Sunday, November 4, 2007

How to remove Imgkulot and How to Avoid infecting your Harddrive and Other Storage Devices

Disclaimer: The following article is based on my personal experience and on what I've read on the net. Links are made to the source of files and/or information, to give credit to them. The procedure given below worked for me and on other computers and storage devices that had been infected by imgkulot alone. I cannot give a 100% guarantee that the process below will work for you, especially if you have other viruses on your PC. However, you can contact me anytime if you encounter problems in following the procedures below. PAY ATTENTION to the WARNING!

Some of you have probably already encountered this annoying virus named imgkulot, which prevents you from opening your hard drives and/or other storage devices (this includes flash drives and the memory cards of cell phones, digital cameras and MP3/MP4 players). When you right-click one of your drives you'll get something like this (see image).

Now, before you call your computer technician to deal with this problem, read on and you will be able to solve it yourself. And even if you do call a technician, if he/she says you need to reformat your drive, throw them out of your door as soon as they say the word reformat! (Believe me, I have encountered some technicians who would readily reformat a hard drive or a flash disk for a simple problem like this. I'll post another entry about these kinds of "technicians".) You DON'T NEED TO REFORMAT ANYTHING!

Understanding What imgkulot does.

ImgKulot is simply an annoying virus which copies itself to any storage device available, including your hard drives, flash drives, and even the memory cards of your cell phones, digital cameras and MP3/MP4 players.

Specifically, imgkulot copies and hides the following files:

  • Autorun.inf - this is not a virus in itself. Generally it's an instruction file which, as its name implies, runs automatically when a drive is opened. However, this is the part that launches the actual virus.
  • imgkulot.vbs - a VB (Visual Basic) Script which is the actual malware (malicious software)/virus.
  • imgkulot.reg - a part of the malware which is saved in the Windows registry.

Double clicking on the infected drive(s), like we usually do, would launch the virus and when you insert another removable drive (flash disk or even the memory card(s) of your cellphones and digital cameras), the virus would copy the files listed above to the uninfected drive. Right Clicking the drive and clicking Open would do the same (see image above).

Anti-Virus Programs.

As for anti-virus programs, I'm using AVG, which removes the files from memory and from the storage devices, but not all of them, sad to say. AVG leaves the imgkulot.reg and the Autorun.inf on the drives. As a result, when you double-click the infected drive you'll get an error message that says "imgkulot.vbs not found" (or something similar), and your drive is still inaccessible. I'm not sure how other commercial anti-virus programs deal with imgkulot.

Removing imgkulot

So far, downloading and running this imgkulot remover is the easiest and safest way. I found this file on Titu's Site when I was looking for such a remover. It is a simple batch file which removes the virus from memory and from the infected drives, and it's very easy to use:

  • Unzip the file to your hard drive
  • Double click the file.
    - It will first attempt to kill the wscript.exe process.
    - Then it will ask for the letter of the drive to be cleaned, e.g. D:
  • Repeat the process until all drives are clean.

However, I don't see a line in it that cleans the registry, although it is good enough to clean the infected storage. This remover together with an anti-virus program like AVG can completely remove the imgkulot virus from your system.

Before I found this, I made a batch file which I copied onto each infected drive and ran. I then manually removed the imgkulot.reg entries from the registry and killed the wscript.exe process by hand. Here's what I did.

  • First of all, kill the process in memory.
    1. Bring up the Task Manager by pressing Ctrl-Alt-Del (Control-Alt-Delete).
    2. Click on the Processes tab.
    3. Look for Wscript.exe in the list and select it.
    4. Press End Process.
    This will prevent the virus from writing itself to the drive again after you delete it (next steps).
  • Open the infected drive
    - If you right-click your drive and see something like the figure above,
    the best and safest way to access it is: from the Start menu click Run…
    In the text box type the infected drive letter, e.g. C:, and press the Enter key.

    If you cannot bring up the Task Manager and you get a 'Task Manager has been disabled by your Administrator' message, you probably have another virus in your system that prevents this. Email me or post a message here if you have this problem.

  • View the hidden files
    From the main menu select Folder Options

    - Then click the View tab.
    - Then select Show hidden files and folders.
    - Then uncheck Hide protected operating system files.
    - This should show you the hidden and system files.

  • WARNING! Unless you know what you are doing, DO NOT DELETE OTHER FILES aside from the ones listed here.
  • Delete the Autorun.inf and the three files with imgkulot names.
    - imgkulot.vbs
    - imgkulot.bat
    - imgkulot.reg
    (Other known variants: bungoton.vbs, bunguton.bat, bunguton.reg and kulitot.vbs, kulitot.bat, kulitot.reg)
  • For safety reasons, go to Folder Options and the View tab again, select Do not show hidden files and folders,
    and check Hide protected operating system files.
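
The file-deletion step above can be scripted. The following is an added example, not the remover from Titu's site and not my own batch file; it only covers deleting the listed files from a drive root and does not kill wscript.exe or touch the registry. It assumes an Autorun.inf should be removed only when it mentions one of the names listed above, so that a legitimate Autorun.inf is left alone, and the sample files in `demo()` are constructed placeholders.

```python
import os
import stat
import tempfile

# Names from the article; both spellings of the second family are covered.
FAMILIES = ("imgkulot", "bungoton", "bunguton", "kulitot")
KNOWN = {f + ext for f in FAMILIES for ext in (".vbs", ".bat", ".reg")}


def autorun_is_malicious(path):
    """True only if Autorun.inf mentions one of the listed family names."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read().lower()
    return any(fam in text for fam in FAMILIES)


def clean_drive_root(root, dry_run=True):
    """List matching files in the drive root; delete them unless dry_run."""
    targets = []
    for entry in os.listdir(root):
        full = os.path.join(root, entry)
        if not os.path.isfile(full):
            continue
        name = entry.lower()
        if name in KNOWN or (name == "autorun.inf" and autorun_is_malicious(full)):
            targets.append(full)
    if not dry_run:
        for full in targets:
            os.chmod(full, stat.S_IWRITE)  # clear read-only so remove() works
            os.remove(full)
    return sorted(targets)


def demo():
    """Clean a constructed 'drive' (temp dir with placeholder files)."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample content, not the real malware files
        "Autorun.inf": "[autorun]\nopen=wscript.exe imgkulot.vbs\n",
        "imgkulot.vbs": "' placeholder\n",
        "kulitot.reg": "placeholder\n",
        "notes.txt": "user data, must survive\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    removed = clean_drive_root(root, dry_run=False)
    return [os.path.basename(p) for p in removed], sorted(os.listdir(root))

if __name__ == "__main__":
    print(demo())
```

Call `clean_drive_root("E:\\")` first with the default `dry_run=True` to see what would be deleted, and end the wscript.exe process beforehand as described in the first step.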

Next: How to Prevent Imgkulot from Spreading.

2 comments:

Anonymous said...

Hmmm, I already followed your procedures, but when I'm trying to delete it, how can you remove the open(imkulot), explore(imkulot) when you're trying to browse your explorer? Pls email me @ jholganza@yahoo.com for your answer.

Thanks, by the way, for your post; this is a really good help.

More power to you.

Anonymous said...

Could you also please enlighten me on how you remove the virus from the open and explore, I'm having the same problem as anonymous. Email: laszloszaraz@hotmail.com

About TekBytes

First of all, I'm not a computer/IT guru. I just wanted to share the little things I know about current technologies and to bridge the gap between the real techies and the non-techies. This blog is mainly for those who want to make the best use of the hi-tech gadgets in their hands but are not technically inclined. You may send questions about IT too, and I'll try to answer them as best I can; if I can't, and if it's worth it, I'll post your queries here in the hope that we can find someone who can answer. No spamming, please.