Ever try to open a drive with double click and this error message pop up?

WINDOWS SCRIPT HOST, CANNOT FIND SCRIPT FILE “C:/Bha.dll.vbs

This “WINDOWS SCRIPT HOST, CANNOT FIND SCRIPT FILE “C:/Bha.dll.vbs” occur due to a worm infection known as VBS/ButSur-A . VBS/ButSur-A is a Visual Basic script worm for Microsoft Windows platform, and also known as

• VBS_BUTSUR.B
• VBS/Butsur.B

When active, VBS/ButSur-A:

1. Copies itself to C:\Windows\Bha.dll.vbs
2. Create the following registry entry:
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   MS32DLL
   C:\Windows\Bha.dll.vbs
3. Add the following registry entry:
   HKCU\Software\Microsoft\Internet Explorer\Main\Window Title\
4. Copies itself to all removeable and shared drives as Bha.dll.vbs and creates the file autorun.inf.

This autorun.inf files will run the script Bha.dll.vbs everytime the removeable drive are open with double click. This VBS/ButSur-A, VBS_BUTSUR.B, VBS/Butsur.B can be easily remove by deleting the files and the registry entries that this VBS/ButSur-A, VBS_BUTSUR.B, VBS/Butsur.B worms created.

Alternatively you can download this nifty utility called the Flash Disinfector to enable you to disinfect and open your removable drive with double click.

Download Flash Disinfector

A popup message will appear, click “OK” to start the disinfection process. That’s all to it.

See also:

• RoMeO A.K.A ILLS [CIXENT] (4)
• Trixcu.A worm (1)
• The Genealogy of Virus (8)
• The best antivirus program (2)
• RoMeO A.K.A ILLS [CIXENT] cleaner and remover (2)

This is virus is known as CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb] . This RoMeO A.K.A ILLS [CIXENT] copied these files to C:\WINDOWS\system32 folder:

C:\WINDOWS\system32\V3-Force.exe
C:\WINDOWS\system32\cipaplu.exe
C:\WINDOWS\system32\mycaption.reg
C:\WINDOWS\system32\butuhlu.bat
C:\WINDOWS\system32\forattrib.bat
C:\WINDOWS\system32\makedir.bat

and will change your C drive name to:

(C:) jadi RoMeO A.K.A ILLS [CIXENT]

RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb] will display a popup title:

Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!! x100 words

And will display a “51″ icon on the system tray.

The solutions to RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus is to delete all the files that it have copied, and delete all the registry entries containing the name of those files. To delete those registry entries:

1. Run regedit.
2. Click on the menu "Edit".
3. Choose "Find".
4. Type in the name of the files that the RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus have copied, and delete them.

Make sure to update your Antivirus or any other Malicious scanner program such as adware scanner or spyware scanner, and run a full scan using these Software after cleaning and removing this RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus manually.

virus cleaner and remover here.

See also:

• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)
• Trixcu.A worm (1)
• The Genealogy of Virus (8)
• The best antivirus program (2)
• RoMeO A.K.A ILLS [CIXENT] cleaner and remover (2)

What is the best antivirus software in the market nowadays? That is one of the most often ask question by my clients after their system have undergo an attack by malware, viruses, spyware, adware and trojans. Which so much antivirus programs to choose, which are the best for giving the most comprehensive virus protection?

Most IT Professional will recommend some Commercial Antivirus program from established companies, while others will recommend the free alternative for Antivirus program. For me, my answer will be fairly simple and straightforward, the best antivirus program is the one that is regularly updated and upgraded. It is true, whether you are using the commercial antivirus program, or the free antivirus programs out there, those antivirus programs will be useless if those antivirus programs are not regularly updated and upgraded.

So make sure you update your Antivirus programs regularly, if not daily, and don’t forget to install any upgrades available from the Antivirus manufacturer as soon as they are stable in their releases, for you to have the best Antivirus program protection.

Tags:

See also:

• Trixcu.A worm (1)
• The Genealogy of Virus (8)
• Descriptions of Malicious Programs (1)
• RoMeO A.K.A ILLS [CIXENT] (4)
• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)

Trixcu.A worm have been spreading through removable drives and I have been receiving a lot of queries regarding this worms.

Trixcu.A creates the following files, which copies itself when it’s run by opening the removable drives infected with the worm.

1. Trixcu.A creates the following files in the Windows system directory (C:\Windows\System32),:
   - Cmd.com
   - Dxdiag.com
   - Flash.10.exe
   - JambanMu.com
   - Msconfig.com
   - Ping.com
   - Regedit.com
2. Trixcu.A create the following file in C:\Program Files\Common Files\Microsoft Shared
   - Macromedia.10.exe
3. Trixcu.A create the following file in C:\Program Files\Common Files\Microsoft Shared\DAO
   - Msn.msn
4. Trixcu.A create the following file in C:\Documents and Settings\(User)\Start Menu\Programs\Startup
   - (Empty).empty
5. Trixcu.A will delete all the programs in the Startup directory to disable those programs to run whenever Windows is started.
6. Trixcu.A create the following Folder:
   - MY.SECRET.FOLD in My Documents
   - NEW SONG.LAGU and NEW VIDEO.VIDZ in My Document\My Music
   - AWEKS.PIKZ and SERAM.PIKZ in My Documents\My Pictures

Trixcu.A create the following entries in the Windows Registry:

1. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
   Windows MSN = C:\Program Files\Common Files\Microsoft Shared\DAO\MSN.msn
   By creating this entry, Trixcu.A ensures that it is run whenever Windows is started.
2. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer
   NoFind = 01, 00, 00, 00
   It disables the option Find of the Start menu.
3. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer
   NoFolderOptions = 01, 00, 00, 00
   It disables the option Folder Options of the Start menu.
4. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System\ DisableRegistryTools = 01, 00, 00, 00
   It doesn’t allow the Windows Registry Editor to be run.
5. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System DisableCMD = 01, 00, 00, 00
   It doesn’t allow the CMD shell to be run.
6. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System
   DisableTaskMgr = 01, 00, 00, 00
   It prevents the Task Manager from being run.
7. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ Date
   (Default) = 070617
8. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ MsgDate
   (Default) = 070701
9. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ MsgMkr
   (Default) = 0
10. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ FUCK AZAM
    (Default) = THIS GUY SHIT HEAD!!BIG LIER!!FUCKING GAY!!
11. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ FUCK DZULKIFLI
    (Default) = THIS GUY PIG HEAD!!!!U FUCKED EVERYBODY!!
12. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ FUCK ZAWAWI
    (Default) = THIS GUY DICK HEAD!!!NOBODY LIKES U!!!

Trixcu.A modifies the following registry entries

1. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon
   Shell = Explorer.exe
   It changes this entry to:
   HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon
   Shell = Explorer.exe %sysdir%\JambanMu.com
   where %sysdir% is the Windows system directory.
2. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows NT\ CurrentVersion\ Windows
   load
   It changes this entry to:
   HKEY_CURRENT_USER\ Software\ Microsoft\ Windows NT\ CurrentVersion\ Windows
   load = Flash.10.exe
   By modifying these entries, Trixcu.A ensures that it is run whenever Windows is started.
3. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   Hidden = 01, 00, 00, 00
   It changes this entry to:
   HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   Hidden = 00, 00, 00, 00
   By modifying this entry, Trixcu.A hides the files and subfolders that have the attribute hidden.
4. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   HideFileExt = 00, 00, 00, 00
   It changes this entry to:
   HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   HideFileExt = 01, 00, 00, 00
   By modifying this entry, Trixcu.A hides the extensions of the files.
5. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   ShowSuperHidden = 01, 00, 00, 00
   It changes this entry to:
   HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   ShowSuperHidden = 00, 00, 00, 00
6. HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows NT\ CurrentVersion
   RegisteredOwner = %name with which the system is registered%
   It changes this entry to:
   HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows NT\ CurrentVersion
   RegisteredOwner = JambanMuV2
7. HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows NT\ CurrentVersion
   RegisteredOrganization = %name of the organization with which the system is registered%
   It changes this entry to:
   HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows NT\ CurrentVersion
   RegisteredOrganization = HELP ME!!.html
   By modifying these entries, Trixcu.A changes the names with which the operating system and the organization are registered.

Trixcu.A created files can be remove manually or automatically by most of Antivirus, just make sure you update your virus definition files. The registry entry have to be remove manually though.

See also:

• The Genealogy of Virus (8)
• The best antivirus program (2)
• RoMeO A.K.A ILLS [CIXENT] (4)
• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)
• Descriptions of Malicious Programs (1)

Nowadays, there are many definitions for viruses, and a virus can’t be called a virus anymore. Ever heard of worms? Trojans? Adware? Spyware? Malware? What are those things? Are they viruses Read on to find the answer.

Worms
Worms are set of programs that are created, as I’ve explained earlier, to infect any system that is connected on a network. Some said ‘worms’ originated from email attachments circulated on the internet. Whenever the email attachment is run, the worm will infect the windows, and will slowly crawl itself into the network that the system is connected.

Some of worms are known as the Mass-mailing worms. This mass mailing worms, once it has infected the windows, will integrate itself into the windows email client, i.e Microsoft Outlook, and will mail itself in the form of an attachment to all the contacts in the user address book

These worms are the most deadly threats in ICT (Information Communication Technology) during these days. This is because these worms know no boundary, and can infect millions of systems in a split second. Be afraid, be very afraid.

Trojans
The ‘Trojan’ terms derived from the Greeks mythology, the war between the Greeks and the Trojans. Have you ever watch the movie “Troy”? The one with Brad Pitt as the main actor. In the movie, or in the mythology, the Greeks were losing the war, so they devised a plan to trick the Trojans into their doom. The Greeks build a huge wooden horse as a gift for the Trojan as a token from their defeat. Hidden in the wooden horses, is a platoon of Greeks soldier waiting to attack troy when they bring the horses inside their fortified fortress. And the plan succeeded, the Greeks defeated Troy.

The same concept is applied for ‘Trojan’ in ICT lingua. Trojan is a malicious program written with malicious intent, and disguise as a valid program to run on your windows. For example, you download a fun game from the internet, or a friend gave it to you. You run the game, and so far everything seems to be okay. But what you didn’t know is, that when the game run, a malicious program that come with the game, run silently in the background.

And, if your pc is connected to the internet, the malicious program, which is the trojans, will connect to its creator, and will open a port which will enable the creator of the trojan to hack into your pc, and that is bad. The hacker will have a full control of your pc once he is connected through the trojan on your pc. He can do anything he want with your pc, and, that is very bad.

Spyware/Adware
Spyware and Adware can’t be categorized in the same category as a virus. These programs are used for spying and displaying ads on your pc, as the name implies by corporations or companies involving in internet businesses. What are they spying? Well, mostly your data and habit on the internet. Why is it matter to them? It matter to them for their future marketing campaigns, that will bring them big money and profits.

Most of these spyware and adware won’t do any damage to your pc, but some of them will hog your pc resources and some of these malware can bring down your pc to a crawl, rendering it useless due to resource hogging.

By now you’ve know a little bit about all these Viruses and Malicious software (Malware), now I’m going to tell you how to protect your pc from these ‘no good for nothing’ software.

ANTIVIRUS

Antivirus software is a must on any pc running Microsoft Windows as an Operating System. Some of the common names in the Antivirus Industry are Norton Antivirus, Mcafee Viruscan, PC Cilin, AVG and the list goes on. Some are a freeware, but most are commercial software, meaning you have to pay for their license.

So there are a lot of antivirus software, but which one is the best? The one you want to use to protect your PC. This debate has been going on and on, and in the end, there is no answer. For us at Edubase, the answer is fairly simple; the best antivirus software is the one that is regularly updated.

It really doesn’t matter which Antivirus you use, as long as you keep their virus definition updated regularly, your pc will be safe from viruses.

FIREWALL

Firewall, simply speaking is software that monitors traffics between your pc and the internet, or network. The internet is a big network anyway. Nowadays, firewall software is a must, and not an option anymore.

Most of the soft firewall (firewall software) have the tendency to block or disallow any traffic or activity that is condemn to be malicious, for example a hack attempt by some digruntle hackers living thousand of miles away. Firewall can also hide your pc from any scan made by hackers; it will put all your port into ‘stealth’ mode thus making your pc appear to be offline, or invisible to the outside world.

Some of the soft firewall also come with what is call a ‘application policy’ , that is it can monitor programs and processes that is running on your pc, and give you the privileges either to allow or disallow the programs and processes, so unnecessary programs and processes can be block from running.

If your pc is connected to the Internet or Local Network most of the time, a software firewall is compulsory.

Preventative Measure

Below are some of the preventive measure you should take to protect your pc from viruses and other malicious software.

Do not open any email attachment from unknown, suspicious or untrustworthy source, even if it is a picture of the sexiest lady available today, hell even if it’s from your best friend. Better to confirm that they really sent the email, as if better to be safe than sorry.
Be very, very careful of file(s) you downloaded from the internet. Some of the website can run malicious code that can do harm to your pc even before you downloaded the files. Make sure to scan for viruses immediately after you save the file(s) to your pc.
Beware of file(s) from stranger. So you meet a new friend on IRC/Yahoo Messenger/MSN. He/She seems quite nice, you chat a while, and he/she make you laugh. And now he wants to send a picture of him/her to you. You accept the file, you run the file, and he/she is quite good looking. What you didn’t know is, hidden in the file, is a trojans that is lurking in your background process just after you view the picture. So be very careful to accept files from stranger.
Scan for viruses every removable media that is plug in into your pc, i.e, a floppy disk, thumb drive, flash card/memory etc. Most of this removable media is writable, meaning that a virus or malicious software can write themselves on the removable media, and easily infected any system when they’re plugged in.

These are some of the info that can make you become more aware of what is happening in the virtual world, with the Internet connecting millions of pc every second, and most of them running product from Microsoft, which is well known for its security issue, precautions and prevention is necessary.

See also:

• Trixcu.A worm (1)
• The best antivirus program (2)
• RoMeO A.K.A ILLS [CIXENT] (4)
• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)
• Descriptions of Malicious Programs (1)