Yesterday I helped a friend check his computer running WindowsXP. It has been continually displaying the follwing error:
Windows - No Disk Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c
As it turns out, his computer had a virus, quite a new one, which is called IMGKULOT, or VBS/Capiz-A. We were able to remove the virus manually. In case your computer gets infected with the same virus, here are the steps to do:
- Open the Task Manager by presssing Ctrl-Alt-Del and clicking on the Task Manager button on the dialog box that appears.
- In the Processes tab, locate wscript.exe. If you can’t see it, try clicking on the “Show processes from all users” checkbox.
- Highlight wscript.exe, and click on the “End Process” button.
- Highlight explorer.exe and click on the “End process” button as well.
- In the Task Manager menu, select File->New Task (Run…), type “cmd” on the Create New Task dialog box, and click on the OK button. This will open a command prompt window.
- Go to C:\WINDOWS\System32 by typing “cd C:\WINDOWS\System32″ in the command prompt
- Delete all “imgkulot” files that appear on that directory by typing “del imgkulot.* /f /s /q /a”
- Delete all “autorun” files in your root directory by typing “del c:\autorun.* /f /s /q /a”
- If your hard disk have several partitions, apply #8 to the other drives as well.
- The files of the virus has already been removed at this point. However, there is still a registry entry (modified by the virus) that needs to be restored. To open the Registry Editor, in the Task Manager menu, select File->New Task (Run…), type “regedit” on the Create New Task dialog box, and click on the OK button.
- Go to the the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- The following key and value pair should appear. If not, please modify as is: “Userinit”=”C:\WINDOWS\system32\userinit.exe,”
- Restart your computer.
The virus should be completely removed from the computer by this time. However, please do note that removable drives may be affected as well, so be cautious with that you plug into your computer, lest the virus still resides in one of them and reinfect your machine.
September 20th, 2007 at 7:59 am
hi, my computer’s been infected with imgkulot and i’ve been trying your suggestions on how to remove it but i can’t find wscript.exe on the taskmanager. does it have any other name?
thanks!
September 20th, 2007 at 7:47 pm
hi i have imgekulot remover. i got one while searching google….. i think that the program i got was also made by the author of imgkulot.. totally lame!
September 20th, 2007 at 10:16 pm
@kris:
Hi there, and thanks for visiting my blog.
I know there are several IMGKULOT removers around. Several major antivirus vendors claim to be able to remove them as well. I don’t have confirmation if what you’re saying is true, but that would be quite amusing.
September 20th, 2007 at 10:22 pm
@ela:
Thanks for visiting my blog!
I’m afraid it doeesn’t have any other name, as it is the executable file for the Microsoft Windows Scripting Host application.
If you can’t find it even though you’ve checked “Show processes from all users” try continuing through the process I’ve outlined and see if the virus symptoms would still appear afterwards.
September 24th, 2007 at 4:01 am
Your website really helped us in removing the virus from our computer. I’m thankful that there are people like you who post things like this on websites to help other people.
September 25th, 2007 at 6:49 pm
i have problem… my usb got infected w/ imgkulot..how do i remove it? does imgkulot have any harmful effects?
September 26th, 2007 at 5:52 am
Hello Paul,
Just remove all instances of imgkulot.* and autorun.* from your USB drive.
As with the hard drive, just type the following instructions from the command prompt (replacing [driveletter] with the drive letter assigned to the USB drive):
del [driveletter]:\imgkulot.* /f /s /q /a
del [driveletter]:\autorun.* /f /s /q /a
However, this complicates things. If you have a clean system, chances are your machine could get infected if you insert an infected USB drive in it. I suggest disabling autorun from Windows first before attempting to insert an ‘infected’ USB drive.
September 26th, 2007 at 11:19 am
ei! thanks for the instructions.. really helped..
quick question though, i have a partition as recovery and cant seem to access it how do i remove the autorun?
another thing is that when the command for deleting the autorun erases all autorun things in windows.. will this have any effect on any other programs or will it just affect imgkulot?
thanks in advance!
September 26th, 2007 at 11:31 pm
Hello Andrew,
Could you try entering Safe Mode if you could access the partition?
Deleting the autorun files would only affect imgkulot. Supposedly the autorun.inf file is used in auto-playing CD-ROMs and other read-only media.
September 27th, 2007 at 8:25 am
Thanks Bro…really helped
October 2nd, 2007 at 1:29 pm
Hi Ronnie,
This really helped me a lot. Thanks!
October 2nd, 2007 at 8:27 pm
thanks bro. your instructions really helped.
October 4th, 2007 at 6:35 am
I followed the instruction and I was able to remove imgkulot successfully. However, I think there’s something wrong with the settings. The theme is is the Microsoft Classic and there’s no other option. My other USB devices are not working also. Please help.
October 4th, 2007 at 1:05 pm
Techie Henry, thanks for the tips on how to remove the f*****g imgkulot virus. You are the man!
October 5th, 2007 at 7:46 am
thanx for the help!i was about to format my computer when i found your site!thank you very much….is there any problem to the computer when imgkulot has been remove?like the autorun.inf?i read from the other comment that it affect the CD-ROM auto playing!plz reply to my question!thanx and godbless but f**k to imgkulot!!!!hehehehe
October 5th, 2007 at 9:25 am
Thanks a lot for this help…Kudos to you!!!
October 6th, 2007 at 5:44 am
i already followed your instructions…i deleted all imgkulot in all my drives and restarted my pc,,,but when i open the drives D and C it says “Can not find script file ‘C:\imgkulot.vbs’” and those drives cannot be opened anymore…what should i do next?can you please help me figure this out?
October 6th, 2007 at 7:08 pm
hi toolatethehero, i have a imgkulot remover that i get through my clazmyt, it it effective…if you like email me at “karenfonzy@yahoo.com” and i forward it to your e-add!thanx…
October 6th, 2007 at 10:54 pm
@toolatethehero:
Thanks for visiting my site!
Please repeat the sequence again, making sure that the registry entries have been changed. You were able to delete the virus files, but I don’t think the autorun and registry settings were not deleted.
October 6th, 2007 at 10:57 pm
@abnoy:
I don’t think there was any mention about CD-ROMs not autoplaying.
October 8th, 2007 at 9:22 am
thanks for the advise. i was able to remove this virus from my system.
October 8th, 2007 at 10:48 pm
hi..i followed ur sequence . Could u pls help me, but unfortunately i cant find that wscript.exe u said in the process menu… is there other names? or other options?
tnx.
October 9th, 2007 at 9:47 am
Hello Hannah,
Have you checked the “Show processes from all users” option in the Task Manager? That may be preventing you from seeing the wscript.exe program.
If you still can’t , try rebooting into safe mode and repeat the sequence I posted.
October 9th, 2007 at 10:45 am
Wow.. now you’ve also become an AV guy =)
October 10th, 2007 at 9:20 am
@motmot:
That just happened by chance.
October 11th, 2007 at 6:16 am
guys, it seems that there is a new virus spreading out…i believe its is just imgkulot remodified as they work in the same way…so if your pc has “I Love My Peanut” on its drives…better do those posted above…
October 13th, 2007 at 8:47 am
Thank you for posting this! I got to remove the imgkulot from my Mom’s laptop! Thank you again!
October 13th, 2007 at 7:49 pm
my task manager was disabled. Eve if I click the start menu and look for the run tab I can’t find it. What should I do? Thanks!
October 13th, 2007 at 8:56 pm
@kainis:
Restart you computer and run Windows in safe mode.
October 16th, 2007 at 11:22 pm
Man thank you so much! It works! This is a big help to others with the same problem. Well just an announcement, I got that virus from my friends MP4 player (IPOD look a like) ‘coz he usually go to the mall to have it loaded with songs so all you people be careful on handling usb devices that comes from outside sources. Peace!!!
October 17th, 2007 at 5:01 pm
sir, i already did your instructions. how come when i restarted my computer, it wont login. by the time i clicked it, it says. “loading…” all a sudden “logging out…” can you please help me?
October 18th, 2007 at 5:33 am
@Aaron:
That isn’t supposed to happen after you perform the steps I have outlined. You might have done something else that would have caused that problem.
I guess problems like that can better be checked by trying safe mode. Restart your computer in safe mode and see if the same thing happens. If it didn’t you might have deleted a file from the windows\system directory that is needed during the login sequence.
October 18th, 2007 at 7:25 pm
everytime i open my flashdrive this message appears: cannot find imgkulot.vbs. then i canno open my flashdrive! wat will i do
October 19th, 2007 at 8:49 am
@von:
I think the virus is still on your machine, Please retrace the steps I outlined above and as you remove the virus files from drive C, do the same as well in your flash drive.
October 19th, 2007 at 6:11 pm
Thanks!
Followed yr instructions & healed imgkulot, however now the laptop wont recognise my dvd-ram (matshita uj-830s)
Any suggestions??
Cheers
Rico
November 13th, 2007 at 9:28 pm
hi..i was searching for a virus called i love my peanut that infected my computer and i found this site that knows how to delete viruses from computers.can somebody help me how to remove it? thanks..
April 2nd, 2008 at 10:39 pm
Hi! My c and my d drives got infected with the i love my peanut. I followed Ronnie’s instructions just now and I succeeded in removing the annoying virus.
Thanks Ron!