VBS/Sasan.a.worm

Hello!
I've read through some postings and found that you already helped other guys with this problem, I hope you can help me too.

I've got a Microstar notebook (3 yr old). About a month ago it began to act strangely, the switching on required a password and by switching off there were not the usual pics, but text instead to log off or switch on, etc.
Then one day (2 weeks ago) if I clidked on "own computer", or C: or D: driver, it would not open, because of a missing script file, and also the "task coordinator" (in the CTRL + ALT + Delete section) didn't work, and it appeared a failure message that there's a trojan spyware program on my PC, which can access to my personal data.
I went to the service and they rebooted everything, and gave my a new Panda Pro 2009 program. My PC worked fine for 10 days, without having to enter the password at the beginning, and with the images to switch off.
But 2 days ago I put in a pendrive (memory stick) and I saw two hidden files, and immeaditaly Panda told "C:/.MS32DLL.DLL.VBS file has VBS/Sasan.A.worm, it was cleaned." But the message came up every 2 minutes, again and again, with C and D driver, same worm.
I went to the service again but they couldn't help. Yesterday the Panda program by checking the whole PC found and deleted 3 worms, from the D driver, and the message doesn't come up any more, BUT I again get a failure message of a missing script file by trying to open in Own computer D: driver. (C: can open). And by switching on it asks for the password, and no images, but text instead by switching off, too. So partly the problem seems fixed, but I know that it's still on the computer somewhere! What shall I do? Can you help?
Thank you in advance.
(Sorry for not knowing the exact phrases as I'm Hungarian and I have Windows XP in Hungarian language.)

Thanks!
Ancsi

 

Hello there,

I went through the "Malware removal" "read first" points, installing and running all those different programs.
It did help in a way: now I can access D: driver through "Own computer", but it still asks a password (no password existing, just to click enter while logging in as User) and it still has written texts by switching off, not the three images (if you know what I mean...).
I attach the log files and zip which the programs gave me. You will find a "doc", where I saved the result of the three programs together: SUPERAntiSpyware Scan Log, Spybot – Search & Destroy, and Malwarebytes' Anti-Malware 1.28. (I run the first twice, so you'll find two dates, both today). I hope you'll understand the essential, even if it's in Hungarian...

Thanks for the help so far & I'm looking forward to get your response to the remaining problems. Thanks!
Ancsi

 

Hi there!
Thanks for your reply.
I'm afraid I can attach the same file, because I run MGTools again, but it did not ask me for a licence agreement and there was no pop up window about TrendMicro HijackThis.
I uninstalled Panda for this 20 minutes because I couldn't switch it off (it didn't work with the right-click on the icon), so it surely didn't block it now.

I read the possible error messages, but in the log it only said "Error: The system was unable to find the specified registry key or value" a dozen times.

I don't know why it's incomplete, and I don't know why the HijackThis doesn't come up or asks me for accepting...

I attach the new MGlogs.zip file.

I also think, all those antivirus programs that you suggested managed to clean the PC, but can you tell me how to adjust those 3 small things, that I mentioned, that are not working now the way they were before? (1. By switching on the desktop appeared, I didn't have to press enter for the non-existing password, 2.) by switching off there are not the 3 images, but a text-box where I have to scroll down for restart or log off and 3.) for some reason I can't change the form of the date, which is shown in the desktop, down and right. Before it was "15:44" but now it's 15:44 v1.0. Also in the Outlook it says "12.10.2008. 16:20 v1.0." and I'd love to "delete" this v1.0 and have only the time, but it wouldn't disappear, whatever I try to change.)

If there's a trick how to get the licence's approval request, please let me know.

Thanks for your help!

Aniko

 

"Still did not run properly. Are you using a 64 bit version of Windows?"

I just called the PC-service where they repaired it, and the guy said I'm using a 32 bit version. So I don't know, why MG tools doesn't run properly. :-( Could it be something to do with the firewall? If you have any other idea what to do, I'll try.

As for the small inconveniences:
OK, I listen to you and leave the logon session on by switching on the PC.

As for the time format v1.0 - you are the best! Thanks, I found where to adjust it and now it's just perfect, so much better! Thanks!

The 3rd thing, by switching off: I made two photos and attach them, these are what I can see now. First: "Start menu" I click on "Switch off", then a window appears, where I have to choose from "switch off" or "log off" or "restart PC" or "saver mode". Before the virus attacked the PC, it wasn't like this, but a window with 3 small images symbolizing these different buttons, not written by letters. I hope I could understand it better now. I tried to change the setting to "Start menu" from "Classic start menu" but it didn't make a difference.

And there is one more thing which changed since the virus. Before when I put in a CD then there was a pop up window, and asked what I wanted to do, to open the folders or print the files, etc. Now I have to go to "Own computer" and click on "E:" to open the CD, even if it's a program installation. But it is not a big problem, I just told it to say that it also changed since the malware.

Thanks a lot!

Aniko

 

I have the feeling, something is still not perfect here...
I entered cmd, it opened a window, said C:\Documents and Settings\Owner>
I entered cd\MGtools . It changed to C:\MGTools>
I entered GetRunKey (enter)
Message: "The system doesn't recognize the given name (GetRunKey) as an inner or outer command, runable program or packagefile"
(this is probably a bad translation, but I don't know these PC phrases...)

I entered ShowNew and get the same message, with the name ShowNew in the brackets. So it showed C:\MGTools> again, and I closed the window.

I'll try to follow the other things about the switching off procedure. Thanks!
Aniko

 

Absolutely the same. I get the same error messages twice, that the system doesn't recognize these names (names with bat extension)
I lost some windows file associations? Couldn't there be a connection with that I downloaded Windows Recovery Console when I cleared the PC? By switching on the PC, after the image Pentium 4, the next window shows I can choose between normal mode or the recovery console mode, but if I don't adjust anything, it stays on the "normal mode".
Or should I uninstall those programs that I downloaded by the procedure, like CCleaner, Malwarebytes AM, AntySpyware or ComboFix? I don't know how to make the recovery console disappear though.
Or shall I just take the PC to a service and ask them to reinstall the whole system?

Thanks!
Aniko

 

I clicked on the batch fixing link, saved it, I opened the zip file, then double clicked on the reg file. It asked: "Are you sure you want to add this information to the system describing database?" I click "yes", and it says "The (batch file reg) information was successfully added to the database."
But even then, Run - cmd - MGTools - GetRunkey.bat and ShowNew.bat, it says that the system doesn't recognize these names. :-(

As for the bootable Windows CD, I'm not sure if I have one or not, because I did buy the notebook with an official Windows on it, and got some CDs, Medion HomeCinema, Medion Nero Burning, and there is a Medion Product Recovery CD-ROM Windows XP Home Edition SP1. But I never used it yet, so I'm not sure whether it's all I need to reboot.
As far as I know, you can reboot it in a way, that all your data (images, documents, etc.) stay on the PC, the other way would delete everything and give you a blank new computer. I don't know which way this CD, which I have, works? But I don't want to loose my data...
What do you suggest?
Thanks!
Aniko

 

I brought my PC to a service and let it reinstall again, so now all is new and many programs have been deleted. I just started to go through the Malware read & run capture again, I download all those programs again and will send you the logs I get this time. I hope it runs completely! I will send you the files this evening or tomorrow, depending how long it'll take to scan the system with all new programs.

Aniko

 

Hello! It was reinstalled, but the guy saved my old programs, drivers, files and after the installation he "put" them back to the D: driver.
But I won't run the procedure if you think it's not necessary any more. Before getting your last reply, I downloaded and run CCleaner, SUPERAntySpyware, Spybot S&D and Malwarebytes A-M, and I scanned the PC with all, but none of them found any malware (except some Cookies first).
Thanks for the link about how to protect myself, I read it and kept one of the necessary programs.
One last thing: I understand that you suggest Mozilla FireFox instead of Internet Explorer, but I am used to the Explorer, so I'd prefer to keep this. Before the last reinstallation I had Explorer 7, but I got back the PC with Explorer Version 6.0. Then the next automatic Microsoft update wanted to DL the Explorer 7, but it didn't manage. Since then I tried to download it manually, and after installing it I always get an error message, that it couldn't be installed, and I should restart the computer to delete the changes. I don't understand why I can't get it run.
I think it's not a malware problem, but can you tell me where to turn to with this problem?
Thanks a lot for everything!

Aniko

 

All right, I'll do this, and thanks for telling me about the Internet - Explorer difference
Thanks!
Aniko