Shortcut Virus[Part 1]

Today I will share about how to delete shortcut virus

and for this is the tutorial:



Click for Virus Shortcut[Part 1] :
1. Disable 'System Restore' for a while during the cleaning process.

2. Disconnect the computer that you want to clean from internet

3. Turn of the process of virus use ‘Ice Sword’ tools, after you’ve installed it on your computer, choose a file with icon ‘Microsoft Visual Basic Project' click 'Terminate Process'. You can download ‘Ice Sword’ tool at http://icesword.en.softonic.com/

4. Delete the registry is created by the virus by:
-. Click the [Start]
-. Click [Run]
-. Type Regedit.exe, and click the [OK]
-. On application the Registry Editor, browse the key [HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run]
-. Then delete the key that has the data [C: \ Documents and Settings \% user%].

5. Disable autoplay/autorun Windows. Copy the script under here paste in notepad and then save with name REPAIR.INF choose for ‘All Programs’ after that install that file with Right Click on the REPAIR.INF file ==> And click instal

[Version]
Signature=”$Chicago$”
Provider=Vaksincom
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255

6. Delete main files and duplicate files are created by the virus included in the flash disk. To make easier the search process, you can use the 'Search' feature. Before you search the file, you should show all hidden files by changing the Folder Options settings.

Don't get a mistake when deleting a main files and duplicate files that have been created by the virus. Then delete the main files that have characteristics:

-. Icon 'Microsoft Visual Basic Project'.
-. File Size 128 KB (for other variants will have varying sizes).
-. Extension. file '. EXE' or '. SCR'.
-. File type 'Application' or 'Screen Saver'.

Then delete the files duplicate shortcut that have characteristics:

>. 'Folder' icon or the 'icon' icon
>. Extension. LNK
>. File Type 'Shortcut'
>. 1 KB file size

Delete the file. DLL (example: ert.dll) and the Autorun.inf file on flash disk or a shared folder. Meanwhile, to avoid the virus is active again, delete the master file that has the extension EXE or SCR first and then remove Shortcut file (. LNK).

7. Unhide the folders have been hidden by the virus. To speed up the process, please download the tools Unhide Files and Folders in http://www.flashshare.com/bfu/download.html.

Once installed, select the directory [C: \ Documents and Settings] and folders that exist on the flash disk by sliding into a column that is already available. In the [Attributes] empty of all the options, then click the [Change Attributes].

8. Install security patches 'Microsoft Windows Shell shortcut handling remote code execution vulnerability, MS10-046'. Please download the security patch at http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx

As always, for optimal cleaning and prevent re-infection, you should install and scan with antivirus software that up-to-date and was able to detect this virus very well.
I hope this tutor is useful for us
~Thank you~

Original: BinusHacker

2 comments: