My system is infected with vb.asd worm?

In the Internet Properties dialog box the default page is set to the link www.coolpics.net. I already run AVG software. I am fed up with this link. Kindly help… Urgent.

2 Responses to my system is infected with vb.asd worm,?

  1. belgian_malinois_7

    Try this link for updates to AVG software and useful info on your worm

    http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=228782&start=0

    HTH


  2. Hello,
    It seems that you have been infected with the VB.ASD worm (as can be detected by AVG), also known as the W32.Sohanad.AG variant, caused by infected lsass.exe, worm2007.exe and/or New Folder.exe. (By the way, lsass.exe is a legitimate Windows system file; the worm has just infected it.) Here are some common symptoms (you may have a few, some or all of these symptoms if you are infected):

    -Internet Explorer default webpage cannot be changed and is locked to a webpage (sometimes an adult page or for example thecoolpics.something)
    -Norton Anti-Virus or McAfee don’t work and/or neither does Trend Micro’s HouseCall … ActiveX controls seem disabled
    -System Restore, Regedit, Task Manager don’t work
    -Run in Start Menu and Tools>Folder Options… in Windows Explorer are both disabled
    -Firefox (if installed) is deleted on startup
    -On shutdown, End now dialog opens regarding lsass.exe
    -IM Apps (Yahoo Mssgr, Windows Live) don’t work properly
    -New Folder.exe appears in the C drive, and BOOT.exe and a corresponding autorun.inf that loads it appear on removable flash drives

    These are the steps I took to remove this worm:

    1. Run AVG Anti-Virus Free Edition (get it here: http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=aff ) twice and then once in safe mode to ensure that the process lsass.exe and other VB.ASD infected programs (which have been corrupted by the worm) are taken care of.
    2. On bootup, Windows should pop an error saying it can’t find lsass.exe, which is a good sign since it means that AVG has removed the infected lsass.exe.
    3. Open Notepad and save the following script as sohanad_ag_remover.vbs

    You can download the script file from http://www.geocities.com/jsmaster25/sohanad_ag_remover.txt , just rename it to sohanad_ag_remover.vbs :

    4. Run sohanad_ag_remover.vbs. You will probably have to disable the anti-scripting features of anti-virus software in order to run the script properly.
    5. Restart the computer.

    6. Optional but highly suggested: Have your Windows CD ready and in the Run Command (which should appear in the Start Menu now) type:
    sfc /scannow
    This is Windows’ built-in system file checker. Since important files were affected by the worm, it will attempt to restore fresh copies of them from the CD.

    Also, the worm has deleted firefox.exe if you have Mozilla Firefox installed so you will probably have to reinstall it. As well, just double check if all the applications that are supposed to run on startup are doing so properly since the worm probably messed with those as well; reinstall those programs if necessary.

    The worm should now be removed. Here’s how you can check:
    -Internet Explorer should have as a default webpage google.com and you should be able to change it
    -There is a Run option in the Start Menu, Tools>Folder Options in Windows Explorer
    -System Restore, Regedit, Task Manager should work
    -IM Apps (Yahoo, Windows live) should work properly
    -No missing lsass.exe error on startup
    -ActiveX controls should work again

    How to avoid this problem again???

    -Use Mozilla Firefox or the new IE7, install critical updates to Windows, be wary of files sent across Instant Messaging applications like Yahoo Messenger or Windows Live, scan your computer with anti-virus and anti-spyware, or just use Linux!

    -Hope this helps,
    Jsmaster25 – jsmaster25 [At] yaHoo (d0t) Ca

    My own research

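The "Here's how you can check" list in the answer above can be scripted. The following PowerShell script is an added example, not part of Jsmaster25's post or of sohanad_ag_remover.vbs; it only reads state and changes nothing. It assumes the disabled Task Manager, Regedit, Run and Folder Options are enforced through the standard Windows policy registry values, which the post does not state.

```powershell
# Added example: read-only check of the state the answer's checklist describes.
# ASSUMPTION: the restrictions are set through the standard Windows policy values
# below; the post does not say which registry values the worm writes.
$sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policies = @(
    @{ Check = 'Task Manager';     Path = $sys; Value = 'DisableTaskMgr' },
    @{ Check = 'Regedit';          Path = $sys; Value = 'DisableRegistryTools' },
    @{ Check = 'Run (Start Menu)'; Path = $exp; Value = 'NoRun' },
    @{ Check = 'Folder Options';   Path = $exp; Value = 'NoFolderOptions' }
)

function Get-RegValue([string]$Path, [string]$Value) {
    # $null when the key or value is absent, which is the normal unrestricted state.
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($item) { $item.$Value } else { $null }
}

function New-Result($Check, $Detail, [bool]$OK) {
    [pscustomobject]@{ Check = $Check; Detail = $Detail; OK = $OK }
}

$results = @(foreach ($p in $policies) {
    $v = Get-RegValue $p.Path $p.Value
    New-Result $p.Check "$($p.Value) = $v" (-not $v)
})

# Home page: the thread reports it locked to a "coolpics" address.
$start = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page'
$results += New-Result 'IE home page' "$start" ($start -notmatch 'coolpics')

# lsass.exe must exist again; the dropped copy named in the post must not.
$lsass = Join-Path $env:SystemRoot 'System32\lsass.exe'
$results += New-Result 'lsass.exe restored' $lsass (Test-Path -LiteralPath $lsass)
$dropped = 'C:\New Folder.exe'
$results += New-Result 'No New Folder.exe' $dropped (-not (Test-Path -LiteralPath $dropped))

# Removable drives (DriveType 2): flag the autorun.inf / BOOT.exe pair from the post.
foreach ($d in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2')) {
    foreach ($f in 'autorun.inf', 'BOOT.exe') {
        $path = Join-Path "$($d.DeviceID)\" $f
        $results += New-Result "No $f on $($d.DeviceID)" $path (-not (Test-Path -LiteralPath $path))
    }
}

$results | Format-Table -AutoSize
if ($results.OK -contains $false) { Write-Warning 'At least one check failed; see the table above.' }
```

An autorun.inf on a removable drive can also be legitimate, so treat that row as a prompt to inspect the file rather than as proof of infection.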
