
Newbie: Sowar.vbs - Help!


5 replies to this topic

#1 Amaya Bajaratt
  • Members
  • 5 posts

Posted 12 July 2008 - 11:39 AM

Hi, I'm a newbie here and a bummer when it comes to viruses, trojans, whatever. I came across another problem again. May you please extend help? Here goes:

I am usually very careful with removable media, but last night somebody used a flash drive in my laptop without my approval, so I now have, I guess, a worm.

When I turned on my unit, it didn't seem to have a problem actually, but when a pirated CD began to lag, I usually end this process using Task Manager. But lo and behold, my Task Manager is disabled. So I went to Run and keyed in cmd, typed c:\>dir /ahs and found a sowar.vbs in the list. I tried running regedit to delete files which end in vbs, but it was also disabled!

I am using Symantec's AV. It did detect the virus last night actually but wasn't able to destroy it, whatsoever. And I can't even update my virus definitions now. My OS is Windows XP SP2.

Please HELP!! Thanks a lot and God bless! :thumbsup:


#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,128 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 July 2008 - 02:21 PM

Please insert your flash drive before we begin. Hold down the Shift key when inserting the drive until Windows detects it to bypass the autorun feature.

Reboot your computer in "Safe Mode" or "Safe Mode With Command Prompt" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode With Command Prompt".

Go to Start > Run and type: cmd
  • press Ok.
  • At the command prompt, type in your primary drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • Hit Enter.
  • Type: attrib -s -h -r -a autorun.inf
  • Hit Enter.
  • Type: dir
  • Hit Enter. This will allow you to see and confirm the Autorun files.
  • Type: del autorun.inf
  • Hit Enter.
  • Repeat the above commands for each drive on your computer including your flash/usb drive.
Now search for and remove sowar.vbs, SysRes.vbs, Cool USEP Scandal.vbs
  • At the command prompt, type in your primary drive location, usually C:
  • Hit Enter.
  • Type: attrib sowar.vbs.* -s -h -r -a
  • Hit Enter.
  • Type: dir /s sowar.vbs
  • Hit Enter.
  • If the file is present, type: del sowar.vbs
  • Hit Enter.
  • Repeat the above commands for each drive on your computer including your flash/usb drive.
  • Then repeat these instructions to search for and delete SysRes.vbs, Cool USEP Scandal.vbs on each drive if present.
  • Exit the command prompt and reboot normally.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

When done, check for and remove any Startup RUN values by downloading and using Autoruns.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
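The manual steps above (un-hide autorun.inf, read it, delete it, then hunt for the named .vbs files on every drive) can be rehearsed read-only before anything is deleted. The following Python script is an added example, not code from the thread and not part of sUBs' Flash_Disinfector: it parses an autorun.inf, lists every directive that would execute something when the drive is opened, flags launchers that go through the Windows Script Host or a script file, and recursively searches a path for the file names quietman7 lists, the way `dir /s sowar.vbs` does. The sample autorun.inf is constructed for illustration; the real file dropped alongside sowar.vbs is not shown in the thread.

```python
"""Read-only triage of an autorun.inf and a drive, for the USB-worm pattern in this thread.

Added example; not the thread's commands and not the Flash_Disinfector tool.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Extensions that hand execution to the Windows Script Host or the shell.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".wsf", ".js", ".jse", ".bat", ".cmd")
# [autorun] keys that run something directly when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample of the kind of autorun.inf a USB worm drops.  The actual
# autorun.inf used by sowar.vbs is not shown in the thread (assumption).
SAMPLE_AUTORUN_INF = """\
[autorun]
open=wscript.exe //e:vbscript sowar.vbs
shellexecute=sowar.vbs
shell\\open\\command=wscript.exe sowar.vbs
shell\\explore\\command=wscript.exe sowar.vbs
icon=%SystemRoot%\\system32\\shell32.dll,8
"""


def parse_autorun(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse INI-style text into {section: [(key, value), ...]}, keeping order and duplicate keys."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections


def launch_directives(sections: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Every [autorun] entry that can execute something: open=, shellexecute=, shell\\<verb>\\command=."""
    return [
        (key, value)
        for key, value in sections.get("autorun", [])
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def referenced_script(command: str) -> Optional[str]:
    """First token of a command line that ends in a script extension, or None."""
    for token in command.replace('"', "").split():
        if token.lower().endswith(SCRIPT_EXTENSIONS):
            return token
    return None


def assess(text: str, hidden_files=()) -> List[str]:
    """Human-readable findings; hidden_files is the list you got from `dir /ahs`."""
    hidden = {name.lower() for name in hidden_files}
    directives = launch_directives(parse_autorun(text))
    findings: List[str] = []
    for key, command in directives:
        script = referenced_script(command)
        uses_host = re.search(r"\b[wc]script(\.exe)?\b", command, re.IGNORECASE) is not None
        if script or uses_host:
            findings.append(f"{key}= runs a script: {command}")
        if script and os.path.basename(script).lower() in hidden:
            findings.append(f"{key}= targets a hidden file: {script}")
    if directives and not findings:
        findings.append("autorun launches something, but not a script file")
    return findings


def find_named_files(root: str, names) -> List[str]:
    """Case-insensitive recursive search for the given file names, like `dir /s <name>`."""
    wanted = {name.lower() for name in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in wanted)
    return sorted(hits)


if __name__ == "__main__":
    for finding in assess(SAMPLE_AUTORUN_INF, hidden_files=["sowar.vbs"]):
        print(finding)
    # On a real drive: find_named_files("E:\\", ["sowar.vbs", "SysRes.vbs", "Cool USEP Scandal.vbs"])
```

Run `assess()` on the contents of each drive's autorun.inf before deleting it, passing the names `dir /ahs` showed as hidden; every directive it reports is a file the worm expects to be executed, so those names belong on the `find_named_files()` list for every drive, including the flash drive.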

#3 Amaya Bajaratt
  • Topic Starter
  • Members
  • 5 posts

Posted 13 July 2008 - 12:33 PM

Thank you.

I did what you said, but when I start Windows normally, it'll still come back.

So I tried another one: when I went to Safe Mode and logged in as Administrator, I was able to open my registry. There I found sowar had created a folder and deleted it manually, and also the autorun, which was c:\WINDOWS\Sysres.vbs.

When I started Windows normally, sowar was gone and I just deleted Cool USEP Scandal manually. After I rebooted, they didn't come back anymore. But my problem now is that my Task Manager and Regedit are still disabled.

#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,128 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 July 2008 - 12:40 PM

Please download FixPolicies.exe and save to your Desktop. For Windows XP ONLY. Do not run on any other Operating System.
  • You can ignore the warning about downloading this type of file.
  • Double-click FixPolicies.exe (this is a self-extracting ZIP archive).
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Open the FixPolicies folder and double-click on Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • Restart your computer.
This fix is used to remove certain restrictions on your system often disabled by malware and reset them to Windows default.
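Task Manager and Regedit stay disabled after the worm is gone because the restriction is a leftover registry policy, not a damaged program. The script below is an added example, not the FixPolicies tool and not from the thread: it checks the two per-user policy values that produce the "disabled by your administrator" message for Task Manager (DisableTaskMgr) and the Registry Editor (DisableRegistryTools) under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, and on Windows deletes them. The snapshot dictionary is constructed to mimic the state described in this thread; the same values can also be set under HKLM, which this script does not touch.

```python
"""Check and clear the registry policies that disable Task Manager and Regedit.

Added example; not the FixPolicies tool and not from the thread.
"""
import sys
from typing import Dict, List, Optional

# Real per-user policy key.  A DWORD of 1 in either value makes the tool refuse to
# start with "has been disabled by your administrator".  The same value names also
# exist under HKLM for machine-wide policy; this script only handles HKCU.
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
RESTRICTIONS = {
    "DisableTaskMgr": "Task Manager",
    "DisableRegistryTools": "Registry Editor (regedit)",
}

# Constructed snapshot of what the thread describes: both tools disabled.
SAMPLE_SNAPSHOT: Dict[str, Optional[int]] = {"DisableTaskMgr": 1, "DisableRegistryTools": 1}


def evaluate_policies(values: Dict[str, Optional[int]]) -> List[str]:
    """Names of the tools restricted in a {value_name: dword or None} snapshot."""
    return [tool for name, tool in RESTRICTIONS.items() if values.get(name) not in (None, 0)]


def read_policies() -> Dict[str, Optional[int]]:
    """Read the restriction values from HKCU (Windows only); a missing value reads as None."""
    if sys.platform != "win32":
        raise RuntimeError("registry access needs Windows; use evaluate_policies() on a snapshot")
    import winreg
    snapshot: Dict[str, Optional[int]] = {name: None for name in RESTRICTIONS}
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY)
    except FileNotFoundError:
        return snapshot  # key absent: no restrictions set for this user
    with key:
        for name in RESTRICTIONS:
            try:
                value, _kind = winreg.QueryValueEx(key, name)
                snapshot[name] = int(value)
            except FileNotFoundError:
                pass  # value not present, stays None
    return snapshot


def clear_policies(values: Dict[str, Optional[int]]) -> List[str]:
    """Delete every restriction value present in the snapshot (Windows only); returns what was removed."""
    if sys.platform != "win32":
        raise RuntimeError("registry access needs Windows")
    import winreg
    removed: List[str] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY, 0, winreg.KEY_SET_VALUE) as key:
        for name in RESTRICTIONS:
            if values.get(name) is not None:
                winreg.DeleteValue(key, name)
                removed.append(name)
    return removed


if __name__ == "__main__":
    # On Windows read the live registry; elsewhere fall back to the constructed snapshot.
    snapshot = read_policies() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    restricted = evaluate_policies(snapshot)
    print("restricted:", restricted or "none")
    if restricted and "--fix" in sys.argv:
        print("removed:", clear_policies(snapshot))
```

Run it without arguments first to see which restrictions are present, then with `--fix` to delete them; a reboot or log-off is not needed for Task Manager and Regedit to start working again, but if the values reappear after a restart, something is still running that re-sets them, which is the cue to go back to the Autoruns check in the earlier reply.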

#5 Amaya Bajaratt
  • Topic Starter
  • Members
  • 5 posts

Posted 13 July 2008 - 01:40 PM

Thank you so much for your site!

Anyway, my bro also downloaded malware last night. I know he intended well; he thought it might help with sowar. But well.. anyway, he DL'd Windows Antivirus 2008. I also thought that it's part of Windows (or it really might be) since it attached itself to the Control Panel. I wanted to uninstall it but I couldn't, so I searched for how-tos and landed on one of your forums: How to remove Windows Antivirus 2008 (Removal Guide)

And it really did! And it enabled my Task Manager and Regedit!

I'm so happy because I got to delete all the files in my registry with sowar attached to them. So, HUGE THANKS!!! I'm virus/worm-free now and made a restore point. Thanks again.

God bless you all!

#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,128 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 July 2008 - 02:42 PM

You're welcome.

For tips to protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid online gaming sites and peer-to-peer (P2P) or file sharing programs as they are a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans target and spread across P2P file sharing networks and gaming sites. In some instances the infection may cause so much damage to your system that recovery is not possible and the only option is to wipe your drive, reformat and reinstall the OS. The best way to reduce the risk of infection is to avoid gaming sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.