Okay, so the past month has been a blissful blur (quite redundant) of case presentations, research proposals and duties. Due to the huge number of requirements, several of which are group work, USBs are used often. A USB can travel from one laptop to another, even to the dreaded public internet shop. Most often, this results in your USB's infection.
One of the more prevalent viruses I have seen on campus and at the nearby computer shops is the sowar.vbs virus.
So what does this virus do to your computer?
- it changes the name of the Internet Explorer Browser to SoWar Browser (or something similar)
- it also changes your homepage to redtube.com (a porn site) [you can't change this manually w/o removing the virus first, as far as I know]
- it DISABLES you from accessing the TASK MANAGER and REGISTRY EDITOR. This of course makes it a bit harder to remove the virus.
- it reruns itself when you restart the PC
So how do you get rid of this virus permanently?
METHOD 1
I found this on a site, but this was not the method I used. I'll place it here so you can check out if it works for you.
It is a virus. To remove it, follow these steps:
1. load command prompt
2. go to root directory (eg. C
3. Type: attrib -s -h -r -a autorun.inf, then press Enter
4. Type: dir then press Enter. This will display if Autorun file is present.
5. Type: del autorun.inf, then press Enter
6. Search for and remove sowar.vbs, SysRes.vbs, Cool USEP Scandal.vbs
7. You may need to change the directory to root of C:, type: cd \, then press Enter
8. Type: attrib sowar.vbs.* -s -h -r -a, then press Enter
9. Type: dir /s sowar.vbs, then press Enter
10. If the file is present, type: del sowar.vbs, then press Enter
11. Repeat the above commands for each drive on your computer including your flash/usb drive.
12. Repeat these instructions to search for and delete SysRes.vbs, Cool USEP Scandal.vbs on each drive if present.
13. Exit the command prompt by typing “exit” and reboot your computer.
METHOD 2
Okay, so this is what I did. (Thanks to the mighty help of the internet.)
*Note: This is a compilation of various methods I found on the web; I didn't find out about this by myself.
1.) Go to My Computer or My Documents, open the Tools menu, then go to Folder Options. Under the View tab, make sure that Show hidden files is checked and uncheck Hide protected operating system files.
2.) Open each drive by right-clicking it and selecting Open/Explore. DO NOT DOUBLE CLICK! (Double-clicking can trigger autorun.inf and run the script again.) Delete autorun.inf and SoWar.vbs (press Shift+Delete) on all drives, including external drives. Then open the folder C:\WINDOWS and delete the SoWar.vbs inside (press Shift+Delete).
3.) Download Process Explorer here. Once you have downloaded and run Process Explorer, search for the process wscript.exe. TERMINATE this process.
4.) Download RRT.exe, also known as the Remove Restrictions Tool. Run it and remove the restrictions on Registry Tools and Task Manager by checking them and clicking Apply/Remove.
5.) Now, go to your Start menu and click Run. Type in regedit or regedit.exe
6.) Since this virus replicates itself upon start-up you should go to Run (again) then type msconfig. In the Startup tab, disable or remove Sowar.vbs
7.) Restart your computer. Update your antivirus, antimalware/spyware program, then do a full scan.
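Both methods start by looking for autorun.inf and the .vbs files in the root of every drive. The following read-only Python script is an added example, not part of the original post or the sites it draws on: it lists those files in a drive root and shows which commands an autorun.inf would launch. The sample drive contents, the function names and the list of script extensions are constructed for illustration.

```python
import os
import re
import tempfile

# File names from the removal steps on this page (matched case-insensitively).
KNOWN_NAMES = {"sowar.vbs", "sysres.vbs", "cool usep scandal.vbs"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".wsf")  # assumed list of script types
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")  # keys that start a program


def autorun_targets(inf_path):
    """Return the commands an autorun.inf asks Windows to launch."""
    targets = []
    with open(inf_path, "r", errors="replace") as fh:
        for raw in fh:
            key, _, value = raw.strip().partition("=")
            if LAUNCH_KEY.fullmatch(key.strip().lower()):
                targets.append(value.strip())
    return targets


def scan_drive_root(root):
    """Read-only check of one drive root; returns sorted (kind, detail) findings."""
    findings = []
    for entry in os.scandir(root):  # also lists hidden and system files
        name = entry.name.lower()
        if not entry.is_file():
            continue
        if name in KNOWN_NAMES:
            findings.append(("known-script", entry.name))
        elif name == "autorun.inf":
            for cmd in autorun_targets(entry.path):
                scripted = cmd.lower().endswith(SCRIPT_EXTS) or "wscript" in cmd.lower()
                findings.append(("autorun-script" if scripted else "autorun-entry", cmd))
    return sorted(findings)


def build_sample(root):
    """Constructed sample: a fake drive root made of harmless text files."""
    inf = "[autorun]\nopen=wscript.exe SoWar.vbs\nshell\\open\\command=explorer.exe\nicon=x.ico\n"
    for name, text in (("autorun.inf", inf), ("SoWar.vbs", "' placeholder\n"), ("notes.txt", "hi\n")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:  # stand-in for a USB drive root
        build_sample(drive)
        print(scan_drive_root(drive))
```

To check a real drive, call `scan_drive_root` with its root path; the script only reads and never deletes anything.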
Lastly, always remember that prevention is better than cure. 
Hope this helps. If you have any problems, feel free to interchange the sequencing of the steps.