a full scan, found nothing.

Now my CPU is maxed and NAV Corporate is constantly telling me it
found and deleted an infected file.

Does anyone have a suggestion other than fdisk? Thanks. :(
 
David H. Lipman

From: "I forget" <[email protected]>

| NAV Corporate 10 would alert me that it had found and deleted an
| infected zip file whenever I would try to send email from ACT!. It did
| not fire when using OE or at any other time, only when trying to email
| from ACT! I rebooted to safe mode, did a full scan, found nothing.
|
| I went to Symantec's site and read about all the files Sober puts on
| your computer and none of them were present on my system. I was
| beginning to think that the worm had been cleaned and there was a
| remnant which was triggering false positives.
|
| I downloaded Symantec's Sober removal tool, ran from safe mode, found
| nothing.
|
| I then installed the M$ Anti-Spyware tool and did a full scan, found
| nothing.
|
| I installed F-Prot for Windows, did a full scan, found nothing.
|
| I installed NOD32, did a full scan, found nothing.
|
| Now my CPU is maxed and NAV Corporate is constantly telling me it
| found and deleted an infected file.
|
| Does anyone have a suggestion other than fdisk? Thanks. :(
|

Remove NAV.

Remove F-Prot.

Keep NOD32 installed !
 
I forget

Remove NAV.

Remove F-Prot.

Keep NOD32 installed !

Thank you for the reply. Do you actually feel that this might get rid
of Sober or are you just expressing your preference in programs? Thank
you!
 
David H. Lipman

From: "I forget" <[email protected]>


|
| Thank you for the reply. Do you actually feel that this might get rid
| of Sober or are you just expressing your preference in programs? Thank
| you!

For one, having three formally installed AV applications is contrindicated. Of the three
NOD32 is best and F-Prot is number two.

You have also indicated you have performed numerous scans using different utilities and AV
vendors.

Remove NAV and F-Prot and just keep NOD32.

Just to be sure you don't have a Sober worm lingering around, you can use the Multi AV
Scanning Tool which is not a formally installed AV application and thus won't interfere with
NOD32 and will give you four different AV vendor scanners.

Start with the McAfee module.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
I forget

| From: "I forget" <[email protected]>
|
| |
| | Thank you for the reply. Do you actually feel that this might get rid
| | of Sober or are you just expressing your preference in programs? Thank
| | you!
|
| For one, having three formally installed AV applications is contrindicated. Of the three
| NOD32 is best and F-Prot is number two.
|
| You have also indicated you have performed numerous scans using different utilities and AV
| vendors.
|
| Remove NAV and F-Prot and just keep NOD32.
|
| Just to be sure you don't have a Sober worm lingering around, you can use the Multi AV
| Scanning Tool which is not a formally installed AV application and thus won't interfere with
| NOD32 and will give you four different AV vendor scanners.
|
| Start with the McAfee module.
|
| Download MULTI_AV.EXE from the URL --
| http://www.ik-cs.com/programs/virtools/Multi_AV.exe
|
| To use this utility, perform the following...
| Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
| Choose; Unzip
| Choose; Close
|
| Execute; C:\AV-CLS\StartMenu.BAT
| { or Double-click on 'Start Menu' in C:\AV-CLS }
|
| NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
| FireWall to allow it to download the needed AV vendor related files.
|
| C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
| This will bring up the initial menu of choices and should be executed in Normal Mode.
| This way all the components can be downloaded from each AV vendor's web site.
| The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
|
| You can choose to go to each menu item and just download the needed files or you can
| download the files and perform a scan in Normal Mode. Once you have downloaded the files
| needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
| during boot] and re-run the menu again and choose which scanner you want to run in Safe
| Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
|
| When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
| file. http://www.ik-cs.com/multi-av.htm
|
| * * * Please report back your results * * *

Hello, David, normally I would trim the original post, but your
information is so great that I cannot. :)

First of all, before I downloaded your great program, I saw that NOD32
gave me some path info I hadn't seen from the other AV apps. I deleted
a bunch of Temp Internet Files that were still present in spite of my
supposedly deleting them numerous times via IE, which brought my CPU
cycles down from 100% to 1% and Symantec's infected alerts stopped
coming.

I downloaded your package and updated all programs. McAfee would not
run in either Normal or Safe mode, but I ran Sophos, Trend, and
Kaspersky in Normal Mode, then rebooted to Safe Mode and ran them all
again. I rebooted and Symantec went nuts, alerting me constantly about
infections. Interestingly, these infections were all in a Symantec
Application Data folder. I removed Symantec Corp 10 (which took about
10 minutes!) and rebooted and the machine is running like it should
be.

This seems like an odd sequence of events, but both NOD32 and F-Prot
say I am clean.

Question: Ziff-Davis used to be my source of knowledge and they
advocated running two or three AV programs, which you do not, saying
it is "contrindicated". I don't know this word, but Merriam-Webster
says that contraindicate (different spelling) means "inadvisable".
Presuming this is what you meant, can you point me to something saying
this? I have never heard that and am not sure how to Google it.

Suggestion: When I right-click and drag on Multi_AV.exe, one of my
options is to extract it to C:\Multi_AV, as opposed to C:\AV-CLS as
required. Do you get my drift?

Also, please look for an email with the subject line, "Multi_AV". You
will be glad you did.
 
David H. Lipman

From: "I forget" <[email protected]>


|
| Hello, David, normally I would trim the original post, but your
| information is so great that I cannot. :)
|
| First of all, before I downloaded your great program, I saw that NOD32
| gave me some path info I hadn't seen from the other AV apps. I deleted
| a bunch of Temp Internet Files that were still present in spite of my
| supposedly deleting them numerous times via IE, which brought my CPU
| cycles down from 100% to 1% and Symantec's infected alerts stopped
| coming.
|
| I downloaded your package and updated all programs. McAfee would not
| run in either Normal or Safe mode, but I ran Sophos, Trend, and
| Kaspersky in Normal Mode, then rebooted to Safe Mode and ran them all
| again. I rebooted and Symantec went nuts, alerting me constantly about
| infections. Interestingly, these infections were all in a Symantec
| Application Data folder. I removed Symantec Corp 10 (which took about
| 10 minutes!) and rebooted and the machine is running like it should
| be.
|
| This seems like an odd sequence of events, but both NOD32 and F-Prot
| say I am clean.
|
| Question: Ziff-Davis used to be my source of knowledge and they
| advocated running two or three AV programs, which you do not, saying
| it is "contrindicated". I don't know this word, but Merriam-Webster
| says that contraindicate (different spelling) means "inadvisable".
| Presuming this is what you meant, can you point me to something saying
| this? I have never heard that and am not sure how to Google it.
|
| Suggestion: When I right-click and drag on Multi_AV.exe, one of my
| options is to extract it to C:\Multi_AV, as opposed to C:\AV-CLS as
| required. Do you get my drift?
|
| Also, please look for an email with the subject line, "Multi_AV". You
| will be glad you did.

Now I can tie the email to the post :)

The Multi AV Scanning Tool is deliberately hard coded to C:\AV-CLS (Anti Virus - Command
Line Scanners) and I am sorry to say that won't change.

Sorry about my spelling. It can be atrocious. The word was "contraindicated" which
basically means the application is inadvisable as you found out. The only time two AV
vendors' packages can be installed simultaneously is if one goes to the lengths of only
allowing one application to perform "On Access" scanning. The other consequences are the
overhead of the extra application and the consumed resources. You really don't get added
protection, just wasted resources.

It is best to have just one AV application formally installed and performing "On Access"
scanning and using multiple "On Demand" scanners. The Multi AV Scanning Tool is an example
of multiple "On Demand" scanners brought together in one front-end utility.
 
I forget

| Now I can tie the email to the post :)

Gotcha! :)

| The Multi AV Scanning Tool is deliberately hard coded to C:\AV-CLS (Anti Virus - Command
| Line Scanners) and I am sorry to say that won't change.

I understand. What I'm saying is that WinZip, WinRAR, and maybe other
such apps allow right-click and drag, which gives you an option to
unzip to <current location><filename as new folder name>. This is what
I did, which unzipped Multi_AV.exe into C:\Multi_AV instead of the
necessary C:\AV-CLS. This is so natural for me and it took a second to
see why it would not run. Anyway, what a great package, thank you!

| Sorry about my spelling. It can be atrocious. The word was "contraindicated" which
| basically means the application is inadvisable as you found out. The only time two AV
| vendors' packages can be installed simultaneously is if one goes to the lengths of only
| allowing one application to perform "On Access" scanning. The other consequences are the
| overhead of the extra application and the consumed resources. You really don't get added
| protection, just wasted resources.

I can spell great, but usually have typos all over the place - in
newsgroups only, though.

| It is best to have just one AV application formally installed and performing "On Access"
| scanning and using multiple "On Demand" scanners. The Multi AV Scanning Tool is an example
| of multiple "On Demand" scanners brought together in one front-end utility.

Now that makes sense, David, thanks for taking the time to explain.