My PC has been infected by malware and avast antivirus recognized it as Win32:Solow. I’ve tried a boot-scan but after a couple of attempts the virus is still there. Then it reminded me about Brontok; a boot scan by itself won’t work. So I’ve shown hidden files and unchecked the checkboxes for hiding extensions for known file types and hiding protected operating system files. I’ve found it: ms32dll.dll.vbs was the source of the virus and the OS recognises it as MS Windows Script. I’ve deleted the file and the problem is solved, but I’m not really sure about it. So if anyone has a better solution please reply…
Have you also looked for C:\autorun.inf?
If you find it, scan it at Virus Total before deletion
http://www.virustotal.com/en/indexf.html
If other antivirus programs detect malware add the file to the avast! chest and upload to alwil.
Yeah, in that file I found this… [autorun] shellexecute=wscript.exe MS32DLL.dll.vbs.
The result for Virus Total scanning
Complete scanning result of “autorun.inf”, received in VirusTotal at 05.08.2007, 11:11:44 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.8.1 05.08.2007 no virus found
AntiVir 7.4.0.15 05.08.2007 VBS/IETitle.A
Authentium 4.93.8 05.07.2007 no virus found
Avast 4.7.997.0 05.07.2007 no virus found
AVG 7.5.0.467 05.07.2007 no virus found
BitDefender 7.2 05.08.2007 no virus found
CAT-QuickHeal 9.00 05.07.2007 no virus found
ClamAV devel-20070416 05.08.2007 Worm.Solow
DrWeb 4.33 05.08.2007 VBS.Generic.544
eSafe 7.0.15.0 05.07.2007 no virus found
eTrust-Vet 30.7.3618 05.08.2007 INF/Slogod.A
Ewido 4.0 05.07.2007 no virus found
FileAdvisor 1 05.08.2007 no virus found
Fortinet 2.85.0.0 05.08.2007 no virus found
F-Prot 4.3.2.48 05.07.2007 no virus found
F-Secure 6.70.13030.0 05.08.2007 VBS/Solow.C
Ikarus T3.1.1.7 05.08.2007 no virus found
Kaspersky 4.0.2.24 05.08.2007 no virus found
McAfee 5025 05.07.2007 no virus found
Microsoft 1.2503 05.07.2007 no virus found
NOD32v2 2248 05.07.2007 no virus found
Norman 5.80.02 05.07.2007 VBS/Solow.C
Panda 9.0.0.4 05.07.2007 no virus found
Prevx1 V2 05.08.2007 no virus found
Sophos 4.17.0 05.07.2007 no virus found
Sunbelt 2.2.907.0 05.05.2007 no virus found
Symantec 10 05.08.2007 no virus found
TheHacker 6.1.6.109 05.08.2007 VBS/Small.autorun
VBA32 3.11.4 05.07.2007 no virus found
VirusBuster 4.3.7:9 05.07.2007 no virus found
Webwasher-Gateway 6.0.1 05.08.2007 Script.IETitle.A
Aditional Information
File size: 104 bytes
MD5: 982c0443b070d968763a9077c08d51f2
SHA1: fbb81852741a3bfdf937923eeb5c4e76febcde6e
packers: Unicode
So what shall I do?
Put a copy of autorun.inf in the avast chest and delete it from the C:\ drive.
Do you have any of these? (Sorry - I should have asked about these before.)
c:\autorun.bat
c:\autorun.ini
c:\autorun.ico
c:\autorun.vbs
c:\autorun.reg
Hi Mauserme,
Isn’t this one identical to the so-called USB worm? It also infects with the autorun thingies…
polonus
I think so (now that I’ve realized it)
It sounds just like the virus I had a few days ago.
You could try following these steps to clean the virus.
- Start Windows in safe mode.
- Stop a process in memory called wscript.exe using the task manager.
- Go to My PC and open your hard disk (c:)
- Go to file options and disable the “hiding system files” option.
- You will see now several files named autorun (.exe .bat .inf .reg .vbs) in the root of your hard disk. You must delete them.
- Then you have to go looking for the same files in other folders; it is almost always in C:\Windows\system32\, but I have read that some variant hides a folder of itself.
Then restart the system. You should clean your USB flash disks too, but don’t let them open with the AutoRun option. Open Windows Explorer, plug in the USB flash disk and you will see the same autorun files in the root. On common USB flash disks, you can delete them all, but you can keep the autorun.inf and look inside first to be sure.
If it doesn’t work, then you could still have the virus in some other folder and have to do a search.
Hope this helps you, I know this virus can be a real problem.
PS: sorry for my mistakes, I have Win XP in Spanish so I don’t really know the menu names in English.
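An added example, not part of the original thread: a small Python checker for the "look inside autorun.inf" step, which lists the `[autorun]` entries that launch a program and marks those that go through a script host, as the `shellexecute=wscript.exe MS32DLL.dll.vbs` entry quoted earlier does. The function names, the extension list and the sample inputs are assumptions made for illustration.

```python
import re

# Keys in the [autorun] section that make Windows run a command.
COMMAND_KEYS = ("open", "shellexecute")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe")
RISKY_EXTS = (".vbs", ".vbe", ".js", ".bat", ".cmd", ".exe", ".scr", ".reg")


def decode_inf(raw: bytes) -> str:
    """Decode autorun.inf bytes: honour a UTF-16 BOM, else assume cp1252."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def autorun_commands(raw: bytes) -> list:
    """Return (key, command) pairs found in the [autorun] section."""
    found, section = [], ""
    for line in decode_inf(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command entries launch programs as well.
        if key in COMMAND_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            found.append((key, value))
    return found


def review(raw: bytes) -> list:
    """Flag launch entries for manual review, with the reason."""
    hits = []
    for key, cmd in autorun_commands(raw):
        tokens = [t.strip('"').lower() for t in cmd.split()]
        if any(t.endswith(SCRIPT_HOSTS) for t in tokens):
            hits.append((key, cmd, "script host"))
        elif any(t.endswith(RISKY_EXTS) for t in tokens):
            hits.append((key, cmd, "launches file"))
    return hits


# Constructed samples: the entry quoted in the thread, and a label-only file.
THREAD_SAMPLE = b"[autorun]\r\nshellexecute=wscript.exe MS32DLL.dll.vbs\r\n"
BENIGN_SAMPLE = b"[autorun]\r\nlabel=Backup Drive\r\nicon=drive.ico\r\n"
```

Reading the file as bytes and parsing it this way avoids opening the drive through AutoRun; an empty result means the file only sets things like a label or icon.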
Hi Infotronis.
Excellent exposé. Will be helpful to many. Nothing wrong with your English there.
Con Dios,
polonus
In addition to what Infotronis posted I would run an F-Secure online scan
http://support.f-secure.com/enu/home/ols.shtml
From the results of Virus Total it looks able to identify the malware and it might help find files that could otherwise hide.
I’ve done all the steps you’ve mentioned and I’ve deleted all the scripts that were suspicious and related to the auto.inf. I’ve even deleted some registry keys pointing to ms32dll.dll.vbs but the problem recurred last night…
Have you tried the online scan yet?
After running F-Secure please download Deckard’s System Scanner (DSS) to your Desktop.
- Close all applications and windows.
- Double-click on DSS.exe to run it, and follow the prompts.
- The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard’s System Scanner to run and don’t let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)
Post the main.txt from the C:\Deckard\System Scanner folder into your next reply. The log will be long so use multiple posts if needed.
Thanks for helping, everyone. It seems that my PC is clean now. No more warnings from avast!
How did you clean it? Please let us know as this will help others with the same problem.