Monday, December 01, 2008

How to Remove ImgKulot and Other Variants

You may have seen an error message like this when opening your hard drive or USB flash drive:
Windows - No Disk Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c
Don’t worry, you’re not the only one who has experienced something like this; I have too. This is a script worm that affects only Windows operating systems. It spreads through removable storage devices such as diskettes, USB flash drives, cell phone memory cards, digital cameras, MP3/MP4 players and the like, and installs itself in the Registry, so the affected system keeps displaying the error. Some of you have probably already encountered this annoying virus, named imgkulot, which prevents you from opening your removable drives. Imgkulot copies itself to any storage device available on your computer. If you right-click on your hard drive, you will see a word like the one in this picture, or something similar: (see image)

Another characteristic of this script: folders usually open in the same window, but once your computer is infected, every folder you open appears in a new window. Also, you cannot open your hard drive unless you right-click it and choose Open or Explore, or go to the address bar of Windows Explorer and type the drive directory of your hard drive. This script doesn’t harm your computer, but it will irritate you because it modifies your Windows registry settings.

Take note of this. Imgkulot copies and hides the following files:

1. Autorun.inf - this is not a virus in itself. Generally it’s an instruction file which, from the name itself, runs automatically when a drive is opened. However, this is the part that launches the actual virus.
2. Imgkulot.vbs - a Visual Basic Script which is the actual malware (malicious software) virus.
3. Imgkulot.reg - a part of the malware which is saved in the Windows registry.

Double-clicking an infected drive, as we usually do, launches the virus, and when you then insert another removable drive (a flash disk or even the memory card of your cell phone or digital camera), the virus copies the files listed above to the uninfected drive. Right-clicking the drive and clicking Open does the same.

Using Anti-Virus Programs
There are several anti-virus programs on the market that offer to remove or disinfect a virus, but sad to say lads, not all of them work. If you’re using AVG, for example, it leaves imgkulot.reg and Autorun.inf on the drives. As a result, when you double-click the infected drive you get an error message that says "Imgkulot.vbs not found" (or something similar), and the drive is still inaccessible.

Removing this annoying imgkulot virus

If your anti-virus does not work, you can still try downloading one of the virus removal tools that several anti-virus vendors offer, but as I said, there is no guarantee that it will remove everything. Still, there’s no harm in trying.
Now, before you call your computer technician to deal with this problem, read on and you will be able to solve it all by yourself. And if you do call a technician and he/she says you need to reformat your drive (believe me, I have encountered some technicians who would readily reformat a hard drive or a flash disk for a simple problem like this), throw them out of your door and tell them to never come back as soon as they say the word REFORMAT!

You can remove it manually by removing its entries from all your drives (including flash drives and memory cards) and from the registry. We can remove imgkulot.reg from the registry and kill the wscript.exe process manually. How to do this? Very simple, lads. Here's what I did.

IMPORTANT: Please turn off System Restore on all of your drives.
Also, before you perform the actual killing process, restart your computer in Safe Mode. To enter Safe Mode, press F8 several times before Windows launches, then select Safe Mode and press the Enter key.

A. To start the killing process.
1. Bring up the Task Manager by pressing Control-Alt-Delete (Ctrl-Alt-Del).
2. Click on the Processes tab.
3. Look for Wscript.exe in the list and select it.
4. Press End Process.
This will prevent the virus from writing itself to the drive again after you delete it (next steps).
If you cannot bring up the Task Manager and you get a “Task Manager has been disabled by your Administrator” message, you probably have another virus in your system that prevents this.

B. Go to My Computer.
From the main menu select Folder Options.
- Then click the View tab.
- Then select Show hidden files and folders.
- Then uncheck Hide protected operating system files.

C. WARNING! Please pay attention to this, DO NOT DELETE OTHER FILES aside from the ones listed below.
D. Open drive C: and look for all the names listed below.
Then delete Autorun.inf and the three files with imgkulot names.
Other known variants:
bungoton.vbs bbgong.vbs
bunguton.bat bbgong.bat
bunguton.reg bbgong.reg
kulitot.vbs burangos.vbs
kulitot.bat burangos.bat
Kulitot.reg burangos.reg

E. After you delete the four mentioned files on drive C:, go to the Windows folder, search the entire directory again, and delete any of the files mentioned above that appear there.
F. Next go to the System32 folder and apply step E.
G. And lastly, if your hard disk has several partitions, apply the same steps to the other drives as well.
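
The checks in steps D to G can also be scripted. The Python sketch below is an added example, not part of the original post: it scans one folder (a drive root, the Windows folder or System32) for the file names listed above and reads Autorun.inf to see which script it launches, flagging the half-cleaned case where Autorun.inf still points at a script that is already gone. The sample Autorun.inf contents and the names scan_root, autorun_targets and demo are constructed for illustration; the worm's real Autorun.inf may differ.

```python
import os
import re
import tempfile

# File names listed in the article (compared case-insensitively).
KNOWN = set("""imgkulot.vbs imgkulot.reg bungoton.vbs bunguton.bat bunguton.reg
bbgong.vbs bbgong.bat bbgong.reg kulitot.vbs kulitot.bat kulitot.reg
burangos.vbs burangos.bat burangos.reg""".split())

# Autorun.inf keys that start a program when the drive is opened.
LAUNCH_KEY = re.compile(r"^\s*(?:open|shellexecute|shell\\[^=]*\\command)\s*=(.*)$", re.I)
SCRIPT = re.compile(r"[^\s\"\\/]+\.(?:vbs|vbe|js|bat|cmd)\b", re.I)

# Constructed sample, NOT the worm's actual Autorun.inf.
SAMPLE_INF = ("[autorun]\nopen=wscript.exe imgkulot.vbs\n"
              "shell\\open\\command=wscript.exe imgkulot.vbs\n")

def autorun_targets(inf_text):
    """Return the script file names that Autorun.inf launch keys point at."""
    found = set()
    for line in inf_text.splitlines():
        m = LAUNCH_KEY.match(line)
        if m:
            found.update(t.lower() for t in SCRIPT.findall(m.group(1)))
    return sorted(found)

def scan_root(root):
    """Report worm artifacts in one folder; deletes nothing."""
    present = {name.lower(): name for name in os.listdir(root)}
    targets = []
    inf = os.path.join(root, present.get("autorun.inf", ""))
    if "autorun.inf" in present and os.path.isfile(inf):
        with open(inf, encoding="latin-1") as fh:
            targets = autorun_targets(fh.read())
    return {"known_files": sorted(n for n in present if n in KNOWN),
            "autorun_targets": targets,
            # Launcher outlived its script: the "Imgkulot.vbs not found" case.
            "dangling": [t for t in targets if t not in present]}

def demo():
    """Scan a constructed, half-cleaned drive root built in a temp folder."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Autorun.inf"), "w") as fh:
            fh.write(SAMPLE_INF)
        for name in ("Imgkulot.reg", "notes.txt"):
            open(os.path.join(root, name), "w").close()
        return scan_root(root)

if __name__ == "__main__":
    print(demo())
```

A non-empty "dangling" list means Autorun.inf itself still has to be deleted from that drive, even though the script it launches has already been removed.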

The article that I wrote is based on my personal experience and on what I've read from other sources of file(s) and/or information. The procedure that I’ve given worked for me and for other computers that I repaired that had been infected by this virus. I cannot give a 100% guarantee that the process I have given will work for you, especially if you have other viruses on your PC. So be careful with what you plug into your computer; scan it first...alright! But still, hope you can make it.

If you have any problems, just post a comment below…good luck