unsobigf.inf is a little file I wrote. The “default install” for the file is to delete the two Sobig.f files from your Windows directory and remove the two startup commands from the registry. It will not delete the files if they’re currently in use. Run taskmgr and look for a process named winppr32.exe. Click on that process, then click the End Process button to shut the virus down. Save the file, right-click on it, and choose Install. As long as you stopped the program, the virus should be completely removed from your system. If you didn’t stop the program, the .inf should at least remove the startup commands from the registry. After rebooting, the virus shouldn’t run automatically. This will allow the .inf to remove the files that were running before.
The latest variant of the Sobig virus is going around. The easiest way to see if you’re infected is to look for a WINPPR32.EXE file in your Windows directory. Running dir %windir%\WINPPR32.EXE from a command prompt (run cmd) will tell you that the file isn’t found or give you info for the file. If you have the file, you’re infected. Update your virus scanner and/or do a free online virus scan at Trend Micro or Panda.
The virus spreads by email. If you get one of these emails, remember that the return address is forged. The virus picks a random address found on the infected PC (address book, old mass emails, saved webpages, etc.) and uses that as the return address. You can find the actual sender by viewing the header information of the email (usually hidden by default). In Outlook Express, you should be able to select the message and press Ctrl+F3 to view the raw data. There should be a line that starts with Received: from. It will say that a message was received from an IP address, by your mail server, for your email address. The virus has a built-in mail server, so the IP address of the sending mail server is the infected PC. If you run ping -a 111.222.333.444 (using the infected IP address you just found), it will look up the hostname for that IP address. That will tell you the user’s ISP, and possibly their region. This can help you figure out who the infected user is. If the forged address is something like firstname.lastname@example.org, then you can probably assume that the infected user is subscribed to the same mailing list at mycoolcar.com that you are, and that’s where they got your address. Obviously the best way to contact them is probably going to be through mycoolcar.com.
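Here is the header walk described above done in code, as an added example rather than anything from the original post: it reads the Received: chain of a raw message, skips internal relay addresses, and returns the earliest routable hop (the infected PC), with a reverse lookup equivalent to ping -a. The message is constructed for the example; the hostnames and IPs are not from a real infection.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample (not a real capture): the From: address is a forged list
# subscriber, while the earliest Received: hop names the real sending IP.
SAMPLE_RAW_MESSAGE = (
    "Received: from mx1.example.org (mx1.example.org [10.0.0.5])\n"
    "\tby mailbox.example.org with ESMTP id A1; Tue, 19 Aug 2003 10:15:33 -0400\n"
    "Received: from dsl-user-23.isp.example ([198.51.100.23])\n"
    "\tby mx1.example.org with SMTP id B2 for <you@example.org>;\n"
    "\tTue, 19 Aug 2003 10:15:31 -0400\n"
    "From: firstname.lastname@example.org\n"
    "To: you@example.org\n"
    "Subject: Re: Details\n"
    "\n"
    "See the attached file for details.\n"
)

IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Internal relay ranges; the Internet-facing sender is never one of these.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def received_hop_ips(raw_message):
    """IP in the 'from' clause of each Received: header, latest hop first."""
    hops = []
    for header in message_from_string(raw_message).get_all("Received", []):
        # Unfold the header and keep only the text before 'by', so the
        # receiving server's own address is not picked up by mistake.
        from_clause = re.split(r"\bby\b", " ".join(header.split()), maxsplit=1)[0]
        found = IPV4_RE.findall(from_clause)
        hops.append(found[0] if found else None)
    return hops

def originating_ip(raw_message):
    """Earliest hop with a routable address: the machine that really sent it."""
    for ip in reversed(received_hop_ips(raw_message)):
        if ip and not any(ipaddress.ip_address(ip) in net for net in NON_ROUTABLE):
            return ip
    return None

def reverse_lookup(ip):
    """What 'ping -a' does: reverse DNS for the IP (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None
```

Paste the raw headers from Ctrl+F3 in place of the sample and call originating_ip on them; reverse_lookup on the result gives the ISP hostname the post describes.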
Make sure you don’t run any of the email attachments while you’re doing this. That will infect your computer and just make things worse. As a general rule, you shouldn’t open any attachment unless you’re expecting it, even if you know the person. Many of the newer viruses spread using information from the address book, so you’re very likely to get an email virus from someone you know.