The Bulubebek virus is written in Visual Basic and is 53 KB in size. It is easy to remove with a few manual techniques. Once the virus is active, it creates these master files:

  • \Windows\Script.exe
  • \Windows\LSASS.exe
  • \Documents and Settings\%user%\autorun.inf
  • \Documents and Settings\%user%\bulubebek.ini
  • \bulubebek.ini
  • \autorun.inf

While the virus is active it blocks some Windows functions such as Task Manager, Folder Options, Command Prompt and more. It spreads through USB flash drives (as it was designed to) by creating autorun.inf files.

[Image: bulubebek_autorun.JPG]

Hidden folders and duplicate folders

Bulubebek works almost the same way as the older Brontok variant: it hides your real folders and creates duplicate .exe files with a folder icon to trick inexperienced users.

Steps to clean the Bulubebek virus

1. I recommend unplugging your computer from the network; it is not strictly necessary, but I think it is safer.
2. Disable "System Restore" during the cleaning process.
3. Kill the active virus process using a 3rd-party tool such as Process Explorer; kill the virus process that has a folder icon.

[Image: process-explorer.JPG]

4. Repair the registry entries changed by the virus: save this code under any name with the .inf extension and install it.

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default open commands, the logon shell and the Safe Mode shell
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
HKCU, Software\Microsoft\Command Processor, AutoRun,0,

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAYXX.exe
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools

If the copied code does not work correctly in your text editor, you can download the repair files here.

5. Find and delete the duplicate folders created by the virus using the Search function. Look for any folders or files that match these rules:

  • Using folder icon.
  • Size 53 KB.
  • .exe extension
  • File type Application.

6. Show your hidden files again. You can use your favorite 3rd-party tool, or do it manually with the attrib command by typing:

ATTRIB -s -h -r /s /d

NOTE: Type this in the root of the drive.

7. To make sure the system is completely clean, scan your computer with your best antivirus program.

Done 😀
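
The search in step 5 can be scripted as a read-only triage pass. This is an added example, not code from the original post: it reports the dropped file names listed above and any .exe of 53 KB that sits beside a folder of the same name. The same-name match and the rounding of sizes up to whole KB are assumptions, and the sample tree is constructed for the demonstration.

```python
import os
import tempfile

# Indicators taken from the article: dropped file names and the 53 KB size.
DROPPED_NAMES = {"autorun.inf", "bulubebek.ini"}
SIZE_KB = 53


def shown_kb(size_bytes):
    """File size rounded up to whole KB (assumed to match the Search view)."""
    return -(-size_bytes // 1024)


def scan(root):
    """Return (dropped_files, suspect_exes) found under root. Deletes nothing."""
    dropped, suspects = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name.lower())
            if name.lower() in DROPPED_NAMES:
                dropped.append(path)
            elif ext == ".exe" and shown_kb(os.path.getsize(path)) == SIZE_KB:
                # Assumption: a duplicate carries the name of a real folder
                # beside it; other 53 KB .exe files are left unreported.
                if stem in folders:
                    suspects.append(path)
    return sorted(dropped), sorted(suspects)


def build_sample(root):
    """Constructed sample tree: one masquerading .exe among ordinary files."""
    os.makedirs(os.path.join(root, "Photos"))
    os.makedirs(os.path.join(root, "Work"))
    files = {"Photos.exe": 53 * 1024, "Work.exe": 20 * 1024,
             "setup.exe": 53 * 1024, "autorun.inf": 40}
    for name, size in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        found_dropped, found_suspects = scan(tmp)
        print("dropped files:", found_dropped)
        print("suspect duplicates:", found_suspects)
```

Review each reported path before deleting it: a legitimate autorun.inf or a genuine program that happens to match will also be listed.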
