
Assistance required with Worm.VBS.Solow.a (aka VBS.Small?)

The other day I merrily surfed the web when I noticed my Internet Explorer title included the ominous addition of "TAGA LIPA ARE". A quick search with AVG antivirus revealed a virus called VBS.Small, and Kaspersky reports VBS.Solow.a. Further, I cannot access my drives through My Computer (as reported on various virus descriptions).

I tried running "Clean autoruns.bat" as recommended on another thread, but the problem persists. I cannot seem to find the troublesome files myself, and neither AVG nor Kaspersky clean them. I will appreciate any assistance the wonderful people here may be able to offer.

Attached: the Kaspersky report, Part1.txt and part2.txt from clean autoruns, and a HJT report.

Comments

  • edited June 2007
    Hi dtelad11 and welcome to Icrontic. I'm checking your log, so please be patient.
  • edited June 2007
    :) Hi dtelad11
    It seems you don't have any evidence of a third party firewall.
    As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
    1) ZoneAlarm
    2) Agnitum
    3) Sunbelt/Kerio
    4) Comodo
    If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

    Step 1: Remove bad HijackThis entries
    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    Step 2: Download and run Combofix
    1. Download combofix from one of these links:
    Link1
    Link2
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Step 3: Please, post these logs:
    ComboFix-Do.txt
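The entries the helper asks to fix above are the classic pattern of this worm: a hijacked Internet Explorer window title and a Run-key autostart pointing at a `.vbs` file with a double extension. The script below is an added example, not the helper's or HijackThis's own code: it parses HijackThis-style `R1`/`O4` lines and reports the ones that match those two patterns (populated window title, autostart invoking a script file or the Windows Script Host). The sample log is constructed from the entries quoted in this thread plus one benign Run entry (`SoundMan`) added for contrast; it is not the poster's actual log.

```python
import re

# Constructed HijackThis log fragment: the three entries quoted in this thread plus one
# benign Run entry (SoundMan) added for contrast. Not the poster's actual log.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

ENTRY = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")          # "O4 - <body>"
O4_BODY = re.compile(r"(.*?):\s*\[(.*?)\]\s*(.*)$")       # "<key>: [<name>] <target>"
SCRIPT_HOST = re.compile(r"\b[wc]script\.exe\b", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|hta)\b", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.\w{2,4}\.(vbs|vbe|js|jse|wsf|hta)\b", re.IGNORECASE)


def parse_entry(line):
    """Split 'R1 - ...' / 'O4 - ...' into (entry type, body); None for non-entry lines."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_line(line):
    """Return the reasons a HijackThis line looks suspicious (empty list if none)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    kind, body = parsed
    reasons = []
    if kind == "R1" and "Window Title" in body:
        title = body.split("=", 1)[1].strip() if "=" in body else ""
        # Windows leaves this value unset; OEMs, users or malware populate it, so it gets a look.
        if title:
            reasons.append(f"IE window title overridden to {title!r}")
    elif kind == "O4":
        m = O4_BODY.match(body)
        target = m.group(3) if m else body
        if SCRIPT_HOST.search(target):
            reasons.append("autostart invokes the Windows Script Host (wscript/cscript)")
        if SCRIPT_EXT.search(target):
            reasons.append("autostart target is a script file")
        if DOUBLE_EXT.search(target):
            reasons.append("double extension disguises the script as another file type")
    return reasons


def triage_log(text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

Run against the sample, it flags the `R1` title entry and the `FS6519` autostart and leaves the other two alone; the rules only cover the two indicators this worm shows, so an entry it does not flag is not thereby cleared.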
  • edited June 2007
    Thank you for your help. I've installed the COMODO firewall, followed your instructions, and now attaching ComboFix and DSS results.

    "My Computer" is back to normal and the silly Latin disappeared from IE, at least for now. This computer has been junk free for the past two or three years (at least I think it has been junk free), so I hope you'll help restore my naive belief that I somehow manage to protect it from the slime of the human species.

    Thanks again.
  • edited June 2007
    :)Hi dtelad11
    Good Work!
    COMODO firewall :thumbsup:
    How is your system running now?

    Please do the following...

    Step 1 : Combofix - do
    Open notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\ssprs.dll
    C:\WINDOWS\system32\lsprst7.dll

    Folder::
    C:\Qoobox\Quarantine

    Registry::
    [-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daf39560-bfea-11da-8c6a-00111123dcd0}]
    Save this as ComboFix-Do.txt
    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
    [screenshot: Combo-Do.gif]
    This will start ComboFix again. After reboot, (in case it asks to reboot)

    Step 2: Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    Double-click ATF Cleaner.exe to open it.
    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.
    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    Click Exit on the Main menu to close the program.

    Step 3: Download AVG Anti-Spyware
    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    Step 4: Run AVG Anti-Spyware
    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
        [screenshot: scanavgjk2.jpg]
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Step 5: Please, post these logs:
    ComboFix-Do.txt
    AVG Anti-Spyware Report
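The ComboFix script in Step 1 above is plain text with `File::`, `Folder::` and `Registry::` section headers, and ComboFix reads it literally, so a stray space or a mistyped header silently changes what it does. The following linter is an added example, not ComboFix's own parser or any code from this thread: it accepts only the three headers the script above uses (an assumption; ComboFix has more), checks that `File::`/`Folder::` entries are absolute drive paths and `Registry::` entries are `[-HKxx\...]` keys, and reports lines with leading or trailing whitespace. The sample is a constructed copy of the script above with one trailing space appended on purpose.

```python
import re

# Section headers used in the ComboFix script quoted in this thread. ComboFix accepts
# other headers too; this added linter only knows these three (an assumption).
KNOWN_SECTIONS = {"File::", "Folder::", "Registry::"}

WIN_PATH = re.compile(r"^[A-Za-z]:\\.+$")                  # C:\...
REG_KEY = re.compile(r"^\[-?HK(LM|CU|CR|U|CC)\\.+\]$")     # [-HKCU\...] or [HKLM\...]

# Constructed copy of the script from this thread, with a trailing space deliberately
# appended to the second File:: line to reproduce the kind of slip that needs a rerun.
SAMPLE_SCRIPT = "\n".join([
    "File::",
    r"C:\WINDOWS\system32\ssprs.dll",
    r"C:\WINDOWS\system32\lsprst7.dll" + " ",
    "",
    "Folder::",
    r"C:\Qoobox\Quarantine",
    "",
    "Registry::",
    r"[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daf39560-bfea-11da-8c6a-00111123dcd0}]",
]) + "\n"


def lint_combofix_script(text):
    """Return [(line_no, problem), ...] for lines that would not be read as intended."""
    problems = []
    section = None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw != raw.strip():
            problems.append((n, "leading or trailing whitespace"))
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            if line not in KNOWN_SECTIONS:
                problems.append((n, f"unknown section header {line!r}"))
            section = line
            continue
        if section is None:
            problems.append((n, "entry appears before any section header"))
        elif section in ("File::", "Folder::") and not WIN_PATH.match(line):
            problems.append((n, f"expected an absolute drive path under {section}"))
        elif section == "Registry::" and not REG_KEY.match(line):
            problems.append((n, "expected a [-HKxx\\...] key under Registry::"))
    return problems


def clean_combofix_script(text):
    """Strip stray whitespace from every line; the one automatic fix that is safe to apply."""
    return "\n".join(line.strip() for line in text.splitlines()) + "\n"


if __name__ == "__main__":
    for line_no, problem in lint_combofix_script(SAMPLE_SCRIPT):
        print(f"line {line_no}: {problem}")
    print(clean_combofix_script(SAMPLE_SCRIPT), end="")
```

Lint the file before dragging it onto ComboFix; the only change the cleaner applies is whitespace removal, anything else it reports (a wrong header, a relative path) is left for a person to correct.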
  • edited June 2007
    Done. I had to run ComboFix twice (I accidentally added a space to one of the lines on the first run), log attached. After running AVG and applying changes, I couldn't save the log (the option was grayed out). I ran it again and there were no results, and still I couldn't save the log, although "Even if no threats were found" was checked.
  • edited June 2007
    :) Hi dtelad11
    Please do the following...

    Step 1: Stop some processes with Task Manager
    Press Control+Alt+Del to enter the Task Manager.
    Click on the Processes tab and end the following processes (if present):
    wscript.exe
    Exit the Task Manager when finished.

    1: Show your hidden files
    To enable the viewing of Hidden files follow these steps:
    Close all programs so that you are at your desktop.
    Double-click on the My Computer icon (or click Start, then select My Computer)
    Select the Tools menu and click Folder Options.
    After the new window appears select the View tab.
    Put a checkmark in the checkbox labeled Display the contents of system folders.
    Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    Remove the checkmark from the checkbox labeled Hide protected operating system files.
    Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files.

    Step 2: Boot into Safe Mode
    Reboot your computer in Safe Mode.
    • shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Step 3: Delete bad files
    Use Explorer to navigate to and delete the following files (if they are present):
    Files:
    C:\WINDOWS\FS6519.dll
    C:\WINDOWS\system32\wscript.exe
    Now just exit Explorer.

    Step 4: Back up the registry
    Go to Start > Run
    Type:
    • regedit
    Click OK.
    • On the leftside, click to highlight My Computer at the top.
    • Go up to "File > Export"
      • Make sure in that window there is a tick next to "All" under Export Branch.
        Leave the "Save As Type" as "Registration Files".
        Under "Filename" put backup
    • Choose to save it to C:\
    • Click save and then go to File > Exit.
    This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


    Step 5: Removing Autostart Entry from the Registry

    If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
    3. In the right panel, locate and delete the entry:
    FS6519 = "%Windows%\FS6519.dll.vbs"
    (Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

    Deleting Other Entries from the Registry

    1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
    2. In the right panel, locate and delete the entry:
    Window Title = "TAGA LIPA ARE!"
    3. Close Registry Editor.

    Step 6: Deleting AUTORUN.INF
    1. Right-click Start then click Search... or Find...,
    2. In the Named input box, type:
    AUTORUN.INF
    3. In the Look In drop-down list, select My Computer, then press Enter.
    4. Once located, select the file then open with Notepad. Check if it contains the following strings:
    shellexecute=wscript.exe FS6519.dll.vbs
    5. If the said strings are found,
    close Notepad, select the file then press SHIFT+DELETE.

    Step 7 : Reboot into Normal Mode


    Step 8 : download and run Flash_Disinfector.exe

    Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.
    * Double-click Flash_Disinfector.exe to run it.
    * Follow any prompts that may appear.
    * Your desktop will vanish for a while, and then reappear. This is normal.
    * Wait until the program has finished scanning, then please exit the program.
    Step 9 : Run Dss.exe
    Close all applications and windows.
    Double-click on dss.exe to run it, and follow the prompts.
    When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).

    Finally, please post Dss.main.txt
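Step 6 above has the user open every AUTORUN.INF on the machine and look for `shellexecute=wscript.exe FS6519.dll.vbs`, which is how this worm re-infects from a USB stick or a drive root whenever Explorer auto-runs the file. The script below is an added example (not code from this thread, from sUBs or from Flash_Disinfector): it parses an autorun.inf, picks out every directive that makes Explorer run something (`open=`, `shellexecute=`, and any `shell\<verb>\command=`), and labels it `script` when the target is a script host or script file and `program` otherwise, so a reviewer can triage copies collected from several drives without opening each in Notepad. Both samples are constructed: the malicious one carries the launch line quoted in the thread together with the other two launch directives autorun.inf supports (added for coverage, not quoted from the worm), and the benign one is a typical vendor CD.

```python
import re

# Constructed autorun.inf samples. The malicious one carries the launch line quoted in this
# thread (shellexecute=wscript.exe FS6519.dll.vbs) plus the other two launch directives
# autorun.inf supports, added for coverage; the benign one is a typical vendor CD.
MALICIOUS_INF = r"""[autorun]
open=wscript.exe FS6519.dll.vbs
shellexecute=wscript.exe FS6519.dll.vbs
shell\open\command=wscript.exe FS6519.dll.vbs
"""

BENIGN_INF = r"""; vendor CD
[autorun]
open=setup.exe
icon=setup.exe,0
label=Driver CD
"""

LAUNCH_KEYS = {"open", "shellexecute"}
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|bat|cmd)\b", re.IGNORECASE)


def parse_inf(text):
    """Parse INI-style text into {section: [(key, value), ...]}, keeping duplicates in order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()  # section names are case-insensitive
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def is_launch_key(key):
    """open=, shellexecute= and shell\\<verb>\\command= all make Explorer run something."""
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def inspect_autorun(text):
    """Return [(key, value, verdict)] for every launch directive in the [autorun] section."""
    findings = []
    for key, value in parse_inf(text).get("autorun", []):
        if not is_launch_key(key):
            continue
        if SCRIPT_HOST.search(value) or SCRIPT_FILE.search(value):
            findings.append((key, value, "script"))
        else:
            findings.append((key, value, "program"))
    return findings


if __name__ == "__main__":
    for name, content in (("malicious", MALICIOUS_INF), ("benign", BENIGN_INF)):
        print(name)
        for key, value, verdict in inspect_autorun(content):
            print(f"   {verdict:8} {key} = {value}")
```

A `script` verdict on a removable drive is the pattern Step 6 describes; a `program` verdict still deserves a look at the named executable, since autorun.inf on a USB stick has no legitimate reason to launch anything.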