Monday, May 26, 2008

Removing "Hacked by Moozilla" from Internet Explorer

Details on how to remove it manually, without relying on an antivirus product.

1. Boot to safe mode (Press F8 when computer restarts)

2. Take out the USB storage devices if any plugged in. Any flash or thumb drives.

3. Go to Control Panel, Folder Options, and under the View tab tick the box "Show hidden files and folders."
Uncheck the box "Hide extensions for known file types."

Uncheck the box "Hide protected operating system files (Recommended)."

4. Click Start, click Run, type C:\ and hit Enter.

5. Look for the files named autorun.inf and ISSDLL.dll.vbs. Select them one by one and press the Shift+Delete keys together.

Navigate to the Windows folder on the C:\ drive, look for the same files and Shift+Delete them as well.


6. In the same way, repeat these steps for every drive listed under My Computer.

7. Click Start and click Run. Type regedit and click OK. This will open the registry editor.

8. Back up the registry before making any changes to it, as a mistake here can leave the machine unable to boot or run properly.

9. Navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ and delete Start Page on the right-hand side.

Navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ and delete Window Title on the right-hand side.

Navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete MS32DLL on the right-hand side.

10. Restart computer, and open IE again, to see if the "hacked by moozilla" is still there. Done!

Removing VBS/Butsur Worm

If you encounter problems like these, you might be infected with this worm: double-clicking on a drive does not open it; instead, you have to right-click the drive and select Open, and you see an Autoplay option in the drive's right-click menu.

To remove this worm, first try a virus scan with your resident antivirus, or do an online scan with ESET here and remove it, or download a free trial from them and scan, OR follow the steps below to remove it manually.

1. Boot to safe mode (press F8 when computer restarts)

2. Go to the task manager by pressing Ctrl+Alt+Delete or Ctrl+Shift+Esc

3. Go to the processes tab and stop all wscript.exe processes.

4. Open Windows Explorer and go to Tools > Folder Options.

5. In Folder Options, uncheck the following options:

1. Hide extensions for known file types
2. Hide protected operating system files

Also ensure that the "Show hidden files and folders" option is selected and press Apply.

6. Go to the registry editor by typing regedit in the Run window.

7. Go to the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

8. There should be a key called MS32DLL or something to that effect. The value for that should be C:\Windows\MS32DLL.dll.vbs. This file name can change depending on what your Windows path is and what variant of the worm you have. However, the different versions of the worm that I have seen all install themselves in the registry and this will help you in removing the worm. Anyway, note the name and check that there is a file with the same name in the root of C:.

9. Delete this file as well as autorun.inf from your C: drive and from all other drives. Be careful not to double-click on any drive to go to it: that runs the autorun.inf and reinstalls the worm, so you'll have to start deleting the files from the beginning.

10. Delete the file from your Windows folder.

11. Delete the offending key from the registry.

12. Some variants, maybe even all, modify the title bar of Internet Explorer to show the title of the web page, followed by the text “Hacked by Godzilla” or “Hacked by Moozilla” or something else, again depending on the variant. This isn’t really a problem, but if you want the original text back, go to the registry entry at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. The key to be modified here is WindowTitle (I think). IE7 doesn’t seem to have an entry here, so I’m not too sure about the actual key text. Anyway, just change it to whatever you want; the default is “Microsoft Internet Explorer”.

13. Restart the computer and check all drives to make sure that the Autoplay entry is no longer there on the right-click menu.

14. Done.
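As an added example, not part of the original post, the following PowerShell script audits a machine for the indicators that both removal procedures above describe: autorun.inf and the .dll.vbs dropper in each drive root and in the Windows folder, the MS32DLL value under the Run key, and the altered Internet Explorer Window Title. It only reports and deletes nothing; the file names it searches for (ISSDLL.dll.vbs, MS32DLL.dll.vbs) are the ones the post names, and other variants may use different names.

```powershell
# Added example (not from the original post): report-only audit for the
# indicators described in the two removal procedures above. Nothing is deleted.
# Assumption: the dropper names below are the ones the post mentions; variants differ.

$VbsDroppers = @('ISSDLL.dll.vbs', 'MS32DLL.dll.vbs')
$Findings    = New-Object System.Collections.Generic.List[string]

# 1. Drive roots: autorun.inf and the .vbs dropper it launches
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $root    = $_.Root
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        # Show the launcher lines so the file autorun.inf points at can be located
        $launch = Select-String -LiteralPath $autorun -ErrorAction SilentlyContinue `
                    -Pattern '^(open|shellexecute|shell\\.*\\command)\s*='
        $lines  = ($launch | ForEach-Object { $_.Line.Trim() }) -join '; '
        $Findings.Add("autorun.inf present in $root : $lines")
    }
    # Any *.dll.vbs in a drive root is suspicious even if the name is not a known one
    Get-ChildItem -LiteralPath $root -Filter '*.dll.vbs' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("VBS dropper in drive root: $($_.FullName)") }
}

# 2. Copy of the dropper in the Windows folder
foreach ($name in $VbsDroppers) {
    $p = Join-Path $env:SystemRoot $name
    if (Test-Path -LiteralPath $p) { $Findings.Add("VBS dropper in Windows folder: $p") }
}

# 3. Run key: the MS32DLL value, plus any Run value that launches a .vbs file
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        if ($_.Name -eq 'MS32DLL' -or "$($_.Value)" -match '\.vbs') {
            $Findings.Add("Run value '$($_.Name)' = $($_.Value)")
        }
    }
}

# 4. IE title bar tampering ("Hacked by ..." appended to every window title)
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Window Title') { $Findings.Add("IE Window Title set to: $($ie.'Window Title')") }

if ($Findings.Count) { $Findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from the post were found.' }
```

Run it from an elevated PowerShell prompt before and after the manual cleanup; an empty report after the reboot in the last step confirms the files and registry values are gone.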

Friday, May 23, 2008

Combofix

Details on how to use combofix (advanced virus removal tool)

Note: Only use ComboFix under the supervision of a properly trained malware removal specialist. Use at your own risk.

You may download the tool from here

1. Close all other applications, and do not touch the computer at all while ComboFix is running; it may appear to stall the computer.

2. Double click on the icon of Combofix.

3. You will see a security warning; just ignore it and click Run.

4. You will then see a disclaimer, press 1 and enter to continue.

5. Soon, your registry will be backed up. Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet, as your connection will be completely restored at a later stage in the program.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

6. While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

7. When ComboFix has finished running, you will see a screen stating that it is preparing the log report.

8. This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.

9. When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.

10. You are done. You can attach the log to a post on one of the well-known forums that analyze these logs. Examples include Bleeping Computer, Castle Cops and Safer Networking.


Copyright goes to Bleeping Computer