Yesterday I looked at this blog's Google Analytics: almost 90% of visitors, from more than 30 countries, reached the blog through search keywords about the shortcut virus, which shows how widespread this virus is around the world. So I will try to discuss the return of the virus.
The PIF/Starter virus, better known as the shortcut virus, annoys its victims with the large number of shortcuts it creates. Worse, if the virus is not handled correctly it will simply come back, again and again.
Here is the procedure a virus analyst at Vaksincom uses to stop the flood of shortcuts caused by this virus:
1. First, turn off System Restore, so that a restore point cannot bring the virus back.
2. Kill the running Wscript process (the file wscript.exe lives in C:\Windows\System32) using a tool such as CProcess or HijackThis, or simply the Windows Task Manager.
3. Once Wscript is no longer running, delete or rename the file so the virus cannot use it for the time being.
Note that if you only rename wscript.exe in System32, Windows will automatically copy it back into that folder from its protected copies. You therefore have to find the other copies of wscript.exe as well, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386. Keep in mind that while wscript.exe is renamed, legitimate .vbs and .js scripts will not run either, so restore it once the cleanup is finished.
Unlike other VBS viruses, this one cannot be neutralised by changing the 'Open With' association of .vbs files to Notepad, because the file that matters here has the .mdb extension of a Microsoft Access database. Wscript runs DATABASE.MDB as if it were a VBS file, so the .vbs association plays no part.
4. Delete the parent file database.mdb in the user's My Documents folder (C:\Documents and Settings\<username>\My Documents\database.mdb) so that it is no longer loaded each time the computer boots. Do not forget to also open MSCONFIG and disable the virus's startup (Run) entry.
5. Next, delete the files autorun.inf, Microsoft.inf and Thumb.db. Click the START button, type CMD, change to the drive to be cleaned (for example C:), and run:
C:\> del Microsoft.inf /s
This deletes every microsoft.inf in every folder on drive C:. To clean another drive, change to that drive and repeat the command, for example D:\> del Microsoft.inf /s.
For the autorun.inf file, type C:\> del autorun.inf /s /ah /f. The switches /ah and /f are needed because the file carries the RSHA attributes (read-only, system, hidden, archive): /ah selects hidden files and /f forces deletion of read-only files. Do the same for Thumb.db. Be careful to type Thumb.db exactly, without an s: Windows' own thumbnail cache file is Thumbs.db, and that one is harmless.
6. To delete the remaining files (the shortcuts) other than those four, use Windows Search to look for files with the extension .lnk and a size of 1 KB. Under 'More advanced options' make sure that both 'Search system folders' and 'Search hidden files and folders' are checked.
Be careful: not every 1 KB shortcut (.lnk) file is the virus. You can tell them apart by icon, size and type. A shortcut created by the virus always uses the 'folder' icon, has a size of 1 KB and a type of 'Shortcut', whereas a real folder shows no 'size' at all and has the type 'File Folder'.
7. Repair the registry entries the virus has changed. To speed up the repair, copy the script below into Notepad and save it as 'repair.inf' (in Notepad's Save dialog choose 'All Files' as the file type, otherwise it is saved as repair.inf.txt and will not install). The script restores the default open commands for .bat, .com, .exe, .pif, .reg and .scr files, sets the Winlogon Shell back to Explorer.exe and the Safe Mode shell back to cmd.exe, and removes the Winupdate and explorer entries the virus added under the Run keys. Run the file as follows:
- Right-click repair.inf
- Click Install
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer
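Step 6 above relies on the search dialog and on what Explorer shows as the icon, size and type. The following is an added example, not part of the original post or of Vaksincom's tooling: a small Python scanner that reads each .lnk file in the shell-link (MS-SHLLINK) binary format and flags the ones at most 1 KB in size whose path or arguments point at the script host. The markers it looks for (wscript in the path, database.mdb in the arguments) are an assumption drawn from the launch chain described in steps 2 to 4; the build_lnk helper produces constructed test input, not a shortcut captured from an infected machine.

```python
import os
import struct

# LinkFlags bits at header offset 0x14 (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields follow in this order, each present only if its bit is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Assumption drawn from the steps above: the virus's shortcuts run the script
# host on the .mdb file. Adjust if the sample on your machine differs.
SUSPICIOUS_MARKERS = ("wscript", "database.mdb")

def parse_lnk(data):
    """Return the StringData fields (name, relative_path, working_dir,
    arguments, icon_location) of a shell link as a dict of str."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1       # UTF-16 vs. ANSI strings
    fields = {}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            fields[key] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return fields

def is_suspicious_shortcut(data, max_size=1024):
    """True for a link of at most max_size bytes (the 1 KB rule of step 6)
    whose path or arguments contain one of SUSPICIOUS_MARKERS."""
    if len(data) > max_size:
        return False
    f = parse_lnk(data)
    command = (f["relative_path"] + " " + f["arguments"]).lower()
    return any(marker in command for marker in SUSPICIOUS_MARKERS)

def scan_tree(root):
    """Walk root and return the paths of .lnk files flagged as suspicious;
    files that are not parseable shell links are skipped, not deleted."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                if is_suspicious_shortcut(data):
                    hits.append(path)
            except (ValueError, struct.error):
                continue
    return hits

def build_lnk(relative_path, arguments, icon, unicode=True):
    """Construct a minimal shell link carrying only StringData. This is
    constructed test input, not a sample taken from an infected machine."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION
    if unicode:
        flags |= IS_UNICODE
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)                  # HeaderSize
    # LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")
    struct.pack_into("<I", header, 0x14, flags)
    body = b""
    for text in (relative_path, arguments, icon):
        body += struct.pack("<H", len(text))
        body += text.encode("utf-16-le" if unicode else "latin-1")
    return bytes(header) + body

if __name__ == "__main__":
    bad = build_lnk("..\\..\\WINDOWS\\system32\\wscript.exe", "database.mdb",
                    "%SystemRoot%\\system32\\shell32.dll")
    good = build_lnk("..\\..\\WINDOWS\\notepad.exe", "", "")
    print(is_suspicious_shortcut(bad), is_suspicious_shortcut(good))  # True False
```

Run scan_tree("C:\\") on the affected machine and review the list before deleting anything; the scanner only reports, it never removes files. Shortcuts that store their target solely in the LinkTargetIDList (no relative path or arguments) are skipped by this check, so a manual look at any remaining 1 KB folder-icon shortcuts is still worthwhile.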
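After running repair.inf in step 7 it is worth confirming that the values actually took, and the same check run before the repair shows exactly which of these keys the virus has changed. The following is an added example, not part of the original post: it parses the AddReg and DelReg entries of the repair script itself (handling the INF rule that a doubled quote inside a string stands for a literal quote) and compares them with a registry reader. On the affected Windows machine pass winreg_reader; offline, pass snapshot_reader over a dict of observed values. The repaired_snapshot values are a constructed illustration of the expected state, not data captured from any machine.

```python
# Copy of the repair.inf script from step 7: the state the registry should be in
REPAIR_INF = r'''
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer
'''

def split_fields(line):
    """Split an INF entry on commas outside quotes; strip the quotes and
    turn a doubled quote ("") back into a literal quote."""
    fields, buf, quoted = [], [], False
    for ch in line + ",":                      # trailing comma flushes the last field
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            field = "".join(buf).strip()
            if field[:1] == '"' and field[-1:] == '"':
                field = field[1:-1].replace('""', '"')
            fields.append(field)
            buf = []
        else:
            buf.append(ch)
    return fields

def parse_inf(text):
    """Return {section: [entry lines]}, skipping blank lines and ; comments."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def check_registry(inf_text, read_value):
    """read_value(root, subkey, name) returns the value, or None if absent.
    One finding per AddReg entry that differs or DelReg entry still present;
    an empty list means the registry matches the repair script."""
    sections = parse_inf(inf_text)
    install = {k.strip(): v.strip() for k, v in
               (e.split("=", 1) for e in sections["DefaultInstall"])}
    findings = []
    for entry in sections[install["AddReg"]]:
        f = split_fields(entry)                # root, subkey, name, flags, value
        expected = f[4] if len(f) > 4 else ""
        actual = read_value(f[0], f[1], f[2])
        if actual != expected:
            findings.append("%s\\%s [%s]: expected %r, found %r"
                            % (f[0], f[1], f[2] or "(Default)", expected, actual))
    for entry in sections[install["DelReg"]]:
        f = split_fields(entry)                # root, subkey, name
        if read_value(f[0], f[1], f[2]) is not None:
            findings.append("%s\\%s [%s]: still present" % (f[0], f[1], f[2]))
    return findings

def winreg_reader(root, subkey, name):
    """Live reader for the affected Windows machine (an empty name reads
    the key's default value)."""
    import winreg
    hive = winreg.HKEY_LOCAL_MACHINE if root == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(hive, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None

def snapshot_reader(snapshot):
    """Offline reader over a {(root, subkey, name): value} dict, case-insensitive."""
    table = {(r.upper(), k.lower(), n.lower()): v for (r, k, n), v in snapshot.items()}
    return lambda root, subkey, name: table.get((root.upper(), subkey.lower(), name.lower()))

def repaired_snapshot():
    """Constructed snapshot of the registry after a successful repair."""
    snap = {("HKLM", "Software\\CLASSES\\%s\\shell\\open\\command" % c, ""): '"%1" %*'
            for c in ("batfile", "comfile", "exefile", "piffile", "scrfile")}
    snap[("HKLM", "Software\\CLASSES\\regfile\\shell\\open\\command", "")] = 'regedit.exe "%1"'
    snap[("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "Shell")] = "Explorer.exe"
    for cs in ("ControlSet001", "ControlSet002"):
        snap[("HKLM", "SYSTEM\\%s\\Control\\SafeBoot" % cs, "AlternateShell")] = "cmd.exe"
    return snap
```

On the infected machine, check_registry(REPAIR_INF, winreg_reader) before the repair lists every hijacked value with what the virus put there; after Install it should return an empty list. If it still reports the Run entries, the virus is active again and steps 2 to 4 have to be repeated before the registry fix will hold.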
Please leave comments, suggestions or constructive criticism; they may be useful to other readers.