Hello everyone, sorry for the late update to this blog. I have been really busy analyzing the forex market and growing my other business, and busy IRL too… 😀

Now my story…….

Last week my cousin told me that his office got a strange virus. He said there were a lot of shortcuts on the desktop and the computers were running slow. How many newbies out there actually know which items are real programs/folders and which are shortcuts? Don't say you're not a noob! Many people don't pay much attention to this simple difference, which is why a virus maker can beat you with a simple social technique! 😛

LOOOOOOOOOOOOKKKKKKKK!!!!!!

[Image: shortcut]

To know whether your computer is infected by this virus, there are 4 important signs:

  1. In your "My Documents" folder there is a file named "database.mdb".
  2. There are clone folders with the .lnk extension, for at most the first 5 folders arranged by name; this rule applies down to the second level of subfolders.
  3. There are files named Autorun.inf, Thumb.db and Microsoft.lnk in the root of each drive and in folders, again down to the second level of subfolders. (You might not see them because they are set to hidden.)
  4. Your Registry Editor is disabled.

The virus master is actually the file named "database.mdb" in the "My Documents" folder. Wait… you will see why it is called the virus master. The virus creates the clone shortcuts for folders by running through "wscript.exe". wscript.exe is the Microsoft Windows Script Host program.

The virus changes your registry:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Explorer"="Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinUpdate"="Wscript.exe /e:VBScript \"C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\""

I think you all know how these registry changes affect your computer each time it reboots, so there is no need to explain this, right? A really simple social technique.
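What makes these two Run values stand out is that wscript.exe is told which script engine to use for a file whose extension is not a script type. The check below is an added example, not code from the original post: it flags that pattern in Run-key command lines. The function names and the benign "ExampleTray" entry are constructed for illustration; the other two values are the ones quoted above.

```python
import ntpath
import re

# Extensions Windows Script Host maps to an engine by itself (no //E: needed).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
HOST_RE = re.compile(r'^\s*"?(?:[^"]*\\)?([wc]script)(?:\.exe)?"?\s+(.*)$', re.I)
ENGINE_RE = re.compile(r'(?<!\S)/{1,2}e:(\S+)', re.I)


def audit_run_value(command):
    """Return reasons why a Run-key command looks like a disguised script launch."""
    host = HOST_RE.match(command)
    if not host:
        return []                          # not started through wscript/cscript
    args = host.group(2)
    # Script path: the quoted argument, else the first argument that is not a switch.
    quoted = re.findall(r'"([^"]+)"', args)
    bare = [tok for tok in args.split() if not tok.startswith("/")]
    target = (quoted or bare or [""])[0]
    ext = ntpath.splitext(target)[1].lower()
    reasons = []
    engine = ENGINE_RE.search(args)
    if engine and ext not in SCRIPT_EXTS:
        reasons.append(f"engine {engine.group(1)} forced on {ext or 'extensionless'} file")
    if ":" in target[2:]:                  # colon past the drive letter names an NTFS stream
        reasons.append("target is an NTFS alternate data stream")
    return reasons


# The two values quoted in the post, plus one benign entry constructed for contrast.
RUN_VALUES = [
    ("HKCU", "Explorer", r'Wscript.exe //e:VBScript '
     r'"C:\Documents and Settings\Administrator\My Documents\database.mdb"'),
    ("HKLM", "WinUpdate", r'Wscript.exe /e:VBScript '
     r'"C:\WINDOWS\:Microsoft Office Update for Windows XP.sys"'),
    ("HKCU", "ExampleTray", r'"C:\Program Files\Example\tray.exe" /min'),
]


def flag_run_values(values):
    """Map 'HIVE\\name' to its reasons, for suspicious entries only."""
    return {f"{hive}\\{name}": why
            for hive, name, command in values
            if (why := audit_run_value(command))}


if __name__ == "__main__":
    for entry, why in flag_run_values(RUN_VALUES).items():
        print(entry, "->", "; ".join(why))
```
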

Now it's time for how to clean this virus manually:

1. Disable "System Restore" during the cleaning process.

2. Kill the wscript.exe process among your computer's background programs.

3. During the cleaning process, rename the file wscript.exe to any other name, e.g. blabla (temporarily, only during the cleaning process), and don't forget to rename it back to wscript.exe once your computer is clean.

4. Delete the file "database.mdb" from the "My Documents" folder.

5. Disable any startup entry that is linked to "database.mdb"; you can use msconfig or HijackThis.

6. Delete the files autorun.inf, microsoft.inf and thumb.db using the command prompt. Type "del Microsoft.inf /s" (run it from the root of the drive so it deletes the file everywhere on the drive). For autorun.inf and thumb.db, since these files are set with the attributes RSHA, type "del autorun.inf /s /ah /f" (again from the root of the drive so it deletes everywhere on the drive; replace autorun.inf with thumb.db to delete all thumb.db files).

7. Delete all .lnk files with a size of 1 KB; you can use the advanced search function. Be careful about what you delete and look at this sample:

[Image: lnk]

Delete only shortcuts that have a size of 1 KB and use the folder icon; this is the virus's social spreading technique, which mostly tricks newbies out there.

7. Repair your registry using repair.inf

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default open commands, the logon shell and the Safe Mode alternate shell
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

; Remove the two autostart values the virus added
[del]
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer

8. Scan with your best antivirus program to make sure your system is clean, then restart your computer. Now see whether this virus comes back or not 🙂
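To check the result of the steps above without deleting anything by hand, the following added example (not part of the original post) lists what is still left under a drive or folder: the dropped file names from the post, and .lnk files of at most 1 KB that share their name with a real sibling folder. The function name, the 1024-byte threshold and the same-name rule for "clone" shortcuts are assumptions made for this example.

```python
import os

# File names the post lists as dropped in drive roots and folders. The post names
# "Thumb.db"; the Windows thumbnail cache is "Thumbs.db" and is deliberately not matched.
DROPPED = {"autorun.inf", "thumb.db", "microsoft.lnk", "microsoft.inf"}


def scan_leftovers(root, max_depth=2, max_lnk_size=1024):
    """Report dropped files and folder-clone shortcuts under root (read-only)."""
    root = os.path.abspath(root)
    base = root.rstrip(os.sep).count(os.sep)
    found = {"dropped": [], "clone_lnk": []}
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name.lower())
            if name.lower() in DROPPED:
                found["dropped"].append(path)
            elif (ext == ".lnk" and stem in folders
                  and os.path.getsize(path) <= max_lnk_size):
                # Shortcut named after a real sibling folder, shown as 1 KB in Explorer.
                found["clone_lnk"].append(path)
        if dirpath.rstrip(os.sep).count(os.sep) - base >= max_depth:
            dirnames[:] = []      # the post says the virus stops at the second subfolder level
    for hits in found.values():
        hits.sort()
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, paths in scan_leftovers(target).items():
        for p in paths:
            print(f"{kind}\t{p}")
```

The script only lists candidates; an autorun.inf on installation media can be legitimate, so review the output before deleting.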

Good luck 🙂
