I have been unable to run the sobig removal tool on my computer
through the complete process.  I have tried this several ways: I have
it downloaded on my desktop, have run it several times in regular
mode, with NAV temporarily disabled, in safe mode, tried downloading
the removal tool a second time doing the same things, tried
disconnecting from the internet and also staying connected.  My NAV
says I do not have the virus but I am still receiving multiple emails
periodically.  This has not been as bad as last week when I received
hundreds.  I have only received about 50 in the past few days this
time around.  No one with microsoft, my ISP or symantec has been able
to offer any suggestions. I will get to a certain point and the
download stops and creates an error log.  I have downloaded updates
regularly, do virus scans regularly, downloaded the patch for the
blaster worm.  Does anyone have a suggestion on how I can run this
removal tool completely?

Hi nan1dayx,

It sounds like you really DON'T have the virus. Rest assured, the
emails that you are receiving are from OTHER PEOPLE who *ARE* infected
with the virus: you are just the unlucky recipient of the emails.

You have done everything I would have suggested to you to protect
yourself--however, receiving the virus emails will NOT harm your
system (as long as they are not open/executed(!)). It is simply
something that should be deleted from your inbox. Nothing more needs
to be done other than what you are already doing (keeping updated with
Symantec, Microsoft, etc).

Hope this puts your mind at rest!

However, if you wish to double-check that the virus does not exist in
your system manually, here is the Technical details on the virus:

(All information from Symantec Anti-Virus Research Center at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
)
***

When W32.Sobig.F@mm is executed, it performs the following actions:

Copies itself as %Windir%\winppr32.exe.

NOTE: %Windir% is a variable. The worm locates the Windows
installation folder (by default, this is C:\Windows or C:\Winnt) and
copies itself to that location.

Creates the file, %Windir%\winstt32.dat.

Adds the value:

"TrayX"="%Windir%\winppr32.exe /sinc"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.


Adds the value:

"TrayX"="%Windir%\winppr32.exe /sinc"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.


Enumerates any network shares to which the infected computer has write
access. The worm uses standard Windows APIs to do this.

NOTE: Due to a bug in the code, the worm does not copy over network
shares.

***

Thanks,

Legolas-ga

Your answer was complete as far as the virus is concerned and very
thorough.  I had done all of that research myself.  My real concern
was how to download the Removal Tool.  I am assuming I cannot download
it unless I have the virus, according to your answer.  In any case, I
continue to receive emails from someone who is infected which is
basically just a pain in the neck.  Hence, no solutions I know of
other than continuing to delete, delete, delete.  Thank you.