  1. #1
    Junior Member
    Join Date
    Feb 2005
    Posts
    245

    Default HELP - the VBS/Butsur virus

    I have an iomega external HD. I used it to get some files off a mate's computer. When I reconnected it to my laptop, AVG detected the VBS/Butsur virus, so I used AVG to HEAL the virus. But then when I tried to open the ext HD, a window came up saying "Can not find script file F:\MS32DLL.dll.vbs"
    I looked on the AVG website and there is no mention of the VBS/Butsur virus???
    On the net there are a few references to VBS/Bursur, and it says it originated in Thailand in Dec 2006 and normally attaches itself to .avi files.
    PLEASE HELP as I need to access the data on the ext HD, but don't want the virus on my laptop.
    Please use meathead language as I'm new to this. Cheers

  2. #2
    Member
    Join Date
    Dec 2004
    Location
    NZ
    Posts
    44,851

    Default Re: HELP - the VBS/Butsur virus

    It is also known by other names.

    It looks like Symantec calls it Zodgila

    It says to:

    1. Click Start > Run.
    2. Type regedit
    3. Click OK.

    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool and then continue with the removal.

    4. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    5. In the right pane, delete the value:

    "MS32DLL" = "%Windir%\MS32DLL.dll.vbs"

    6. Navigate to the subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    7. In the right pane, delete the value:

    "Window Title" = "Hacked by[REMOVED]"

    8. Exit the Registry Editor.

    It doesn't attach itself to avi files, it copies itself to removable drives.

  3. #3
    Junior Member
    Join Date
    Feb 2005
    Posts
    245

    Default HELP - the VBS/Butsur virus - ATTN: Speedy Gonzales

    Speedy, thanks heaps, but 1 problem so far, I tried to download the TOOL and a window opened with this:

    [Version]
    Signature="$Chicago$"
    Provider=Symantec

    [DefaultInstall]
    AddReg=UnhookRegKey

    [UnhookRegKey]
    HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0

    BUT NO PROGRAMME. The instructions say it should be an executable programme. Can you assist please

  4. #4
    Member
    Join Date
    Dec 2004
    Location
    NZ
    Posts
    44,851

    Default Re: HELP - the VBS/Butsur virus - ATTN: Speedy Gonzales

    Quote: Originally Posted by Aporosa
    Speedy, thanks heaps, but 1 problem so far, I tried to download the TOOL and a window opened with this:

    [Version]
    Signature="$Chicago$"
    Provider=Symantec

    [DefaultInstall]
    AddReg=UnhookRegKey

    [UnhookRegKey]
    HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0

    BUT NO PROGRAMME. The instructions say it should be an executable programme. Can you assist please

    Right mouse on the Symantec link I posted and select save as, and then save it to the desktop.

    Then follow the rest of the steps as stated on the Symantec site. ie:

    # Locate the download file, either on the Windows desktop or the floppy disk.

    # Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)

    # Follow any other instructions for the threat that you are trying to remove.

    It's not an executable / exe file, it's an inf file.

    Once u download it, you right mouse / select install.
    Last edited by Speedy Gonzales; 17-01-2007 at 03:22 PM.
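
What the UnHookExec.inf text quoted in posts #3 and #4 asks Windows to write when it is installed, decoded line by line. This is an added example, not part of the original posts and not Symantec's code; the function names are hypothetical, the flags field is shown raw rather than interpreted, and the sample text assumes `%1`, `regedit.exe` and `Policies\System` are written without embedded spaces.

```python
import csv
# UnHookExec.inf as quoted in the thread (assumed free of embedded spaces).
UNHOOK_INF = r'''[Version]
Signature="$Chicago$"
Provider=Symantec

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
'''
ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

def split_sections(text):
    """Map lower-cased section name -> its non-empty, non-comment lines."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif line and not line.startswith(";") and current is not None:
            current.append(line)
    return sections

def addreg_actions(text, install_section="DefaultInstall"):
    """Follow AddReg= from the install section and decode each registry line."""
    sections, actions = split_sections(text), []
    for directive in sections.get(install_section.lower(), []):
        name, _, targets = directive.partition("=")
        if name.strip().lower() != "addreg":
            continue
        for target in targets.split(","):
            for line in sections.get(target.strip().lower(), []):
                # Line shape: root, subkey, value name, flags, data ("" = literal quote)
                fields = next(csv.reader([line], skipinitialspace=True))
                root, subkey, vname, flags, data = (fields + [""] * 5)[:5]
                actions.append({"key": ROOTS.get(root, root) + "\\" + subkey.strip(),
                                "value": vname.strip() or "(Default)",
                                "flags": flags.strip(), "data": data})  # flags kept raw
    return actions

for a in addreg_actions(UNHOOK_INF):  # print each decoded registry write
    print(f'{a["key"]}\n    {a["value"]} = {a["data"]}')
```

Each decoded entry either sets the default open command for one file class (bat, com, exe, pif, reg, scr) or writes 0 to DisableRegistryTools, which is why the download opens as text rather than running as a program.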

  5. #5
    Junior Member
    Join Date
    Feb 2005
    Posts
    245

    Default Re: HELP - the VBS/Butsur virus

    Hi Speedy, I followed all of the instructions as stated. The "tool" was not required and I was able to enter the registry editor. BUT, there was no "MS32DLL" = "%Windir%\MS32DLL.dll.vbs" OR "Window Title" = "Hacked by[REMOVED]" to remove.
    Why do I feel panicky??????
    Any further ideas PLEASE. Cheers

  6. #6
    Member
    Join Date
    Dec 2004
    Location
    NZ
    Posts
    44,851

    Default Re: HELP - the VBS/Butsur virus

    Can't be in the system then.

    Try trojan remover

    From here

    Did u go into the registry and look for those entries?

    Click on scan first then go to the utils menu and select the 3rd to 7th option here as well.
    Last edited by Speedy Gonzales; 17-01-2007 at 04:23 PM.

  7. #7
    Junior Member
    Join Date
    Feb 2005
    Posts
    245

    Default Re: HELP - the VBS/Butsur virus

    Speedy,
    Thanks for your help, I really appreciate it.
    I'm currently downloading the trojan remover (on my budget dial-up).

    Re question "Did u go into the registry and look for those entries?"

    I followed these steps
    1. Click Start > Run.
    2. Type regedit
    3. Click OK. and then navigated the subkeys. I even went back and double checked to make sure I had got it right, but they were not there???

    Unless you have any other ideas, I will get back to you once I have run the trojan remover. Cheers, A

  8. #8
    Member
    Join Date
    Dec 2004
    Location
    NZ
    Posts
    44,851

    Default Re: HELP - the VBS/Butsur virus

    No prob.

    No other ideas yet. Does AVG still pick it up??

    Do a search for the files relating to it. If they appear delete them.

    You may have to show all files.

  9. #9
    Junior Member
    Join Date
    Feb 2005
    Posts
    245

    Exclamation Re: HELP - the VBS/Butsur virus

    Hi Speedy AND ANYONE ELSE WITH AN IDEA,

    As suggested, I ran the Trojan Remover and it located two files in the HKEY_LOCAL directory, but it was not "MS32DLL" = "%Windir%\MS32DLL.dll.vbs" or "Window Title" = "Hacked by[REMOVED]". I used the Trojan Remover to fix those suspect files. Also, as suggested, I ran “options 3 and 7” (resetting Internet Explorer etc).

    I then rebooted and tried again to access my ext HDD, but still no luck, and only got the window (again) saying "Can not find script file F:\MS32DLL.dll.vbs".

    I have just run AVG again, checking both the Ext HDD and my laptop HDD, but no viruses were found. The interesting thing is, AVG is able to scan all the files on the ext HDD (and you can see the files running on the bottom bar of the AVG scanner), so why can AVG get into the ext HDD, but I cannot access it through My Computer?

    Also, I searched for those files "MS32DLL" = "%Windir%\MS32DLL.dll.vbs" and "Window Title" = "Hacked by[REMOVED]" using the search system, and did it AFTER I changed the “Folder Options” to “show all hidden files”. Those files are not on my system.

    So, that brings us full circle back to the window saying, "Can not find script file F:\MS32DLL.dll.vbs". Can I simply replace this script?? or whatever it is, and fix the problem?

    Man, I’m 4 days away from finishing my Masters thesis, and this has seriously stuffed things up. Again, your assistance would be grateful.

    Cheers

  10. #10
    Member
    Join Date
    Dec 2004
    Location
    NZ
    Posts
    44,851

    Default Re: HELP - the VBS/Butsur virus

    You don't WANT MS32DLL.dll.vbs since it's part of a worm.

    It must be in startup somewhere, which is why it's trying to look for this file.

    Run msconfig and look in the startup tab, see if there's an entry for it here.

    Or use ccleaner and look under tools/startup tab. If that entry is there highlight it and delete it. Then reboot.
