
HELP!

 
Old 21 August 2003, 10:21 AM
  #1  
Redkop
Scooby Regular
Thread Starter
 
Join Date: Oct 2001
Posts: 11,403

AVG picked up that I have sobig.f and couldn't quarantine it, so I ran the Symantec Removal Tool and it said I didn't have it on my computer.

Have run AVG again and it says I DO

What the **** do I do now. Am really stressed and panicking like hell
Old 21 August 2003, 10:40 AM
  #2  
what would scooby do
Scooby Senior
 
Join Date: Aug 2002
Location: 52 Festive Road
Posts: 28,311

maybe a false alarm ??

I would download stinger from NAI and see if it can detect or remove it.. just to be sure
Old 21 August 2003, 11:06 AM
  #3  
Redkop
Scooby Regular
Thread Starter
 
Join Date: Oct 2001
Posts: 11,403

Have just run an online scan from TrendMicro and that has picked it up as well

Can only deduce that Symantec/Norton must be crap!!!
Old 21 August 2003, 11:20 AM
  #4  
Jye
Scooby Regular
 
Join Date: Mar 1999
Location: Dumbartonshire
Posts: 5,896

My NAV picked it up NP, all 17 emails worth I got the other night, grrrr. I'm using Norton 2003 Pro edition.
Old 21 August 2003, 11:30 AM
  #5  
Redkop
Scooby Regular
Thread Starter
 
Join Date: Oct 2001
Posts: 11,403

My problem is not detecting it....it's how to fecking get rid of it - how the **** I got it I haven't a clue, as it's NOT been via an email - says it's \temp\movie0045.pif...which makes it even more confusing because I haven't seen any movies or popups
Old 21 August 2003, 11:35 AM
  #6  
JackClark
Scooby Senior
 
Join Date: Dec 2000
Location: Overdosed on LCD
Posts: 20,852

http://vil.nai.com/vil/stinger
Old 21 August 2003, 11:40 AM
  #7  
Redkop
Scooby Regular
Thread Starter
 
Join Date: Oct 2001
Posts: 11,403

The Trend Micro online thingie is still running - so if that doesn't remove the little ******, I will try Stinger.

Cheers
Old 21 August 2003, 11:48 AM
  #8  
Redkop
Scooby Regular
Thread Starter
 
Join Date: Oct 2001
Posts: 11,403

Oh ****...went to delete it and this message came up

Unable to clean the file 'C:\Documents and Settings\Windows\Local Settings\Temp\movie0045.pif' because it is currently in use

What now? I am getting decidedly distraught
Old 21 August 2003, 11:53 AM
  #9  
Nicks VR4
Scooby Regular
 
Join Date: May 2003
Posts: 1,165

try this

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode).
- WinNT/2K/XP - Terminate the process WINPPR32.EXE
- Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
  - WINPPR32.EXE
  - WINSTT32.DAT
- Edit the registry
  - Delete the "TrayX" value from
    - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    - HKEY_CURRENT_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
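
Added example, not part of the original thread: a read-only PowerShell check for the indicators named in the removal steps above (the WINPPR32 process, the two files in the Windows directory, and the "TrayX" Run value). It only reports what it finds; the per-user key is read through PowerShell's HKCU: drive (HKEY_CURRENT_USER), and the script layout is this example's own.

```powershell
# Added example: report-only check for the Sobig.F indicators listed in the post above.
# Indicator names (WINPPR32.EXE, WINSTT32.DAT, TrayX) are taken from that post.
$findings = @()

# 1. Running process (Get-Process expects the name without the .exe extension)
$proc = Get-Process -Name 'WINPPR32' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process running: WINPPR32.EXE (PID $($proc.Id -join ', '))"
}

# 2. Dropped files in the Windows directory (Test-Path also sees hidden files)
foreach ($name in 'WINPPR32.EXE', 'WINSTT32.DAT') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 3. "TrayX" autorun value under the machine-wide and per-user Run keys
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $value = Get-ItemProperty -Path $key -Name 'TrayX' -ErrorAction SilentlyContinue
    if ($value) {
        $findings += "Autorun value: $key\TrayX = $($value.TrayX)"
    }
}

# Summary: nothing is stopped, deleted or changed by this script
if ($findings.Count -eq 0) {
    Write-Output 'None of the listed indicators were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output 'Clean up in the order given above: stop the process, delete the files, then delete the TrayX values.'
}
```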
Old 21 August 2003, 03:20 PM
  #10  
Redkop
Scooby Regular
Thread Starter
 
Join Date: Oct 2001
Posts: 11,403

- WinNT/2K/XP - Terminate the process WINPPR32.EXE
Don't have that showing in Processes. Have done a search on PC including Hidden Files and it doesn't show I have either WINPPR32.EXE or WINSTT32.DAT anywhere. Are these the file names associated with the sobig.f virus?

But a search I did, threw up movie0045.pif as a shortcut to MS-DOS. I haven't opened any emails that have had attachments for the last 2-3 days - so can anyone throw any light on how on earth it got in my PC?
Old 21 August 2003, 03:54 PM
  #11  
beemerboy
Scooby Regular
 
Join Date: Sep 2002
Location: Essexville
Posts: 4,391

quarantine it

in avg, think it's the virus vault....

BB

sorry if someone's said it, didn't have time to read whole thread
Old 21 August 2003, 04:01 PM
  #12  
Redkop
Scooby Regular
Thread Starter
 
Join Date: Oct 2001
Posts: 11,403

If you read the whole thread - you will see that I couldn't quarantine it bb
Old 21 August 2003, 04:12 PM
  #13  
Nicks VR4
Scooby Regular
 
Join Date: May 2003
Posts: 1,165

try this, it has a removal tool halfway down the page
no 6


http://www.sophos.com/support/disinfection/sobigf.html

Old 21 August 2003, 05:06 PM
  #14  
Redkop
Scooby Regular
Thread Starter
 
Join Date: Oct 2001
Posts: 11,403

Nick, when the search threw up movie0045.pif as a shortcut to MS-DOS I deleted it and also deleted it from the Recycle Bin. I have run 2 more scans on AVG and each one has shown the PC as clean and virus free now.

I am still confused as to how I got the virus, as I can honestly say I haven't opened any emails with attachments. I ran AVG last night about 9pm [although it is set to autoscan every morning] and it was clear then. Yet when it had run autoscan this morning at 7.00am it found the sobig.f virus. Also, I didn't receive any emails after 5.30pm yesterday afternoon!

[Edited by Redkop - 8/21/2003 5:08:35 PM]
Old 21 August 2003, 05:18 PM
  #15  
Nicks VR4
Scooby Regular
 
Join Date: May 2003
Posts: 1,165

It could have been a false alarm ?

Depending on how you receive emails also, you may not have opened the email but using preview pane etc can execute the .exe anyway

It seems pretty odd I must admit

Cheers Nick

Old 21 August 2003, 05:21 PM
  #16  
Redkop
Scooby Regular
Thread Starter
 
Join Date: Oct 2001
Posts: 11,403

Yeah I do use the preview pane, but I thought you actually had to open an attachment to execute the virus.
Old 21 August 2003, 05:29 PM
  #17  
Nicks VR4
Scooby Regular
 
Join Date: May 2003
Posts: 1,165

Apparently not
Using preview pane will execute for you
There is a thread on this topic as well over the last few days


Old 21 August 2003, 05:40 PM
  #18  
Redkop
Scooby Regular
Thread Starter
 
Join Date: Oct 2001
Posts: 11,403

You don't happen to have a link for it - do you? How do you set Outlook Express so that you don't use the preview pane?
Old 21 August 2003, 06:00 PM
  #19  
Nicks VR4
Scooby Regular
 
Join Date: May 2003
Posts: 1,165

I'm not using Outlook right now
There should be a button on the menu and should say preview pane or not

nope don't have the link either sorry




