this annoying virus has infected my friend's pc. she has tried to combat it with avg free, nod32 and hijackthis to no avail. it has a "restore" component.
does anyone know how to effectively remove sowar.vbs?
2
sowar.vbs
Started by
coolbuster2007
, Jul 28 2008 09:51 AM
3 replies to this topic
#2
-
- Members
-
- 10,178 posts
TMN Seasoned Veteran
- Location: Florida
Posted 28 July 2008 - 09:58 AM
re install windows...
Its the most effective way to get rid of a virus.
Its the most effective way to get rid of a virus.
#3
-
- Moderators
-
- 9,039 posts
TMN Seasoned Veteran
- Location: In The Plex
Posted 28 July 2008 - 11:39 AM
Here's a bit I found last week , this virus is running rapid.
When first run VBS/Autorun-FM copies itself to:
RootCool USEP Scandal.vbs
Rootsowar.vbs
WindowsSysRes.vbs
and creates the following files:
RootAutorun.inf
Windows%ORIGFILENAME%
Whenever a removable drive is inserted, the following files are copied over:
Autorun.inf Cool USEP Scandal.vbs
The following registry entry is created to run SysRes.vbs on startup:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun System Restore wscript.exe "WindowsSysRes.vbs"
VBS/Autorun-FM changes settings for Microsoft Internet Explorer by modifying values under:
HKCUSoftwareMicrosoftInternet ExplorerMainStart Page
EDIT: oops forgot to get the rest to you
Go to Start > Run and type: cmd
press Ok.
At the command prompt, type in your primay drive location, usually C:
You may need to change the directory. If so type: cd
Hit Enter.
Type: attrib -s -h -r -a autorun.inf
Hit Enter.
Type: dir
Hit Enter. This will allow you to see and confirm the Autorun files.
Type: del autorun.inf
Hit Enter.
Repeat the above commands for each drive on your computer including your flash/usb drive.
Now search for and remove sowar.vbs, SysRes.vbs, Cool USEP Scandal.vbs
At the command prompt, type in your primay drive location, usually C:
Hit Enter.
Type: attrib sowar.vbs.* -s -h -r -a
Hit Enter.
Type: dir /s sowar.vbs
Hit Enter.
If the file is present, type: del sowar.vbs
Hit Enter.
Repeat the above commands for each drive on your computer including your flash/usb drive.
Then repeat these instructions to search for and delete SysRes.vbs, Cool USEP Scandal.vbs on each drive if present.
Exit the command prompt and reboot normally.
DISABLE AUTORUN !!!!!!!!!
When first run VBS/Autorun-FM copies itself to:
RootCool USEP Scandal.vbs
Rootsowar.vbs
WindowsSysRes.vbs
and creates the following files:
RootAutorun.inf
Windows%ORIGFILENAME%
Whenever a removable drive is inserted, the following files are copied over:
Autorun.inf Cool USEP Scandal.vbs
The following registry entry is created to run SysRes.vbs on startup:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun System Restore wscript.exe "WindowsSysRes.vbs"
VBS/Autorun-FM changes settings for Microsoft Internet Explorer by modifying values under:
HKCUSoftwareMicrosoftInternet ExplorerMainStart Page
EDIT: oops forgot to get the rest to you
Go to Start > Run and type: cmd
press Ok.
At the command prompt, type in your primay drive location, usually C:
You may need to change the directory. If so type: cd
Hit Enter.
Type: attrib -s -h -r -a autorun.inf
Hit Enter.
Type: dir
Hit Enter. This will allow you to see and confirm the Autorun files.
Type: del autorun.inf
Hit Enter.
Repeat the above commands for each drive on your computer including your flash/usb drive.
Now search for and remove sowar.vbs, SysRes.vbs, Cool USEP Scandal.vbs
At the command prompt, type in your primay drive location, usually C:
Hit Enter.
Type: attrib sowar.vbs.* -s -h -r -a
Hit Enter.
Type: dir /s sowar.vbs
Hit Enter.
If the file is present, type: del sowar.vbs
Hit Enter.
Repeat the above commands for each drive on your computer including your flash/usb drive.
Then repeat these instructions to search for and delete SysRes.vbs, Cool USEP Scandal.vbs on each drive if present.
Exit the command prompt and reboot normally.
DISABLE AUTORUN !!!!!!!!!
#4
-
- Members
-
- 2,189 posts
TMN Veteran
Posted 28 July 2008 - 05:13 PM
thank you. 
am gonna apply that when I visit her tonight
am gonna apply that when I visit her tonight
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
