Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

sowar.vbs, can't access taskmanager, folder option and regedit


  • Please log in to reply
6 replies to this topic

#1 magis

magis

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:42 PM

Posted 27 October 2008 - 08:09 AM

Guys! help me,please! this sowar.vbs won't go away! i can't open my task manager and it has changed a lot of the registry items in my pc! i am using an xp pro sp2. help me. it always changes my IE homepage(www.redtube.com).

i tried in cmd but there no file about sowar.vbs

there's this NUDE SSG Sex Scandal file which is a VBScript File that won't go away too.

what should i do??

thx for replying...

BC AdBot (Login to Remove)

 


#2 Maniac

Maniac

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria, EU
  • Local time:07:42 AM

Posted 27 October 2008 - 08:20 AM

Scan with MalwareBytes' Anti-Malware:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Then, submit log file ESET SysInspector, to see what the situation.

Download ESET SysInspector
http://www.eset.com/download/sysinspector.php

- Start program through the SysInspector.exe
The program will collect information about the situation on your machine.
- When "inspector" is ready and log file - generated, select File> Save Log
- Confirm their wish

Choose to save the file somewhere and then upload on http://4storing.com/ (when you open the page, click on the Great Britain flag to open the page in English), then give me the link.


Posted Image

#3 magis

magis
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:42 PM

Posted 27 October 2008 - 06:35 PM

I come up to the same problem can't use either task manager and folder option after i scan it with Mbam and ask to restart also tshi annoying sowar browser....and here is the Mbam log file:

Malwarebytes' Anti-Malware 1.30
Database version: 1325
Windows 5.1.2600 Service Pack 2

10/28/2008 7:04:13 AM
mbam-log-2008-10-28 (07-04-13).txt

Scan type: Quick Scan
Objects scanned: 78771
Time elapsed: 18 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Maniac

Maniac

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria, EU
  • Local time:07:42 AM

Posted 28 October 2008 - 06:57 AM

MalwareBytes' Anti-Malware corrected your problem. In any event, if you want, give log of ESET SysInspector.
Posted Image

#5 magis

magis
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:42 PM

Posted 28 October 2008 - 10:32 AM

I tried it then rescan my system w/ Mbam and came up with this hijack.nofolder and taskmanager related problem and then restart my computer and poop i can't still access my folder option,task,regedit i dunno if mbam fix it or just the sowar.vbs restored it..and about thius IE homepage how to fix it..thx for helping out

by the way here is the download link:

http://4storing.com/19wmk/7042a9416400e30d...6831340e02.html

#6 Maniac

Maniac

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria, EU
  • Local time:07:42 AM

Posted 28 October 2008 - 11:14 AM

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/
Posted Image

#7 magis

magis
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:42 PM

Posted 31 October 2008 - 04:06 AM

I scan the super antispyware full scan at my D: drive in administrator(safe mode) i quarantine and remove what's found, it only detect a adware cookie thats all..and i restarted my pc and still my IE homepage(redtube.com).. i post my problem again for sufficient information hope to fixed everything...

It started to infect my pc when i used my usb flash and found this NGG Sex Scandal Script and my anti virus Avast not detected anything suspicious in when i scan my usb..then when i open my IE, homepage set to www.redtube.com and IE was change to SoWar Browser, then can't access taskmanager, regedit and folder option.. I'm using Windows Xp professional ver. 2002 sp 2...thx for helping...

I stated again the problem in my pc for review:

1. Use Mbam to scan and found this hijack.nofolderoption and hijack.disabletaskmanager removed it and then restart. Afterwards i scan MBAm again to check if there still a problem and come up to detect this hijack.nofolderoption and hijack.disabletaskmanager.. i can't still use my taskmanager and folder option. i'm not sure whether MBAM fix this problem can't trace what might be wrong..

2. Can't find this sowar.vbs, Sysres.vbs and NUDE SSG Scandal in my system but my IE homepage was www.redtube.com and The Internet Explorer was change to SoWar Browser.

3. Scan AD-Adware and Super Antispyware only detect same problem this adware cookie.

4.I run HIjackthis and found this log: (if permitted to post here ,for reading..hope to find solution)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:01 PM, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\RTHDCPL.EXE
C:\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\wscript.exe
D:\Program Files\Stardock\CursorFX\CursorFX.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\lkcitdl.exe
D:\WINDOWS\system32\lkads.exe
D:\WINDOWS\system32\lktsrv.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
D:\WINDOWS\system32\nisvcloc.exe
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.redtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = SoWar Browser
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - D:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NI Background Service] D:\Program Files\National Instruments\Shared\Update Service\BackgroundService.exe
O4 - HKLM\..\Run: [RawOs] wscript.exe "D:\WINDOWS\sowar.vbs"
O4 - HKCU\..\Run: [CursorFX] "D:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.4.lnk = D:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: ASRock WiFi-802.11g.lnk = ?
O4 - Global Startup: ASRock WiFi-802.11n Utility.lnk = D:\Program Files\ASRock\WiFi-802.11n\WiFi-80211n.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - D:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - D:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - D:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - D:\WINDOWS\system32\nisvcloc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - D:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8678 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users