HELP - the VBS/Butsur virus

[Aporosa]

I have an iomega external HD. I used it to get some files off a mates computer. When I reconnected it to my laptop, AVG detected the VBS/Butsur virus, so I used AVG to HEAL the virus. But then when I tried to open the ext HD, a window came up saying "Can not find script file F:\MS32DLL.dll.vbs"
I looked on the AVG website and there is no mention of the VBS/Butsur virus???
On the net there are a few references to VBS/Bursur, and it says it originated in Thiland in Dec 2006 and normally attaches itself to .avi files.
PLEASE HELP as I need to access the data on the ext HD, but dont want the virus on my laptop.
Please use meathead language as I'm new to this. Cheers

[Speedy Gonzales]

It is also known by other names.

It looks like Symantec calls it Zodgila

Its says to:

1. Click Start > Run.
2. Type regedit
3. Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool and then continue with the removal.

4. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run

5. In the right pane, delete the value:

"MS32DLL" = "%Windir%\MS32DLL.dll.vbs"

6. Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

7. In the right pane, delete the value:

"Window Title" = "Hacked by[REMOVED]"

8. Exit the Registry Editor.

It doesn't attach itself to avi files, it copies itself to removable drives.

[Aporosa]

Speedy, thanks heaps, but 1 problem so far, I tried to downlad the TOOL and a window opened with this:

[Version]
Signature="$Chicago$"
Provider=Symantec

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""% 1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""% 1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""% 1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""% 1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"reg edit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""% 1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies \System,DisableRegistryTools,0x00000020,0

BUT NO PROOGRAMME. The instructions says it should be an executable programme. Can you assist please

[Speedy Gonzales]

Speedy, thanks heaps, but 1 problem so far, I tried to downlad the TOOL and a window opened with this:

[Version]
Signature="$Chicago$"
Provider=Symantec

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""% 1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""% 1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""% 1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""% 1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"reg edit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""% 1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies \System,DisableRegistryTools,0x00000020,0

BUT NO PROOGRAMME. The instructions says it should be an executable programme. Can you assist please

Right mouse on the Symantec link I posted and select save as, and then save it to the desktop.

Then follow the rest of the steps as stated on the Symantec site. ie:

# Locate the download file, either on the Windows desktop or the floppy disk.

# Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)

# Follow any other instructions for the threat that you are trying to remove.

Its not an executable / exe file, its an inf file.

Once u download it, you right mouse / select install.

[Aporosa]

Hi Speedy, I followed all of the instructions as stated. The "tool" was not required and I was able to enter the registry editor. BUT, there was no "MS32DLL" = "%Windir%\MS32DLL.dll.vbs" OR "Window Title" = "Hacked by[REMOVED]" to remove.
Why do I feel panicy??????
Any further ideas PLEASE. Cheers

[Speedy Gonzales]

Cant be in the system then.

Try trojan remover

From here

Did u go into the registry and look for those entries?

Click on scan first then go to the utils menu and select the 3rd to 7th option here as well.

[Aporosa]

Speedy,
Thanks for your help, I really appreciate it.
I'm currently downloading the trojan remover (on my budget dial-up).

Re question "Did u go into the registry and look for those entries?"

I followed these steps
1. Click Start > Run.
2. Type regedit
3. Click OK. and then navigated the subkeys. I even went back and double checked to make sure I had got it right, but they were not there???

Unless you have any other ideas, I will get back to you once I have run the trojan remover. Cheers, A

[Speedy Gonzales]

No prob.

No other ideas yet. Does AVG still pick it up??

Do a search for the files relating to it. If they appear delete them.

You may have to show all files.

[Aporosa]

Hi Speedy AND ANYONE ELSE WITH AN IDEA,

As suggested, I ran the Trojan Remover and it located two files in the HKEY_LOCAL directory, but it was not "MS32DLL" = "%Windir%\MS32DLL.dll.vbs" or "Window Title" = "Hacked by[REMOVED]". I used the Trojan Remover to fix those suspect files. Also, as suggested, I ran “options 3 and 7” (resetting Internet Explorer etc).

I then rebooted and tried again to access my ext HDD, but still no luck, and only got the window (again) saying "Can not find script file F:\MS32DLL.dll.vbs".

I have just run AVG again, checking both the Ext HDD and my laptop HDD, but no viruses were found. The interesting thing is, AVG is able to scan all the files on the ext HDD (and you can see the files running on the bttom bar of the AVG scanner), so why can AVG get into the ext HDD, but I cannot access it through My Computer?

Also, I searched for those files "MS32DLL" = "%Windir%\MS32DLL.dll.vbs" and "Window Title" = "Hacked by[REMOVED]" using the search system, and did it AFTER I changed the “Folder Options” to “show all hidden files”. Those files are not on my system.

So, that brings us full circle back to the window saying, "Can not find script file F:\MS32DLL.dll.vbs". Can I simply replace this script?? or what ever it is, and fix the problem?

Man, I’m 4 days away from finishing my Masters thesis, and this has seriously stuffed things up. Again, your assistance would be grateful.

Cheers

[Speedy Gonzales]

You don't WANT MS32DLL.dll.vbs since it's part of a worm.

It must be in startup somewhere, why its trying to look for this file

Run msconfig and look in the startup tab, see if there's an entry for it here.

Or use ccleaner and look under tools/startup tab. If that entry is there highlight it and delete it. Then reboot.