11 January 2011

How To Remove the Shortcut Virus Manually


One virus that has been quite troublesome lately is often called the shortcut virus. It does not damage files; it only hides the original files and creates new shortcuts in their place, so clicking a shortcut the virus made will not open the file or folder, because it is not a genuine shortcut to it. I was also a victim of this shortcut virus, so, friends, I had better continue this post so that others can read it and remove the virus.

After searching for a way to eliminate the shortcut virus with the help of Uncle Google, I found some blogs and websites with articles on how to remove / clean the shortcut virus. The following method is, in my opinion, quite effective:

How to do it:

1. Turn off System Restore first: right-click the My Computer icon, choose Properties, open the System Restore tab, tick Turn Off System Restore on All Drives and click OK.

2. Stop the Wscript process, whose file is located in C:\Windows\System32, using a tool such as CProcess or HijackThis, or the Windows Task Manager.

3. Once the Wscript process is stopped, delete or rename the file so that the virus cannot use it for the time being.

For the record, if we rename wscript.exe, it will automatically be copied back into the folder. Therefore we must find the other copies of wscript.exe, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386.

With other VBS viruses we can change the Open With setting for .vbs files to Notepad, but this virus's main file has the .MDB extension of a Microsoft Access file. Wscript runs DATABASE.MDB as if it were a VBS file.

4. Delete the parent file at C:\Documents and Settings\ \My Documents\database.mdb so that it is no longer loaded every time the computer boots. Do not forget to open MSCONFIG as well and disable the run command.

5. Now we delete the files autorun.inf, Microsoft.INF and Thumb.db. To do this, click the START button, type CMD, and change to the drive to be cleaned, for example drive C:\. Then do the following:

At the C:\ prompt, type del Microsoft.inf /s. This command deletes every Microsoft.inf file in all folders on drive C:. To clean another drive, just change the drive letter, for example: at the D:\ prompt, type del Microsoft.inf /s.

For autorun.inf, at the C:\ prompt type del autorun.inf /s /ah /f. This deletes the autorun.inf files; the /ah /f switches are used because the file carries the attributes RSHA. Do the same for the file Thumb.db.

6. To delete the remaining files beyond those 4, use Search to find files with the .lnk extension and a size of 1 KB. Under 'More advanced options', make sure that 'Search system folders' and 'Search hidden files and folders' are both checked.

"Please be careful: not every shortcut / LNK file with a size of 1 KB is a virus. We can distinguish them by icon, size and type. A shortcut created by the virus always uses the 'folder' icon, has a size of 1 KB and the type 'Shortcut'. A real folder has no 'size' and its type is 'File Folder'."

7. Repair the registry values that the virus has changed. To speed up the repair, copy the script below into Notepad and save it as 'repair.inf'. Run the file in the following manner:

Right-click repair.inf
Click Install
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default "open" command for executable file types,
; the Winlogon shell and the Safe Mode alternate shell.
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

; Remove the Run values listed here.
[Del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer
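
Before applying repair.inf, it helps to see which of these registry values actually differ from what the script will write. The PowerShell script below is an added example, not part of the original post or of the Vaksincom script; it assumes PowerShell 3.0 or later, only reads the registry, and takes its expected data from the repair.inf listing above.

```powershell
# Added example, not from the original post. Read-only: no value is modified.
# Expected data comes from the [UnhookRegKey] and [Del] sections of repair.inf.
$classes = 'HKLM:\Software\Classes'
$checks  = @()
foreach ($type in 'batfile', 'comfile', 'exefile', 'piffile', 'scrfile') {
    $checks += [pscustomobject]@{ Key = "$classes\$type\shell\open\command"; Name = ''; Data = '"%1" %*' }
}
$checks += [pscustomobject]@{ Key = "$classes\regfile\shell\open\command"; Name = ''; Data = 'regedit.exe "%1"' }
$checks += [pscustomobject]@{
    Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Data = 'Explorer.exe' }
foreach ($set in 'ControlSet001', 'ControlSet002') {
    $checks += [pscustomobject]@{ Key = "HKLM:\SYSTEM\$set\Control\SafeBoot"; Name = 'AlternateShell'; Data = 'cmd.exe' }
}
# Run values that repair.inf deletes; Data = $null means "should not exist".
$checks += [pscustomobject]@{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Winupdate'; Data = $null }
$checks += [pscustomobject]@{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'explorer'; Data = $null }

$report = foreach ($c in $checks) {
    $key    = Get-Item -LiteralPath $c.Key -ErrorAction SilentlyContinue
    $actual = $null
    # GetValue('') reads the key's (Default) value; a missing value returns $null.
    if ($key) { $actual = $key.GetValue($c.Name) }

    if (-not $key) {
        $status = 'key not found'
    } elseif ($null -eq $c.Data) {
        # Entry from [Del]: any data here means the Run value still exists.
        if ($null -eq $actual) { $status = 'ok (absent)' } else { $status = 'PRESENT' }
    } elseif ($actual -eq $c.Data) {
        $status = 'ok'          # -eq compares strings case-insensitively
    } else {
        $status = 'CHANGED'
    }

    $valueName = '(Default)'
    if ($c.Name) { $valueName = $c.Name }
    [pscustomobject]@{ Key = $c.Key; Value = $valueName; Actual = $actual; Status = $status }
}
$report | Format-Table -AutoSize -Wrap
```

Rows marked CHANGED or PRESENT are the ones repair.inf will rewrite or delete; the Actual column records what was there beforehand.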

Good luck!
