Wednesday 3 August 2011

7 Steps to Stop the Shortcut Virus Flood

The PIF/Starter virus, better known as the shortcut virus, plagues its victims with the large number of shortcuts it creates. Worse, if the cleanup is not done properly, the virus simply comes back again and again.
Here are the 7 steps that Vaksincom virus analyst MG Lat recommends to stop the flood of shortcuts this virus causes:

1. First, turn off System Restore.
2. Kill the running Wscript process (the file is located in C:\Windows\System32) using a tool such as CProcess or HijackThis, or simply the Windows Task Manager.

3. With the Wscript process stopped, delete or rename the wscript.exe file so that the virus cannot use it in the meantime.

Note that if we rename wscript.exe, Windows automatically copies it back into the folder. So we also need to find the other copies of wscript.exe, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386.
Unlike other VBS viruses, where we can simply change the Open With handler for .vbs files to Notepad, this virus uses the .mdb extension of Microsoft Access database files. Running Wscript DATABASE.MDB executes the file as though it were a VBS script.

4. Delete the parent file at C:\Documents and Settings\\My Documents\database.mdb so that it is no longer loaded every time the computer boots. Also open MSCONFIG and disable the startup entry that runs it.

5. Now delete the files autorun.inf, Microsoft.INF and Thumb.db. Click the START button, type CMD, and change to the drive to be cleaned, for example drive C:\. Then run the following:

Type C:\>del Microsoft.inf /s. This command deletes every microsoft.inf file in every folder on drive C:. To clean another drive, just change the drive letter, for example D:\>del Microsoft.inf /s.

For the autorun.inf file, type C:\>del autorun.inf /s /ah /f. The /ah /f switches are needed because the file carries the RSHA (read-only, system, hidden, archive) attributes. Do the same for Thumb.db.

6. To delete the shortcut files other than the 4 files above, use Windows Search to look for files with the .lnk extension and a size of 1 KB. Under ‘More advanced options’ make sure that ‘Search system folders’ and ‘Search hidden files and folders’ are both checked.

Be careful: not every shortcut (LNK) file of 1 KB is the virus. We can tell them apart by icon, size and type: the shortcuts created by the virus always use the ‘folder’ icon, have a size of 1 KB and the type ‘Shortcut’, whereas a genuine folder shows no ‘size’ and has the type ‘File Folder’.
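As an added example (not part of the original post or of Vaksincom's tooling), the PowerShell script below automates the search in step 6: it lists every .lnk file on a drive whose target is wscript.exe with a script or .mdb payload, and reports size, icon and hidden attribute so each entry can be reviewed before anything is deleted. The drive letter and the set of payload extensions it matches are assumptions.

```powershell
# Added example, not from the original post. Lists shortcut files that launch
# wscript.exe with a script payload, which is how the PIF/Starter shortcuts
# start their database.mdb. Nothing is deleted; the output is for review.
# Assumptions: the drive to scan and the payload extensions matched below.
param(
    [string]$Drive = 'C:\'
)

# WScript.Shell can open an existing .lnk and expose its target and arguments
$wsh = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $Drive -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $_
        try {
            $sc = $wsh.CreateShortcut($lnk.FullName)
        } catch {
            return   # unreadable shortcut, skip it and continue with the next
        }
        $target    = [string]$sc.TargetPath
        $arguments = [string]$sc.Arguments

        # The virus shortcuts run wscript.exe (or cscript.exe) against a
        # script-like payload; legitimate shortcuts rarely do. -match is
        # case-insensitive in PowerShell.
        $runsWscript = $target -match '(^|\\)[wc]script\.exe$'
        $hasPayload  = $arguments -match '\.(mdb|vbs|vbe|js|wsf)\b'

        if ($runsWscript -and $hasPayload) {
            [pscustomobject]@{
                Shortcut     = $lnk.FullName
                SizeBytes    = $lnk.Length
                Hidden       = [bool]($lnk.Attributes -band [IO.FileAttributes]::Hidden)
                IconLocation = [string]$sc.IconLocation
                Target       = $target
                Arguments    = $arguments
            }
        }
    }
```

After reviewing the list, the confirmed entries can be removed by piping their Shortcut paths to Remove-Item -Force.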

7. Repair the registry entries changed by the virus. To speed this up, copy the script below into Notepad and save it as ‘repair.inf’. Then run the file as follows:

- Right-click repair.inf
- Click Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

; The section names UnhookRegKey and del are only labels referenced here
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Restore the default open handlers for executable file types
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Restore the Winlogon shell and the Safe Mode alternate shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

[del]
; Remove the autostart entries the virus added
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run , Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run , explorer