Monday, May 26, 2008

Removing VBS/Butsur Worm

If you encounter the following symptom, you may be infected with this worm: double-clicking a drive in My Computer no longer opens it, and you have to right-click the drive and choose Open instead. The right-click menu on the drive also shows an extra Autoplay entry.

To remove this worm, first try a virus scan with your resident antivirus, or run an online scan with ESET (or download a free trial from them and scan), OR follow the steps below to remove it manually.

1. Boot to safe mode (press F8 when computer restarts)

2. Go to the task manager by pressing Ctrl+Alt+Delete or Ctrl+Shift+Esc

3. Go to the processes tab and stop all wscript.exe processes.

4. Open Windows Explorer and go to Tools > Folder Options.

5. In Folder Options (View tab), uncheck the following options:

   - Hide extensions for known file types
   - Hide protected operating system files

   Also make sure that the "Show hidden files and folders" option is selected, then press Apply.

6. Go to the registry editor by typing regedit in the Run window.

7. Go to the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

8. There should be a value called MS32DLL or something to that effect. Its data should be C:\Windows\MS32DLL.dll.vbs. The file name can change depending on what your Windows path is and which variant of the worm you have. However, every variant of the worm that I have seen installs itself in this registry key, so this is where to look. Note the name and check that there is a file with the same name in the root of C:.

9. Delete this file as well as autorun.inf from the root of your C: drive and of every other drive. Be careful not to double-click any drive to open it: double-clicking runs the autorun.inf, which reinfects the machine, and you will have to start deleting the files from the beginning. Use right-click > Open, or type the drive path into the Explorer address bar instead.

10. Delete the file from your Windows folder.

11. Delete the offending key from the registry.

12. Some variants, maybe even all, modify the title bar of Internet Explorer to show the title of the web page followed by the text "Hacked by Godzilla" or "Hacked by Moozilla" or something else, again depending on the variant. This isn't really a problem, but if you want the original text back, go to the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. The value to be modified here is WindowTitle (I think). IE7 doesn't seem to have an entry here, so I'm not too sure about the exact value name. Anyway, just change it to whatever you want; the default is "Microsoft Internet Explorer".

13. Restart the computer and check all drives to make sure that the Autoplay entry is no longer there on the right-click menu.

14. Done.
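The steps above are all manual. As an added example (not part of the original post, and not a tool from the worm's own analysis), the PowerShell script below audits a machine for the same indicators the steps describe: Run-key entries that launch a .vbs or Windows Script Host, an autorun.inf in the root of each drive and the launch directives inside it, running wscript/cscript processes, and the Explorer view settings from step 5. It is read-only and deletes nothing; it only reports what it finds so you can follow the removal steps with the real file and value names in front of you. The registry value names Hidden, HideFileExt and ShowSuperHidden are the ones behind the Folder Options checkboxes in step 5; the pattern matching on ".vbs"/"wscript.exe" is an assumption based on the variants the post describes, since the exact file name changes per variant. Run it from an elevated PowerShell prompt.

```powershell
# Added audit script, not from the original post. Read-only: it reports the
# indicators described in the removal steps and changes nothing.
# Assumptions: the worm registers a .vbs payload under a Run key and drops
# autorun.inf in every drive root; names vary by variant, so we match on
# patterns instead of the fixed names quoted in the post.

$findings = @()

# 1. Run-key entries (step 7/8) whose command references VBScript or WSH.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PS* metadata properties
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)\.vbs|wscript\.exe|cscript\.exe') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$key\$($p.Name)"; Detail = $cmd }
        }
    }
}

# 2. autorun.inf in each drive root (step 9), parsed for its launch directives.
#    -Force is needed because the worm sets the hidden/system attributes.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $item = Get-Item -LiteralPath $inf -Force
    $directives = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '(?i)^\s*(open|shellexecute|shell\\[^=]*\\command|shell)\s*=' }
    $findings += [pscustomobject]@{
        Type   = 'AutorunInf'
        Where  = $inf
        Detail = "attributes=$($item.Attributes); " + ($directives -join ' | ')
    }
}

# 3. Windows Script Host processes still running (step 3).
Get-Process -Name wscript, cscript -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Where = "PID $($_.Id)"; Detail = $_.Path }
}

# 4. Explorer view settings that keep the dropped files out of sight (step 5).
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$view = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
if ($view) {
    if ($view.Hidden -ne 1) {
        $findings += [pscustomobject]@{ Type = 'ViewSetting'; Where = "$adv\Hidden"; Detail = 'hidden files are not shown' }
    }
    if ($view.HideFileExt -ne 0) {
        $findings += [pscustomobject]@{ Type = 'ViewSetting'; Where = "$adv\HideFileExt"; Detail = 'extensions hidden; MS32DLL.dll.vbs would display as MS32DLL.dll' }
    }
    if ($view.ShowSuperHidden -ne 1) {
        $findings += [pscustomobject]@{ Type = 'ViewSetting'; Where = "$adv\ShowSuperHidden"; Detail = 'protected operating system files are hidden' }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A RunKey finding gives you the exact value name and file path to use in steps 8, 10 and 11, and an AutorunInf finding shows which drives still carry the dropper and what it launches; the script reads the file without executing anything, so running it from a drive root is safe even before the cleanup is finished. Because it only reports, rerun it after step 13 to confirm that every drive and both Run keys come back clean.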