Thursday, March 24, 2011

Virus Shortcut Remover

Your computer has caught the folder-shortcut virus / malware: you see harry potter.lnk, microsoft.lnk and new folder with file type Shortcut and a file size of 1 KB, among many other indicators. The author uses Windows XP SP2, but this virus may attack Vista too.

My hypothesis of how the virus / malware works is as follows:
  • The virus / malware drops the files database.mdb, thumb.db and Autorun.inf, plus the folder shortcuts harry potter ....lnk, microsoft, new folder and shortcuts to folders in the documents folder.
  • The virus / malware uses the file wscript.exe, located in the system32 folder of the Windows folder, to run the file database.mdb in My Documents.
  • The folder shortcuts point to the wscript.exe and thumb.db files mentioned above.
  • If you open one of these folder shortcuts, it activates wscript.exe and thumb.db, which create duplicate folder shortcuts on your computer, along with a thumb.db file and an autorun.inf file on drive C.
  • If your computer is infected by the virus / malware, you will find the duplicate shortcuts, the thumb.db file and the autorun.inf file throughout drive C:. The virus also scans drives, CD-ROMs, flash drives and your network as media through which to spread.

There are 2 methods to remove this virus:


Method 1 - Using an updated antivirus.

Antivirus products that can identify the virus (you can download them directly "here"), namely:
  • AVG Free: detects it as VBS Worm.
    AVG will delete all the duplicate folder shortcuts and the main virus files mentioned earlier.
  • Norton Antivirus 2009 (15-day trial): detects it as VBSRunauto.
    Norton will delete all thumb.db files on drive C.
    You can delete the Autorun.inf file and all the duplicate folder shortcuts manually.
  • Antivir Avira Premium (free 6-month license): detects it as VBS/Yuyun A or malware DR/Agent.JP.4.
    Antivir will delete all thumb.db files on drive C.
    You can delete the Autorun.inf file and all the duplicate folder shortcuts manually.
  • Or any other antivirus that has the newest update.

Method 2 - Manually.
  1. Turn off System Restore.
  2. Stop the virus's wscript.exe process using the tool CProcess or CurrProcess (you can download it via Google). Run CProcess, look for wscript.exe under the process name, then right-click the name of the file and click kill selected processes.
  3. Open Windows Explorer, click the Tools menu, Folder Options, View, click Show hidden files and folders, and uncheck Hide extensions for known file types and Hide protected operating system files. Click OK.
  4. Open My Documents. Delete the file database.mdb.
  5. Click the Search button. Click All Files and Folders. In "All or part of the file name" type: thumb.db, then click a location in "Look in". Delete all files that are found. Repeat the steps above and delete any files that are found again.
  6. Click the Search button. Click All Files and Folders. In "All or part of the file name" type: Autorun.inf, and in "Look in" click My Computer. Delete all files that are found. Repeat the steps above and delete any files that are found again.
  7. As of step 6 the virus is actually gone or no longer active, but the duplicate folder shortcuts created by the malware earlier still remain.
  8. If you want those removed as well, be very careful to tell the shortcuts created by the virus apart from the default Windows shortcuts. A folder shortcut created by the virus is one whose link, when we inspect it, points to windows/system32. Those are the ones we should clear.
  9. How to find the folder shortcuts: Click the Search button. Click All Files and Folders. In "All or part of the file name" type: *.lnk, and in "Look in" click My Computer. Choose from the results based on the characteristics of virus-created folder shortcuts described above.
  10. You can delete the registry entries made by the virus by using the tool HijackThis. (You can download HijackThis 2.0.2 here). Click to scan the system and look only at HKCU \ ... \ ... database.mdb, HKLM \ ... \ .... relating to the WindowsXP CD (I forget the full name, and this entry is sometimes there and sometimes not), and HKCU \ ... \ .... disableregedit = 1. Click the fix button.
  11. Now restart your computer.

In fact, it is not a problem if we skip deleting the registry entries (step 10), but at restart Windows will show 2 dialog boxes: the first searches for the file database.mdb that we removed earlier, and the second prompts you to insert the WindowsXP CD (this one appears on some machines and not on others). Click OK. Regedit will then probably still be disabled by the virus. That is also not a problem if you are used to working with the Windows registry.
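The file searches in steps 4 to 9 can be run as one read-only pass, for instance from a clean machine against the affected drive or a flash disk. The following Python script is an added example, not part of the original post; it assumes the file names listed above, that the shortcuts are small (the 4096-byte limit is an assumption), and that a virus-made shortcut contains the string wscript.exe.

```python
import os
import sys

# File names the article lists as dropped by the malware (case-insensitive).
# autorun.inf and database.mdb also exist legitimately, so hits are only
# candidates for manual review; this script reports and never deletes.
DROPPED_NAMES = {"database.mdb", "thumb.db", "autorun.inf"}
MAX_LNK_SIZE = 4096  # assumption: generous bound around the ~1 KB shortcuts
# wscript.exe as stored inside a .lnk file: ANSI and UTF-16LE forms.
NEEDLES = (b"wscript.exe", "wscript.exe".encode("utf-16-le"))


def lnk_mentions_wscript(path):
    """Return True if a small .lnk file contains the string wscript.exe."""
    try:
        if os.path.getsize(path) > MAX_LNK_SIZE:
            return False
        with open(path, "rb") as fh:
            data = fh.read().lower()  # lowercases ASCII bytes only
    except OSError:
        return False  # unreadable file: skip rather than abort the scan
    return any(needle in data for needle in NEEDLES)


def scan(root):
    """Walk root; return (dropped_file_candidates, suspicious_shortcuts)."""
    dropped, shortcuts = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() in DROPPED_NAMES:
                dropped.append(full)
            elif name.lower().endswith(".lnk") and lnk_mentions_wscript(full):
                shortcuts.append(full)
    return sorted(dropped), sorted(shortcuts)


if __name__ == "__main__":
    files, lnks = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in files:
        print("dropped-file candidate:", path)
    for path in lnks:
        print("shortcut referencing wscript.exe:", path)
```

Pass the drive or folder to scan as the first argument; shortcuts that do not mention wscript.exe, such as the default Windows ones, are not reported.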


How to prevent the virus from coming back:

This virus works when we click one of the folder shortcuts (new folder, harry potter ....lnk, microsoft). Clicking the folder shortcut launches wscript.exe, which is located in the Windows system32 folder. Once wscript.exe is running with the virus, the virus begins to spread. So the key is that the virus becomes active through the file wscript.exe. For that reason we must disable wscript.exe by changing its name.

Open Windows Explorer, click the Tools menu, Folder Options, View, click Show hidden files and folders, and uncheck Hide extensions for known file types and Hide protected operating system files. Click OK.

Open the folder C:\Windows\system32\dllcache. This folder holds backup copies of the files in the system32 folder. Find the file wscript.exe, right-click it and rename it to, for example, wscriptx.exe. Then open C:\Windows\system32, find the file wscript.exe, right-click it and rename it to, for example, wscriptx.exe as well.

Now you can give it a try. Good luck!


