i.e. autorun.inf, Microsoft.inf and Thumb.db. The virus creates a duplicate of each folder in the form of a shortcut.
After I cleaned it, I then copied data from my friend's USB drive from earlier. When I opened the files in a folder, the virus files appeared (autorun.inf, Microsoft.inf and Thumb.db), so my conclusion was that the computer had caught a virus of the Pif/Starter variant from a USB flash disk. Removing the virus was not that easy. After a full scan and deleting the files, the virus still appeared in each folder.
Not knowing what else to do, I searched the internet for how to eradicate this shortcut virus. The following are the steps it takes to eradicate the shortcut virus (Pif/Starter), quoted from Detikinet:
1. Turn off System Restore first: right-click My Computer | Properties, select the System Restore tab, and check the small box 'Turn off System Restore on all drives'.
2. Terminate the process of the Wscript file located in C:\Windows\System32, using tools such as CProcess or HijackThis, or the Windows Task Manager.
3. Once the Wscript process has been terminated, we must delete or rename the file so that it cannot be used by the virus.
As a note, if we rename the Wscript.exe file, it will automatically be copied back into the folder. Therefore, we must find where the other copies of Wscript.exe are, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386.
Unlike other VBS viruses, where we can change the Open With association of vbs files to Notepad, this virus has the mdb extension, which means it is a Microsoft Access file. So Wscript will run the DATABASE.MDB file as though it were a vbs file.
4. Delete the parent file at C:\Documents and Settings\ \My Documents\database.mdb, so that the file is not loaded every time the computer starts. Also, do not forget to open msconfig and disable the run command.
5. Now we will delete the files Autorun.INF, Microsoft.INF and Thumb.db. To do so, click the START button, type CMD, and change to the drive that will be cleaned, for example drive C:\. Then do the following:
At the C:\ prompt, type del Microsoft.inf /s. This command deletes all microsoft.inf files in all folders on drive C:. To clean another drive, simply change the drive letter, for example: at the D:\ prompt, type del Microsoft.inf /s.
For the autorun.inf file, type del autorun.inf /s /ah /f at the C:\ prompt. This command deletes the autorun.inf file; the /ah /f switches are used because the file has the RSHA attributes set. Do the same for the Thumb.db file.
6. To delete the files other than the 4 files above, we must use Search to find files with the .lnk extension and a size of 1 KB. Under 'More advanced options', make sure that 'Search system folders' and 'Search hidden files and folders' are both checked.
Please be careful: not every shortcut (LNK) file of 1 KB is a virus. We can tell them apart by icon, size and type. The shortcut created by the virus uses a 'folder' icon, has a size of 1 KB and is of type 'Shortcut', whereas a real folder has no 'size' and its type is 'File Folder'.
7. Repair the registry entries modified by the virus. To speed up the registry repair, copy the script below into Notepad and save it with the name 'Repair.inf'. Run the file in the following manner:
- Right-click repair.inf
- Click Install
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default open commands for executable file types
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Restore the default logon shell and Safe Mode alternate shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

; Remove the Run values named below
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer
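A report-only scanner for the files named in steps 4 to 6, added here as an example; it is not part of the original post or the Detikinet steps. The rule that a shortcut of at most 1 KB sharing its name with a sibling folder is suspect is an assumed heuristic based on the post's description, and the function names and sample tree are constructed for illustration.

```python
import os
import tempfile

# Artifact names taken from the post; matched case-insensitively and exactly,
# so the legitimate Windows thumbnail cache "Thumbs.db" is not flagged.
ARTIFACT_NAMES = {"autorun.inf", "microsoft.inf", "thumb.db", "database.mdb"}
MAX_LNK_SIZE = 1024  # the post describes the fake shortcuts as 1 KB

def scan(root):
    """Report-only walk of root: returns (artifacts, suspect_shortcuts)."""
    artifacts, shortcuts = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        folder_names = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in ARTIFACT_NAMES:
                artifacts.append(path)
                continue
            stem, ext = os.path.splitext(lower)
            if ext != ".lnk":
                continue
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
            # Assumed heuristic: small shortcut named after a sibling folder.
            if size <= MAX_LNK_SIZE and stem in folder_names:
                shortcuts.append(path)
    return sorted(artifacts), sorted(shortcuts)

def build_sample_tree(root):
    """Constructed sample tree standing in for an affected USB drive."""
    os.makedirs(os.path.join(root, "Photos"))
    samples = {
        "Photos.lnk": 700,   # small shortcut duplicating the Photos folder
        "Notes.lnk": 700,    # small shortcut with no matching folder
        "autorun.inf": 40,
        "Thumbs.db": 40,     # legitimate thumbnail cache, must not be flagged
        os.path.join("Photos", "Thumb.db"): 40,
    }
    for rel, size in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

Nothing is deleted by the scan, so each hit can be reviewed against the icon, size and type checks in step 6 before removal.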