
Hacked By Godzilla


jbowman1993


I got this message on the top of my Internet Explorer window this morning (It actually says Internet Explorer - Hacked by Godzilla)

What does this mean? Is it a virus? I have AVAST running and up to date, as well as AdAware SE, and use Windows firewall.

Only thing I can think of is that my wife brings her thumb drive home from work.

Can I get rid of it?

Thanks

Link to comment
Share on other sites

I found this on the net. Hope it helps

December 08

Hacked by Godzilla... Let's kill it!

Beware of your Handy drive!

This is an English translation of the fix for "Hacked by Godzilla" virus to hopefully help non-Thai readers get rid of it. It follows the fix in Thai above, but adds a couple of points like backing up the registry and handling System Restore so the virus cannot restart that if you have to use System Restore. This fix applies to Windows XP (but might also work in Windows 2000) :

1. Symptoms: You can't double click to open a drive, but you can right click and select Open or Explore. Internet Explorer shows 'Hacked by Godzilla' in the title bar.

EXTREMELY IMPORTANT

Before you do anything else, make a backup of the windows registry!! To do this, go to Start | Run. Type in regedit. Click OK. This will open the registry editor. With the Registry Editor open, click once on "My Computer" to highlight it.

Then click File, then select Export. Save the export as Registry Backup. If you do not make a backup and make a mistake in changing the registry which must be done to get rid of the virus, you may have to reformat and reinstall Windows to get back to normal operation. Since you cannot create a system restore point, making this backup of the registry is critical.

The Fix

1. Double click the My Computer icon on the desktop. Then select Tools | Folder Options

2. Click the View Tab and in the list of options:

1) Click the radio button for Show Hidden files and folders

2) Uncheck the boxes for

"Hide Extensions for known file types" and

"Hide Protected Operating System Files (Recommended)"

(After removing the virus, you should reverse these actions - instructions for doing this are at the end of the Fix)

3) Click OK at the bottom of the Folder Options Window. Do not close Windows Explorer yet!

3. Press Control-Alt-Del to bring up the Task Manager

4. Click the "Processes" Tab

1) - 3) Under the column "Image Name" locate the item "wscript.exe". Click on it to highlight it, then right click and select "End Process"

5. Go back to Windows Explorer - do not double click anything. Locate the files autorun.inf and MS32DLL.dll.vbs (although the instructions do not specify a location, they should be located at c:\autorun.inf and c:\MS32DLL.dll.vbs (or on the drive that contains the operating system, if not C drive)). Left click ONCE on each to highlight it. Then press Shift+Del. Do this for the root of each drive, e.g., (c:\ is the root...folders appearing after the root are not!)

d:\autorun.inf and d:\MS32DLL.dll.vbs

e:\autorun.inf and e:\MS32DLL.dll.vbs

f:\autorun.inf and f:\MS32DLL.dll.vbs, etc.

(but note that if you have a CD/DVD burner program, like Roxio and possibly Nero, autoruns.inf is a legitimate file.)

Delete those files from any USB drive, floppy disk, DVD drive and/or Writeable CDs (CD-RW) that you have.

6. Open the folder c:\Windows and delete the file MS32DLL.dll.vbs by using Shift+Del

IF YOU DIDN'T BACK UP THE REGISTRY YET, DO IT NOW!!

7. Go to Start | Run. Type in regedit. Click OK. This will open the registry editor

8. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Current Version\Run. In the right frame, locate MS32DLL. Click it once to highlight it and right click and delete it. If you do not find it, proceed to the next step

9. While still in the Registry Editor, navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. In the right frame locate the name Windows Title "Hacked by Godzilla" Right click the item Windows Title and delete it.

10 - 11. Click Start | Run. Type in gpedit.msc then click OK

In the left frame double left click User Configuration, then Administrative Templates then System. In the right frame locate Turn off Autoplay. Double left click it and

Click the radio button for Enabled and select "All drives" . Then click OK. By disabling autoruns, you will be able to run virus and spyware scans on a CD/DVD Floppy or USB BEFORE a virus or spyware can execute. Now you can close the Group Policy Editor.

12. Click Start | Run. Type in msconfig, then click OK. When the Configuration editor opens click the Startup tab.

Locate the item ms32dll (it should be in the startup item column) and uncheck the box.

Click OK at the bottom to close the Configuration Editor, and, when asked (and you will be), select "Exit Without Restart"

13-14. Double click the My Computer icon on the desktop. Then select Tools | Folder Options

1) Click the View Tab and in the list of options:

2) Click the radio button for "Do Not Show Hidden files and folders"

3) Check the boxes for

"Hide Extensions for known file types" and

"Hide Protected Operating System Files (Recommended)"

4) Click OK at the bottom of the Folder Options Window.

15. Locate the Recycle bin in Windows Explorer and right click on it and select Empty Recycle bin

16. Reboot your computer. The virus should be gone.

17. Right click the My Computer icon on your desktop and select properties. Then click the System Restore tab

Select "Turn off System Restore on all drives". Then click "Apply" and OK

18. Reboot your computer.

19. Right click the My Computer icon on your desktop and select properties. Then click the System Restore tab.

Uncheck the box for "Turn off System Restore on all drives". Then click "Apply" and OK

When you are sure that you no longer have the virus, create a system restore point and call it something like "After Godzilla virus removal".

From: http://www.pantip.com/tech/software/topic/SV2216063/SV2216063.html

Link to comment
Share on other sites

I cleaned this from a friend's PC recently, and those instructions will work fine. Once you have removed the registry entry and stopped the process running, be sure to search for MS32DLL.dll.vbs on all your hard drives, any USB memory sticks, USB hard drives and any other writable media where it may be hiding. As of two weeks ago, most AVs don't detect this so don't rely on them for protection or cleaning.

Link to comment
Share on other sites

Seems almost all the documentation on this is in Thai. Funny how it's so localised. Thanks for the translation Farma :o

Sorry I can't take credit for the translation as I took it off the net. Thanks anyway. It does look like a localised Thai virus.

There's more information on ThaiCERT: Thai Computer Emergency Response Team site but in Thai with screen shots that may help. It's located at the top of the Alerts list and a PDF file. http://thaicert.nectec.or.th/index.php

almog thai I found this link on another forum. Hopefully it will work. It claims to be an auto remove tool.

http://www.softbkk.com/software/antispywar...move_tools.html

Edited by Farma
Link to comment
Share on other sites

Indeed it's interesting that it's so local to Thailand. Google it and almost only Thai pages come up.

I think it's because in a sense this is a 'good old' virus that still requires manual transmission through USB memory sticks, rather than the currently most common (and MUCH faster) internet/email way of transmitting viruses where the whole world can get infected in hours.

Still, I think it's disgraceful. The following:

1. No anti virus software seems to pick it up. What's keeping them so long?

2. What a silly idea in Windows to AUTO-RUN stuff off drives!? Even good old floppy disks that had viruses required you actually boot from one. But now in this day and age of security threats, MS Windows (latest version) thinks it's a good idea to run just anything specified in an autorun file!! Ridiculous!

(Yes I know it can be turned off, but it's inexcusable that the default is to run anything automatically that gets inserted in your computer)

Cheers,

Chanchao

Link to comment
Share on other sites

There seems to be a couple of things like this on the loose at the moment - I caught something that sounds very similar a couple of weeks ago (it was called RavMon and AdobeR on my machine), which did the same trick with jumping onto flash cards and creating autorun.inf files to ensure that it got installed on the next insertion.

The references to this were also mostly in Thai and Chinese, and it was not listed by Avast or Symantec. Maybe a 'home grown' nasty?

Anyway, I have come to appreciate the 'write protect' switch on my SD cards.

Link to comment
Share on other sites

I got this message on the top of my Internet Explorer window this morning (It actually says Internet Explorer - Hacked by Godzilla)

What does this mean? Is it a virus? I have AVAST running and up to date, as well as AdAware SE, and use Windows firewall.

Only thing I can think of is that my wife brings her thumb drive home from work.

Can I get rid of it?

Thanks

Returned from Thailand last night. I used my flash drive a lot when I was there. The flash drive was bug free when I left home. Ran my flash drive through Norton and a virus came up. Norton Anti Virus, on my Mac, couldn't repair it so it put the virus in quarantine (whatever that means). Thought the name was UBS Bodgila on the read out. Could be Godzila or Dogzila.

I have a lot of stuff with a Firefox home page, almost like having regular computer with me when I am in internet shops.

Ran the flash drive through Norton on my laptop PC and again on the Mac and nothing shows up anymore.

Link to comment
Share on other sites

Another virus that spreads through flash drives is “clipvideo.com”. There seems to be a series of them and net searches refer to Thai web sites for the fixes. Anti virus programs don’t appear to have updates on these viruses.

Link to comment
Share on other sites

Thaivisa forum comes up trumps again! Recently I downloaded Mozilla as it was highly recommended, but I didn't like it for various reasons so I reverted to IE& only to find all my pages had "hacked by godzilla" on them. I thought it was because I had exported my favs to bookmarks in Mozilla but found out I was wrong. I spent two long nights trying to clean up my laptop, found other viruses that Avast had missed after downloading a separate anti virus programme (Frisk) but could not clear Godzilla. I tried Microsoft, Google, Live Search, Computeractive readers forum, all to no avail. Then today during my usual hour in the forum I thought I would look here on the off chance and bingo! Got a download, ran it and it's clear! I will now do all my USB pens and SD cards! Thanks folks, it was really beginning to pxxx me off! I have saved the programme in case some other unfortunate has this problem. Thanks again guys.

Link to comment
Share on other sites

  • 1 month later...

I tried the method suggested on the site but I still can't remove MS32DLL from my computer. I cannot find "Window Title" = "Hacked by [Remove]" in the registry editor, and I found MS32DLL, but the MS32DLL in the registry is "MS32DLL" = "C:\windows\MS32DLL.dll.vbs" rather than "%window%\MS32DLL.dll.vbs". Can anyone help me?

Edited by LWT
Link to comment
Share on other sites

I tried the method suggested on the site but I still can't remove MS32DLL from my computer. I cannot find "Window Title" = "Hacked by [Remove]" in the registry editor, and I found MS32DLL, but the MS32DLL in the registry is "MS32DLL" = "C:\windows\MS32DLL.dll.vbs" rather than "%window%\MS32DLL.dll.vbs". Can anyone help me?

The "C:\windows\MS32DLL.dll.vbs" rather than "%window%\MS32DLL.dll.vbs" is the same. Just delete any file that has MS32DLL.dll.vbs in it; you would generally be safe, but lose some functionality (better for security).

Again, open hidden files, search for autorun.inf and open (double-click the autorun.inf file in Explorer) each file and delete any that have the words MS32DLL.dll.vbs.

I just popped in a Compact Flash memory card from my camera into my computer, and Nod32, an antivirus program caught MS32DLL.dll.vbs before it even came on board the computer. I had to then (as per the instructions from the Thai site), open hidden files on the Compact Flash and sure enough there was MS32DLL.dll.vbs lurking in the autorun.inf file... If you have MS32DLL.dll.vbs on your camera's Compact Flash, you would endlessly reload it to your computer each time you popped in the CF to download some pictures.

Oh, the virus came from my photo-processing store, and when I dropped in to "suggest" that they check their AV programs, they hadn't a clue. So, from now on, I'll burn my photos onto a CD (readable-only) and then head out to the store to get the photos printed.

Link to comment
Share on other sites
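The check from step 5 of the fix and from the reply above (remove only an autorun.inf that mentions MS32DLL.dll.vbs, since CD software ships legitimate ones), as an added example that is not part of any post in this thread: it reads each drive root's autorun.inf as text and classifies the root without launching anything. The function names, the sample files and the exact `shellexecute` line are constructed for illustration.

```python
import tempfile
from pathlib import Path

MARKER = "ms32dll.dll.vbs"  # script name given in the thread, lower-cased
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")

def launch_commands(text):
    """Return the commands that the [autorun] section of an autorun.inf launches."""
    commands, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # open=, shellexecute= and shell\<verb>\command= each start a program
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                commands.append(value)
    return commands

def triage_root(root):
    """Classify a drive root as 'infected', 'review' or 'clean' without running anything."""
    names = {p.name.lower(): p for p in Path(root).iterdir()}
    commands = []
    if "autorun.inf" in names:
        text = names["autorun.inf"].read_text(encoding="latin-1")
        commands = [c.lower() for c in launch_commands(text)]
    if MARKER in names or any(MARKER in c for c in commands):
        return "infected"  # the script itself, or an autorun.inf that starts it
    tokens = [t.strip('"') for c in commands for t in c.split()]
    if any(t.endswith(SCRIPT_EXTS) for t in tokens):
        return "review"    # starts some other script: inspect by hand
    return "clean"         # no autorun.inf, or one that starts an ordinary program

def demo():
    """Triage two constructed drive roots: an infected stick and an installer CD."""
    samples = {"stick": "[AutoRun]\nshellexecute=wscript.exe MS32DLL.dll.vbs\n",
               "cd": "[autorun]\nopen=setup.exe\nicon=setup.ico\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for label, content in samples.items():
            Path(tmp, label).mkdir()
            Path(tmp, label, "AUTORUN.INF").write_text(content, encoding="latin-1")
        return {label: triage_root(Path(tmp, label)) for label in samples}

if __name__ == "__main__":
    print(demo())
```

Point `triage_root` at the root of each mounted drive or card; a "review" verdict means the autorun.inf starts a script other than the one named in this thread and should be read by hand before deleting.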

As usual, TV is very informative. Thanks to all of you guys (and gals)

And especially cdnvic, who always posts useful info

I just ran AVAST. It doesn't detect the hacked by godzilla yet

The virus came by compact flash from GF (I don't have any compact flash... that's how I am sure) and infected 2 of our computers

I don't know how to test which of these devices is infected

Link to comment
Share on other sites

Go to windows explorer with the flash drive plugged in and right click on the drive and there should be an option to scan it with Avast.

Make sure your standard scanner is enabled before doing this.

Thanks, but Avast didn't detect it on the PC before I removed it, so little problem I fear

Link to comment
Share on other sites

  • 1 month later...

Hi All,

My name is Gihan and I'm glad I could help. Mail me at [email protected]

How to get rid of the Hacked by Godzilla, John Sena and ms32dll.dll.vbs virus.

I was one of the few who got this virus and thought I'd never be able to get rid of it unless I formatted the whole computer, but after many trials I figured out a way to beat the virus. I asked everyone I knew and searched on the web for a favourable solution, and many said I'd have to format it, and the web solution was OK partly but it didn't take off the whole virus, and this method will make sure you're virus free. If it doesn't work, write to me and I will see to it that you get it sorted.

The forums already posted on this virus are quite helpful, but what they don't do is kill it completely.

To get rid of it completely once and for all, this is all you need to do.

1. Install the latest AVG on your C drive.

2. Run a scan and try to get it detected. It might fail; in this case, go to Folder Options and select show all files. Note there shouldn't be any autorun.inf files on your C drive; if any show up you have to delete them.

3. Go to the Windows directory and look for this file: ms32dll.dll.vbs. If it's there, delete it.

4. Open Task Manager and look for the same file, and if it's there, end task it.

5. Then type regedit in the "Run" box.

6. Please make sure it's related to the virus, and if it is, just go ahead and delete it. To do this, run a search in the Windows registry for ms32dll.dll.vbs and delete anything which comes up in the search results, but please double check.

7. OK, almost there. Now scan the computer again with the latest AVG.

8. Important note: when you have this virus you cannot open the D drive with a double click; an error then pops up saying ms32dll.dll.vbs is missing, and this is the virus, and every time you say OK when the error message pops up the virus spreads, and you don't want to do this. To avoid this, right click on the D drive and select Explore or Open; then it won't spread.

11. If by chance you do forget and double click it to open, you have to follow all the steps to see whether it spread anywhere.

12. OK, after running the scan, open the D drive by right clicking and copy all the stuff you need on to the C drive.

13. Format the D drive.

14. Run the antivirus again.

15. And then put all the stuff you need on the D drive and format the C drive.

16. And now you're good to go; your machine will be free of the virus.

17. It's that simple. If by chance you still have a problem, please e-mail me and I'd be glad to help, because I myself found it so hard to get rid of it, because I didn't want to format the whole computer, because I had a whole lot of data which needed to be backed up if I was going to format the whole computer, so this solution is for those who are faced with the same problem.

My e-mail address is [email protected]. ITS TIME TO BE VIRUS FREE AGAIN!! Cheers mate. Hope this helps.

Link to comment
Share on other sites
