Old 12-29-2005, 10:48 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2005
Location: Chicago Area
Posts: 35
OS: Win XP Home


Sober Y...Just can't remove it..Need Help?????

Hi,

Son's XP computer is infected with the virus Sober Y and we have tried everything to remove it to no avail. Steps we have taken:

>Tried to run on-line Panda scan...Blocked by Sober
>Tried to run and update Symantec antivirus..blocked
>Search for hidden files Win Explor....blocked (search feature disabled)
>Tried to load Nod32....blocked
>Tried several removal tools....blocked
>Tried Kaspersky scan....blocked
>Tried emergency recovery disks (Symantec)...said corrupt command com.
>Tried the steps in Microsoft removal bulletin...didn't work because we couldn't find the files to delete.
>and many more on-line scans. Nothing works.

Any help is really appreciated.

I mentioned that he should try to reload XP. Not sure if that's a good idea, but everything is failing. The problem with that is he has sp2 and his XP disk is sp1. It said it will put default setting in. Then he would have to put sp2 in.

Is reinstalling going to give him a chance to bust this virus up? Or will he just have a new install with virus.

The last resort which he really doesn't want to think of is reformat. The question is if that is necessary, will the virus hitch a ride on data files copied to his second hd?

Sure hope someone can help with the virus removal. He is a comic seller on ebay and has a ton of files on the system.

Thanks from both of us and have a Happy New Year.

Swen
__________________
Aspire (Turbo Case)X-Superalien Case 500W/PS (WAY TRICKED-OUT SYSTEM)
Asus K8V Deluxe
AMD Athlon 64 3200+
Zalman CNPS7000A-Cu cooling
2x Corsair XMS LL 521mb DDR PC-3200PRO RAM
ATI Radeon 9800PRO 128mb Video Card
WD Raptor 74G SATA HD
WD 120G SATA HD
Plextor 8X DVD-RW
MSI DVD-Rom
Creative Labs Audigy2 ZS Sound Card
AG Neovo E-19A 19" LCD Monitor
Klipsch THX Speaker System
Windows XP
Firefox 1.0.6
Thunderbird 1.0.6

Old 12-30-2005, 08:00 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,593
OS: 2000 Pro; XP Pro; XP Home


Reapplying SP2 isn't that bad, unless you're on dialup. MS also will provide it on CD, which your son should have to go with his XP SP1 install disk. He can then build a slipstream install CD to avoid such unpleasantness in the future...but that's another topic....

Let's see if his hosts file is out of whack, preventing access to these sites:

<Note: you may need to download these on another machine, and carry them to the infected machine via CDR or USB removable drive>

Download Hoster http://www.greyknight17.com/spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK. Click on Make Hosts Writable.

Download Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

Complete instructions if required:

Download the file to your desktop. Double click on it. In the left pane, there will be an option to Extract All Files. Click on that. A wizard window will pop up - Click Next.

A new Extraction Wizard window will open, with an address already in place to extract to. Click Next.

A new window will open, telling you that extraction is complete, with a check in a box to Show Extracted Files. Click Next, and the folder in which you've now extracted all files to will open. In this folder is a file called MVPS.bat Double click on this file. A DOS-type box will open and close quickly, this is normal.

Done. Hosts file installed.

Also, if possible, download an onboard scanning tool, such as Ewido and run a full scan.

Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

Reboot in normal mode.

See if you can now access Panda online scan.

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 12-30-2005 at 08:02 AM.
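
The hosts-file check suggested in the reply above can also be done by reading the file and listing any entry that maps a security or update site to a loopback, null or unexpected address. The script below is an added example, not part of the original post or of any tool it names; the keyword list and the sample hosts content are constructed assumptions.

```python
import ipaddress

# Assumption: keywords for the scanner/update sites mentioned in this thread.
WATCH_KEYWORDS = ("symantec", "kaspersky", "pandasoftware", "nod32",
                  "eset", "windowsupdate", "microsoft")

# Constructed sample hosts content, not taken from the infected machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com   # blocks definition updates
0.0.0.0         www.kaspersky.com
10.9.8.7        windowsupdate.microsoft.com
127.0.0.1       ads.example.net
not-an-ip       www.pandasoftware.com
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every well-formed mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, ignored
        for name in fields[1:]:                  # one address, many aliases
            yield line_no, addr, name.lower().rstrip(".")

def suspicious_entries(text, keywords=WATCH_KEYWORDS):
    """Return (line_no, hostname, address, kind) for watched hostnames."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if any(k in name for k in keywords):
            # Loopback/null addresses make the site unreachable;
            # any other address sends the browser somewhere else.
            blocked = addr.is_loopback or addr.is_unspecified
            findings.append((line_no, name, str(addr),
                             "blocked" if blocked else "redirected"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

To check a real machine, read its hosts file into a string and pass it to `suspicious_entries`; ad-blocking hosts lists map many unrelated names to 127.0.0.1, which this check deliberately ignores.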
All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum