Removing malware (IMGKULOT or VBS/Capiz-A) written in VBScript from a Windows machine
Yesterday I helped a friend check his computer running Windows XP. It has been continually displaying the following error:

Windows - No Disk Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c

As it turns out, his computer had a virus, quite a new one, which is called IMGKULOT, or VBS/Capiz-A. We were able to remove the virus manually. In case your computer gets infected with the same virus, here are the steps to follow:

1. Open the Task Manager by pressing Ctrl-Alt-Del and clicking on the Task Manager button on the dialog box that appears.
2. In the Processes tab, locate wscript.exe. If you can't see it, try clicking on the "Show processes from all users" checkbox.
3. Highlight wscript.exe, and click on the "End Process" button.
4. Highlight explorer.exe and click on the "End Process" button as well.
5. In the Task Manager menu, select File->New Task (Run…), type "cmd" on the Create New Task dialog box, and click on the OK button. This will open a command prompt window.
6. Go to C:\WINDOWS\System32 by typing "cd C:\WINDOWS\System32" in the command prompt.
7. Delete all "imgkulot" files that appear in that directory by typing "del imgkulot.* /f /s /q /a".
8. Delete all "autorun" files in your root directory by typing "del c:\autorun.* /f /s /q /a".
9. If your hard disk has several partitions, apply #8 to the other drives as well.
10. The files of the virus have already been removed at this point. However, there is still a registry entry (modified by the virus) that needs to be restored. To open the Registry Editor, in the Task Manager menu, select File->New Task (Run…), type "regedit" on the Create New Task dialog box, and click on the OK button.
11. Go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
12. The following key and value pair should appear. If it does not, change it to match: "Userinit"="C:\WINDOWS\system32\userinit.exe,"
13. Restart your computer.
The virus should be completely removed from the computer by this time. However, please note that removable drives may be affected as well, so be cautious with what you plug into your computer, since the virus may still reside on one of them and reinfect your machine.
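To confirm that steps 7 to 12 took effect after the restart, the following Python script (an added example, not part of the original post) checks the Userinit value against the one given in step 12 and looks for leftover imgkulot.* and autorun.* files. The function names and the drive letters in the last lines are assumptions for illustration; adjust the drive list to the machine.

```python
import fnmatch
import os

# Value the post gives for a clean system (step 12).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def _entries(value):
    # Userinit is a comma-separated list of programs started at logon.
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def unexpected_userinit_entries(value, expected=EXPECTED_USERINIT):
    """Entries present in the value that are not in the expected value."""
    allowed = _entries(expected)
    return [p for p in _entries(value) if p not in allowed]


def userinit_is_clean(value, expected=EXPECTED_USERINIT):
    """True only if the value lists exactly the expected program(s)."""
    return _entries(value) == _entries(expected)


def read_userinit():
    """Read the live Userinit value (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


def leftover_files(system32, drive_roots):
    """imgkulot.* anywhere under system32, autorun.* in each drive root."""
    hits = []
    for folder, _dirs, files in os.walk(system32):
        hits += [os.path.join(folder, f) for f in files
                 if fnmatch.fnmatch(f.lower(), "imgkulot.*")]
    for root in drive_roots:
        if os.path.isdir(root):  # skip drive letters that are not present
            hits += [os.path.join(root, f) for f in os.listdir(root)
                     if fnmatch.fnmatch(f.lower(), "autorun.*")]
    return sorted(hits)


if __name__ == "__main__" and os.name == "nt":
    value = read_userinit()
    print("Userinit clean:", userinit_is_clean(value))
    print("Unexpected entries:", unexpected_userinit_entries(value) or "none")
    # Drive letters below are assumptions; list every partition and USB drive.
    found = leftover_files(r"C:\WINDOWS\System32", ["C:\\", "D:\\", "E:\\"])
    print("Leftover files:", found or "none")
```

An autorun.inf on an installer CD or vendor USB stick will also be listed, so review each hit on removable media before deleting it.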
The copyright for this content entitled "Removing malware (IMGKULOT or VBS/Capiz-A) written in VBScript from a Windows machine" has been specified by the contributor as:
All Rights Reserved
This content may not be copied, distributed or adapted by anyone under any circumstances.
May, 2012