Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Sowar.vbs Registry Effects


  • Please log in to reply
8 replies to this topic

#1 Lai_Lan

Lai_Lan

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 07 July 2008 - 10:38 AM

Ok. These are the files that keep popping out of nowhere.

Autorun.inf
[autorun]
open=wscript.exe sowar.vbs
shell\Open\Command=wscript.exe sowar.vbs
shell\Open\Default=1
shell\AutoPlay\Command=wscript.exe sowar.vbs
shell\Explore\Command=wscript.exe sowar.vbs

Cool USEP Scandal.vbs

sowar
a VBScript Script File


This is what I did:

I download DrWebCureIt.
Goes to safe mode.
Scan files.
At about 35000 scans, it stopped moving.
I browsed my files and sort them by the Date Created.
I delete all the suspicious files that was created this day.
The scanning is still not moving. So I stopped it.
I reboot my pc and the files didn't came back.
But its effects like the disabled Task Manager, Registry Editor and etc are bugging me.

How can I undo these effects?

BC AdBot (Login to Remove)

 


#2 Lai_Lan

Lai_Lan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 08 July 2008 - 06:30 AM

It seems my pc is fine now.

I have already enabled my Task Manager and Registry Editor.

Though, I don't know if I'm still infected by the virus.

What I'm doing now is every time I see a "sowar" in the file name or in the registries, I delete it without second thoughts. Is it ok to do that?

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:35 AM

Posted 08 July 2008 - 06:51 AM

Please insert your flash drive before we begin. Hold down the Shift key when inserting the drive until Windows detects it to bypass the autorun feature.

Reboot your computer in "Safe Mode" or "Safe Mode With Command Prompt" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode With Command Prompt".

Go to Start > Run and type: cmd
  • press Ok.
  • At the command prompt, type in your primay drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • Hit Enter.
  • Type: attrib -s -h -r -a autorun.inf
  • Hit Enter.
  • Type: dir
  • Hit Enter. This will allow you to see and confirm the Autorun files.
  • Type: del autorun.inf
  • Hit Enter.
  • Repeat the above commands for each drive on your computer including your flash/usb drive.
Now search for and remove sowar.vbs
  • At the command prompt, type in your primay drive location, usually C:
  • Hit Enter.
  • Type: attrib sowar.vbs.* -s -h -r -a
  • Hit Enter.
  • Type: dir /s sowar.vbs
  • Hit Enter.
  • If the file is present, type: del sowar.vbs
  • Hit Enter.
  • Repeat the above commands for each drive on your computer including your flash/usb drive.
  • Then repeat these instructions to search for and delete SysRes.vbs, Cool USEP Scandal.vbs on each drive if present.
  • Exit the command prompt and reboot normally.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

When done, check for and remove any Startup RUN values by downloading and using Autoruns.

Edited by quietman7, 08 July 2008 - 06:52 AM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Lai_Lan

Lai_Lan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 08 July 2008 - 09:07 AM

Thanks. I did what you said and found out that I already deleted some of those files, maybe that's why it doesn't spread anymore.

I'm not really good at using cmd. So is it ok if I delete the files manually while on Safe mode next time? Like un-hiding system files and delete the suspicious files or the files I don't recognize being there. Or using search, where the files can be viewed but never did Open, AutoPlay or Explore and then deleting them there.

I already run Flash_Disinfector. I just want to know how that autorun.inf folder works? Or what is it? At least this information will give me better understanding on it. Hehe. All in all, thanks a lot!

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:35 AM

Posted 08 July 2008 - 04:46 PM

So is it ok if I delete the files manually while on Safe mode next time? Like un-hiding system files and delete the suspicious files or the files I don't recognize being there

You can delete files manually in safe mode if you are sure they are bad. Don't ever delete a file just because you do not recognize it.

Anytime you come across a suspicious file or one that you do not recognize, search the name using Google or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
ThreatExpert Malware Search
If no search results are found, you are given the option to "Submit a New Sample".

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Then post back with the results of the file analysis.

I just want to know how that autorun.inf folder works? Or what is it?

Flash (usb, pen, thumb, jump) drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

"Autorun" is the feature built into Windows that automatically runs a program specified by an "autorun.inf" file whenever a CD-ROM, DVD or USB drive is plugged into a Windows-based computer. Autorun is intended as a convenience to automatically start an installer when removable media is inserted into the computer.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

You can hold down the Shift key when inserting the drive into your computer until Windows detects it to keep autorun.inf from executing automatically. However, I recommend disabling the Autorun feature feature on USB and removable drives as a method of prevention. This should keep the malicious file from automatically running upon insertion and infecting your system while allowing you to safely perform a scan.

The easiest way to disable Autorun on a specific drive is to download and use Tweak UI PowerToy.
  • After installation, launch Tweak UI, double-click on My Computer in the tree menu on the left, then click on AutoPlay > Drives. This will allow you to change the system settings for AutoPlay/autorun.
  • Uncheck the drives you want to disable AutoPlay on and click on Apply.
  • Next, click on the Types in the left tree. This allows you to control whether Autoplay is enabled for CD and DVD drives and removable drives. You may need to restart Tweak UI if it closes after step 2.
  • Uncheck the box to disable Autoplay for a particular type of drive.
  • Click Apply.
If needed, see Disable Autorun/AutoPlay in XP with Tweak UI" for instructions with screenshots.

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful. Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (cd, dvd, usb/flash drive or external hard drive).

Always scan USB Flash Drives after they have been used in other computer systems, even your own. An easy way to do this is to download "ClamWin Portable Antivirus", put it on your USB Flash Drive, update its definition files and perform a scan.

Another prevention measure you can use is Symantec's NoScript utility. Scroll down to the section "How to disable (or re-enable) the Windows Scripting Host" to find the link and follow the instructions. Noscript will disable the Windows Scripting Host and prevent VBScripts from running on your machine until you run the utility again. Firefox also has a free NoScript Add-on for its browser.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 Lai_Lan

Lai_Lan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 10 July 2008 - 01:42 AM

I am really thankful for your advices. I'll follow them. Thanks!

Oh and one more thing, if in any case that the infection is no longer spreading, is it ok to use the Format option to clean the Flash Drive?

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:35 AM

Posted 10 July 2008 - 09:54 AM

The instructions I provided should have cleaned your flash drive but there is nothing wrong to reformatting it to start fresh. I would rerun Flash_Disinfector.exe when done to protect it.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 Lai_Lan

Lai_Lan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 11 July 2008 - 02:00 AM

Done. Many many thanks! :D

And can you recommend me with a free reliable anti-virus scanner? Hehe.

Edited by Lai_Lan, 11 July 2008 - 03:37 AM.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:35 AM

Posted 11 July 2008 - 06:41 AM

You're welcome.

Free Antivirus programs: (choose and install only one)
avast! 4 Home Edition (comes with built-in anti-rootkit and anti-spyware protection)
Avira AntiVir Personal - Free Antivirus (provides some rootkit detection and removal))
AVG Anti-Virus Free Edition 8.0

Tips to protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid online gaming sites and peer-to-peer (P2P) or file sharing programs as they are a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans target and spread across P2P files sharing networks and gaming sites. In some instances the infection may cause so much damage to your system that recovery is not possible and the only option is to wipe your drive, reformat and reinstall the OS. The best way to reduce the risk of infection is to avoid gaming sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users