Hello everyone sorry for late update this blog, I have been really very busy analyze forex market and grown my another business, busy IRL also…

Now my story…….

Last week my cousins tell me in his office he got strange virus. He said there is lot shortcut in desktop an computers running slow. How actually some newbie out there know exactly which one real programs/folders and which one shortcut? Don’t say you’re not noob! almost many people not take to much attention on this simple different, that’s why with simple social technique virus maker can win beating yourself!

LOOOOOOOOOOOOKKKKKKKK!!!!!!

To know when your computer infected by this virus there is 4 important point:

1. In your “My Documents” folder there is file named “database.mdb“.
2. There is clone folder with extension .lnk maximum 5 first folder arranged by name, rules until second sub folders.
3. There is files Autorun.inf, Thumb.db, Microsoft.lnk in each root drive and folders, rules until second sub folders. (You might not see them because it’s set hidden)
4. Your Registry Editor is disabled.

This virus master actually in “My Document” folder named “database.mdb” Wait… you will know why this is called as virus master. Actually virus will created clone for folder using “wscript.exe” execution. wscript.exe is microsoft windows based script host programs.

Virus will change your registry:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
“Explorer”=”Wscript.exe //e:VBScript \”C:\Documents and Settings\Administrator\My Documents\database.mdb\”"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“WinUpdate”=”Wscript.exe /e:VBScript \”C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\”"

I think you all know how this registry changed will affect on your computer each time it reboot no need to explain this right? Really simple social technique.

Now time for how to clean this virus manually:

1. Disabled “System Restore” in cleaning process.

2. Kill wscript.exe process from your computer background programs.

3. In cleaning process you have to rename file wscript.exe to any name  ex:blabla (temporary only in cleaning process) and don’t forget to rename it back again to wscript.exe once your computer clean.

4. Deleted file “database.mdb” from “My Documents” folder.

5. Disabled any startup process which has link with “database.mdb” you can use msconfig or hijackthis.

6. Delete file autorun.inf, microsoft.inf and thumb.db use command prompt and type “del Microsoft.inf /s” (should in root drive to deleted in all in drive) for autorun.inf  and thumb.db since this file set with attrib RSHA type “del autorun.inf /s /ah /f” (should in root drive to deleted in all in drive, change autorun.inf with thumb.db to deleted all thumb.db)

7. deleted all .lnk files with size 1kb, you can use advanced search function. Carefully when you want to deleted look on this sample:

Deleted only shortcut with size 1kb and using folder icon, this is social  virus spreading technique that mostly tricky newbie out there.

7. Repair your registry using repair.inf

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, “cmd.exe”

[del]
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer

8. Scan with your best antivirus program to make sure your system clean and restarted your computer. Now see if this virus coming back or not

Good luck

Similar Posts:

• Remove MaHaDeWa VBS.Autorun.AM
• Remove W32/VBWorm.QXE (bulubebek)
• Remove virus AMBURADUL (all varian)
• Remove K0pL4xZ Virus VBWorm.QTT

• how to remove lnk virus
• lnk virus
• kill4shortcutvirus exe
• BackDoor-EZC!lnk
• lnk virus removal
• SHORTCUT VIRUS
• worm:win32/dorkbot!lnk
• LNK file (ink) virus
• dorkbot!ink
• dorkbot lnk
• e518892 exe
• remove lnk virus
• lnk virus remover
• virus lnk remover
• shortcut to skype lnk
• fix shortcut virus
• 894133bf exe
• backdoor-ezc!ink
• copy of shortcut to (1)
• lnk a
• deal runner virus
• how to delete lnk virus
• ink virus
• virus that creates shortcuts
• win32/dorkbot!ink
• backdoor-ezc lnk
• ink virus removal
• loading script c:\windows\:microsoft office update for windows xp sys failed
• lnk virus fix
• ink virus remover
• folder ink removal
• recycler\e518892 exe
• virus lnk
• virus lnk removal
• virus ink remover
• virus create shortcut
• thumbs lnk
• dcim ink
• Dorkbot!lnk
• download kill4shortcutvirus exe
• bcd8f464 exe
• worm:win32/dorkbot!ink
• remove ink virus
• cara menghilangkan virus vbscript encoded script file
• cara hilang kan virus amburadul
• cmd restore ink folders
• 8585485\dcim exe
• adt45 lnk
• backdoor ezc lnk
• inkfix_xp
• maslah lnk file
• dorkbot ink
• shortcut cleaner virus
• win32/dorkbot d worm
• virus that creates shortcut
• How to Clean Shortcut Virus
• how to fix lnk virus
• how to cure shortcut lnk
• how to clean lnk virus
• how to remove virus lnk
• hapus virus shortcut
• membasmi virus shortcut
• lnk runner removal
• lnk virüsü
• cara membersihkan memori yang terkena virus
• cara hapus virus shortcut
• virus shortcut
• systemfix ink
• virus copy shortcut link remover
• virus ink removal
• all short cuts turn into internet explorer lnk
• File extension LNK LNK
• desktop shortcut virus
• download software untuk menghapus virus wscript exe-corrupt file
• error loading setup50039 fon
• e5188982 exe
• remover virus systemfix ink
• msdtadmin
• repair shorcuts created by virus
• remove 8585485
• shortcut virus remover
• shortcut virus cleaner
• shorcut link virus
• my document turns to shortcut on flash scr virus
• microsoft office update for windows xp sys failed
• multiple shortcuts virus
• virus ms word shotcut
• virus create lnk
• virus dorkbot!ink
• virus shortcut cleaner
• virus creates shortcuts
• virus shortcut remover
• virus 894133bf exe
• vdbuf exe
• lnk virus fix microsoft
• mengatasi virus lnk
• loading script c:\windows\:microsoft office update
• mengembalikan shortcut
• how to clean lnk/dorkbot off of thumbdrive
• format doc berubah jadi microsoft word document ( vbe)
• how to fix file word change vbscript encoded
• how to clean ink virus
• how to fix shortcut virus
• how to remove dorkbot b
• how to remove ink virus
• folders turn shortcut virus
• how to remove the ink virus
• folders changed to lnk
• huoodx exe
• cara mengatasi the directory or file cannot be created
• cara membuang virus shortcut
• cara mengembalikan file word yang berubah menjadi vbscript encoded script file
• cannot find script file database mdb
• cara menghapus VBscript Encoded Script file
• cara membuka file vbscript
• cara hapus dorkbot b
• file doc jadi vbs
• DCIM lnk
• dorkbot b removal
• virus that changes exe files to type ah
• what is shortcut virus
• windows 7 inf hidden worms
• zuoopix virus
• آنتی ویروس dorkbot d
• atasi word berubah vbscrift
• anti adt45 ink
• backdoor-ezc lnk removal tool
• "mengembalikan file"+"win32/Dorkbot D"+"worm"
• BackDoor-EZC!lnk removal tool
• a variant of win32/dorkbot b worm
• ویروس lnk
• basmi virus shortcut e5188982 exe
• a virus change word document to short 1 kb
• adakah virus vbscript encode script file
• วิธีแก้ worm win32/dorkbot!ink
• ظهور WINDOWS CANNOT FIND RECYCLER \E5188982 exe
• فيروس shortcut lnk\
• فيروس اختصار المجلدات
• BackDoor-EZC!nk
• backdoor-ezc lnk removal
• bagaimana cara membuka file yang terkena virus g:recycler\e5188982 exe
• buka file kena shortcut
• backdoor-ezc!lnk remove
• antivirus untuk menghilangkan virus Ms-Dos program
• فيروس ink
• วิธีแก้ไวรัสwin32 dorkbot b
• Bagaimana cara mengatasi notebook yang problem windows program 32 nya
• แก้ the file or folderjeune scrthat this shortcut to cant be found
• 8585485 virus on windows 7
• 8585485 virus removal
• antivirus untuk win32/dorkbot d worm
• backdoor ezc!lnk
• 8585485virus
• aplikasi pembunag pif virus
• bcd8f464 exe آنتی ویروس
• antivirus menghapus vbscript encoded script file
• ฆ่าไวรัส backdoor-ezc!lnk
• backdoor ezc!ink
• * ink remover
• 8585485 virus how to remove in windows 7
• how to kill lnk
• how stop discovering shortcut ( lnk) virus in network
• hapus manual virus folder exe
• how to delete virus lnk:runner
• folders became shortcuts virus prevent
• how manual remove virus backdoor ezc lnk
• how to repair shortcut virus
• ink virüsü
• how unhide file attribute after win32/dorkbot remove xp
• how to repair file from dorkbot
• hapus virus adt45
• folder to shortcut virus
• how to treat shortcut virus
• how to clean virus folder shortcut
• how to remove shortcut virus
• how to kill lnk viruses
• inf hidden worms
• how to kill ink virus
• how to copy recycler\e5188982 exe
• folder shortcut virus remover
• how to delete virus lnk
• ink virus fix
• iiiiii Ink
• folder to lnk virus
• how to get rid of dorkbot ink
• how can i get rid of variant win32/dorkbotb
• Ink files in memory card
• how to disable virus shorcut folder
• how to recover folders win32/dorkbot d worm
• virus directory to lnk
• virus changes jpgs to shortcuts
• virus recycler folder e5188982
• usb bi loi recycler\e5188982 exe
• virus makes hidden folders ink
• virus ink attrib
• virus disabling shortcuts
• virus make shortcut
• virus change doc file to Vbscript encode file
• virus shortcut link
• solution virus ink

If you're new here, you may want to subscribe to my RSS feed. You may copy or publish this article to your blog or other site as long you give credit link back to this site article. Thanks for visiting my blog!

This entry was posted on Friday, February 27th, 2009 at 8:06 PM and is filed under Computer And Internet. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.