Hello everyone sorry for late update this blog, I have been really very busy analyze forex market and grown my another business, busy IRL also… :D

Now my story…….

Last week my cousins tell me in his office he got strange virus. He said there is lot shortcut in desktop an computers running slow. How actually some newbie out there know exactly which one real programs/folders and which one shortcut? Don’t say you’re not noob! almost many people not take to much attention on this simple different, that’s why with simple social technique virus maker can win beating yourself! :P

LOOOOOOOOOOOOKKKKKKKK!!!!!!

shortcut

To know when your computer infected by this virus there is 4 important point:

  1. In your “My Documents” folder there is file named “database.mdb“.
  2. There is clone folder with extension .lnk maximum 5 first folder arranged by name, rules until second sub folders.
  3. There is files Autorun.inf, Thumb.db, Microsoft.lnk in each root drive and folders, rules until second sub folders. (You might not see them because it’s set hidden)
  4. Your Registry Editor is disabled.

This virus master actually in “My Document” folder named “database.mdb” Wait… you will know why this is called as virus master. Actually virus will created clone for folder using “wscript.exe” execution. wscript.exe is microsoft windows based script host programs.

Virus will change your registry:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
“Explorer”=”Wscript.exe //e:VBScript \”C:\Documents and Settings\Administrator\My Documents\database.mdb\”"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“WinUpdate”=”Wscript.exe /e:VBScript \”C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\”"

I think you all know how this registry changed will affect on your computer each time it reboot no need to explain this right? Really simple social technique.

Now time for how to clean this virus manually:

1. Disabled “System Restore” in cleaning process.

2. Kill wscript.exe process from your computer background programs.

3. In cleaning process you have to rename file wscript.exe to any name  ex:blabla (temporary only in cleaning process) and don’t forget to rename it back again to wscript.exe once your computer clean.

4. Deleted file “database.mdb” from “My Documents” folder.

5. Disabled any startup process which has link with “database.mdb” you can use msconfig or hijackthis.

6. Delete file autorun.inf, microsoft.inf and thumb.db use command prompt and type “del Microsoft.inf /s” (should in root drive to deleted in all in drive) for autorun.inf  and thumb.db since this file set with attrib RSHA type “del autorun.inf /s /ah /f” (should in root drive to deleted in all in drive, change autorun.inf with thumb.db to deleted all thumb.db)

7. deleted all .lnk files with size 1kb, you can use advanced search function. Carefully when you want to deleted look on this sample:

lnk

Deleted only shortcut with size 1kb and using folder icon, this is social  virus spreading technique that mostly tricky newbie out there.

7. Repair your registry using repair.inf

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, “cmd.exe”

[del]
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer

8. Scan with your best antivirus program to make sure your system clean and restarted your computer. Now see if this virus coming back or not :)

Good luck :)

    Digg Del.icio.us StumbleUpon Reddit Twitter RSS

SIMILAR POST :

Incoming search terms:

  • how to remove lnk virus
  • lnk virus
  • BackDoor-EZC!lnk
  • kill4shortcutvirus exe
  • lnk virus removal
  • worm:win32/dorkbot!lnk
  • LNK file (ink) virus
  • SHORTCUT VIRUS
  • dorkbot lnk
  • dorkbot!ink
  • e518892 exe
  • remove lnk virus
  • shortcut to skype lnk
  • backdoor-ezc!ink
  • copy of shortcut to (1)
  • lnk a
  • lnk virus remover
  • deal runner virus
  • fix shortcut virus
  • ink virus
  • virus lnk remover
  • how to delete lnk virus
  • virus that creates shortcuts
  • win32/dorkbot!ink
  • backdoor-ezc lnk
  • 894133bf exe
  • ink virus removal
  • recycler\e518892 exe
  • virus lnk removal
  • bcd8f464 exe
  • cara menghilangkan virus vbscript encoded script file
  • dcim ink
  • Dorkbot!lnk
  • loading script c:\windows\:microsoft office update for windows xp sys failed
  • remove ink virus
  • thumbs lnk
  • virus create shortcut
  • virus ink remover
  • virus lnk
  • worm:win32/dorkbot!ink
  • adt45 lnk
  • cara hilang kan virus amburadul
  • cmd restore ink folders
  • dorkbot ink
  • download kill4shortcutvirus exe
  • how to fix lnk virus
  • inkfix_xp
  • lnk virus fix
  • maslah lnk file
  • shortcut cleaner virus
  • virus that creates shortcut
  • win32/dorkbot d worm
  • 8585485\dcim exe
  • all short cuts turn into internet explorer lnk
  • cara hapus virus shortcut
  • cara membersihkan memori yang terkena virus
  • download software untuk menghapus virus wscript exe-corrupt file
  • e5188982 exe
  • File extension LNK LNK
  • folder ink removal
  • hapus virus shortcut
  • how to clean lnk virus
  • how to cure shortcut lnk
  • ink virus remover
  • lnk virüsü
  • membasmi virus shortcut
  • remover virus systemfix ink
  • systemfix ink
  • virus copy shortcut link remover
  • virus shortcut
  • "mengembalikan file"+"win32/Dorkbot D"+"worm"
  • a variant of win32/dorkbot b worm
  • anti adt45 ink
  • atasi word berubah vbscrift
  • backdoor ezc lnk
  • backdoor-ezc lnk removal tool
  • BackDoor-EZC!lnk removal tool
  • cannot find script file database mdb
  • cara hapus dorkbot b
  • cara mengatasi the directory or file cannot be created
  • DCIM lnk
  • desktop shortcut virus
  • dorkbot b removal
  • error loading setup50039 fon
  • file doc jadi vbs
  • folders changed to lnk
  • folders turn shortcut virus
  • format doc berubah jadi microsoft word document ( vbe)
  • how to clean ink virus
  • how to clean lnk/dorkbot off of thumbdrive
  • How to Clean Shortcut Virus
  • how to fix file word change vbscript encoded
  • how to fix shortcut virus
  • how to remove dorkbot b
  • how to remove ink virus
  • how to remove the ink virus
  • how to remove virus lnk
  • huoodx exe
  • lnk virus fix microsoft
  • loading script c:\windows\:microsoft office update
  • mengembalikan shortcut
  • microsoft office update for windows xp sys failed
  • multiple shortcuts virus
  • my document turns to shortcut on flash scr virus
  • shorcut link virus
  • shortcut virus cleaner
  • shortcut virus remover
  • vdbuf exe
  • virus 894133bf exe
  • virus create lnk
  • virus creates shortcuts
  • virus dorkbot!ink
  • virus ink removal
  • virus ms word shotcut
  • virus shortcut cleaner
  • virus that changes exe files to type ah
  • what is shortcut virus
  • windows 7 inf hidden worms
  • zuoopix virus
  • آنتی ویروس dorkbot d
  • * ink remover
  • 8585485virus
  • a virus change word document to short 1 kb
  • adakah virus vbscript encode script file
  • antivirus menghapus vbscript encoded script file
  • antivirus untuk menghilangkan virus Ms-Dos program
  • antivirus untuk win32/dorkbot d worm
  • aplikasi pembunag pif virus
  • วิธีแก้ worm win32/dorkbot!ink
  • วิธีแก้ไวรัสwin32 dorkbot b
  • ฆ่าไวรัส backdoor-ezc!lnk
  • แก้ the file or folderjeune scrthat this shortcut to cant be found
  • backdoor ezc!lnk
  • backdoor-ezc lnk removal
  • BackDoor-EZC!nk
  • bagaimana cara membuka file yang terkena virus g:recycler\e5188982 exe
  • Bagaimana cara mengatasi notebook yang problem windows program 32 nya
  • basmi virus shortcut e5188982 exe
  • bcd8f464 exe آنتی ویروس
  • buka file kena shortcut
  • cant delete qxe application
  • cara buka file yang delete
  • cara buka file yang kena virus shortcut
  • cara hapus file terinfeksi virus exe
  • cara hapus lnk runner
  • cara hapus virus dorkbot b worm
  • cara memberantas virus shortcut dan ink
  • cara membuang virus shortcut
  • cara membuka folder shortcut
  • cara membuka LNK file
  • cara mengatasi can not find script file
  • cara mengatasi dokumen word berubah jadi vbsscrip enconded
  • cara mengatasi shortcut desktop berubah jadi ms word dengan sofware
  • cara mengembalikan data yang terkena virus dorkbot!ink
  • CARA MENGEMBALIKAN FILE DARI FLES YANG TERKENA FIRUS
  • cara mengembalikan file dari virus Dorkbot!Ink
  • cara mengembalikan file word yang berubah menjadi vbscript encoded script file
  • cara menghapus VBscript Encoded Script file
  • cara menghapus virus * lnk
  • cara menghapus virus 8585485
  • cara menghapus worm 8585485
  • cara menghilangkan script
  • cara menghilangkan vbscript
  • cara menghilangkan vbscript encoded script file
  • cara perbaiki file yang terkena vbscript encoded script file virus
  • cmd exe pif virus
  • colok usb folder jadi shortcut
  • copy of shortcut to virüsü
  • copy shortcut lnk virus pendrive
  • create lnk file virus
  • dcim e5188982 exe error
  • deal runner creates folder
  • doc berubah extion jadi vbscript
  • dorkbot d hidden
  • dorkbot d worm eset
  • dorkbot ink virus
  • dorkbot unhide folders on dos
  • dorkbot!lnk cannot access files in sd
  • download kill4shortcutvirus
  • download removable virus folder to shortcut
  • ezc!lnk
  • file word berubah jadi vbe
  • file word berubah ocpn vbs
  • file word jadi vbscript
  • file word yang terinfeksi vbscript
  • folder became shortcut dorkbot d
  • folder changed to shortcut virus ink
  • folder disappearedafter removing Worm:Win32 Dorkbot
  • folder jadi shortcut
  • folder lnk virus
  • folder shortcut virus remover
  • folder to lnk virus
  • folder to shortcut virus
  • folders became shortcuts virus prevent
  • hapus manual virus folder exe
  • hapus virus adt45
  • how can i get rid of variant win32/dorkbotb
  • how manual remove virus backdoor ezc lnk
  • how stop discovering shortcut ( lnk) virus in network
  • how to copy recycler\e5188982 exe
  • how to delete virus lnk
  • how to delete virus lnk:runner
  • how to get rid of dorkbot ink
  • how to kill ink virus
  • how to kill lnk
  • how to kill lnk viruses
  • how to recover folders win32/dorkbot d worm
  • how to remove shortcut virus
  • how to repair file from dorkbot
  • how to repair shortcut virus
  • how unhide file attribute after win32/dorkbot remove xp
  • iiiiii Ink
  • inf hidden worms
  • Ink files in memory card
  • ink virüsü
  • ink virus fix
  • kill dcim exe
  • lnk runner removal
  • lnk runner remover
  • lnk runner virus removal tool
  • lnk shortcut virus
  • lnk virüs
  • lnk virus remove
  • lnk worm
  • LNK_DORKBOT
  • loading script c:\windows\microsoft office\update for windows XP sys
  • membasmi virus * ink
  • membasmi virus exploit lnk
  • membasmi virus vbscript encoded
  • membasmi win32/dorkbot a
  • membersihkan virus dorkbot b worm pada pc
  • memory card show shortcut folder and lnk extention
  • memperbaiki e:/recycler/e5188982 exe\
  • mengatasi error shorcut windows7
  • mengatasi virus vbscript encode script file
  • mengatasi windows can not find \g:\recycler\e5188982 exe\
  • mengembalikan doc word kena virus vbscript encoded
  • menghapus dorkbot B worm dengan eset
  • menghilangkan extension virus
  • menghilangkan vbscript encoded script file
  • MENGHILANGKAN VIRUS FOLDER
  • menghilangkan virus VBScript Encoded Script File
  • microsoft word file jadi visual basic script
  • my documents icon picture on which name is written
  • nod fix virus folder exe folder lnk
  • OFFICE files is 1 KB VIRUS
  • pc virus that disables shortcuts
  • pembasmi virus recycler/e5188982 exe
  • recycler \894133 bf
  • removal tool lnk runner
  • remove 8585485
  • remove recycle and cope of shortcup virus
  • remove shortcut virus online
  • remove virus lnk
  • remover shortcut ink
  • remover shortcuts antivirus
  • remover tool setup50039 lnk
  • remover virus lnk
  • rename shortcut ink
  • sandisk card e:\recycler\894133bf exe
  • sd card bcd8f464 exe
  • shorcut virus fix
  • shortcut cant find file after virus
  • shortcut folder virus
  • shortcut virus fixes
  • shortcuts folder virus removal آنتی ویروس
  • solution virus ink
  • type file lnk file
  • usb bi loi recycler\e5188982 exe
  • فيروس ink
  • فيروس shortcut lnk\
  • فيروس اختصار المجلدات
  • virus change doc file to Vbscript encode file
  • virus changes jpgs to shortcuts
  • virus directory to lnk
  • virus disabling shortcuts
  • virus folder to lnk
  • virus ink attrib
  • virus lnk runner
  • virus makes hidden folders ink
  • virus microsoft shortcuts replaced by word
  • virus recycler folder e5188982
  • virus shortcut hide
  • virus shortcut link
  • virus shortcut remover
  • virus that changes shortcuts
  • virus that disables shortcuts
  • virus that hid my files as lnk files
  • virus that makes shortcuts
  • virus that will generate Shortcut to MS-DOS Program
  • virus worm autorun codes
  • what type of virus will stop internet shortcuts
  • win32/dorkbot a
  • Win32/Dorkbot D worm folders disappeared
  • win32/dorkbot d worm remover
  • win7 shortcut virus remover
  • windows cannot find recycler bcd8f464 exe
  • WORD JADI VBS
  • worm pif starter a removal tool download
  • worm renaming icon skype vchvcc
  • worm win32 dorkbot ink
  • worm:win32/dorkbot i
  • ظهور WINDOWS CANNOT FIND RECYCLER \E5188982 exe
  • فيرس short cut
  • "backdoor-EZC"
  • * lnk virus delet
  • 1kb shortcut virus remover
  • 2 kb shortcur virus
  • 45 kb virus hide folder
  • 83 exe shortcut virus
  • 8585485
  • 8585485 folder remover
  • 8585485 folder virus
  • 8585485 hidden folder
  • 8585485 remover
  • 8585485 virus cara
  • 8585485 virus how to remove
  • 8585485 virus on my pc
  • 8585485/dcim exe
  • 894133 exe
  • 894133 exe removal
  • 894133bf
  • 894133bf download
  • 894133bf exe bagaimana cara delete manual
  • 894133bf exe borrar
  • 894133bf exe download
  • a cure to a virus that make folder shortcuts
  • a virus that create shortcut
  • a virus that create shortcut folders
  • a virus that create shortcuts in your thumbdrive
  • A VIRUS THAT ONLY CREATES SHORTCUTS
  • a virus that share my hard disk and make my folder to 1kb file
  • a virus turns my folders into shortcuts and cannot open them
  • adt45 ink
  • adt45 lnk co to jest
  • ADT45 Virus
  • after cleaning win32 dorkbot d i cant see my files on my hdd
  • after i infected by dorkbot d worm internet explorer can not open pages
  • akon exe virus creates shortcuts
  • akses registri virus lnk
  • alamat kantor cabang bpd jawa timur ngawi
  • all exe file to change lnk in win7
  • all exe file type changed to ah
  • all ink virus
  • all my short cut dissapear after worm nMdQvhGrqSMKfog exe
  • all of my shortcuts on my desktop point to lnx files
  • all shortcorts IE
  • all shortcut change to ink
  • all shortcut turn ink
  • all shortcuts are ink

If you're new here, you may want to subscribe to my RSS feed. You may copy or publish this article to your blog or other site as long you give credit link back to this site article. Thanks for visiting my blog!


This entry was posted on Friday, February 27th, 2009 at 8:06 PM and is filed under Computer And Internet. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.