Assistance required with Worm.VBS.Solow.a (aka VBS.Small?)
The other day I merrily surfed the web as I noticed my Internet Explorer title includes the ominous addition of "TAGA LIPA ARE". A quick search with AVG antivirus revealed a virus called VBS.Small, and Kaspersky reports VBS.Solow.a. Further, I cannot access my drives through My Computer (as reported on various virus descriptions).
I tried running "Clean autoruns.bat" as recommended on another thread, but the problem persists. I cannot seem to find the troublesome files myself, and neither AVG nor Kaspersky clean them. I will appreciate any assistance the wonderful people here may be able to offer.
Attached: the Kaspersky report, Part1.txt and part2.txt from clean autoruns, and an HJT report.
It seems you don't have any evidence of a third-party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Step 1: Remove bad HijackThis entries
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
Close ALL open windows
Click Fix Checked
Close HijackThis
Step 2: Download and run Combofix
1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Step 3: Please, post these logs:
ComboFix-Do.txt
"My Computer" is back to normal and the silly Latin disappeared from IE, at least for now. This computer has been junk free for the past two or three years (at least I think it has been junk free), so I hope you'll help restore my naive belief that I somehow manage to protect it from the slime of the human species.
Thanks again.
Good Work!
COMODO firewall
How is your system running now?
Please do the following...
Step 1: Combofix - do
Open notepad and copy/paste the text in the quotebox below into it: Save this as ComboFix-Do.txt
Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot)
Step 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Step 3: Download AVG Anti-Spyware
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido: AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Step 4: Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Step 5: Please, post these logs:
ComboFix-Do.txt
AVG Anti-Spyware Report
Please do the following...
Step 1: Stop some processes with Task Manager
Press Control+Alt+Del to enter the Task Manager.
Click on the Processes tab and end the following processes (if present):
wscript.exe
Exit the Task Manager when finished.
1: Show your hidden files
To enable the viewing of Hidden files follow these steps:
Close all programs so that you are at your desktop.
Double-click on the My Computer icon (or click Start, then select My Computer)
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shut down My Computer.
Now your computer is configured to show all hidden files.
Step 2: Boot into Safe Mode
Reboot your computer in Safe Mode.
- Shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Step 3: Delete bad files
Use Explorer to navigate to and delete the following files (if they are present):
Files:
C:\WINDOWS\FS6519.dll
C:\WINDOWS\system32\wscript.exe
Now just exit Explorer.
Step 4: Back up the registry
Go to Start > Run
Type:
- regedit
Click OK.
- On the left side, click to highlight My Computer at the top.
- Go up to "File > Export"
- Make sure in that window there is a tick next to "All" under Export Branch.
- Choose to save it to C:\
- Under "Filename" put backup
- Leave the "Save As Type" as "Registration Files".
- Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
Step 5: Removing Autostart Entry from the Registry
If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
FS6519 = "%Windows%\FS6519.dll.vbs"
(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
Deleting Other Entries from the Registry
1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
2. In the right panel, locate and delete the entry:
Window Title = "TAGA LIPA ARE!"
3. Close Registry Editor.
Step 6: Deleting AUTORUN.INF
1. Right-click Start then click Search... or Find...,
2. In the Named input box, type:
AUTORUN.INF
3. In the Look In drop-down list, select My Computer, then press Enter.
4. Once located, select the file then open with Notepad. Check if it contains the following strings:
shellexecute=wscript.exe FS6519.dll.vbs
5. If the said strings are found, close Notepad, select the file then press SHIFT+DELETE.
Step 7: Reboot into Normal Mode
Step 8: Download and run Flash_Disinfector.exe
Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.
* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Your desktop will vanish for a while, and then reappear. This is normal.
* Wait until the program has finished scanning, then please exit the program.
Step 9: Run Dss.exe
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Finally, please post Dss.main.txt
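As an added example (not from the thread, nor from any of the tools named in it), a small Python checker that turns the indicators from the manual removal steps into detection logic: it parses an autorun.inf and flags launch directives that hand control to the Windows Script Host or a script file, and applies the same test to Run-key values. It generalises the thread's single autorun.inf line to any script-host launch; the function names and the benign sample inputs are constructed here, while the FS6519 strings are the ones quoted in the thread.

```python
import re
from typing import Dict, List

# Indicators quoted in the thread: the worm's Run-key value and its autorun.inf launch line.
WORM_RUN_VALUE = {"FS6519": r"%Windows%\FS6519.dll.vbs"}
WORM_LAUNCH_LINE = "shellexecute=wscript.exe FS6519.dll.vbs"

LAUNCH_KEYS = ("open", "shellexecute")          # [autorun] directives that execute something
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")   # Windows Script Host binaries
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def launches_script(command: str) -> bool:
    """True if a command line runs a script host or names a script file directly."""
    tokens = [t.strip('"').lower() for t in command.split()]
    return any(t.rsplit("\\", 1)[-1] in SCRIPT_HOSTS or t.endswith(SCRIPT_EXTS) for t in tokens)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs of the [autorun] section, keys lower-cased (INI-style, ';' comments)."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_autorun_directives(text: str) -> List[str]:
    """Flag open=, shellexecute= and shell\\<verb>\\command= lines that start a script."""
    return [f"{k}={v}" for k, v in parse_autorun(text).items()
            if (k in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", k)) and launches_script(v)]


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag ...\\CurrentVersion\\Run values that start a script, e.g. the thread's FS6519 entry."""
    return [name for name, cmd in run_values.items() if launches_script(cmd)]


# Constructed samples: an autorun.inf like the one the thread describes, and a benign vendor one.
INFECTED_AUTORUN = "[autorun]\n" + WORM_LAUNCH_LINE + "\nshell\\open\\Command=wscript.exe FS6519.dll.vbs\n"
BENIGN_AUTORUN = "[AutoRun]\nopen=Setup.exe\nicon=setup.ico\n"
# Constructed Run-key snapshot: the KernelFaultCheck value from the HJT log (not a script launch,
# so not flagged) next to the worm's value.
SAMPLE_RUN = {"KernelFaultCheck": r"%systemroot%\system32\dumprep 0 -k", **WORM_RUN_VALUE}
```

Run the check against the `autorun.inf` found in Step 6 (or the root of each drive) and against an export of the Run key; any flagged line is what Steps 5 and 6 tell you to remove.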