Monday, March 23, 2009

Virus Bulu Bebek Removal

Bulubebek Virus
Main files:

:\Autorun.inf
:\bulubebek.ini

Virus running processes

Script.exe
LSASS.exe

Virus symptoms

Duplicates every folder on the drive as a .EXE file that carries a 'folder' icon.
Hides the original folder on the drive.
Hides Task Manager and Folder Options on your PC.

Remove the Bulubebek virus
* This assumes your PC is infected by the Bulubebek virus only (these steps will not be enough if your PC has a multiple-virus infection).

1. Disconnect from the Internet (LAN or wireless).
2. Turn off System Restore.
3. Use third-party software such as Process Explorer or Security Task Manager to view and kill the process trees for LSASS.exe and Script.exe. Note that the virus copy is c:\windows\LSASS.exe; the legitimate lsass.exe lives in c:\windows\system32 and must stay.
* Then delete:
- c:\windows\LSASS.exe
- c:\windows\LSASS.ini
- c:\windows\system32\SCRIPT.exe
- c:\windows\system32\SCRIPT.ini

4. Repair the Windows registry using this script:

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
HKCU, Software\Microsoft\Command Processor, AutoRun,0,

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAYXX.exe
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools



5. Copy and paste this script into Notepad and save it as Removebulubebek.inf.
6. Right-click Removebulubebek.inf and click Install.
7. Log off and log on to the computer again.
8. Enable 'Show hidden files and folders' in Folder Options.
9. Delete autorun.inf and bulubebek.ini on every drive (Drive C, Drive D, removable drives).
10. Search for and remove the virus's duplicate files using Windows Search.
The duplicate files always:
• use the 'folder' icon,
• are 53 KB in size,
• are .EXE files,
• show File Type 'Application'.

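As an added defender-side example (not from the original post), the duplicate-file signature above, an .exe named after a sibling folder at the stated 53 KB size, can be turned into a scan. The folder-icon check cannot be done portably, so the name and size heuristics stand in for it, and the sample directory tree is constructed for the demo:

```python
"""Find Bulubebek-style folder impostors: an .exe that sits beside a directory of the
same name and matches the 53 KB duplicate size the post describes."""
import os
import tempfile
from pathlib import Path

DUPLICATE_SIZE_KB = 53      # size of the duplicates, as stated in the post
SIZE_TOLERANCE_KB = 1       # allow for rounding when the size is quoted in KB


def find_folder_impostors(root, size_kb=DUPLICATE_SIZE_KB, tolerance_kb=SIZE_TOLERANCE_KB):
    """Return paths of .exe files named after a sibling folder with a matching size."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe" or stem.lower() not in sibling_dirs:
                continue
            path = Path(dirpath) / name
            actual_kb = path.stat().st_size / 1024
            if abs(actual_kb - size_kb) <= tolerance_kb:
                hits.append(path)
    return hits


def build_sample_tree(base):
    """Constructed sample (zero-filled files, not real malware): impostors beside
    three folders, a legitimate installer, and a large program sharing a folder name."""
    base = Path(base)
    for folder in ("Docs", "Music", "Photos", "Docs/sub"):
        (base / folder).mkdir(parents=True)
    for impostor in ("Docs.exe", "Music.exe", "Docs/sub.exe"):
        (base / impostor).write_bytes(b"\0" * DUPLICATE_SIZE_KB * 1024)
    (base / "setup.exe").write_bytes(b"\0" * 200 * 1024)    # no sibling folder: ignored
    (base / "Photos.exe").write_bytes(b"\0" * 400 * 1024)   # sibling folder but wrong size
    return base


def demo():
    """Build the sample tree in a temp dir and return impostor paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        return sorted(p.relative_to(base).as_posix() for p in find_folder_impostors(base))


if __name__ == "__main__":
    for hit in demo():
        print("folder impostor:", hit)
```

On a real machine, point find_folder_impostors at each drive root and review the hits before deleting; the size filter keeps ordinary programs that happen to share a folder name out of the list.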

11. To unhide the original folders on your drives (Drive C, Drive D, removable drives):

• Run ATTRIB -s -h -r /s /d at the Command Prompt from the root of each drive,

c:\> attrib -s -h -r /s /d
or
d:\> attrib -s -h -r /s /d
or, for a removable drive,
:\> attrib -s -h -r /s /d


That's it, as simple as that, unless you're facing a multiple-virus infection.

There have been a few times when I faced a multiple-virus infection (Bulubebek, Sality & 2.bat). It was a bit of a disaster, but I managed to remove it by using Safe Mode or an administrator account.

For Vista users:
if Bulubebek has infected your PC, you will not get to your desktop (you will only see a dark screen), because your system cannot run 'explorer.exe' after the virus appends 'SCRIPT.exe' to the Winlogon Shell value. So what I always do is:

1. Press CTRL-ALT-DEL and run Task Manager.
2. On the menu bar, click File -> New Task (Run).
3. Type explorer.exe to get to your desktop.
4. Once on your desktop, follow the steps I showed you earlier.

Download RemoveBulubebek.inf

Download Process Explorer (procexp.exe)