Hacked By Godzilla – MS32DLL.dll.vbs – wscript.exe

Recently my IE title showed “Hacked by Godzilla” after I transferred some files to a handy drive (USB flash drive). “Hacked by Godzilla – MS32DLL.dll.vbs”, also known as the VBS.Zodgila worm, was discovered on Nov 23, 2006. It is rated a very low threat (according to the Symantec report). The worm spreads through handy drives and floppy disks.

This is basically what Hacked by Godzilla – MS32DLL.dll.vbs (VBS.Zodgila) does when it executes:

  • Creates the following files:
    %Windir%\MS32DLL.dll.vbs
    [DRIVE LETTER]:\MS32DLL.dll.vbs
    [DRIVE LETTER]:\autorun.inf
    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
  • Adds the value:
    “MS32DLL” = “%Windir%\MS32DLL.dll.vbs” to the registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that it runs every time Windows starts.
  • Adds the value:
    “Window Title” = “Hacked by[REMOVED]” to the registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    to modify the title in Internet Explorer.
  • Attempts to copy itself to removable drives and create the registry entries every 200 seconds.

The information above was taken from the Symantec website.

If your computer is affected by the “Hacked by Godzilla – MS32DLL.dll.vbs” worm:

  • Your Internet Explorer title will end with “Hacked by Godzilla”
  • You might not be able to open any of your drives by double-clicking (you can still open/explore them using right click -> Explore)

How to remove “Hacked by Godzilla – MS32DLL.dll.vbs” (VBS.Zodgila) worm?

  • Open Task Manager ( Right click on your taskbar and click “Task Manager” )
  • Click on the Processes tab, select “wscript.exe” and click the “End Process” button. (Remember to end all wscript.exe processes)
  • Go to My Computer, Click on Tools -> Folder Options, click on View tab
  • Under Advanced settings,
    check “Show hidden files and folders”,
    uncheck “Hide extensions for known file types”,
    uncheck “Hide protected operating system files (Recommended)”
    and click the “OK” button
  • Go to C:\WINDOWS or C:\WINNT and delete the file MS32DLL.dll.vbs
  • Now go to every drive in your computer, including your USB drive and floppy disk, and delete autorun.inf and MS32DLL.dll.vbs. The autorun.inf and MS32DLL.dll.vbs files are located in the root directory of each drive, e.g. c:\MS32DLL.dll.vbs, d:\MS32DLL.dll.vbs …

    To access your drive, Go to My Computer, right click on the drive and select “Explore”

  • Next we are going to clean your registry record. Click Start -> Run, type regedit
  • Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete MS32DLL (right click on it and select Delete)
  • Now we are going to disable CD Autorun. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom, look for Autorun, double click on it and enter 0 as its DWORD value

    You can skip this step if you do not wish to disable the CD Autorun feature, but the Hacked By Godzilla worm spreads when CD Autorun is ON.

  • Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and delete “Window Title”, which has the value “Hacked by Godzilla”
  • Now go back to My Computer, Click on Tools -> Folder Options, click on View tab
  • Under Advanced settings,
    uncheck “Show hidden files and folders”,
    check “Hide extensions for known file types”,
    check “Hide protected operating system files (Recommended)”
    and click the “OK” button
  • Empty your Recycle Bin.
  • Restart your PC; it should now be clean of Hacked by Godzilla.
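
The per-drive check in the steps above (autorun.inf and MS32DLL.dll.vbs in the root of every drive) can be scripted. The following is an added example, not part of the original post or of Symantec's write-up; the function names are hypothetical and the autorun.inf content in `demo()` is constructed. It goes slightly beyond the one file name in the text by flagging any root-level script with a double extension, so renamed copies are reported too.

```python
import re
import tempfile
from pathlib import Path

# Extensions handled by Windows Script Host (wscript.exe / cscript.exe).
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# autorun.inf keys whose value is a command line.
COMMAND_KEY = re.compile(r"(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section."""
    section, found = "", []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if COMMAND_KEY.match(key):
                found.append((key, value))
    return found

def scan_drive_root(root):
    """Findings for one drive root: autorun entries that launch a script, and
    root-level script files hiding behind a double extension."""
    findings = []
    for entry in Path(root).iterdir():
        if not entry.is_file():
            continue
        suffixes = [s.lower() for s in entry.suffixes]
        if entry.name.lower() == "autorun.inf":
            for key, cmd in autorun_commands(entry.read_text(encoding="latin-1")):
                tokens = re.split(r'[\s"]+', cmd.lower())
                if any(tok.endswith(SCRIPT_EXT) for tok in tokens):
                    findings.append(f"autorun.inf: {key} launches {cmd}")
        elif len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXT:
            findings.append(f"double-extension script: {entry.name}")
    return sorted(findings)

def demo():
    """Scan a constructed drive root (sample content, not taken from the worm)."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "autorun.inf").write_text(
            "[autorun]\nshellexecute=wscript.exe MS32DLL.dll.vbs\n")
        Path(root, "MS32DLL.dll.vbs").write_text("' constructed placeholder\n")
        Path(root, "report.txt").write_text("ordinary file\n")
        return scan_drive_root(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Call `scan_drive_root()` once per drive root (for example `D:\`); findings are candidates for review, since a legitimate script can also carry two extensions.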

Happy surfing!

126 Responses to “Hacked By Godzilla – MS32DLL.dll.vbs – wscript.exe”

  1. Raghu says:

    Thanks for that.. It worked fine for me..

  2. Magi says:

    Lord that was a pain to kill.
    I had to use the CMD to kill the process because Task Manager was blocked. But it’s all good now, just got to clear my other machines.
    Thanks a billion!

  3. Debbie wyh says:

    Hi, friend, can you teach me how to kill the Godzilla, because my Internet is Hacked By Godzilla

  4. Joseph says:

    Hey thanks for the help! I was really annoyed when this worm popped up last night.

  5. Dan says:

    Hey thanks champ for the walkthru. Took a few tries cuz I have like 6 HDDs but I got there, great work!

  6. Phil says:

    Used this walk-through to successfully remove an extremely stubborn variant that was using TTMS313.dll.vbs. Thanks!
