Author Topic: Win32:Solow (Malware)  (Read 5549 times)


MeDIeVaL

  • Guest
Win32:Solow (Malware)
« on: May 08, 2007, 03:32:44 AM »
My PC has been infected by malware and avast antivirus recognized it as Win32:Solow. I've tried a boot scan, but after a couple of attempts the virus is still there. Then it reminded me of Brontok; a boot scan by itself won't work. So I showed hidden files and unchecked the checkboxes for "hide extensions for known file types" and "hide protected operating system files". I found it: ms32dll.dll.vbs was the source of the virus, and the OS recognises it as an MS Windows Script. I deleted the file and the problem was solved, but I'm not really sure about it. So if anyone has a better solution, please reply...

mauserme

  • Guest
Re: Win32:Solow (Malware)
« Reply #1 on: May 08, 2007, 03:53:16 AM »
Have you also looked for C:\autorun.inf?

If you find it, scan it at VirusTotal before deletion:

http://www.virustotal.com/en/indexf.html

If other antivirus programs detect malware, add the file to the avast! chest and upload it to Alwil.

MeDIeVaL

  • Guest
Re: Win32:Solow (Malware)
« Reply #2 on: May 08, 2007, 11:24:32 AM »
Yeah, in that file I found this...

[autorun]
shellexecute=wscript.exe MS32DLL.dll.vbs

The VirusTotal scan result:

Complete scanning result of "autorun.inf", received in VirusTotal at 05.08.2007, 11:11:44 (CET).

Antivirus   Version   Update   Result
AhnLab-V3   2007.5.8.1   05.08.2007   no virus found
AntiVir   7.4.0.15   05.08.2007   VBS/IETitle.A
Authentium   4.93.8   05.07.2007   no virus found
Avast   4.7.997.0   05.07.2007   no virus found
AVG   7.5.0.467   05.07.2007   no virus found
BitDefender   7.2   05.08.2007   no virus found
CAT-QuickHeal   9.00   05.07.2007   no virus found
ClamAV   devel-20070416   05.08.2007   Worm.Solow
DrWeb   4.33   05.08.2007   VBS.Generic.544
eSafe   7.0.15.0   05.07.2007   no virus found
eTrust-Vet   30.7.3618   05.08.2007   INF/Slogod.A
Ewido   4.0   05.07.2007   no virus found
FileAdvisor   1   05.08.2007   no virus found
Fortinet   2.85.0.0   05.08.2007   no virus found
F-Prot   4.3.2.48   05.07.2007   no virus found
F-Secure   6.70.13030.0   05.08.2007   VBS/Solow.C
Ikarus   T3.1.1.7   05.08.2007   no virus found
Kaspersky   4.0.2.24   05.08.2007   no virus found
McAfee   5025   05.07.2007   no virus found
Microsoft   1.2503   05.07.2007   no virus found
NOD32v2   2248   05.07.2007   no virus found
Norman   5.80.02   05.07.2007   VBS/Solow.C
Panda   9.0.0.4   05.07.2007   no virus found
Prevx1   V2   05.08.2007   no virus found
Sophos   4.17.0   05.07.2007   no virus found
Sunbelt   2.2.907.0   05.05.2007   no virus found
Symantec   10   05.08.2007   no virus found
TheHacker   6.1.6.109   05.08.2007   VBS/Small.autorun
VBA32   3.11.4   05.07.2007   no virus found
VirusBuster   4.3.7:9   05.07.2007   no virus found
Webwasher-Gateway   6.0.1   05.08.2007   Script.IETitle.A

Additional Information
File size: 104 bytes
MD5: 982c0443b070d968763a9077c08d51f2
SHA1: fbb81852741a3bfdf937923eeb5c4e76febcde6e
packers: Unicode

So what shall I do?

mauserme

  • Guest
Re: Win32:Solow (Malware)
« Reply #3 on: May 08, 2007, 12:58:54 PM »
Put a copy of autorun.inf in the avast! chest and delete it from the C:\ drive.

Do you have any of these? (Sorry, I should have asked about these before.)

c:\autorun.bat
c:\autorun.ini
c:\autorun.ini
c:\autorun.ico
c:\autorun.vbs
c:\autorun.reg

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Win32:Solow (Malware)
« Reply #4 on: May 08, 2007, 01:13:06 PM »
Hi Mauserme,

Isn't this one identical to the so-called USB worm? It also infects with the autorun thingies...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

mauserme

  • Guest
Re: Win32:Solow (Malware)
« Reply #5 on: May 08, 2007, 02:02:19 PM »
I think so (now that I've realized it)  :)

Infotronis

  • Guest
Re: Win32:Solow (Malware)
« Reply #6 on: May 08, 2007, 06:54:37 PM »
It sounds just like the virus I had a few days ago.

You could try to follow these steps to clean the virus.

1. Start Windows in safe mode.
2. Stop a process in memory called wscript.exe using the Task Manager.
3. Go to My Computer and open your hard disk (C:).
4. Go to Folder Options and disable the "hide system files" option.
5. You will now see several files named autorun (.exe .bat .inf .reg .vbs) in the root of your hard disk. You must delete them.
6. Then you have to go looking for the same files in other folders; they are almost always in C:\Windows\system32\, but I have read that some variant hides a folder of itself.

Then restart the system. You should clean your USB flash disks too, but don't let them open with the AutoRun option. Open Windows Explorer, plug in the USB flash disk and you will see the same autorun files in the root. On common USB flash disks you can delete them all, but you can keep the autorun.inf and look inside it first to be sure.

If that doesn't work, you could still have the virus in some other folder and will have to do a search.

Hope this helps you; I know this virus can be a real problem.

PS: sorry for my mistakes, I have Windows XP in Spanish so I don't really know the menu names in English ;)
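The two lines MeDIeVaL quoted from autorun.inf in reply #2 ([autorun] / shellexecute=wscript.exe MS32DLL.dll.vbs) and the cleanup steps above are enough to automate the triage. What follows is an added example in Python, not code from this thread or from avast!: it decodes an autorun.inf the way Explorer would (including UTF-16, which is what the "packers: Unicode" line in the VirusTotal report indicates), lists every key that can launch something, flags any that invoke a script host or a script file, and collects the autorun.* siblings mauserme asked about together with the payload the .inf points at, so the trigger and the payload are quarantined as a set. The C:\ and USB roots it scans are constructed in a temporary directory; MS32DLL.dll.vbs and setup.exe in that tree are empty stand-ins, not samples. The helper names (read_inf_text, triage_root, build_demo_tree) are this example's own.

```python
"""Triage of the autorun.inf / autorun.* dropper pattern discussed in this
thread. Added example, not code from the thread or from avast!; the directory
tree it scans is constructed in a temp dir as a stand-in for C:\\ and a USB root."""
import ntpath
import tempfile
from pathlib import Path

# [autorun] keys that make Explorer launch something on insert or double-click.
LAUNCH_KEYS = {"open", "shellexecute"}
# Interpreters a legitimate vendor autorun does not need; the thread's sample used wscript.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta")
# Names the thread reports in drive roots: mauserme's autorun.* list plus the .vbs MeDIeVaL found.
DROPPED_NAMES = {"autorun.inf", "autorun.bat", "autorun.ini", "autorun.ico",
                 "autorun.vbs", "autorun.reg", "autorun.exe", "ms32dll.dll.vbs"}


def read_inf_text(path):
    """Decode an .inf as Explorer would. VirusTotal tagged the thread's sample
    'packers: Unicode', i.e. UTF-16, which a byte-level grep for 'wscript' misses."""
    data = Path(path).read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")      # BOM selects the endianness
    if b"\x00" in data[:8]:                                 # BOM-less UTF-16LE: NULs between ASCII
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def parse_autorun_inf(text):
    """Return {lower-cased key: value} for the [autorun] section only.
    Hand-rolled instead of configparser: worm-written files repeat keys and mix case."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Every command line the .inf can make Explorer run: open, shellexecute, shell\\<verb>\\command."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def command_tokens(command):
    """Whitespace-split a command line, dropping quotes and lower-casing (NTFS is case-insensitive)."""
    return [t.strip('"') for t in command.lower().split() if t.strip('"')]


def is_suspicious(command):
    """True if the command invokes a script host or names a script file anywhere on the line."""
    tokens = command_tokens(command)
    if not tokens:
        return False
    if ntpath.basename(tokens[0]) in SCRIPT_HOSTS:   # ntpath: handles C:\... paths on any OS
        return True
    return any(t.endswith(SCRIPT_EXTS) for t in tokens)


def triage_root(root):
    """Steps 5 and 6 of the procedure above, automated for one drive root: list every
    autorun.* sibling, decode what the .inf would launch, and resolve the referenced
    payload file so it is quarantined together with the trigger."""
    root = Path(root)
    files = {p.name.lower(): p.name for p in root.iterdir() if p.is_file()}
    findings = {"dropped": sorted((n for l, n in files.items() if l in DROPPED_NAMES), key=str.lower),
                "commands": [], "payload": [], "suspicious": False}
    if "autorun.inf" in files:
        entries = parse_autorun_inf(read_inf_text(root / files["autorun.inf"]))
        for key, cmd in launch_commands(entries):
            findings["commands"].append((key, cmd))
            if is_suspicious(cmd):
                findings["suspicious"] = True
                for tok in command_tokens(cmd):
                    name = ntpath.basename(tok)
                    if name.endswith(SCRIPT_EXTS) and name in files:
                        findings["payload"].append(files[name])
    return findings


def build_demo_tree(base):
    """Constructed sample tree (not real malware): 'C' mimics the infected root from the
    thread, written as UTF-16 with BOM; 'E' is a USB stick with a benign vendor autorun."""
    c, usb = Path(base) / "C", Path(base) / "E"
    c.mkdir()
    usb.mkdir()
    inf = "[autorun]\r\nshellexecute=wscript.exe MS32DLL.dll.vbs"
    (c / "autorun.inf").write_bytes(b"\xff\xfe" + inf.encode("utf-16-le"))
    (c / "MS32DLL.dll.vbs").write_text("' stand-in for the dropped script, no payload\r\n")
    (usb / "autorun.inf").write_text("[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n")
    (usb / "setup.exe").write_bytes(b"MZ")
    return c, usb


def main():
    with tempfile.TemporaryDirectory() as tmp:
        for root in build_demo_tree(tmp):
            print(f"{root.name}:\\ ->", triage_root(root))


if __name__ == "__main__":
    main()
```

Running it prints one findings dict per root: the constructed C:\ is flagged suspicious with MS32DLL.dll.vbs resolved as payload, the USB root with open=setup.exe is not. The constructed autorun.inf comes out at 104 bytes, the size VirusTotal reported, which is what a UTF-16 file with BOM holding exactly the two quoted lines occupies; that is an observation about the constructed file, not a claim about the original sample beyond its reported size. Against a real machine, stop wscript.exe first as Infotronis says, then point triage_root at each drive root and at C:\Windows\system32, and move what it reports into the avast! chest rather than deleting outright, as mauserme advised. Disabling AutoRun for removable drives (the NoDriveTypeAutoRun policy value) is the separate hardening step that stops the USB side of this.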

Offline polonus

Re: Win32:Solow (Malware)
« Reply #7 on: May 08, 2007, 11:28:08 PM »
Hi Infotronis.

Excellent exposé. Will be helpful to many. Nothing wrong with your English there.
Con Dios,

polonus

mauserme

  • Guest
Re: Win32:Solow (Malware)
« Reply #8 on: May 09, 2007, 03:19:14 AM »
In addition to what Infotronis posted, I would run an F-Secure online scan:

http://support.f-secure.com/enu/home/ols.shtml

From the VirusTotal results it looks able to identify the malware, and it might help find files that could otherwise stay hidden.

MeDIeVaL

  • Guest
Re: Win32:Solow (Malware)
« Reply #9 on: May 09, 2007, 05:00:48 AM »
Quote from: Infotronis on May 08, 2007, 06:54:37 PM

It sounds just like the virus I had a few days ago.

You could try to follow these steps to clean the virus.

1. Start Windows in safe mode.
2. Stop a process in memory called wscript.exe using the Task Manager.
3. Go to My Computer and open your hard disk (C:).
4. Go to Folder Options and disable the "hide system files" option.
5. You will now see several files named autorun (.exe .bat .inf .reg .vbs) in the root of your hard disk. You must delete them.
6. Then you have to go looking for the same files in other folders; they are almost always in C:\Windows\system32\, but I have read that some variant hides a folder of itself.

Then restart the system. You should clean your USB flash disks too, but don't let them open with the AutoRun option. Open Windows Explorer, plug in the USB flash disk and you will see the same autorun files in the root. On common USB flash disks you can delete them all, but you can keep the autorun.inf and look inside it first to be sure.

If that doesn't work, you could still have the virus in some other folder and will have to do a search.

Hope this helps you; I know this virus can be a real problem.

PS: sorry for my mistakes, I have Windows XP in Spanish so I don't really know the menu names in English ;)


I've done all the steps you've mentioned and I've deleted all the suspicious scripts related to autorun.inf. I've even deleted some registry keys pointing to ms32dll.dll.vbs, but the problem recurred last night...


mauserme

  • Guest
Re: Win32:Solow (Malware)
« Reply #10 on: May 09, 2007, 05:49:28 AM »
Have you tried the online scan yet?

After running F-Secure, please download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open: Main.txt
Extra note: when running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder in your next reply. The log will be long, so use multiple posts if needed.

MeDIeVaL

  • Guest
Re: Win32:Solow (Malware)
« Reply #11 on: May 10, 2007, 07:13:19 AM »
Thanks for helping, everyone. It seems that my PC is clean now. No more warnings from avast!  ;)

mauserme

  • Guest
Re: Win32:Solow (Malware)
« Reply #12 on: May 10, 2007, 01:32:45 PM »
How did you clean it?  Please let us know as this will help others with the same problem.