infected by naruto.sys.vbs/recycle.sys.vbs [resolved]

To give more info on Ageia.

[quote]Delivering physics in games is no easy task. It’s an extremely compute-intensive environment based on a unique set of physics algorithms that require tremendous amounts of simultaneous mathematical and logical calculations.

This is where NVIDIA

yep, this wscript.exe, i notice it a day before i post this topic.
if i remember correctly, i start getting this wscript thing when i plug & open a USB drive from my friend. i block this wscript.exe from running, but then i can’t open the drive. then i open it via start (right click)/explore.
i don’t get the wscript.exe warning for a while until 2 days ago i’m trying to open my C: drive.

tiffany…
http://img32.picoodle.com/img/img32/3/1/1/f_beatenm_bccc797.gif

oh, where am i, oh yeah the trojan ;D
yes the “recycle.vbs” seems similar. but i still can open task manager, and nothing shows up when i open start/run (it shows only the last thing i opened, like regedit or mspaint, no fishy thing).

edit:
this is the steps to clean it from tiffany’s site (the failed steps):
1) Start Run command, type “regedit” and go to the registry key Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\System. This is to enable the Task Manager. Change the value from ‘1’ to ‘0’.
2) In the Task Manager- Stop the processes named “wscript”
3) Go to C:/Windows/System 32 => Delete file name called “recycle.vbs” (Have to show all hidden files in folder options)
4) Start Run command and go to the registry, go to Edit and Find “recycle” and delete > “Ageia”
5) In the registry, go to Edit and Find “attack” and delete > “http://10.14.133.44” on start page and “::ATTACK::” on windows title.
6) In the registry, go to Edit and Find for “Rahadian” and delete > “Rahadian Restore”

and this is what i do:

  1. skipped(i can still open task manager)
  2. done
  3. can’t find recycle.vbs on system32 folder ???
  4. done
  5. done (i delete the “powerful curse seal”)
  6. skipped

well, the cursed seal has been broken 88) , now my IE seems normal. it shows “about:blank - microsoft internet explorer”.
i deleted wscript.exe but then i get this error message (attached) when i’m trying to open C: or any other drive. why do i need wscript.exe to open things? ??? and why can’t i find this recycle.vbs ???
btw, i’ve finished full scanning with SAS & MBAM, found nothing :o

is it normal to have that error message after removing wscript.exe? perhaps i should get it back? 88)

edit#2:
i copied wscript.exe from my other comp. the cursed seal is coming back >:( , i block every wscript related D+ pop up, but i don’t know why it still manages to change my IE title.
and attachment #2, i got that D+ alert, but can’t find it on regedit ???

now i’m downloading norton security scan 88)

[attachment deleted by admin]

When you looked for recycle.vbs did you enable look for hidden files and folders?

Windows XP
Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

  1. Close all programs so that you are at your desktop.
  2. Double-click on the My Computer icon.
  3. Select the Tools menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Put a checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button and shutdown My Computer.
  10. Now your computer is configured to show all hidden files.

oops, i’ve done those things except unticking the “hide protected system file” (:TNG)
OK. i found the recycle.vbs. delete it. i once again delete the “powerful curse seal” reg entry & restart.
after rebooting, i tried open IE, the cursed seal is gone.
but then i tried double click my C: drive, and got the same “wscript trying to modify recycle.vbs” D+ alert.
i block it, but the cursed seal is back >:(
i’m sure i’ve deleted that recycle.vbs. i can’t find it anymore on system32. but why D+ still alert me of that thing.
oh, norton security scan caught 23 nasties (trojan.zlob…something). but i need to purchase the full product if i want to remove them >:(

does anyone know good scanner for this nasty except SAS & MBAM (those 2 failed), norton (need to buy the full version) & CureIt (freeze my PC)? 88)

Stupid question, but does Avast pick it up?

i’m downloading avast & bitdefender right now. ;D
but i don’t like installing things. is there any portable scanner like DrWebCureIt? but nevermind, i’ll try these two first :stuck_out_tongue:

hey, how do you know the virus name called naruto ???
i’ve just plugged a flashdisk to this comp, and i found autorun.inf & naruto.sys.vbs in it. ???

I think this is what happens:

  • The trojan placed an autorun.inf on your hard drive.

  • If you double click your c drive, it gets executed (uncritical, wscript.exe is a known ms application)

  • The IE titlebar is changed (uncritical)

  • The trojan tries to place itself in your windows system folder (critical)

  • Defense+ reports that wscript tries to modify a file in your system directory (here it would be very nice if D+ would give the possibility to see the command line arguments of wscript, to see which script tries to do so…)

  • This time you cancel it (good)

  • So, be sure to kill all running processes of wscript.exe

  • delete the autorun.inf file(s) on your hard drive(s)

  • delete the autorun entry which executes wscript.exe

  • try to find the .vbs files causing the problems and remove them
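As an added illustration of the mechanism described in the list above (this is code written here, not code from the thread or from Comodo): a small Python checker that parses the [autorun] section of an autorun.inf and flags every directive that would hand control to wscript.exe or to a script file, including right-click Open/Explore verbs and the double-extension names (naruto.sys.vbs, recycle.sys.vbs) mentioned in this thread. The sample autorun.inf contents are constructed, not captured from the infected machine.

```python
import re

# Directives in an [autorun] section that can launch a program when the drive
# is opened; shell\<verb>\command covers the right-click Open/Explore verbs too.
LAUNCH_KEYS = ("open", "shellexecute")
# Windows Script Host invocations (wscript.exe / cscript.exe).
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
# Script file extensions handled by the Script Host.
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
# Double extensions such as naruto.sys.vbs that disguise a script as a system file.
DOUBLE_EXT_RE = re.compile(r"\.\w{2,4}\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_entries(text: str) -> list:
    """List (key, value, reason) for each directive that would run a script."""
    findings = []
    for key, value in parse_autorun(text).items():
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        if SCRIPT_HOST_RE.search(value):
            findings.append((key, value, "invokes the Windows Script Host"))
        elif DOUBLE_EXT_RE.search(value):
            findings.append((key, value, "runs a script hidden behind a double extension"))
        elif SCRIPT_EXT_RE.search(value):
            findings.append((key, value, "runs a script file directly"))
    return findings


# Constructed samples (not captured from the infected machine).
SAMPLE_MALICIOUS = "[autorun]\nopen=wscript.exe naruto.sys.vbs\n" \
    "shell\\open\\command=wscript.exe naruto.sys.vbs\n" \
    "shell\\explore\\command=wscript.exe naruto.sys.vbs\n"
SAMPLE_BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor CD\nopen=setup.exe\n"
```

Run suspicious_entries() over the contents of each drive root’s autorun.inf (after unhiding protected operating system files, as the thread notes) and treat any finding as a reason to remove the file and the script it points at.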

Naruto is a game that has Cursed Seal.

Your friend’s flash drive gave you your problem.

I would suggest you post your HijackThis log on a good specialist help forum and let them guide you as just trying different scanners could take forever.

Some of those forums are very busy and you would have a long wait, so I suggest:
http://forum.securitycadets.com/index.php?s=82a5c8907a3400bae1821a1361c6b84d&showforum=2

This one is small but has very good helpers. You would need to register.

update! :-La
after knowing my system is attacked by fellow ninja naruto.

  1. i reboot in safe mode
  2. i use “search”, and look for “naruto” & delete all of it.
  3. i use regseeker to find “naruto” reg.entry & delete them.
  4. once again, i remove the “powerful seal” entry via regedit
    HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cursed Seal is The Powerful

reboot in normal mode. and i think my PC’s fine now :BNC
i am soooo KEWL! (:KWL)

wow heey, i was just pushing my luck playing with reg.entry & deleting stuff, but it seems my way of gut+luck+del is similar to your suggestion ;D

hmm, i was suspicious about my friend’s flashdisk. i knew there’s a big chance that flashdisk has malware in it. but since i need to open it (and i think i have D+), i still open it (i was thinking, should any executable wants to run, i’ll block it). and i remember D+ alert me about the same wscript.exe (and i blocked it). but why this naruto can still enter my system ??? pretty sneaky huh? ???

anyway, i’ve finished installing bitdefender. i’m updating it right now. i’ll post my result later.
thx James :-TU & thx to all.

oh did i mention I AM SO KEWL already?
i am so KEWL! (:KWL)

Trojan.Zlob is a Trojan that allows the remote attacker to perform various malicious actions on the compromised computer. There are many variations of it.

Suggest you do that Norton scan again to see if you got all of it.

Maybe you should consider adding “c:\autorun.inf” to “My Protected Files” (that would have prevented wscript.exe from writing to c:\autorun.inf, the same way access to your system directory was blocked) or disabling the autorun feature for hard drives.
Probably you allowed wscript sometimes later, when you double clicked your hard drive icon.

i deleted all autorun.inf i found yesterday 88)
oh, and i’ve disabled autorun function from Disk & removable drive long time ago using “tweakUI”.

errr, i remove norton & delete the installer as soon as i notice it won’t clean anything (:TNG)
i’m redownloading right now. could take a while.
btw, finished scanning with bitdefender, found nothing :■■■■
i’ll post my result with norton after i finish scanning. thx a lot guys

Then I don’t understand, why the script got executed, when you inserted the flash drive or double clicked your hard drive. This is typically autorun behaviour!

oh, sorry, i didn’t disable on the hard drive part. i disabled removable disk & disk (CD/dvd) drive.

hmm, maybe i accidentally allowed it after i plugged in the flash disk? perhaps that’s why that recycle.sys.vbs (naruto.sys.vbs) can enter my comp? :-X

Ok, is it cracked game or porn this time?

How many times have I warned you in the past about those hot XP theme modifiers?
https://forums.comodo.com/general_discussion_off_topic_anything_and_everything/desktop_background_and_theme-t10627.0.html;msg166751#msg166751

https://forums.comodo.com/general_discussion_off_topic_anything_and_everything/free_usefull_programs-t1639.0.html;msg170914#msg170914

https://forums.comodo.com/general_discussion_off_topic_anything_and_everything/what_are_these_invalid_registry_entries-t26930.0.html

https://forums.comodo.com/general_discussion_off_topic_anything_and_everything/directed_to_sweetim_search_page_resolved-t26685.0.html

You need to uncurse the seal with a similar technique like the Finger Engraving Seal aka (Gogyou Kaiin) that was applied to Naruto

soya >:(
it really is a malware from my friend’s flashdisk!

update:
finished scan with Norton security scan. no virus found (:HUG)

i’m gonna lock this topic now. thx everyone (except soya >:( ) :■■■■

With friends like those, who needs hackers (:TNG). It’s deja vu again.

Traitor 88)

Yeah, trust Norton, let the malware spread around :slight_smile:
Great friends you have btw :-TU

Xan

Or it’s a nice Rootkit and Norton can’t find it any more,
have you tried running a scan with GMER and/or Rootrepeal ?

http://www.gmer.net/gmer.zip