Microsoft Office Words virus
- Thread starter ug18
- Start date
- Status
tomrca
Posts: 924 +3
hi ug18.
please go to https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ and follow all the instructions exactly. after which, poste all required logs such as avg,combo,vundo and hjt. be sure to chang the name of hijack this and place it within its own folder in programme files or docs. eg, C:/prog files/hijackthis/analysethis v_2.exe.
please post your logs as attachments and not a copy and paste. to do this go to additional options ,attach files and select manage attachments. these are located below the reply box
this thread is for the use of UG18 only, if you have similar problems, please start a new thread in security and the web forum
please go to https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ and follow all the instructions exactly. after which, poste all required logs such as avg,combo,vundo and hjt. be sure to chang the name of hijack this and place it within its own folder in programme files or docs. eg, C:/prog files/hijackthis/analysethis v_2.exe.
please post your logs as attachments and not a copy and paste. to do this go to additional options ,attach files and select manage attachments. these are located below the reply box
this thread is for the use of UG18 only, if you have similar problems, please start a new thread in security and the web forum
Used AVG AV to scan for virus and found
1. Downloader.Generic3.MVR
2. Worm/vb.asd
How do I remove these 2 virus?
I tried to find methods to remove the Downloader.Generic3.MVR but I can't find any.
the virus database doesn't have this virus too... weird.
I found a method to remove/vb.asd but it's from a forum and i'm not sure if it's a trustworthy method.
the method is as follow...
Hello,
It seems that you have been infected with the VB.ASD worm (as can be detected by AVG) also known as W32.Sohanad.AG variant caused by infected lsass.exe, worm2007.exe and/or New Folder.exe. (btw, lsass.exe is a legitimate Windows system file, the worm has just infected it) Here are some common symptoms (you may have a few, some or all of these symptoms if you are infected):
-Internet Explorer default webpage can not be changed and is locked to a webpage (sometimes an adult page or for example thecoolpics.something)
-Norton Anti-Virus or McAfee don't work and/or neither does Trend Micro's HouseCall ... ActiveX controls seem disabled
-System Restore, Regedit, Task Manager don't work
-Run in Start Menu and Tools>Folder Options.... in Windows Explorer, both disabled
-Firefox (if installed) is deleted on startup
-On shutdown, End now dialog opens regarding lsass.exe
-IM Apps (Yahoo Mssgr, Windows Live) don't work properly
-New Folder.exe in C Drive, BOOT.exe and corresponding autorun.inf that loads it, on removable flash drives appear
These are the steps I took to remove this worm:
1. Run AVG Anti-Virus Free Edition (get it here: free.grisoft.com/doc/downloads-products/us/frt/0?prd=aff) twice and then once in safe mode to ensure that the process lsass.exe and other VB.ASD infected programs (which have been corrupted by the worm) are taken care of.
2. On bootup, Windows should pop an error saying it can't find lsass.exe, which is a good sign since it means that AVG has removed the infected lsass.exe.
3. Open Notepad and save the following script as sohanad_ag_remover.vbs Just copy and paste the portion between the 5 forward slashes (but not including the slashes)
/////
'W32Sohanad Worm AG Variant Removal Tool by Jsmaster25
'jsmaster25 [At] yaHoo (d0t) Ca
'This script is to restore the damaged/modified registry by the W32Sohanad Worm AG Variant. This code may be freely distributed/modified.
'It is based on the original W32Sohanad Worm Removal script available at: http://www.precisesecurity.com/blogs/2007/03/06/w32sohanadvbs/
'and follows the specifications available at: http://www.pspl.com/virus_info/worms/sohanadag.htm
If MsgBox("W32Sohanad Worm AG Variant Removal Tool by Jsmaster25" + vbCRLF + vbCRLF + "This tool is to restore the damaged/modified registry by the W32Sohanad Worm AG Variant." + vbCRLF + vbCRLF + "This code may be freely distributed/modified. It is based on the original W32Sohanad Worm Removal script available at: http://www.precisesecurity.com/blogs/2007/03/06/w32sohanadvbs/ and follows the specifications available at: http://www.pspl.com/virus_info/worms/sohanadag.htm" + vbCRLF + vbCRLF + "Continue?", vbOKCancel, "W32Sohanad Worm AG Variant Removal Tool by Jsmaster25") = vbCancel Then
WScript.quit
End If
'Prevents errors from values that don’t exist
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
'Delete the keys that has disabled the Windows Registry Tools and Task Manager.
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
'Delete the registry keys that changes your Yahoo Messenger status
WshShell.RegDelete "HKCU\Software\Yahoo\pager\View\YMSGR_buzz\content url"
WshShell.RegDelete "HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\content url"
'Delete the entries which make the worm start up while booting.
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Manager"
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost"
'Delete Disable Homepage Buttons in IE
WshShell.RegDelete "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage"
'Delete Disable Explorer No Folder Options
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions"
'Delete lsass.exe on startup
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell", "explorer.exe", "REG_SZ"
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", "userinit.exe", "REG_SZ"
'Enable Run on Start Menu
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
'Enable System Restore Config
WshShell.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig"
'Reset Homepage
WshShell.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page", "http://www.google.com", "REG_SZ"
X = MsgBox("Registry successfuly restored from the damage made by W32Sohanad Worm AG Variant.", vbOKOnly, "W32Sohanad Worm AG Variant Removed!")
/////
4. Run sohanad_ag_remover.vbs You will probably have to disable the anti-scripting features of anti-virus software in order to run the script properly.
5. Restart the computer.
6. Optional but highly suggested: Have your Windows CD ready and in the Run Command (which should appear in the Start Menu now) type:
sfc /scannow
This is Windows' built in system file checker, since important files were affected by the worm, it will attempt to restore fresh copies of them from the CD.
Also, the worm has deleted firefox.exe if you have Mozilla Firefox installed so you will probably have to reinstall it. As well, just double check if all the applications that are supposed to run on startup are doing so properly since the worm probably messed with those as well; reinstall those programs if necessary.
The worm should now be removed. Here's how you can check:
-Internet Explorer should have as a default webpage google.com and you should be able to change it
-There is a Run option in the Start Menu, Tools>Folder Options in Windows Explorer
-System Restore, Regedit, Task Manager should work
-IM Apps (Yahoo, Windows live) should work properly
-No missing lsass.exe error on startup
-ActiveX controls should work again
How to avoid this problem again???
-Use Mozilla Firefox or the new IE7, install critical updates to Windows, be wary of files sent across Instant Messaging applications like Yahoo Messenger or Windows Live, Scan your computer with anti-virus and anti-spyware or just use Linux!
-Hope this helps,
Pls advise...
Thank you very much.
1. Downloader.Generic3.MVR
2. Worm/vb.asd
How do I remove these 2 virus?
I tried to find methods to remove the Downloader.Generic3.MVR but I can't find any.
the virus database doesn't have this virus too... weird.
I found a method to remove/vb.asd but it's from a forum and i'm not sure if it's a trustworthy method.
the method is as follow...
Hello,
It seems that you have been infected with the VB.ASD worm (as can be detected by AVG) also known as W32.Sohanad.AG variant caused by infected lsass.exe, worm2007.exe and/or New Folder.exe. (btw, lsass.exe is a legitimate Windows system file, the worm has just infected it) Here are some common symptoms (you may have a few, some or all of these symptoms if you are infected):
-Internet Explorer default webpage can not be changed and is locked to a webpage (sometimes an adult page or for example thecoolpics.something)
-Norton Anti-Virus or McAfee don't work and/or neither does Trend Micro's HouseCall ... ActiveX controls seem disabled
-System Restore, Regedit, Task Manager don't work
-Run in Start Menu and Tools>Folder Options.... in Windows Explorer, both disabled
-Firefox (if installed) is deleted on startup
-On shutdown, End now dialog opens regarding lsass.exe
-IM Apps (Yahoo Mssgr, Windows Live) don't work properly
-New Folder.exe in C Drive, BOOT.exe and corresponding autorun.inf that loads it, on removable flash drives appear
These are the steps I took to remove this worm:
1. Run AVG Anti-Virus Free Edition (get it here: free.grisoft.com/doc/downloads-products/us/frt/0?prd=aff) twice and then once in safe mode to ensure that the process lsass.exe and other VB.ASD infected programs (which have been corrupted by the worm) are taken care of.
2. On bootup, Windows should pop an error saying it can't find lsass.exe, which is a good sign since it means that AVG has removed the infected lsass.exe.
3. Open Notepad and save the following script as sohanad_ag_remover.vbs Just copy and paste the portion between the 5 forward slashes (but not including the slashes)
/////
'W32Sohanad Worm AG Variant Removal Tool by Jsmaster25
'jsmaster25 [At] yaHoo (d0t) Ca
'This script is to restore the damaged/modified registry by the W32Sohanad Worm AG Variant. This code may be freely distributed/modified.
'It is based on the original W32Sohanad Worm Removal script available at: http://www.precisesecurity.com/blogs/2007/03/06/w32sohanadvbs/
'and follows the specifications available at: http://www.pspl.com/virus_info/worms/sohanadag.htm
If MsgBox("W32Sohanad Worm AG Variant Removal Tool by Jsmaster25" + vbCRLF + vbCRLF + "This tool is to restore the damaged/modified registry by the W32Sohanad Worm AG Variant." + vbCRLF + vbCRLF + "This code may be freely distributed/modified. It is based on the original W32Sohanad Worm Removal script available at: http://www.precisesecurity.com/blogs/2007/03/06/w32sohanadvbs/ and follows the specifications available at: http://www.pspl.com/virus_info/worms/sohanadag.htm" + vbCRLF + vbCRLF + "Continue?", vbOKCancel, "W32Sohanad Worm AG Variant Removal Tool by Jsmaster25") = vbCancel Then
WScript.quit
End If
'Prevents errors from values that don’t exist
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
'Delete the keys that has disabled the Windows Registry Tools and Task Manager.
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
'Delete the registry keys that changes your Yahoo Messenger status
WshShell.RegDelete "HKCU\Software\Yahoo\pager\View\YMSGR_buzz\content url"
WshShell.RegDelete "HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\content url"
'Delete the entries which make the worm start up while booting.
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Manager"
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost"
'Delete Disable Homepage Buttons in IE
WshShell.RegDelete "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage"
'Delete Disable Explorer No Folder Options
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions"
'Delete lsass.exe on startup
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell", "explorer.exe", "REG_SZ"
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", "userinit.exe", "REG_SZ"
'Enable Run on Start Menu
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
'Enable System Restore Config
WshShell.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig"
'Reset Homepage
WshShell.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page", "http://www.google.com", "REG_SZ"
X = MsgBox("Registry successfuly restored from the damage made by W32Sohanad Worm AG Variant.", vbOKOnly, "W32Sohanad Worm AG Variant Removed!")
/////
4. Run sohanad_ag_remover.vbs You will probably have to disable the anti-scripting features of anti-virus software in order to run the script properly.
5. Restart the computer.
6. Optional but highly suggested: Have your Windows CD ready and in the Run Command (which should appear in the Start Menu now) type:
sfc /scannow
This is Windows' built in system file checker, since important files were affected by the worm, it will attempt to restore fresh copies of them from the CD.
Also, the worm has deleted firefox.exe if you have Mozilla Firefox installed so you will probably have to reinstall it. As well, just double check if all the applications that are supposed to run on startup are doing so properly since the worm probably messed with those as well; reinstall those programs if necessary.
The worm should now be removed. Here's how you can check:
-Internet Explorer should have as a default webpage google.com and you should be able to change it
-There is a Run option in the Start Menu, Tools>Folder Options in Windows Explorer
-System Restore, Regedit, Task Manager should work
-IM Apps (Yahoo, Windows live) should work properly
-No missing lsass.exe error on startup
-ActiveX controls should work again
How to avoid this problem again???
-Use Mozilla Firefox or the new IE7, install critical updates to Windows, be wary of files sent across Instant Messaging applications like Yahoo Messenger or Windows Live, Scan your computer with anti-virus and anti-spyware or just use Linux!
-Hope this helps,
Pls advise...
Thank you very much.
momok
Posts: 2,127 +6
Hi,
That looks like a very comprehensive means of settling your problem. However, something to be concerned is that infections often come in multiple instances on any system. I would advise you to read the following.
Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.
Let me know if you wish to format or clean.
If you wish to clean your system, please follow the thread as tomrca provided and follow the steps exactly. Post all required logs as attachments.
Regards,
Your friendly momok =)
This thread is for the use of ug18 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
That looks like a very comprehensive means of settling your problem. However, something to be concerned is that infections often come in multiple instances on any system. I would advise you to read the following.
Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.
Let me know if you wish to format or clean.
If you wish to clean your system, please follow the thread as tomrca provided and follow the steps exactly. Post all required logs as attachments.
Regards,
Your friendly momok =)
This thread is for the use of ug18 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
- Status
Similar threads
