One type of USB pen / flash drive virus is a trojan worm written in VBScript. It adds an Autoplay or “Auto” option to all drives in the computer, affecting C:, D:, E: and so on.

It changes the Internet Explorer homepage to http://www.lastchaos.in.th/

It also puts “Hacked by MOOzilla” in the Internet Explorer title bar.

So the title reads “Google - Hacked by MOOzilla” or “MySpace - Hacked by MOOzilla”.

This is in addition to infecting the pen drive (USB flash drive) with the same “autorun” and “autoplay” entries.

To remove the infected files, you don’t have to send the drive to authorised service personnel or buy a new USB drive!

You just have to delete the “autorun.inf” and “IISdll.dll.vbs” files from the USB drive and the hard drive and kill the process “wscript.exe”.

When you press Ctrl-Alt-Del (the three finger exercise: Control + Alt + Delete), the Task Manager opens and shows you the programs which are running. Click “Processes” in the Task Manager.

Select “wscript.exe” and click “End Process”.

wscript.exe is not a virus, but the normal Windows Script Host program, which runs Windows scripts written in VBScript. The virus is also programmed in VBScript and runs under wscript.exe, so the process has to be stopped, but the file must not be deleted.

Right-click and open the drives and delete the files “autorun.inf” and “IISdll.dll.vbs”.

These files may not be visible (they are set as hidden files and system files), so if you don’t see them,

go to Tools > Folder Options… > View

Choose “Show hidden files and folders” in “Hidden files and folders”

And remove the tick from “Hide protected operating system files (Recommended)”

Now, when you go to the drives (ALWAYS RIGHT CLICK AND OPEN - NEVER DOUBLE CLICK),

you can see and delete the files autorun.inf and IISdll.dll.vbs

In most computers there is also a copy of the virus in the Windows directory, “C:\Windows\IISDLL.dll.vbs”. You can delete it with this command (it deletes the virus from your Windows folder):
del %windir%\IISDLL.dll.vbs

Then you should clean the registry too, at these places.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\”Window Title”

Another way to do it is like this.

Search each partition (include hidden and system files) for:

kernel32.dll.vbs and autorun.inf

Delete both files.

Also open cmd and type the following command:
del %windir%\IISDLL.dll.vbs

Then go to Start -> Run and type regedit

  1. Navigate to and delete the following entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”kernel32″ = “%WinDir%\kernel32.dll.vbs”
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\”Window Title” = “Hacked by 8BITS”
    HKEY_CURRENT_USER\Software\Microsoft\”nFlag” = “[NUMBER OF TIMES SCRIPT HAS RUN]”
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\”Start Page” = “about:_______________________________________:Hacked_By_8BITS:_______________________________________”
  2. Restore the following registry entry to its original value, if required:
    HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\”Timeout” = “0″

The next step is to delete IISDLL.dll.vbs, kernel32.dll.vbs and autorun.inf from your USB drive.

Reboot in normal mode. (Remember to check the boot.ini settings if you followed the msconfig method to boot into safe mode.)


Or you can do this!
*** Remember not to double-click any drive ***
*** Shut down your PC, insert the USB drive
*** Start your PC normally
1. Download Pocket KillBox (killbox.exe) and copy it to your desktop: http://download.bleepingcomputer.com/spyware/KillBox.zip
2. Fix these with HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lastchaos.in.th/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by MOOzilla
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\IISDLL.dll.vbs

3. Double-click Killbox

– Click “delete on reboot”
– Click “all files”
– Highlight the files below, right-click and copy:

C:\WINDOWS\IISDLL.dll.vbs
C:\autorun.inf
X:\autorun.inf
X:\IISDLL.dll.vbs

X = the letter of USB drive

– Go to Killbox, click File >> Paste from clipboard, then click the “red cross” to delete. It will prompt to delete the next file; click delete until the last one, then click “Yes” to restart.

Restart normally.
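
To confirm that a cleanup like the ones above is complete, each drive root and the Windows directory can be re-checked for the two file indicators this page names: an autorun.inf that launches a script, and a script file with a double extension such as IISdll.dll.vbs or kernel32.dll.vbs. The following Python sketch is an added example, not part of the original post; the function names are hypothetical, and the autorun.inf content in `demo()` is constructed, on the assumption that the worm's autorun.inf uses the standard `open`, `shellexecute` or `shell\<verb>\command` keys.

```python
import re
import tempfile
from pathlib import Path

# Windows Script Host extensions, as hidden in a name like "IISdll.dll.vbs".
SCRIPT = re.compile(r"\.(vbs|vbe|js|jse|wsf)(?![\w.])", re.I)
# autorun.inf keys that name a program to launch.
LAUNCH_KEY = re.compile(r"(open|shellexecute|shell\\[^\\=]+\\command)", re.I)


def autorun_commands(text):
    """Return the command strings an autorun.inf asks Windows to launch."""
    cmds = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and LAUNCH_KEY.fullmatch(key.strip()):
            cmds.append(value.strip())
    return cmds


def scan_root(root):
    """Return (kind, file name, detail) findings for one drive root."""
    findings = []
    for path in sorted(p for p in Path(root).iterdir() if p.is_file()):
        if path.name.lower() == "autorun.inf":
            for cmd in autorun_commands(path.read_text(errors="replace")):
                if SCRIPT.search(cmd):
                    findings.append(("autorun-launches-script", path.name, cmd))
        elif SCRIPT.search(path.name) and path.name.count(".") >= 2:
            findings.append(("double-extension-script", path.name, ""))
    return findings


def demo():
    """Scan a constructed 'infected' root built in a temporary directory."""
    files = {  # constructed sample content, not copied from the worm
        "autorun.inf": "[autorun]\nopen=wscript.exe IISdll.dll.vbs\n"
                       "shell\\open\\command=wscript.exe IISdll.dll.vbs\n",
        "IISdll.dll.vbs": "' placeholder text\n",
        "notes.txt": "clean file\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            (Path(root) / name).write_text(body)
        return scan_root(root)


if __name__ == "__main__":
    print(demo())
```

On a real machine, call `scan_root` on each drive root (for example `scan_root("E:\\")`) and on the Windows directory; an empty list means neither indicator is present there.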