Shortcut Virus on your computer
October 6, 2010 Leave a comment
Have you ever seen a case, where your computer suddenly flooded by the shortcuts that do not feel you will ever make?
If the answer to the above questions is yes, then your computer could be exposed to the virus. You have a lot of shortcuts virus found today.
The virus is also known as Worm: PIF/Starter.A by some antivirus, spread in almost all the folders in your computer, the file is like Microsoft.lnk, and also a shortcut file with a name like the name of the folder that is owned.
The virus can be said to be quite dangerous, but of course, his presence is very disturbing. Maybe for some people, this virus will just create a shortcut in each folder in the computer. Logically, to be sure each shortcut has a small size (about a few kb only), but just imagine if in your computer there are thousands, even millions of folders, how much disk space will be consumed by it.
The characteristics of the virus:
1. In the My Documents folder contained a file called database .mdb, this is the file on the mainland.
2. Autorun.inf files, Thumb.db, Microsoft.lnk in every driver, flash disk folders and sub folders until the 2nd.
3. Make any folders Duplicate Files with the extension .lnk
4. Turn off the function of the Registry file and also add a few lines in the registry
Steps by steps to remove this virus:
2. Previously, the process of turning off System Restore.
3. Once off the process of Wscript, we must delete or rename of the file so as not to be used again (temporarily) by the virus. For the record, if we rename the file wscript.exe is to automatically be copied again in the folder, therefore we must find where the file wscript.exe other. These files are usually in C:\Windows\$ NtServicePackUninstall$, C:\Windows\ServicePackFiles\i386. Unlike other VBS viruses, we can change the Open With from the vbs file into Notepad, the virus that matters is berextensi MDB Microsoft Access file. So Wscript DATABASE.MDB will run the file as if he is VBS file. (smart virus right?)
Wscript.exe //E: VBScript \”C:\Documents and Settings\Administrator\My Documents\database.mdb\”"
4. Delete an existing parent file in C:\Documents and Settings\My Documents\database.mdb, for every time the computer boots will not load the file. Do not forget to also open MSCONFIG, and disable the run command.
5. Now we will delete the files autorun.inf. Microsoft.INF and Thumb.db. by the way, click the START button, type CMD, and moved to the drive to be cleaned, for example, drive C:\, then we have to do is
Type C:\del Microsoft.inf /s = this command will delete all files microsoft.inf in all folders on drive C:
if you want to move the drive, just change the name of the drive alone.
For the autorun.inf file, type C:\ del autorun.inf /s /ah /f = this command will delete the autorun.inf file (syntax /ah /f is used because the file is taking attrib RSHA, as well as to do Thumb.db file also the same).
6. To delete files older than 4 files, we must find a way Search files with extensions .lnk size of 1 KB, On the “More advanced options”, make sure the option “Search system folders” and “Search hidden files and folders” is checked both .
Please be careful, not all files shortcut / LNK file size of 1 KB is a virus, we can distinguish it from its icon, size and type. Shortcut created by the virus, its icon always use the icon “folder”, size 1 KB to type “Shortcut”. While the correct folder should not have “size” and Typenya is the “Files Folder”.
7. Final step. Fix the registry has been in the change by the virus. To speed up the process of repair registry copy the script below on the “notepad” and then save it with the name “repair.inf”. Run the file in the following manner:
- Right-click repair.inf
- Click Install
==========copy the script start here==========
HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, “cmd.exe”