Microsoft.lnk Shortcut Virus? Worm:PIF/Starter.A

Hello everyone, sorry for the late update to this blog; I have been really busy analyzing the forex market and growing my other business, and busy IRL too... 😀

Now, my story...

Last week my cousin told me he had got a strange virus at his office. He said there were lots of shortcuts on the desktop and the computers were running slowly. How are newbies out there supposed to know which ones are the real programs/folders and which are shortcuts? Don't say you're not a noob! Most people don't pay much attention to this simple difference, and that's why, with a simple social engineering trick, a virus maker can beat you! 😛

LOOOOOOOOOOOOKKKKKKKK!!!!!!

[image: shortcut]

To know whether your computer is infected by this virus, there are 4 important signs:

  1. In your "My Documents" folder there is a file named "database.mdb".
  2. There are clone folders with the extension .lnk: at most the first 5 folders sorted by name, down to the second level of sub-folders.
  3. There are files Autorun.inf, Thumb.db and Microsoft.lnk in each drive root and in folders down to the second level of sub-folders. (You might not see them because they are set hidden.)
  4. Your Registry Editor is disabled.
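Signs 2 and 3 can be checked on a drive without trusting what Explorer shows. The script below is an added example and not part of the original post: it walks a tree down to the second level of sub-folders, lists any autorun.inf / Thumb.db / Microsoft.lnk it finds, and flags small .lnk files whose name matches a directory sitting next to them, which is a tighter test for the folder clones than "every 1 KB shortcut". The directory tree it scans is constructed in a temporary folder for the demonstration; the 2 KB size ceiling is an assumption chosen to give the post's "1 KB" some slack.

```python
import os
import tempfile

# File names the post lists as dropped into every drive root and folder.
# Compared case-insensitively, since the post itself writes Thumb.db / thumb.db.
DROPPED_NAMES = {"autorun.inf", "thumb.db", "microsoft.lnk"}

# The folder "clones" the post describes show as 1 KB; allow some slack (assumption).
MAX_CLONE_SIZE = 2048


def scan_tree(root, max_depth=2):
    """Walk root and up to max_depth levels of sub-folders (the post says the
    worm goes down to the second sub-folder) and return two sorted lists:

    dropped  - paths named autorun.inf / thumb.db / microsoft.lnk
    clones   - small .lnk files whose name matches a sibling directory, i.e.
               a shortcut planted beside the real folder it impersonates
    """
    root = os.path.abspath(root)
    dropped, clones = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = 0 if dirpath == root else dirpath[len(root):].count(os.sep)
        sibling_dirs = {d.lower() for d in dirnames}
        if depth >= max_depth:
            dirnames[:] = []            # stop os.walk from descending further
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in DROPPED_NAMES:
                dropped.append(path)
                continue
            stem, ext = os.path.splitext(lower)
            if ext != ".lnk" or stem not in sibling_dirs:
                continue                # not shadowing a real folder
            try:
                size = os.path.getsize(path)
            except OSError:
                continue
            if size <= MAX_CLONE_SIZE:
                clones.append(path)
    return sorted(dropped), sorted(clones)


def build_sample_tree(base):
    """Construct a tree resembling an infected drive (demo data only)."""
    def write(rel, payload):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(payload)

    os.makedirs(os.path.join(base, "Work", "Reports", "2009"))
    os.makedirs(os.path.join(base, "Photos"))
    # Legitimate content that must not be flagged.
    write("Work/budget.xls", b"\xd0\xcf\x11\xe0" + b"\0" * 4096)
    write("Notepad.lnk", b"L\0\0\0" + b"\0" * 3000)   # real shortcut, no folder of that name
    # Worm artefacts: a ~1 KB .lnk beside each folder it impersonates ...
    for folder in ("Work", "Photos", "Work/Reports", "Work/Reports/2009"):
        write(folder + ".lnk", b"L\0\0\0" + b"\0" * 900)
    # ... and the dropped files in the root and every folder (placeholder bytes).
    for folder in ("", "Work", "Work/Reports", "Work/Reports/2009"):
        for name in ("autorun.inf", "Thumb.db", "Microsoft.lnk"):
            write((folder + "/" if folder else "") + name, b"placeholder")
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, return root-relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        dropped, clones = scan_tree(tmp)
        rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
        return [rel(p) for p in dropped], [rel(p) for p in clones]


if __name__ == "__main__":
    dropped, clones = demo()
    print("dropped helper files:")
    for p in dropped:
        print("  ", p)
    print("folder-clone shortcuts (candidates for deletion):")
    for p in clones:
        print("  ", p)
```

Note that the files planted three levels down (Work/Reports/2009/...) are not reported, matching the depth the post describes; raise max_depth if you want the whole drive. Review the clone list before deleting anything, since a genuine shortcut that happens to share a folder's name would be listed too.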

The virus master is actually the file in the "My Documents" folder named "database.mdb". Wait... you will see why it is called the virus master. The virus creates the folder clones by running "wscript.exe", the Microsoft Windows script host program.

The virus changes your registry:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Explorer"="Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinUpdate"="Wscript.exe /e:VBScript \"C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\""

I think you all know how these registry changes affect your computer each time it reboots, no need to explain that, right? The //e:VBScript switch tells the script host to run the file as VBScript whatever its extension, which is how a file called database.mdb (or one with a .sys name under C:\WINDOWS) can carry the worm. Really simple social technique.
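The two Run values above share a pattern that is easy to check for: the script host is started with a forced engine on a file whose extension is not a script extension, and the second value points into an NTFS alternate data stream. The code below is an added example, not from the original post. It parses a .reg export of the Run keys and reports values with those traits; the export is constructed to mirror the post's two values plus two benign entries, and it writes the second path as C:\WINDOWS:... (the ADS form) where the post shows C:\WINDOWS\:..., which is an assumption about what that value denotes. Run it on a real export made with reg export from the two Run keys.

```python
import re

# Constructed .reg export mirroring the two Run values quoted in the post,
# plus two benign values ("Backup", "Logon") so the check has something to ignore.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="Wscript.exe //e:VBScript \"C:\\Documents and Settings\\Administrator\\My Documents\\database.mdb\""
"Backup"="\"C:\\Program Files\\Backup\\sync.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate"="Wscript.exe /e:VBScript \"C:\\WINDOWS:Microsoft Office Update for Windows XP.sys\""
"Logon"="wscript.exe \"C:\\Scripts\\mapdrives.vbs\""
'''

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if key and m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def split_cmd(cmd):
    """Split a command line on whitespace while keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def assess(data):
    """Return the reasons a Run value looks like the persistence in the post
    (empty list = nothing suspicious by these checks)."""
    tokens = split_cmd(data)
    if not tokens:
        return []
    host = re.split(r"[\\/]", tokens[0])[-1].lower()
    if host not in SCRIPT_HOSTS:
        return []                           # not the Windows script host at all
    engine, script = None, None
    for tok in tokens[1:]:
        low = tok.lower()
        if low.startswith(("//e:", "/e:")):
            engine = tok.split(":", 1)[1]   # forced engine, e.g. VBScript
        elif low.startswith("/"):
            continue                        # other host switches (//B, //Nologo ...)
        elif script is None:
            script = tok                    # first non-switch token is the script
    if script is None:
        return ["script host started without a script path"]
    reasons = []
    fname = re.split(r"[\\/]", script)[-1]
    ext = ("." + fname.rsplit(".", 1)[1].lower()) if "." in fname else ""
    if ext not in SCRIPT_EXTS:
        why = f"script has non-script extension {ext or '(none)'!r}"
        if engine:
            why += f", run with engine forced to {engine}"
        reasons.append(why)
    # A colon anywhere after the drive letter means an alternate data stream.
    body = script[2:] if re.match(r"^[A-Za-z]:", script) else script
    if ":" in body:
        reasons.append("script path names an NTFS alternate data stream")
    return reasons


def triage(reg_text):
    """Return [(key, value_name, reasons)] for the suspicious Run values."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        reasons = assess(data)
        if reasons:
            findings.append((key, name, reasons))
    return findings


if __name__ == "__main__":
    for key, name, reasons in triage(SAMPLE_REG):
        print(f"{key}\\{name}")
        for r in reasons:
            print("   -", r)
```

The "Logon" value is deliberately left alone: wscript.exe running a .vbs with no engine override is what legitimate logon scripts look like, so the check keys on the mismatch between the forced engine and the file name rather than on the script host itself.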

Now, how to clean this virus manually:

1. Disable "System Restore" during the cleaning process.

2. Kill the wscript.exe process from your computer's background programs.

3. During the cleaning process, rename the file wscript.exe to any other name, e.g. blabla (temporarily, only while cleaning), and don't forget to rename it back to wscript.exe once your computer is clean.

4. Delete the file "database.mdb" from the "My Documents" folder.

5. Disable any startup entry linked to "database.mdb"; you can use msconfig or HijackThis.

6. Delete the files autorun.inf, microsoft.inf and thumb.db using the command prompt: type "del Microsoft.inf /s" (run it from the root of the drive so it deletes throughout the whole drive). For autorun.inf and thumb.db, since these files are set with the attributes RSHA, type "del autorun.inf /s /ah /f" (again from the root of the drive; replace autorun.inf with thumb.db to delete all thumb.db files).

7. Delete all .lnk files of size 1 KB; you can use the advanced search function. Be careful about what you delete; look at this sample:

[image: lnk]

Delete only the shortcuts that are 1 KB and use a folder icon; this is the social engineering trick of the virus that fools most newbies out there.

8. Repair your registry using repair.inf (save the text below as repair.inf, then right-click it and choose Install):

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

[del]
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer

9. Scan with your best antivirus program to make sure your system is clean, then restart your computer. Now see whether this virus comes back or not 🙂

Good luck ๐Ÿ™‚


24 thoughts on “Microsoft.lnk Shortcut Virus? Worm:PIF/Starter.A”

  1. Hi, this was really helpful... I had done exactly the same steps except the last step, repair your registry using repair.inf... thanks a lot!!!

  2. Mas Istanto... I think I have the same problem, lots of shortcuts like that, and when I want to copy a folder to a flash disk, shortcuts show up too. But I can't find the database.mdb file. Any idea why?

    thanks

  3. Detected vbs.lnkstarter.c virus and all folders became shortcuts of 1 KB, but the data is OK. How to remove the shortcuts of 1 KB?

  4. Assalamu'alaikum Wr. Wb. Nice to meet you, Mas. I'm a new user trying to detect a virus. The virus is inside the CoreSwitch, is that right, Mas? Because the Cisco team said that the Conficker-A or Mal/Conficker-A virus was found inside my CoreSwitch. From there they advised reloading it. Please enlighten me with a solution. Thank you, Wassalamu'alaikum Wr. Wb. Regards, Dheaa

  5. Assalamu'alaikum Wr. Wb. Nice to meet you, Mas. Please help; as a beginner I'd like step-by-step instructions to deal with the guaasokx.exe virus on an external HD. Everything appears as 1 KB shortcuts, while that data means a great deal to me. I can't work now until that data can be recovered.

    I hope for your help, thank you.


  6. When I plugged in my thumb drive or external HD, it created some shortcut folders (videos, pictures, images, documents). It even changed my folders in it into shortcuts and I can't open them... please help me... I'm using BitDefender 2009 but it doesn't help me at all...

  7. Hi there,
    As for this guide to delete the shortcut virus, it is nice and easy to understand. I removed the virus now. But the virus did change a few settings of my folders.

    If you realize it (hope you do), this virus changed the attributes of the infected folders. It changed the read-only and hidden attributes. The infected folder will remain hidden even if the virus is removed. Plus, the user cannot tick the hidden button; it is disabled. As for the read-only attribute, it has been changed also. I cannot disable the read-only attribute. But I can disable the hidden attribute setting using "Attribute Changer 6.20" (but I still cannot tick the hidden attribute button).....

    Now, my question: how to remove the disabled hidden setting and the read-only setting? Back to its former state, which is tick-able.....

  8. I simply couldn’t go away your web site prior to suggesting that I really enjoyed the standard information an individual provide on your guests? Is gonna be back incessantly to check up on new posts

  9. Awesome site you have here but I was curious if you knew of any message boards
    that cover the same topics talked about in this article?
    I’d really like to be a part of online community where I can get advice from other experienced individuals that share the same interest. If you have any recommendations, please let me know. Many thanks!

  10. Wonderful write-up. I'd been checking regularly this web site using this program . motivated! Very helpful information and facts exclusively a concluding element 🙂 I personally take care of similarly info very much. I'd been trying to find this particular specified info for your quite very long moment. Appreciate it along with all the best !.

  11. If some one wants to be updated with latest technologies after that he must be go to see this web site and
    be up to date all the time.

  12. how make money from home

    Do you mind if I quote a few of your posts as long as I
    provide credit and sources back to your weblog? My website
    is in the very same area of interest as yours and my visitors would
    certainly benefit from some of the information you
    provide here. Please let me know if this alright
    with you. Appreciate it!

  13. Hello there, I am so glad I found your blog, I really found
    you by mistake, while I was browsing on Aol for something else. Nonetheless I am here now and would just like to say kudos for a marvelous post and
    an all round interesting blog (I also love the theme/design), I don't have time to browse it all at the moment but I have bookmarked it and also included your RSS feeds,
    so when I have time I will be back to read a great deal more. Please do keep up the great
    job.
