Wednesday, December 12, 2007
New Folder.exe Remover
I found this New Folder remover somewhere on the net, from http://technodigits.wordpress.com. This one can also restore your Task Manager, Folder Options, Registry Editor, and Run command, which are disabled by some worms. It can also disable Autoplay on all drives. The Autoplay feature of Windows has been exploited by many of the worms that came out lately, e.g. Imgkulot and its variants (bungoton, peanuts, and kulitot), pooh.vbs and other VBS worms.
Here's the download link:
newfolder-removal.zip
Posted by TekBytes at 11:48 AM | 1 comments | Labels: utilities, virus removal
Wednesday, December 5, 2007
Removing Pooh.vbs (update)
If you have downloaded the vbswormremover that I posted here before, I mentioned in the header and in my post that I had edited it to include pooh.vbs. True enough, it can remove the file pooh.vbs. However, I encountered the fully working worm only today, so I have just found out how this worm really works.
One visual symptom of this worm is that it loads Internet Explorer during Windows startup with a web page with a black background and the word "aikelyu". (Sorry, no screenshot: it wasn't my PC, I lost my flash drive recently, and I fixed the PC in a rush.)
This worm is almost similar to the imgkulot worm, except for the web page. It is loaded via an autorun.inf that runs pooh.vbs using wscript.exe, and it puts the following files in the windows/system32 folder:
- kernell.dll.vbs
- aikelyu.html
To remove it:
- Download the vbswormremover.
- Restart in Safe Mode.
- Run the vbswormremover. This will kill wscript.exe from the task list and delete the autorun.inf and pooh.vbs from the root directories of all available drives. I also added the lines that delete the kernell.dll.vbs and aikelyu.html from the windows/system32 folder.
- Next is cleaning the registry manually.
Caution: Follow this instruction very carefully!
- Run hijackthis.
- Click Scan.
- Check all entries with 'kernel.dll.vbs' and 'aikelyu.html'.
- Click Fix selected entries.
Caution: Follow this instruction very carefully!
- Run regedit (Program->Run->regedit).
- Select the path: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
- Find Shell (String Value) and modify its value to "Explorer.exe" (do not delete it).
- Remove this -> "C:\WINDOWS\system32\kernel.dll.vbs"; you can see it has been added to the Shell (String Value).
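One way to check the Shell value from the steps above without opening regedit is to export the Winlogon key to a .reg file and inspect it offline. This is an added example, not part of the original post or of vbswormremover; the export text is constructed and the function names are assumptions.

```python
import re

# Key named in the steps above, lower-cased for comparison.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# A string value line in a .reg export: "Name"="Data"
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def winlogon_shell(reg_text):
    """Return the Winlogon Shell string from exported .reg text, or None."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE.match(line)
        if m and key == WINLOGON and unescape(m.group(1)).lower() == "shell":
            return unescape(m.group(2))
    return None


def extra_shell_entries(shell_value):
    """Return whatever accompanies Explorer.exe in the Shell value ('' if clean)."""
    return re.sub(r"^\s*explorer\.exe[\s,]*", "", shell_value, flags=re.I).strip()


# Constructed export, modelled on the Shell value described in the post.
EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\kernel.dll.vbs"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

if __name__ == "__main__":
    shell = winlogon_shell(EXPORT)
    print("Shell =", shell)
    print("Unexpected:", extra_shell_entries(shell) or "nothing")
```

Regedit's version 5.00 exports are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing the text in.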
Posted by TekBytes at 12:37 AM | 3 comments | Labels: virus information, virus removal
Wednesday, November 28, 2007
VBS Worm Remover
If your computer or storage device(s) is infected by one or more of these worms (imgkulot, peanuts, bungoton, kulitot and pooh): I have edited panot's original imgkulot remover to include the bungoton, kulitot and pooh VBS worms.
Here's the link: vbswormremover
Good luck.
Posted by TekBytes at 8:44 PM | 3 comments | Labels: virus removal
Sunday, November 4, 2007
How to remove Imgkulot and How to Avoid infecting your Harddrive and Other Storage Devices
Disclaimer: The following article is based on my personal experience and on what I've read on the net. Link(s) are made to the source of file(s) and/or information, to give credit to them. The procedure given below worked for me and for other computers and storage devices that have been infected by imgkulot alone. I cannot give a 100% guarantee that the process below will work for you, especially if you have other viruses on your PCs. However, you can contact me anytime if you encounter problems in following the procedures below. PAY ATTENTION to the WARNING!
Probably some of you have already encountered this annoying virus named imgkulot, which prevents you from opening your hard drives and/or other storage devices (this includes flash drives and the memory cards of cell phones, digital cams, and MP3/MP4 players). And when you right-click on one of your drives you'll get something like this (see image).
Now before you call your computer technician to deal with this problem, read on and you will be able to solve this problem yourself. And even if you call a technician and he/she says you need to reformat your drive (believe me, I have encountered some technicians who would readily reformat a hard drive or a flash disk for a simple problem like this — I'll post another entry about this kind of "technician"), throw them out of your door as soon as they say the word reformat! You DON'T NEED TO REFORMAT ANYTHING!
Understanding What imgkulot does.
ImgKulot is simply annoying: it copies itself to any storage device available, including your hard drives, flash drives, and even the memory cards of your cellphones, digital cams, and MP3/MP4 players.
Specifically, imgkulot copies and hides the following files:
- Autorun.inf - this is not a virus in itself. Generally it's an instruction file which, as its name implies, runs automatically when a drive is opened. However, this is the part that launches the actual virus.
- imgkulot.vbs - a VB (Visual Basic) Script which is the actual malware (malicious software)/virus.
- imgkulot.reg - a part of the malware which is saved in the Windows registry.
Double-clicking on the infected drive(s), like we usually do, would launch the virus, and when you insert another removable drive (a flash disk or even the memory card(s) of your cellphones and digital cameras), the virus would copy the files listed above to the uninfected drive. Right-clicking the drive and clicking Open would do the same (see image above).
Anti-Virus Programs.
As for the anti-virus programs, I'm using AVG, which removes the files from memory and from the storage devices, but not all of them, sad to say. AVG leaves the imgkulot.reg and the Autorun.inf on the drives. As a result, when you double-click the infected drive, you'll get an error message that says "imgkulot.vbs not found" (or something similar), and your drive is still inaccessible. I'm not sure how other commercial anti-virus programs deal with imgkulot.
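The Autorun.inf behaviour described above, including an Autorun.inf left behind that still points at a deleted imgkulot.vbs, can be checked with a small parser. This is an added example, not code from the original post or from the remover tools it links; the sample file contents, the `audit_autorun` name and the lists of script hosts and extensions are assumptions.

```python
import re

# [autorun] keys that make Windows run a command when the drive is opened.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Script hosts a storage device has no ordinary reason to start (assumed list).
SCRIPT_HOST = re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.I)
# Script file named in the command (assumed extension list).
SCRIPT_FILE = re.compile(r'([^\s"\\/]+\.(?:vbs|vbe|js|jse|wsf|bat|cmd))\b', re.I)


def audit_autorun(text, files_on_drive=()):
    """Return one finding per [autorun] entry that launches a script.

    files_on_drive: names in the drive's root directory, used to spot an
    autorun.inf left behind after its script was already deleted.
    """
    present = {name.lower() for name in files_on_drive}
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, command = line.partition("=")
        key, command = key.strip().lower(), command.strip()
        script = SCRIPT_FILE.search(command)
        if LAUNCH_KEY.match(key) and (script or SCRIPT_HOST.search(command)):
            name = script.group(1) if script else None
            findings.append({
                "key": key,
                "command": command,
                "script": name,
                # True when the script is gone but autorun.inf still points at it
                "orphaned": name is not None and name.lower() not in present,
            })
    return findings


# Constructed samples, modelled on the description above (not captured files).
INFECTED = r"""[autorun]
open=wscript.exe imgkulot.vbs
shell\open\command=wscript.exe imgkulot.vbs
icon=folder.ico
"""
CLEAN = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"
```

A finding with `orphaned` set to true corresponds to the "imgkulot.vbs not found" state: the script is gone, but the Autorun.inf still has to be deleted before the drive opens normally.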
Removing imgkulot
So far, downloading and running this imgkulot remover is the easiest and safest way. I found this file on Titu's site when I was looking for such a remover. This is a simple batch file which removes the virus from memory and from the infected drives, and it's very easy to use:
- Unzip the file to your hard drive.
- Double-click the file.
- It will first attempt to kill wscript.exe from the process list.
- Then it will ask for the letter of the drive to be cleaned, e.g. D:
- Repeat the process until all drives are clean.
However, I don't see a line that cleans the registry, although this is good enough to clean the infected storage. This and another anti-virus program like AVG can completely remove the imgkulot virus from your system.
Before I found this, I made a batch file which I copied onto each infected drive and ran, and I manually removed the imgkulot.reg from the registry and killed wscript.exe from the process list. Here's what I did.
- First of all, kill the process from memory.
1. Bring up the Task Manager by pressing Control-Alt-Delete (Ctrl-Alt-Del).
2. Click on the Processes tab.
3. Look for Wscript.exe in the list and select it.
4. Press End Process.
This will prevent the virus from writing itself to the drive again after you delete it (next steps).
- Open the infected drive.
If you right-click your drive and see something like the figure above, the best and safest way to access it is: from the Start menu click Run…, type the infected drive letter in the text box (e.g. C:) and press the Enter key.
If you cannot bring up the Task Manager and you get a 'Task Manager has been disabled by your Administrator' message, you probably have another virus in your system that prevents this. Email me or post a message here if you do have this problem.
- View the hidden files.
From the main menu select Folder Options, then click the View tab.
Then select Show hidden files and folders.
Then uncheck Hide protected operating system files.
WARNING! Unless you know what you are doing, DO NOT DELETE OTHER FILES aside from the ones listed here.
- Delete the Autorun.inf and the three files with imgkulot names:
- imgkulot.vbs
- imgkulot.bat
- imgkulot.reg
(Other known variants: bungoton.vbs, bunguton.bat, bunguton.reg and kulitot.vbs, kulitot.bat, kulitot.reg)
- For safety reasons, go to Folder Options again, open the View tab, select Do not show hidden files and folders, and check Hide protected operating system files.
Next: How to Prevent Imgkulot from Spreading.
Posted by TekBytes at 6:05 PM | 2 comments | Labels: imgkulot, virus information, virus removal