Microsoft Office Words virus

By ug18 · 4 replies
Aug 2, 2007
  1. Hi,

    i need some help..

    whenever i open a word doc thru microsoft office words,
    the data inside the word doc will be automatically deleted!
    hence i cant use words.

    is there any kind of known virus for this???

    i tried to scan for virus but there was nothing.
    help pls.......

  2. tomrca

    tomrca TS Rookie Posts: 1,000

    hi ug18.
    please go to and follow all the instructions exactly. after which, poste all required logs such as avg,combo,vundo and hjt. be sure to chang the name of hijack this and place it within its own folder in programme files or docs. eg, C:/prog files/hijackthis/analysethis v_2.exe.

    please post your logs as attachments and not a copy and paste. to do this go to additional options ,attach files and select manage attachments. these are located below the reply box

    this thread is for the use of UG18 only, if you have similar problems, please start a new thread in security and the web forum
  3. raybay

    raybay TS Evangelist Posts: 7,241   +10

    You might also consider uninstalling and reinstalling your Microsoft Office and delete the registry entries.
  4. ug18

    ug18 TS Rookie Topic Starter Posts: 16

    Used AVG AV to scan for virus and found
    1. Downloader.Generic3.MVR
    2. Worm/vb.asd

    How do I remove these 2 virus?

    I tried to find methods to remove the Downloader.Generic3.MVR but I can't find any.
    the virus database doesn't have this virus too... weird.

    I found a method to remove/vb.asd but it's from a forum and i'm not sure if it's a trustworthy method.
    the method is as follow...

    It seems that you have been infected with the VB.ASD worm (as can be detected by AVG) also known as W32.Sohanad.AG variant caused by infected lsass.exe, worm2007.exe and/or New Folder.exe. (btw, lsass.exe is a legitimate Windows system file, the worm has just infected it) Here are some common symptoms (you may have a few, some or all of these symptoms if you are infected):

    -Internet Explorer default webpage can not be changed and is locked to a webpage (sometimes an adult page or for example thecoolpics.something)
    -Norton Anti-Virus or McAfee don't work and/or neither does Trend Micro's HouseCall ... ActiveX controls seem disabled
    -System Restore, Regedit, Task Manager don't work
    -Run in Start Menu and Tools>Folder Options.... in Windows Explorer, both disabled
    -Firefox (if installed) is deleted on startup
    -On shutdown, End now dialog opens regarding lsass.exe
    -IM Apps (Yahoo Mssgr, Windows Live) don't work properly
    -New Folder.exe in C Drive, BOOT.exe and corresponding autorun.inf that loads it, on removable flash drives appear

    These are the steps I took to remove this worm:

    1. Run AVG Anti-Virus Free Edition (get it here: twice and then once in safe mode to ensure that the process lsass.exe and other VB.ASD infected programs (which have been corrupted by the worm) are taken care of.
    2. On bootup, Windows should pop an error saying it can't find lsass.exe, which is a good sign since it means that AVG has removed the infected lsass.exe.
    3. Open Notepad and save the following script as sohanad_ag_remover.vbs Just copy and paste the portion between the 5 forward slashes (but not including the slashes)


    'W32Sohanad Worm AG Variant Removal Tool by Jsmaster25
    'jsmaster25 [At] yaHoo (d0t) Ca
    'This script is to restore the damaged/modified registry by the W32Sohanad Worm AG Variant. This code may be freely distributed/modified.
    'It is based on the original W32Sohanad Worm Removal script available at:
    'and follows the specifications available at:

    If MsgBox("W32Sohanad Worm AG Variant Removal Tool by Jsmaster25" + vbCRLF + vbCRLF + "This tool is to restore the damaged/modified registry by the W32Sohanad Worm AG Variant." + vbCRLF + vbCRLF + "This code may be freely distributed/modified. It is based on the original W32Sohanad Worm Removal script available at: and follows the specifications available at:" + vbCRLF + vbCRLF + "Continue?", vbOKCancel, "W32Sohanad Worm AG Variant Removal Tool by Jsmaster25") = vbCancel Then
    End If

    'Prevents errors from values that don’t exist
    On Error Resume Next

    Set WshShell = WScript.CreateObject("WScript.Shell")

    'Delete the keys that has disabled the Windows Registry Tools and Task Manager.
    WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"

    'Delete the registry keys that changes your Yahoo Messenger status
    WshShell.RegDelete "HKCU\Software\Yahoo\pager\View\YMSGR_buzz\content url"
    WshShell.RegDelete "HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\content url"

    'Delete the entries which make the worm start up while booting.
    WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Manager"
    WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost"

    'Delete Disable Homepage Buttons in IE
    WshShell.RegDelete "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage"

    'Delete Disable Explorer No Folder Options
    WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
    WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions"

    'Delete lsass.exe on startup
    WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell", "explorer.exe", "REG_SZ"
    WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", "userinit.exe", "REG_SZ"

    'Enable Run on Start Menu
    WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"

    'Enable System Restore Config
    WshShell.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig"

    'Reset Homepage
    WshShell.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page", "", "REG_SZ"

    X = MsgBox("Registry successfuly restored from the damage made by W32Sohanad Worm AG Variant.", vbOKOnly, "W32Sohanad Worm AG Variant Removed!")


    4. Run sohanad_ag_remover.vbs You will probably have to disable the anti-scripting features of anti-virus software in order to run the script properly.
    5. Restart the computer.

    6. Optional but highly suggested: Have your Windows CD ready and in the Run Command (which should appear in the Start Menu now) type:
    sfc /scannow
    This is Windows' built in system file checker, since important files were affected by the worm, it will attempt to restore fresh copies of them from the CD.

    Also, the worm has deleted firefox.exe if you have Mozilla Firefox installed so you will probably have to reinstall it. As well, just double check if all the applications that are supposed to run on startup are doing so properly since the worm probably messed with those as well; reinstall those programs if necessary.

    The worm should now be removed. Here's how you can check:
    -Internet Explorer should have as a default webpage and you should be able to change it
    -There is a Run option in the Start Menu, Tools>Folder Options in Windows Explorer
    -System Restore, Regedit, Task Manager should work
    -IM Apps (Yahoo, Windows live) should work properly
    -No missing lsass.exe error on startup
    -ActiveX controls should work again

    How to avoid this problem again???

    -Use Mozilla Firefox or the new IE7, install critical updates to Windows, be wary of files sent across Instant Messaging applications like Yahoo Messenger or Windows Live, Scan your computer with anti-virus and anti-spyware or just use Linux!

    -Hope this helps,

    Pls advise...
    Thank you very much.
  5. momok

    momok TS Rookie Posts: 2,265


    That looks like a very comprehensive means of settling your problem. However, something to be concerned is that infections often come in multiple instances on any system. I would advise you to read the following.

    Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.

    Let me know if you wish to format or clean.

    If you wish to clean your system, please follow the thread as tomrca provided and follow the steps exactly. Post all required logs as attachments.

    Your friendly momok =)

    This thread is for the use of ug18 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...