Virus Bulubebek Removal...

Labels: , , Posted by Mr. Sham@poksey on Friday, April 3, 2009 at 11:21 AM

Bulubebek Virus
Main File :

:\Autorun.inf
:\bulubebek.ini

Virus Running Process

Script.exe
LSASS.exe

Virus Simptom

Duplicate every folder on Drive and change it to .EXE file with ‘folder’ Icon.
Hide the origin folder on Drive.
Hide Task Manager & Folder Option on your PC.

Remove Bulubebek Virus.

1. Disconnected From Internet (LAN or Wireles)
2. Turn Off System Restore
3. Use Third party software such as Process Explorer or Security Task Manager, to View and Kill process tree for LSASS.exe and Script.exe.
4. Repair Windows registry using this script:

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
HKCU, Software\Microsoft\Command Processor, AutoRun,0,

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAYXX.exe
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools



5. Copy and paste this script into Notepad and save it as Removebulubebek.inf.
6. Right Click Removebulubebek.inf and Click install.
7. LogOff and Logon Computer.
8. ‘Show Hidden file and folder’ on your Folder Option.
9. Delete autorun.inf and bulubebek.ini on your drive (Drive C, Drive D, Removable Drive)
10. Search and remove virus duplication file by using ‘Windows Search”.
Duplication file always
• using ‘folder’ icon,
• 53Kb in size,
• .EXE file,
• File Type ‘Application’


11. To unhide the origin folder on your drive (Drive C, Drive D, Removable Drive)

• Use ATTRIB –s –h –r /s /d On Command Prompt,

c:\ ATTRIB –s –h –r /s /d
Or
d:\ ATTRIB –s –h –r /s /d
Or
:\ ATTRIB –s –h –r /s /d

 

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)