vbs:solow

Hi

need some help…thz
my pc was infected by a virus called vbs:solow. AVAST scanning result showed the infected original file is “.MS32DLL.dll” in C:/WINDOWS

I have tried to repair it and move it to the chest many times, scanning again and again… finally it was gone. But every time I start my PC, a message comes up: “cannot find the script file C:/WINDOWS/boot.ini”
Besides, when I double-click on my local drive C or D, a message also comes up: “cannot find script file D:/.MS32DLL.dll.vbs” or “cannot find script file C:/.MS32DLL.dll.vbs”. Is the virus really gone? I have tried a few programs to remove it. The scanning results showed nothing too. But why do these kinds of messages keep appearing? How can I remove the virus thoroughly?

thanks a lot

Regards,
Fish

With recurring infections, I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Hi flyingfish,

When the worm executes, it creates the following file:
%Windir%\FS6519.dll.vbs

If a removable drive exists, the worm creates the following files:

* [DRIVE LETTER]\FS6519.dll.vbs
* [DRIVE LETTER]\autorun.inf

Next, the worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"FS6519" = "%Windir%\FS6519.dll.vbs"

The worm also creates the following registry entry, which modifies the title bar of Internet Explorer:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "TAGA LIPA ARE!"

HOW TO REMOVE VBS.Solow.B :

  1. Temporarily disable System Restore (Windows Me/XP).

  2. Update the virus definitions.

  3. Reboot the computer in Safe Mode.

  4. Run a full system scan and clean/delete all infected files

  5. Delete related files:

a) Open My Computer → Tools Menu → Folder Options → View Tab:
b) Select: Show hidden Files and Folders
c) Uncheck: Hide extensions for known file types and Hide protected operating system files
d) Click Yes, then OK.
e) Delete autorun.inf and FS6519.dll.vbs on all your hard drives. They are commonly found in the root of drive C. Use the Windows “Search” function to find them all.

  6. Delete any values added to the registry.
    Navigate to and delete the following registry entries:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"FS6519" = "%Windir%\FS6519.dll.vbs"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "TAGA LIPA ARE!"

  7. Exit the registry editor and restart the computer.

  8. In order to make sure that the threat is completely eliminated from your computer, run Flash_Disinfector from: http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

polonus
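
The two persistence points listed in the post above (an autorun.inf in a drive root and a Run value, each pointing at a .vbs file) can be checked from text dumps; an entry left behind after the script itself is deleted is what makes Windows report that it cannot find the script file. This Python check is an added example, not part of the original thread: the function names are hypothetical, the sample autorun.inf and `reg query`-style output are constructed, and only the file name FS6519.dll.vbs comes from the post.

```python
import re

# Script types run by Windows Script Host; the worm in this thread is a .vbs file.
SCRIPT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
# autorun.inf keys that start a program on AutoPlay or on double-clicking the drive.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# One value line of `reg query` output: indented name, type, data.
REG_VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")

def autorun_script_launchers(text):
    """Return (key, command) pairs in the [autorun] section that start a script."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY_RE.match(key) and SCRIPT_RE.search(value):
                hits.append((key, value))
    return hits

def run_values_starting_scripts(reg_query_output):
    """Return (value name, data) pairs from a Run key dump that start a script."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_VALUE_RE.match(line)
        if m and SCRIPT_RE.search(m.group(3)):
            hits.append((m.group(1), m.group(3).strip()))
    return hits

# Constructed samples (not captured from a real machine).
SAMPLE_AUTORUN = """[autorun]
; constructed example
shellexecute=wscript.exe FS6519.dll.vbs
shell\\open\\command=wscript.exe FS6519.dll.vbs
"""
SAMPLE_RUN_KEY = """HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    FS6519    REG_SZ    C:\\WINDOWS\\FS6519.dll.vbs
    Example Tray    REG_SZ    C:\\Program Files\\Example\\tray.exe
"""

if __name__ == "__main__":
    for key, cmd in autorun_script_launchers(SAMPLE_AUTORUN):
        print("autorun.inf:", key, "->", cmd)
    for name, data in run_values_starting_scripts(SAMPLE_RUN_KEY):
        print("Run key:", name, "->", data)
```

Any hit is an entry to remove in steps 5 and 6 of the post above, whether or not the script it names still exists.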

Hi Tech and Polonus,

Thanks a lot.
:slight_smile: My PC is OK already. Again, I really appreciate your help, guys.

Got one question to ask… after all the steps, I found that some files (filenames) turned “blue”. Does that mean there is some problem with these files?

Thanks and regards,
fish