Task Manager


One type of USB pen drive / flash drive virus is a trojan worm written in VBScript. It adds an Autoplay or “Auto” option to all drives in the computer, affecting C:, D:, E: and so on.

It changes the Internet Explorer homepage to http://www.lastchaos.in.th/

It also puts “Hacked by MOOzilla” in the Internet Explorer title,

so page titles appear as “Google - Hacked by MOOzilla” or “MySpace - Hacked by MOOzilla”.

This is in addition to infecting the pen drive (USB flash drive) with the same “autorun” and “autoplay” entries.

To remove the infected files, you don’t have to send the drive to authorised service personnel or buy a new USB drive!

You just have to kill the process “wscript.exe” and delete the “autorun.inf” and “IISdll.dll.vbs” files from the USB drive and the hard drive. The steps are below.

When you press Ctrl-Alt-Del (the three-finger exercise: Control + Alt + Delete), the Task Manager runs and shows you the programs which are running. Click “Processes” in the Task Manager.

Select “wscript.exe” and click “End Process”.

wscript.exe is not a virus. It is the normal Windows Script Host, which runs Windows scripts written in VBScript. But the virus is also programmed in VBScript and runs under wscript.exe, so the process has to be stopped but the file must not be deleted.

Right click and open the drives and delete the files “autorun.inf” and “IISdll.dll.vbs”.

These files may not be visible (they are set as hidden files and system files), so if you don’t see them,

go to Tools > Folder Options… > View

Choose “Show hidden files and folders” in “Hidden files and folders”

And remove the tick from “Hide protected operating system files (Recommended)”

Now, when you go to the drives (ALWAYS RIGHT CLICK AND OPEN - NEVER DOUBLE CLICK),

you can see and delete the files autorun.inf and IISdll.dll.vbs.

There is also a copy of the virus in the Windows directory, “C:\Windows\IISdll.dll.vbs”, on most computers. Delete it as well, or just run this command: del %windir%\IISDLL.dll.vbs (it deletes the virus from your Windows folder).

Then you should also clean the registry at these locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ (the “Window Title” value)
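
The cleanup steps above as a PowerShell script. This is an added example, not code from the original post; it assumes an elevated prompt, and that the worm's autorun.inf names the script (an autorun.inf that does not is only listed for review). MountPoints2 is left for manual review, since the post does not say which entries to clear.

```powershell
# Added example: audit the artefacts named above; changes are made only with -Remove.
param([switch]$Remove)

$worm   = 'IISdll.dll.vbs'   # script name from the write-up
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# 1. Stop the script host first so a running copy cannot rewrite the files.
$procs = @(Get-Process -Name wscript -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    Write-Output "running: wscript.exe (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Candidate paths: the root of every drive, plus the copy in the Windows directory.
$paths = @(Join-Path $env:windir $worm)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $paths += Join-Path $drive.Root 'autorun.inf'
    $paths += Join-Path $drive.Root $worm
}
foreach ($path in $paths) {
    # -Force is needed because the files are marked Hidden and System.
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $file) { continue }
    $flagged = $true
    if ($file.Name -eq 'autorun.inf') {
        # Assumption: the worm's autorun.inf names the script; others may be installer media.
        $lines   = @(Get-Content -LiteralPath $path -Force)
        $flagged = [bool]($lines -match [regex]::Escape($worm))
    }
    $label = if ($flagged) { 'found' } else { 'review' }
    Write-Output "${label}: $path [$($file.Attributes)]"
    if ($Remove -and $flagged) { Remove-Item -LiteralPath $path -Force }
}

# 3. Run entries that launch the script, and the Internet Explorer title override.
$key = Get-Item -LiteralPath $runKey
foreach ($name in $key.GetValueNames()) {
    if ("$($key.GetValue($name))" -like "*$worm*") {
        Write-Output "run entry: $name = $($key.GetValue($name))"
        if ($Remove) { Remove-ItemProperty -LiteralPath $runKey -Name $name }
    }
}
$title = (Get-ItemProperty -LiteralPath $ieMain -ErrorAction SilentlyContinue).'Window Title'
if ($title) {
    Write-Output "IE Window Title: $title"
    if ($Remove) { Remove-ItemProperty -LiteralPath $ieMain -Name 'Window Title' }
}
```

Run it once without -Remove to see what it reports, then again with -Remove once the list looks right.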


I saw this file OfcpfSvcs.exe running in the processes tab of Windows Task manager.

Looks suspicious - I’m not going to trust any file which I can’t confirm is a system file. Especially if it’s run by the user or admin and not system.

Maybe it’s a malicious virus which gets into all your pen drives and hangs your computers and destroys your data. Or maybe it’s just a harmless system file which runs in some computers alone. Because I checked in another computer with the exact same configuration of software and this was not there.

Definitely a suspicious file - probably a virus. I’m killing it.

Die OfcpfSvcs.exe die.

There - gone. Now I can safely run the virus scan and see if the antivirus can detect it.

Here, use Norton Antivirus and AntiSpyware free versions from Google. It’s not a time-limited trial version. Select the software you want from Google Pack - Firefox, Norton Antivirus, Google Earth, ... Use the antivirus well.

Antivirus software is absolutely essential. Use it.
