infected with win32:sober-x3

Email attachment was opened (by the wife) which said thanks for your registration, see attachment for details. email attachment was reg_text.zip.

Avast identified this as win32.sober-x3[wrm!]

Don’t see anything with this specific name, except a .x in German.

Recommended action was to move to chest. Email is still opened, will not allow to move to chest due to file in use.

Going home (15 minutes) to see if I can get it moved to chest.

Any help would be appreciated.

Regards, Kevin ???

Hello :slight_smile:

If you have NT based operating system you can do a boot-time scan :wink:

I got the details in a text file, scheduled a boot-time scan, and it's running now…

  1. Too late now, but without knowing what your email client is, you could be in danger of losing your inbox or any email database file containing the infected email.

So advising a boot-time scan is not recommended unless you know the email program. Even then with windows not running, I’m not sure that avast could extract an infected email from an email folder (single database file), so you could be liable to lose the complete database file.

Most email programs store emails in a single file (database) for each email folder to save space through storing individual emails as a file in its own right. avast is able to extract emails from some email programs (OE) without damage or corruption, other like (Tbird) it can’t, so the only option is deletion of the complete file containing the infected email.

The inbox is the one most likely to become infected or corrupt due to a system crash so it isn’t advisable to use it as an email storage area, rather a pending tray, where emails are read and moved to a more appropriate email folder (personal, newsletters, etc.), that way if the inbox is corrupted/deleted you don’t lose much.

So far so good. Boot scan hit a file with JS:ClassLoader-1 and I managed to mess up the scan by hitting 8 to ignore all (attempting to go up, the arrow key was 8 as well), at which point I hit the power button and started over.

Having restarted, I started a thorough virus scan.

It found the file with the JS:ClassLoader-1 as well as the sober-x3 file in the temporary internet files folder.

The JS:ClassLoader-1 file is
a.jar-228d5c98-4a9f9e49.zip and was in the c:\documents and setting(user)\application data\sun\java\deployment\cache\javapi\v1.0\jar

Email is fastmail.fm, not an internal pc client such as outlook.

Should we forward email to avast?

No, don’t send the email if the infected attachment has been detected by avast unless incorrectly detected.

Clear the temporary internet files and java cache and scan again to ensure you are clear.

Often the classloader stuff is related to having an old version of Sun’s Java, ensure that you have the latest version.

So I assume fastmail.fm is web based email as the email and attachment ended up in the temporary internet files folder and I assume again was detected by the Standard Shield provider?

Now I can’t even find the java cache folder.

I deleted temp files and cookies, though.

How do I check java level?

Do you have an entry of Java into Control Panel?

Hello kevinlflanagan,

Here is a link to read all about restoring in case of such a disaster.
There is also a link to acquire Outlook Express Backup Genie.
Go to: http://www.pchell.com/support/restoreoe.shtml
We all should do this in case of a disaster looming.
Patch and backup that is the life of the security aware.

For Java info go to the DOS prompt and type: jview
Bingo.

Greets,

polonus

The clue is in the path you gave, follow it in windows explorer.

  • c:\documents and setting(user)\application data\sun\java\deployment\cache\javapi\v1.0\jar