BleepingComputer.com: Sowar Browser

hi superbird. i hope you can help me. i have the exact same problem as binomial's.
i did what you said and this is the copy of the LOG content that i copied. What do i
do next? Please help me. Thank you so much in advance. Have a nice day.

Pinklady1123

Malwarebytes' Anti-Malware 1.30
Database version: 1310
Windows 5.1.2600 Service Pack 3

10/24/2008 4:49:08 AM
mbam-log-2008-10-24 (04-49-08).txt

Scan type: Quick Scan
Objects scanned: 75304
Time elapsed: 51 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi Pinklady,

I PM'd a mod to split the topic, because you came with your problem in an other one's topic.

- Do a full scan with MBAM, and post the new logfile in your next reply.

How to Remove sowar.vbs Virus

CAUTION: These steps involve making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own.

To fix the "Long Live Sowar" message in the title bar, see How to Change the Internet Explorer Window Title (be sure to read the section on backing up your registry first) or you can try using ieclear.bat by IE MVP Hans Le Roy which will reset the title to Windows default.

Then download Flash_Disinfector.exe by sUBs and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  
• The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  
• Wait until it has finished scanning and then exit the program.
  
• Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

When done, check for and remove any Startup RUN values by downloading and using Autoruns.

Hi superbird and quietman7. Thank you so much for your help. I appreciate you helping out a newbie like me. I read the instructions on another topic here (the same one as what quietman7 quoted on his reply). The Sowar Browser Title changed back to Windows Internet Explorer. Now, whenever the computer starts up, a WINDOWS SCRIPT HOST appears with this message "Can not Find Script File "C:\WINDOWS\Sowar.Vbs" What does it mean? What can I do to remove it? Superbird, I am currently performing FULL SCAN as you suggested, I will post the logfile afterwards (i hope it's not too late). Thanks in advance to both of you. =]

pinklady

all you have to do is to download the autorun and run it...
and then CTRL+F and type the sowar.vbs on the dialog box...
and it will show you the RAWOS.VBS with the check on the box.... right click on that file and choose delete...

http://technet.microsoft.com/en-au/sysinte...s/bb963902.aspx (autorun download)

i hope this one will help you... coz i just figured out and it work with my pc...

Hi Pinklady,

Do a new full scan with MBAM. Post the new logfile.

Hi Xzibit13, i will do as you suggest. I hope it works. Thank you for taking the time to help me.

Hi Superbird. Here is the new logfile. Thanks.



Malwarebytes' Anti-Malware 1.30
Database version: 1310
Windows 5.1.2600 Service Pack 3

11/8/2008 12:52:52 PM
mbam-log-2008-11-08 (12-52-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 122753
Time elapsed: 4 hour(s), 28 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi,

Seems you are clean now.

Quietman, what do you think?

How is your computer running now? Any more reports/signs of infection or the "Long Live Sowar" message in IE's title bar?

My computer is Sowar Free now! Thank You for being patient with me, Superbird, Quietman and Xzibit!
I appreciate all your help. More power to all of you. =]

Pinklady

Hi,

Nice to hear that.

Please do this:

1. Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
  
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  
• Then use Disk Cleanup to remove all but the most recently created Restore Point.
  
• Then go to Start > Run and type: Cleanmgr
  
• Click "OK".
  
• Click the "More Options" Tab.
  
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

2. Go to the Windows update site and download and install all available updates, so your computer is prtected against malware.

3. Read this page To prevent yourself against re-infection.

You can delete all used tools and programs.

More tips to protect yourself against malware and reduce the potential for re-infection:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".
• "Use Task Manager to close pop-up messages to safely exit malware attacks"

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

hi i got infected by sowar.vbs and i used Malwarebytes' Anti-Malware 1.30 to try to fix the task bar problem but it didnt detect any malware after i deleted during the first scan but it still cant open the taskbar. this is the result of the second scan. help? thanks in advance


Malwarebytes' Anti-Malware 1.30
Database version: 1411
Windows 5.1.2600 Service Pack 3

11/19/2008 7:05:22 PM
mbam-log-2008-11-19 (19-05-22).txt

Scan type: Quick Scan
Objects scanned: 23058
Time elapsed: 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Welcome to BC raindrops

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff

quietman7, on Nov 19 2008, 08:14 PM, said:

hi! sorry bout that! thanks for the welcome!