Tuesday, May 6, 2008

IE Hacked by Pokemon

Does your Internet Explorer title bar show "Hacked by Pokemon"? Don't worry, this is not a high-risk virus. It is just a Visual Basic Script (VBS) worm: the script is stored in a file named BHA.VBS.DLL and is run by the Windows Script Host, wscript.exe. We at Zooltechnology.com will show you how to remove this bug manually.

Description

-This threat infects every one of your partitions, including removable drives, because the script was written to write a copy of itself (bha.vbs.dll) plus an autorun.inf into the root of each drive.

-It spreads via removable drives such as pen drives and other storage devices: the .vbs script copies itself, under the .dll-looking name, onto every drive it finds, and the autorun.inf beside it starts the script on the next PC the drive is plugged into.

-The threat also creates new values in the Windows registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL = winpath & "\Bha.dll.vbs" (that is, a copy of the script in the Windows directory, started at every logon)

HKCR\vbsfile\DefaultIcon = shell32.dll

And it modifies this registry value:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title = "Hacked by pokemon"

-Once infected, none of your partitions open normally: the autorun.inf makes 'AutoPlay' the default action for the drive instead of 'Open', so double-clicking a drive runs the script. To check this, right-click one of your drives and look at the first (bold) entry in the menu: is it Open or AutoPlay?

Is your PC infected by this threat?

-Right-click any hard disk partition or removable disk. If AutoPlay is the bold default entry in the popup menu, your PC might be infected, but this alone does not confirm it: any autorun.inf on the drive causes the same symptom.


In normal Windows operation, the 'Open' option is always on top, not 'AutoPlay'.

-To confirm that your PC is infected by this threat, look for these words at the top of your Internet Explorer window (the title bar):


This threat consists of two files, autorun.inf and bha.vbs.dll, as seen in the figure below.
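The checks above can be done without clicking through drives at all. The following script is an added example and is not part of the original post: it is a read-only check, written for an elevated PowerShell prompt on the suspect machine, that looks for every indicator the post lists (the two files in each drive root, the running wscript.exe, the MS32DLL Run value and the changed IE title). The indicator names are taken from the post; the script deletes nothing.

```powershell
# Added example, not from the original Zooltechnology post. Read-only triage for the
# "Hacked by Pokemon" VBS worm; run in an elevated PowerShell. Nothing here deletes anything.
$findings = @()

# 1. Is the Windows Script Host still running the script?
$ws = Get-Process -Name wscript -ErrorAction SilentlyContinue
if ($ws) {
    $pids = ($ws | ForEach-Object { $_.Id }) -join ', '
    $findings += "wscript.exe is running (PID $pids)"
}

# 2. The two dropped files in the root of every drive, removable ones included.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'autorun.inf', 'bha.vbs.dll') {
        $path = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
            $attr = (Get-Item -LiteralPath $path -Force).Attributes
            $findings += "$path present (attributes: $attr)"
            # autorun.inf is plain text; its [autorun] section shows what AutoPlay would launch
            if ($name -eq 'autorun.inf') {
                $findings += (Get-Content -LiteralPath $path -Force | ForEach-Object { "    $_" })
            }
        }
    }
}

# 3. Persistence (the Run value) and the Internet Explorer title change.
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['MS32DLL']) {
    $findings += "Run value MS32DLL = " + $run.MS32DLL
}
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Window Title') {
    $findings += "IE Window Title = " + $ie.'Window Title'
}

if ($findings.Count -eq 0) { Write-Host 'No indicators found.' }
else { $findings | ForEach-Object { Write-Host "[!] $_" } }
```

Because the script reads the files by path, it never triggers AutoPlay, so it is safe to run even while the drives are still infected. The printed autorun.inf contents also tell you what the double-click would have executed.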


-Both files carry the hidden and system attributes, so you cannot see them until you make Explorer show them. So, how do you unhide them?


Steps to unhide

First, open My Computer, click Tools and choose Folder Options...

-This window will pop up:


-Uncheck Hide protected operating system files (Recommended) and Use simple file sharing (Recommended). If the files still do not show afterwards, also select Show hidden files and folders.

-Click Apply and close the window.

-Then open any of your drives and you will see the files. Don't delete them yet: you will get an error that the file is in use, because the script host is still running the script. To stop it, open Windows Task Manager by pressing CTRL+ALT+DELETE.


-Select wscript.exe (the Windows Script Host that runs .vbs files) and click End Process. Confirm when Task Manager asks.

-After that you can delete both files from every partition of your drives, including removable drives.


WARNING: when you open a drive partition, MAKE SURE you open it by right-clicking it and choosing Open (or by typing the drive letter into the address bar). IF NOT, AutoPlay reads the autorun.inf and the threat will RUN AGAIN.

Is your PC free of this threat after you delete all those files?

Not yet. Why? Because copies of the script still sit in the System Volume Information folder, which is where Windows keeps its System Restore files. Every partition has its own System Volume Information folder. You cannot open it, because Windows denies access to it by default; to get in you must first grant yourself permission. How?

Enable the access

Right-click System Volume Information and choose Sharing and Security...


-The System Volume Information Properties window pops up. Click the Security* tab and choose Add...

*-Make sure you are logged in as Administrator, and that Use simple file sharing was unchecked in the earlier step; with simple file sharing on, the Security tab is not shown at all.


-Then enter your Administrator account name (if you don't know it, just type Administrator) and click OK.


After this step you can access the System Volume Information folder.



Clearing the .vbs files in System Volume Information

How do you clear the .vbs files in System Volume Information when it contains many folders? In this case we just use the Windows file search:

START-->Search


-Choose the option to search for Files and Folders.

-Follow the steps in the figure above.

-Choose Browse...* and point the search at the System Volume Information folder of each drive partition.

*- Windows will not look inside System Volume Information if you simply search the local disk. You must point the search at the System Volume Information folder of each drive, including removable drives.


-When the search finishes, the copies show up as A00XXXXX.vbs, 4 KB each. Delete all of them and repeat these steps for every partition. Make sure no files are left! Note that these copies live inside restore points, so if you later roll the PC back to one of those restore points the script comes back with it.


Cleaning the registry

-After deleting the files you must also clean the Windows registry, because the threat created new registry values when it was activated.

-Run Registry Editor: START--->Run, then type regedit.

-Open this location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Before deleting anything, note the path stored in the MS32DLL value: it names the copy of the script in your Windows folder, and that file must be deleted as well (unhide it the same way as the others). Then delete the value named MS32DLL.

-And open this location:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

-Select Window Title and edit the string.

-You may put any name there, or delete the string value (Window Title) entirely so Internet Explorer shows its default title again.

-Then reboot your PC.

-Check the result: the Internet Explorer title bar should no longer say "Hacked by Pokemon".
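For a PC with many partitions and pen drives, the manual steps above are tedious and easy to get wrong (one double-click on a drive restarts the script). The following script is an added example and is not part of the original post: it performs the same steps in the same order, from an elevated PowerShell prompt, after the infection has been confirmed. It assumes the file and registry names given in the post, and that icacls.exe is available to grant access to System Volume Information (Vista and later; on Windows XP use the Security tab as described above, or cacls). Because it works on paths directly, no Explorer "show hidden files" setting is needed.

```powershell
# Added example, not from the original post: automates the manual removal steps above.
# Run in an elevated PowerShell once the infection is confirmed. Assumes the names from the
# post (autorun.inf, bha.vbs.dll, MS32DLL, Window Title) and that icacls.exe is available.
$ErrorActionPreference = 'SilentlyContinue'

# Step 1: stop the Windows Script Host so the files are no longer "in use".
Stop-Process -Name wscript -Force

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root

    # Step 2: the script and its autorun.inf in the drive root. Clear the hidden, system and
    # read-only attributes first, otherwise the delete is refused.
    foreach ($name in 'autorun.inf', 'bha.vbs.dll') {
        $path = Join-Path $root $name
        if (Test-Path -LiteralPath $path) {
            attrib -h -s -r $path
            Remove-Item -LiteralPath $path -Force
            Write-Host "removed $path"
        }
    }

    # Step 3: the copies System Restore kept. Grant Administrators access (what the post does
    # through the Security tab), then delete every .vbs under System Volume Information.
    $svi = Join-Path $root 'System Volume Information'
    if (Test-Path -LiteralPath $svi) {
        icacls $svi /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
        Get-ChildItem -LiteralPath $svi -Recurse -Force -Filter *.vbs |
            ForEach-Object {
                Write-Host ("removed {0} ({1} bytes)" -f $_.FullName, $_.Length)
                Remove-Item -LiteralPath $_.FullName -Force
            }
    }
}

# Step 4: persistence. The MS32DLL value names the copy in the Windows directory, so delete
# that file before removing the value that points at it.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$target = (Get-ItemProperty -Path $runKey).MS32DLL
if ($target) {
    $target = $target.Trim('"')
    if (Test-Path -LiteralPath $target) {
        attrib -h -s -r $target
        Remove-Item -LiteralPath $target -Force
        Write-Host "removed $target"
    }
}
Remove-ItemProperty -Path $runKey -Name 'MS32DLL'

# Step 5: the title-bar change. Deleting the value restores IE's default title.
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Window Title'

Write-Host 'Done. Reboot, then confirm the Internet Explorer title bar is back to normal.'
```

Plug in every pen drive that has touched the PC before running it, since each one carries its own autorun.inf and bha.vbs.dll, and run it on every machine those drives were used on; otherwise the next insertion reinfects the cleaned PC. The copies under System Volume Information are deleted here, but old restore points may still reference them, so after a clean reboot it is sensible to turn System Restore off and back on to discard those points.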