Sunday, November 9, 2008

Virus Alert: MS32DLL and resycled\boot.com

I got this latest virus infiltration on my PC at the office. It was actually the result of a very dumb mistake: running a suspected .exe file. I was looking for a warez version of a membership software package needed for a client's website. I actually found one, but because it wasn't the latest version I continued looking for it on the net, and ended up downloading an .exe file named after the software I was looking for.

The AV detected that it was a Trojan but didn't take any action (wtf???), so I immediately ran a full system scan, but it was too late. You won't actually see the effect at first, but when I copied several files to my flash drive, it showed that copying would take 46 minutes. (another wtf???)

Using Filezilla, I was able to detect that the virus had affected my drives C and D. It copied a folder named "resycled" with a file named boot.com in it. It also placed autorun.inf on all of the drives. So I searched for a solution and found out its name, "MS32DLL", with the files ms32dll.dll.vbs or ms32dll.dll. Here's what I used:

Deleting the value using regedit:
a. Click Start > Run.
b. Type regedit
c. Click OK.
d. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

e. In the right pane, delete the value:

"MS32DLL" = "%Windir%\MS32DLL.dll.vbs"

f. Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

g. In the right pane, delete the value:

"Window Title" = "Hacked by[REMOVED]"

h. Exit the Registry Editor.

To make sure the entry is removed from the registry, run regedit in Safe Mode. I also used the same procedure above to remove resycled\boot.com and autorun.inf. After deleting the entries in the registry, go to your local drives and delete the resycled folder and autorun.inf. I used Filezilla or WinRAR to be able to see these hidden files. If you don't have either of these programs, use the procedure below:

- Go to My Computer
- Click Tools at the top menu and then Folder Options.
- In the Folder Options window, click on the View tab.
- Look for Hidden files and folders
- Click on Show hidden files and folders and press OK.

After deleting those files, make sure you have emptied your Recycle Bin. Restart your computer and you'll see that the virus is gone from your local hard drives.
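The registry and file cleanup above, gathered into one script as an added example (this is not the post's own procedure, just the same indicators it names, handled from a PowerShell prompt). It reports by default and only deletes when run with `-Remove`; the `-Remove` switch and the report layout are this example's own, while every key, value name and path comes from the post. Run it from an elevated prompt, since the HKLM value and the system-attribute files need it, and `-Remove -WhatIf` shows what would be deleted without touching anything.

```powershell
# Added example, not from the original post: audit the persistence points and
# dropped files the post lists, and remove them only when -Remove is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # default is report-only
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry values the post says the infection writes.
$registryTargets = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'MS32DLL' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';     Name = 'Window Title' }
)
foreach ($t in $registryTargets) {
    $prop = Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }
    $findings.Add("registry  $($t.Key)\$($t.Name) = $($prop.($t.Name))")
    if ($Remove -and $PSCmdlet.ShouldProcess("$($t.Key)\$($t.Name)", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $t.Key -Name $t.Name
    }
}

# 2. Dropped files: the .vbs under %Windir% plus autorun.inf and resycled\boot.com
#    on the root of every ready fixed or removable drive (CD/DVD and network
#    drives are skipped; a CD may carry a legitimate autorun.inf).
$paths = New-Object System.Collections.Generic.List[string]
$paths.Add((Join-Path $env:WINDIR 'MS32DLL.dll.vbs'))
foreach ($d in [System.IO.DriveInfo]::GetDrives()) {
    if (-not $d.IsReady) { continue }
    $type = $d.DriveType.ToString()
    if ($type -ne 'Fixed' -and $type -ne 'Removable') { continue }
    $root = $d.RootDirectory.FullName
    $paths.Add((Join-Path $root 'autorun.inf'))
    $paths.Add((Join-Path $root 'resycled\boot.com'))
    $paths.Add((Join-Path $root 'resycled'))      # folder last, after its file
}

# Hidden/System/ReadOnly must be cleared before Remove-Item will accept the file.
$protectBits = [System.IO.FileAttributes]::Hidden -bor `
               [System.IO.FileAttributes]::System -bor `
               [System.IO.FileAttributes]::ReadOnly

foreach ($path in $paths) {
    # -Force makes Get-Item return hidden and system files too.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $note = "file      $path [$($item.Attributes)]"
    if ($item.Name -ieq 'autorun.inf') {
        # Show what the autorun.inf would launch, so the finding is self-explanatory.
        $launch = Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
                  Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        if ($launch) { $note += ' launches: ' + (($launch | ForEach-Object { $_.Trim() }) -join '; ') }
    }
    $findings.Add($note)
    if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Remove-Item')) {
        $item.Attributes = $item.Attributes -band (-bnot $protectBits)
        Remove-Item -LiteralPath $path -Force -Recurse
    }
}

if ($findings.Count -eq 0) {
    'No MS32DLL / resycled\boot.com indicators found.'
} else {
    $findings
    if (-not $Remove) { 'Report only. Re-run with -Remove (add -WhatIf to preview) to delete.' }
}
```

Two points the post's manual steps rely on are made explicit here: `Get-Item -Force` is what lets the script see the hidden/system files that Explorer hides by default (the post's "show hidden files" step), and the attributes are cleared before deletion because the dropped files carry Hidden and System bits. The script does not empty the Recycle Bin; `Remove-Item` deletes directly, so that step from the post is not needed after running it.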

I'm also planning to do the same repair procedure on my flash drive, but I'm still looking for other options. They say this can be done using Flash Disinfector, but I haven't tried it yet. I suggest you install anti-malware software on your PC so that infections are easier to detect.

Another safety measure is turning off AutoRun. Here's how it is done:

- Click on Start --> Run
- Type gpedit.msc and press ENTER
- You will come to the Group Policy window
- Go to User Configuration --> Administrative Templates --> System
- Look for Turn off Autoplay and double click it. You will come to Turn Off Autoplay Properties window.
- Click Enabled, select All drives from the drop-down box, and click OK. (Turning it off for all drives is recommended to avoid further infections in the future.)
- You can now close the Group Policy window
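The same "Turn off Autoplay, all drives" setting applied from PowerShell instead of the Group Policy editor, as an added example (not from the original post). It writes the registry value that gpedit writes for this policy, `NoDriveTypeAutoRun` under `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`, with `0xFF` meaning every drive type; the `-Scope` parameter and the before/after output are this example's own. `User` mirrors the post's User Configuration path; `Machine` writes the HKLM equivalent and needs an elevated prompt.

```powershell
# Added example, not from the original post: set NoDriveTypeAutoRun = 0xFF
# (AutoRun off for all drive types) and read it back for confirmation.
param(
    [ValidateSet('User', 'Machine')]
    [string]$Scope = 'User'   # 'User' = HKCU (User Configuration), 'Machine' = HKLM
)

$hive      = if ($Scope -eq 'User') { 'HKCU:' } else { 'HKLM:' }
$policyKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$valueName = 'NoDriveTypeAutoRun'
$allDrives = 0xFF   # bit mask of drive types to disable; 0xFF covers all of them

# The Policies\Explorer key does not exist until a policy has been set.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

$before = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
Set-ItemProperty -Path $policyKey -Name $valueName -Value $allDrives -Type DWord
$after  = (Get-ItemProperty -Path $policyKey -Name $valueName).$valueName

[PSCustomObject]@{
    Scope        = $Scope
    Key          = $policyKey
    Before       = if ($null -eq $before) { '(not set)' } else { '0x{0:X2}' -f $before }
    After        = '0x{0:X2}' -f $after
    AllDrivesOff = (($after -band 0xFF) -eq 0xFF)
}
```

Explorer reads this value at logon, so sign out or restart before checking that a plugged-in drive no longer runs its autorun.inf. On Windows XP and Server 2003 of the post's era the policy only fully covered autorun.inf on non-optical drives after Microsoft's later AutoRun update (KB967715), which is a reason to keep the machine patched rather than relying on the policy alone.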

I hope these methods helped you remove resycled\boot.com and MS32DLL from your PC. As of this writing, I think I got another pop-up malware in my Firefox browser named mtn5.goole.ws. Waaahhh… I'll be writing a solution search report on this later.


3 comments:

cvh said...

I too have got infected the same way.
I was searching for the cracked version of the software. When I installed the crack this problem started.

Now on all my hard drives autostart.inf and recycled/boot.com is present.

It is coming back even after removing.
What to do?

Monalisa said...
This comment has been removed by the author.
Monalisa said...

How to remove resycled/boot.com

http://www.tips29.com/2009/01/how-to-remove-resycledbootcom.html