Ok, so I’ve been using Avast for about 1.5 years, Ewido, and Zone Alarm for 3 days, and twice in the last couple of days, the virus Win32.Sober.W!ZIP has sent out unauthorized spam from my computer. Ran HijackThis, but it doesn’t find it. Zone Alarm finds it but says it is unable to “treat” it. Don’t think Avast is even finding it there. Anyone else having this problem? What did you do? I tried a Housecall.trendmicro scan (from IE), but it wouldn’t even work.
the way I know this is happening is that yesterday I got a delivery failure notification, listing a whole long list of email addresses that I supposedly sent posts to (but I didn’t), and at the end it says:
“ZoneAlarm Security Suite has detected the following infected attachment(s):
*Message Part>reg_pass-data.zm9 : Win32.Sober.W!ZIP : Unable to repair”
These addresses were all to “setonimaging.com” Don’t even know who that is.
This morning, I got another one, slightly different:
The original message was received at Sat, 10 Dec 2005 10:06:00 -0500 (EST)
from host-216-153-135-93.buf.choiceone.net [216.153.135.93]
"Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: “----- The following addresses had permanent fatal errors -----”.
The reason your mail is being returned to you is listed in the section
labeled: “----- Transcript of Session Follows -----”.
The line beginning with “<<<” describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.
Please direct further questions regarding this message to your e-mail
administrator.
–AOL Postmaster"
Again, with a long list of AOL addresses, none of which I know. They seem to be just CG.
I’ve been getting occasional Avast Timeout - Connection elapsed! messages, with (thunderbird.exe → charter.net:110) underneath. What port is 110? What does it do? I think this is the source of the generation, but can’t block Thunderbird, as it is my email program.
First of all, the fact that you get infected emails returned to you does not necessarily mean that your computer is infected: an infected machine could be faking your address.
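One way to apply that check to a bounce like the one quoted above, as an added example that is not code from anyone in this thread: it pulls the "from host [ip]" line the bouncing server recorded and compares it with the networks your own ISP actually sends mail from. The MY_NETWORKS range and the example-isp.net names are assumed placeholders; the choiceone.net host and address are the ones in the quoted bounce.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the lead lines of the AOL bounce quoted in this thread
BOUNCE = (
    "The original message was received at Sat, 10 Dec 2005 10:06:00 -0500 (EST)\n"
    "from host-216-153-135-93.buf.choiceone.net [216.153.135.93]\n"
    "----- The following addresses had permanent fatal errors -----\n"
)
# Constructed sample of what a bounce for mail you really sent might look like;
# hostname and address are hypothetical placeholders, not taken from the thread
OWN_BOUNCE = (
    "The original message was received at Sat, 10 Dec 2005 11:00:00 -0500 (EST)\n"
    "from smtp.example-isp.net [192.0.2.44]\n"
)
# Hypothetical: the networks and hostnames your own ISP's outgoing mail comes from
MY_NETWORKS = [ip_network("192.0.2.0/24")]
MY_MAIL_DOMAINS = ("example-isp.net",)

# Matches the "from <host> [<ipv4>]" line a bouncing server writes into its report
RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)

def originating_hosts(bounce_text):
    """Return (hostname, ip) pairs the bouncing server says it received the message from."""
    return RECEIVED_RE.findall(bounce_text)

def classify_bounce(bounce_text, my_networks=MY_NETWORKS, my_domains=MY_MAIL_DOMAINS):
    """'likely-backscatter' when the submitting host is not your ISP's (someone else's
    infected machine faked your address), 'check-your-machine' when it is,
    'undetermined' when the report carries no host line at all."""
    hosts = originating_hosts(bounce_text)
    if not hosts:
        return "undetermined"
    for host, ip in hosts:
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # malformed address in the report; ignore that line
        if any(addr in net for net in my_networks) or host.lower().endswith(my_domains):
            return "check-your-machine"
    return "likely-backscatter"

if __name__ == "__main__":
    for text in (BOUNCE, OWN_BOUNCE):
        print(originating_hosts(text), "->", classify_bounce(text))
```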
I installed ZA because it was pointed out to me that I didn’t have a Firewall - you can read the series of posts that led to that on the Home/Pro forum, just a few days ago.
I was getting a different Timeout message on port 25; with ZA, I was able to block the program that was sending the offending emails. I had also had my ISP block my access because it perceived too many multiple-addressee emails being generated from my computer. So using ZA fixed it. The person who advised this said that ZA worked well with Avast. NO?
A couple of entries are highlighted by Castlecops as undesirable - these require investigation by yourself and a decision as to whether you will want to keep them:
ZA firewall will work with avast! ZA security suite includes an AV which may conflict - both have on-access scanners which may conflict when checking a file as it is opened, like two dogs fighting over a bone.
Blacklight found nothing. Kaspersky found 23 viruses. The report is attached to this post. Unfortunately, it didn’t offer the option of deleting them, so they’re still there. Can’t figure out how to get rid of them.
Got another Delivery Failure email today of another virus sending spam out without my knowledge. This message attached:
ZoneAlarm Security Suite has detected the following infected attachment(s):
*Message Part>mail.zm9 : Win32.Sober.W!ZIP : Unable to repair
avast! Antivirus: Inbound message INFECTED:
\PartNo_2#3888668134\mail.zm9#3246972437 (Win32:Sober-AB2 [Wrm]) was deleted from the message., \PartNo_5#3888668134\mail.zm9#3246972437 (Win32:Sober-AB2 [Wrm]) was deleted from the message.
Virus Database (VPS): 0550-0, 12/10/2005
Have run Ewido - nothing. Avast apparently doesn’t know they are there. Why not?
I used HJT to “fix” the one nasty that you identified, above. The others I’m not so sure about. Some are ActiveX applications that I just installed in order to run TrendMicro. Are they really a problem?
Thanks for the advice on the ZA Suite vs. Firewall. I’ll try to get that fixed tomorrow.
Hi and welcome back,
You say Kaspersky scanned but didn't clean/remove, how do you know this to be so? I had always expected that KAV online scan to fix as well.
My guess is that it hasn't announced that they were removed or given you the option, it's just gone ahead and deleted them. KAV is very much like that in that it gives you no authority to decide anything. If you take another look at your scan you will see that there are three viruses and you had 23 instances or objects and they are all sitting in the same file. Could I suggest you go here http://virusscan.jotti.org/ and scan just the one file that they were sitting in and see what turns up.
Anyway please post back if you are still having trouble. As FWF has suggested one AV is best, two is trouble. But you only need to remove the AV from ZA suite and keep the firewall if that's possible. I hope you didn't have to pay for it. You might feel better removing avast, that's up to you.
You don't need to worry about the sober virus warnings as they are inbound and to use your/Avast's words "(Win32:Sober-AB2 [Wrm]) was deleted from the message", so perhaps the others were calling this one in. Did you get this warning before or after visiting KAV?
Can you post another hjt log for us to look at?
The bad news is that the Kaspersky online scanner will not remove malware.
The good news is that all the viruses seem to be in your email archive and inactive. avast! probably didn’t detect them because you didn’t enable archive scanning. They all seem to be in a junk folder anyway. Go to Thunderbird and delete your junk mail and that should get rid of them.
As Cloussau said, the virus warnings were inbound so you don’t need to worry. Somebody with an infected computer had your address on their machine and the virus is faking your address. See the link I posted earlier.
So avast! is protecting you now from viruses in email.