Thursday, 18 June 2009

7 Steps to Stop the Shortcut Virus Flood



Shortcuts created by the virus (source: Vaksincom)

The PIF/Starter virus, better known as the shortcut virus, plagues its victims with the large number of shortcuts it creates. Annoyingly, if it is not removed the right way it comes back, again and again.

Here are 7 surefire steps from Vaksincom virus analyst MG Lat to stop the flood of shortcuts this virus causes:

1. First, turn off System Restore.

2. Kill the Wscript process (the file lives in C:\Windows\System32) with a tool such as CProcess or HijackThis, or with the Windows Task Manager.

3. Once the Wscript process is stopped, delete or rename the file so the virus can no longer use it.

Note that if we rename Wscript.exe, Windows automatically copies it back into the folder. We therefore have to find (and rename) the other copies of Wscript.exe as well, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386.

Unlike other VBS viruses, where we can simply change the Open With association of .vbs files to Notepad, this virus's file has the .mdb extension of a Microsoft Access database. Wscript runs DATABASE.MDB as though it were a .vbs file anyway (Wscript can be told which script engine to use with its //E: switch, so the file extension does not matter to it).

4. Delete the parent file, C:\Documents and Settings\<user>\My Documents\database.mdb, so it is no longer loaded every time the computer starts. And do not forget to open msconfig and disable the virus's startup entry.

5. Now delete the files Autorun.inf, Microsoft.inf and Thumb.db. Click the Start button, type CMD, then change to the root of the drive to be cleaned, for example C:\, and run:

C:\>del /s Microsoft.inf

This command deletes every microsoft.inf in every folder on drive C:. To clean another drive, just change the drive letter, for example D:\>del /s Microsoft.inf.

For the autorun.inf file, type C:\>del /s /ah /f autorun.inf. The /ah and /f switches are needed because the file carries the RSHA (read-only, system, hidden, archive) attributes; do the same for Thumb.db.

6. To delete the shortcut files, as distinct from the 4 files above, search for files with the .lnk extension and a size of 1 KB. Under 'More advanced options' make sure that 'Search system folders' and 'Search hidden files and folders' are both checked.

Be careful: not every 1 KB shortcut (.lnk) file is the virus. We can tell them apart by icon, size and type. The virus's shortcuts use the 'folder' icon, have a size of 1 KB and are of type 'Shortcut', whereas a real folder shows no 'size' and has the type 'File Folder'.

7. Repair the registry entries modified by the virus. To speed up the registry repair, copy the script below into Notepad and save it as 'Repair.inf'. Then run the file as follows:

- Right-click repair.inf
- Click Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" /S"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer
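Step 6 tells us to tell the virus's shortcuts apart from real ones by eye. The following Python script, added here as an example (it is not part of the original post or of Vaksincom's tools), does that check programmatically: it parses the .lnk binary format, pulls out the shortcut's real target and arguments, and flags shortcuts of at most 1 KB whose target is wscript.exe or cscript.exe, so a 1 KB shortcut to an ordinary program is left alone. The two sample shortcuts are constructed in memory; the exact command line the worm put in its shortcuts (here //e:VBScript with database.mdb), the shell32.dll icon index and the benign program path are assumptions, not data from the infection.

```python
"""Triage .lnk files for the shortcut worm's pattern: a tiny shortcut whose
real target is the Windows script host, dressed up with a stock folder icon.
Parser for the Shell Link binary format (MS-SHLLINK): ShellLinkHeader, optional
LinkTargetIDList (skipped), LocalBasePath from LinkInfo, then StringData."""
import ntpath
import os
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields in file order, each present only if its flag is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return target (LinkInfo.LocalBasePath) and StringData fields; absent ones are ''."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    fields = {"target": ""}
    fields.update((name, "") for name, _ in STRING_FIELDS)
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x01:                    # VolumeIDAndLocalBasePath: ANSI, NUL-terminated
            start = pos + base_off
            fields["target"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += info_size
    unicode = bool(flags & IS_UNICODE)
    for name, flag in STRING_FIELDS:             # CountCharacters (2 bytes) + chars, no NUL
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def is_suspicious_shortcut(data: bytes) -> bool:
    """The post's rule made precise: at most 1 KB and the target is a script host.
    Size alone is not enough, since legitimate 1 KB shortcuts exist."""
    if len(data) > 1024:
        return False
    return ntpath.basename(parse_lnk(data)["target"]).lower() in SCRIPT_HOSTS


def scan_directory(root: str) -> list:
    """Walk root (os.walk visits hidden and system folders too) and list matching .lnk files."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_suspicious_shortcut(fh.read(2048)):
                        hits.append(path)
            except (OSError, ValueError):        # unreadable, or not really a shell link
                continue
    return hits


def _lnk_string(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(target: str, arguments: str, icon_location: str) -> bytes:
    """Construct a minimal Unicode shell link in memory (demo data only; real files
    also carry an IDList, timestamps and extra data blocks)."""
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base_path = target.encode("cp1252") + b"\x00"
    hdr = 0x1C                                                    # LinkInfoHeaderSize
    info_size = hdr + len(volume_id) + len(base_path) + 1         # +1: empty CommonPathSuffix
    link_info = struct.pack("<7I", info_size, hdr, 0x01, hdr, hdr + len(volume_id), 0,
                            hdr + len(volume_id) + len(base_path))
    link_info += volume_id + base_path + b"\x00"
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIqqqIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)         # no times, SW_SHOWNORMAL
    return header + link_info + _lnk_string(arguments) + _lnk_string(icon_location)


# Constructed samples, not captured from an infection. The worm's exact argument
# string and the shell32.dll icon index are assumptions; the script host target and
# database.mdb follow the post.
WORM_LNK = build_lnk(r"C:\WINDOWS\system32\wscript.exe",
                     r'//e:VBScript "..\database.mdb"',
                     r"%SystemRoot%\system32\shell32.dll,3")
BENIGN_LNK = build_lnk(r"C:\Program Files\Mozilla Firefox\firefox.exe", "", "")

if __name__ == "__main__":
    for label, blob in (("worm-style", WORM_LNK), ("benign", BENIGN_LNK)):
        info = parse_lnk(blob)
        print(f"{label}: {len(blob)} bytes, target={info['target']!r}, "
              f"args={info['arguments']!r}, suspicious={is_suspicious_shortcut(blob)}")
```

Run it as-is to see the two samples classified, or call scan_directory(r"C:\") on the infected machine (or on its drive mounted elsewhere, since this is pure file parsing) to get a list of candidate shortcuts to review before deleting them. Shortcuts that only resemble the worm's by size are reported with their real target by parse_lnk, which is the same icon/size/type judgement step 6 asks for, applied to the file's contents rather than its appearance.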
